Purple Teaming the Fallout: A Red Team Perspective on U.S. Infrastructure Risks Amid Israel-Iran Conflict
The Middle East just exploded again. Last week, Israel launched direct airstrikes into Tehran, hitting nuclear and military targets in a bold escalation against Iran. It’s a major geopolitical escalation with potential nuclear implications, but the digital fallout could spread even faster.
And if you’re in the United States, especially in critical infrastructure or cyber defense, it’s time to pay attention.
Because Iran doesn’t just retaliate with rockets. It retaliates with cyber warfare: phishing lures, industrial control system (ICS) exploits, and carefully crafted TTPs.
This blog is from a Red Teamer's perspective. Here are some ideas on how offensive security and our blue team partners could be preparing right now for what could be a wave of cyber retaliation targeting American infrastructure.
Why This Conflict Matters to U.S. Cyber Defenders
Iranian APTs (APT33, APT34/OilRig, APT35/Charming Kitten, and affiliated groups) have a well-documented history of targeting U.S. critical infrastructure, especially the energy, telecommunications, transportation, manufacturing, and water sectors.
If Iran sees U.S. alignment with Israel as cause for escalation, we can expect:
Sophisticated phishing and credential theft targeting ICS engineers (targets can be found via LinkedIn)
Exploits of OT/ICS devices with destructive or manipulative intent
Influence operations aimed at undermining public trust in infrastructure (deface an internal HMI clone in a safe area to show fake pump failures)
Cyberattacks coordinated with physical proxy group actions (DDoS attack + Drone attack targeting physical power grid components)
In other words, not just breach-and-leak, but disruption and deception at scale.
Red Team Goals in This Moment
Red Teams must act as stress testers of national resilience. It’s not just about emulating threat actors; it’s about arming the Blue Team with muscle memory before bullets fly in cyberspace.
A perfect example? CDX Trisector. This event brought together cybersecurity professionals from both the public and private sectors, spanning three critical infrastructure verticals: finance, telecommunications, and energy. The goal was to simulate coordinated, real-world cyberattacks across sector boundaries, highlighting the interdependencies, vulnerabilities, and response challenges that arise when multiple critical sectors are targeted simultaneously. It also emphasized cross-sector communication, intelligence sharing, and the importance of harmonized incident response during nation-state scale cyber campaigns.
Like I said, that's a PERFECT example. But you can execute wargame simulations in smaller-scale environments as well via purple team engagements.
Here are some ideas on how to turn this crisis into a proving ground for your detection, response, and defense strategy through a purple team campaign aligned to MITRE ATT&CK for ICS.
MITRE-Driven Purple Team Engagement Plan
Phase 1: Initial Access
Simulate phishing and web exploitation used by APT34 and APT35. (I apologize in advance, I attempted to copy and paste tables here and just couldn’t format it correctly, so I had to take screenshots).
Phase 2: Credential Access & Lateral Movement
Recreate how adversaries like Elfin (APT33) move across ICS-connected environments.
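For the blue side of this phase, the thing worth rehearsing is whether the SOC actually sees an account hopping from IT into ICS-connected hosts. The following is an added example written for this post, not code from the original article or from any vendor: it runs two simple detections over constructed logon records. The log format (pipe-delimited successful-logon events), the OT address range 10.20.0.0/16, the approved jump host 10.10.5.5 and the fan-out threshold are all assumptions chosen for the illustration.

```python
"""Phase 2 purple team detection logic: lateral movement from IT into OT.

Added example (not from the original post). Assumptions, all constructed:
  - One record per successful logon, pipe-delimited:
        timestamp|event_id|user|src_ip|dst_ip|logon_type
    event_id 4624 = successful logon, logon_type 3 = network logon.
  - OT hosts live in 10.20.0.0/16; the only approved path into OT is the
    jump host 10.10.5.5.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

OT_NET = ip_network("10.20.0.0/16")                # constructed OT address space
APPROVED_JUMP_HOSTS = {ip_address("10.10.5.5")}   # constructed allowlist
FANOUT_THRESHOLD = 3                              # distinct OT hosts per account
FANOUT_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry. The svc-backup account touching several OT
# hosts over SMB/RPC within minutes is the pattern the exercise should trip.
SAMPLE_LOG = """\
2025-06-15T02:01:10|4624|ot-eng01|10.10.5.5|10.20.1.10|10
2025-06-15T02:03:44|4624|svc-backup|10.10.44.9|10.20.1.20|3
2025-06-15T02:04:02|4624|svc-backup|10.10.44.9|10.20.2.5|3
2025-06-15T02:05:30|4624|svc-backup|10.10.44.9|10.20.1.11|3
2025-06-15T02:30:00|4624|j.doe|10.10.7.21|10.10.9.40|3
2025-06-15T03:15:00|4624|svc-backup|10.10.44.9|10.20.3.3|3
"""


def parse_logons(text):
    """Turn the constructed pipe-delimited lines into typed records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src, dst, logon_type = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "user": user,
            "src": ip_address(src),
            "dst": ip_address(dst),
            "logon_type": int(logon_type),
        })
    return records


def detect_unapproved_ot_access(records):
    """Network logons into OT from anything other than the approved jump host."""
    findings = []
    for r in records:
        if r["event_id"] != 4624 or r["dst"] not in OT_NET:
            continue
        if r["logon_type"] == 3 and r["src"] not in APPROVED_JUMP_HOSTS:
            findings.append((r["ts"], r["user"], str(r["src"]), str(r["dst"])))
    return findings


def detect_account_fanout(records):
    """One account reaching FANOUT_THRESHOLD distinct OT hosts inside FANOUT_WINDOW.

    Returns at most one finding per account: (user, window_start, sorted hosts).
    """
    by_user = defaultdict(list)
    for r in records:
        if r["event_id"] == 4624 and r["dst"] in OT_NET:
            by_user[r["user"]].append(r)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= FANOUT_WINDOW]
            hosts = {e["dst"] for e in in_window}
            if len(hosts) >= FANOUT_THRESHOLD:
                findings.append((user, start["ts"], sorted(str(h) for h in hosts)))
                break  # one alert per account is enough
    return findings


if __name__ == "__main__":
    recs = parse_logons(SAMPLE_LOG)
    for f in detect_unapproved_ot_access(recs):
        print("unapproved OT access:", f)
    for f in detect_account_fanout(recs):
        print("account fan-out into OT:", f)
```

Both rules are deliberately cheap so they can be validated during the exercise itself: when the red team's lateral movement inject runs, the blue team should be able to point at the exact record that fired. If nothing fires, the gap (missing log source, wrong allowlist, OT hosts not tagged as OT) becomes the finding.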
Phase 3: ICS/OT Disruption Simulation
Think beyond IT. Bring the fight to the control systems where real-world impact happens. (We do recognize that these injects are more difficult and require extra planning, since we don't want to impact production ICS/OT systems.)
References: ATT&CK for ICS T0855 (Unauthorized Command Message), T0856 (Spoof Reporting Message), T0816 (Device Restart/Shutdown); HMI
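Because production controllers are off limits, the defensive half of this phase usually lives on a network sensor or a lab segment: can the monitoring see a write or a restart request coming from the wrong host? The block below is an added example for this post (not from the original article or any ICS vendor) that maps simple Modbus/TCP request monitoring to two of the referenced techniques, T0855 and T0816. The pipe-delimited sensor format, the PLC and HMI addresses and the authorized-writer allowlist are constructed assumptions; the function-code meanings come from the public Modbus specification.

```python
"""Phase 3 detection logic: Modbus/TCP command monitoring for the ICS/OT
disruption simulation, mapped to ATT&CK for ICS T0855 (Unauthorized Command
Message) and T0816 (Device Restart/Shutdown).

Added example (not from the original post). Assumptions, all constructed:
  - A sensor on the control segment emits one line per Modbus request:
        timestamp|src_ip|dst_ip|unit_id|function_code|sub_function
    where sub_function is '-' when the function has none.
  - Only the two HMIs in AUTHORIZED_WRITERS may write to or manage PLCs.
"""
from datetime import datetime

# Function codes from the public Modbus application protocol specification.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
DIAGNOSTICS = 8          # function 0x08 Diagnostics
RESTART_COMMS = 1        # sub-function 0x0001 Restart Communications Option

AUTHORIZED_WRITERS = {"10.20.1.10", "10.20.1.11"}  # constructed: HMI-01, HMI-02

# Constructed known-good window used to learn a traffic baseline.
BASELINE_TRAFFIC = """\
2025-06-15T02:10:00|10.20.1.10|10.20.5.1|1|3|-
2025-06-15T02:10:05|10.20.1.10|10.20.5.1|1|6|-
2025-06-15T02:10:09|10.20.1.11|10.20.5.2|1|16|-
"""

# Constructed exercise window: the last three lines come from 10.20.1.20,
# a host that is only supposed to read.
SAMPLE_TRAFFIC = BASELINE_TRAFFIC + """\
2025-06-15T02:11:30|10.20.1.20|10.20.5.1|1|5|-
2025-06-15T02:11:31|10.20.1.20|10.20.5.1|1|8|1
2025-06-15T02:12:00|10.20.1.20|10.20.5.2|1|3|-
"""


def parse_modbus_log(text):
    """Parse the constructed sensor lines into request dicts."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, unit, func, sub = line.split("|")
        requests.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "unit": int(unit),
            "func": int(func),
            "sub": None if sub == "-" else int(sub),
        })
    return requests


def detect_unauthorized_commands(requests):
    """T0855: a write request from a host that is not an authorized writer."""
    return [
        {"technique": "T0855", "ts": r["ts"], "src": r["src"], "dst": r["dst"],
         "detail": WRITE_FUNCTIONS[r["func"]]}
        for r in requests
        if r["func"] in WRITE_FUNCTIONS and r["src"] not in AUTHORIZED_WRITERS
    ]


def detect_restart_requests(requests):
    """T0816: Diagnostics / Restart Communications Option aimed at a PLC.

    Flagged regardless of source; a restart from an authorized HMI still
    deserves a look during an exercise, so the source is noted in the detail.
    """
    return [
        {"technique": "T0816", "ts": r["ts"], "src": r["src"], "dst": r["dst"],
         "detail": "Restart Communications Option"
                   + ("" if r["src"] in AUTHORIZED_WRITERS else " from unauthorized host")}
        for r in requests
        if r["func"] == DIAGNOSTICS and r["sub"] == RESTART_COMMS
    ]


def baseline_function_codes(requests):
    """Learn the (src, dst, function) triples seen during a known-good window."""
    return {(r["src"], r["dst"], r["func"]) for r in requests}


def detect_baseline_deviations(requests, baseline):
    """Any (src, dst, function) triple never seen in the baseline.

    Control networks are static enough that this crude rule catches new talkers
    and new function codes long before signature content is needed.
    """
    return [r for r in requests if (r["src"], r["dst"], r["func"]) not in baseline]


if __name__ == "__main__":
    reqs = parse_modbus_log(SAMPLE_TRAFFIC)
    base = baseline_function_codes(parse_modbus_log(BASELINE_TRAFFIC))
    for f in detect_unauthorized_commands(reqs) + detect_restart_requests(reqs):
        print(f["technique"], f["ts"], f["src"], "->", f["dst"], f["detail"])
    for r in detect_baseline_deviations(reqs, base):
        print("baseline deviation:", r["ts"], r["src"], "->", r["dst"], "func", r["func"])
```

Running the three detectors side by side during the exercise shows which layer actually caught the inject: the allowlist rules only fire on what they were told about, while the baseline rule also flags the new reader on line six, which is noise in one plant and an early warning in another. Deciding which it is for your environment is exactly the tuning conversation a purple team is for.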
Phase 4: Command & Control + Influence
These campaigns often blur the line between cyber and psyops.
References: ATT&CK for ICS T0831 (Manipulation of Control)
Optional Injects for Full-Spectrum Readiness
USB bait drops in OT facilities (does your environment detect a Rubber Ducky?)
Fake breach reports to test executive and PR comms
Final Thoughts: Red Readiness, Blue Resilience
Cyberwar doesn't announce itself with a bang. It creeps, probes, and breaks things when you least expect it.
As Red Teamers, we don’t just simulate threats; we pressure-test reality so defenders can respond when it matters.
Build exercises that reflect the geopolitical tension
Map them tightly to ATT&CK ICS for clarity and effectiveness
And always use purple teaming engagements to transform chaos into resilience
If you're running simulations in energy, water, manufacturing, telecommunications, or emergency services right now, you’re not paranoid. You’re preparing!