Unit 42's Iran Threat Brief: What We're Seeing [Threat Vector]

7 snips

Mar 5, 2026

Andy Piazza, Senior Director of Threat Intelligence at Unit 42 with 20+ years in security ops, and Justin Moore, Senior Manager of Threat Intelligence Research with prior intelligence officer roles, discuss Iran-linked hacktivist activity. They cover observed group behaviors, how Iran's internet outages change the threat landscape, dispersed operators and proxy dynamics, and immediate defensive priorities like DDoS protection, backups, MFA, and validation of claims.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Connectivity Blackout Shifted Attack Origins

Iran's near-total internet outage shifted most observed attacks to actors outside the country.
Justin Moore and Andy Piazza note globally dispersed pro-activists carried the retaliation while in-country units faced operational isolation and limited collection ability.

INSIGHT

Isolated Units Favor Disruption Over Collection

Operationally isolated state-aligned units may act autonomously and change their normal mission focus.
Andy Piazza explains that forward-deployed or autonomous units may prioritize disruptive activity over long-term intelligence collection.

INSIGHT

Pragmatic Tracking Uses Self Names And Verifications

Unit 42 is using rapid-response naming (self-names) for hacktivist groups while validating origins and claims.
Andy Piazza highlights pragmatic tracking by handles/chat names and emphasises verifying pro-Iranian vs pro-Russian origins before attribution.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Unit 42 is tracking more than 60 active hacktivist groups and Iran-linked threat actors right now. What are they actually doing, what should you believe, and what should you do about it?

In this episode of Threat Vector, David Moulton sits down with Justin Moore, Senior Manager of Threat Intelligence Research at Unit 42, and Andy Piazza, Senior Director of Threat Intelligence at Unit 42, to walk through the Unit 42 Iran Threat Brief and what the observed activity means for defenders.

You'll learn:

- What Unit 42 is actually observing from groups like Handala Hack, FAD Team, and Dark Storm, and what claims remain unverified

- Why Iran's reduced internet connectivity changes the threat picture in ways that aren't obvious

- What dispersed operators and proxy groups mean for organizations far outside the Middle East

- Which defensive actions matter most against the TTPs and IOCs Unit 42 has documented

- How to handle hacktivist claims that may be exaggerated or false

Justin Moore brings nine years of intelligence officer experience plus senior threat intel roles at Mandiant, Google, and TikTok before joining Unit 42. Andy Piazza has more than 20 years in security operations and threat intelligence, including leading IBM X-Force's global threat intel team.

Read the threat brief from Unit 42:

- Escalation of Cyber Risk Related to Iran (March 2026)

- Escalation of Cyber Risk Related to Iran (June 2025)

This episode is essential listening if you're: a CISO assessing current exposure, a threat analyst tracking Iran-linked groups, or a security leader who needs to explain the actual observed risk to your board.

Related Episodes:

- Inside the Mind of State-Sponsored Cyberattackers

- Frenemies With Benefits

- From Policy to Cyber Interference

#Cybersecurity #ThreatIntelligence

About Threat Vector

Threat Vector by Palo Alto Networks is your premier podcast for security thought leadership. Join us as we explore pressing cybersecurity threats, robust protection strategies, and the latest industry trends.

The podcast features in-depth discussions with industry leaders, Palo Alto Networks experts, and customers, providing crucial insights for security decision-makers.

Whether you're looking to stay ahead of the curve with innovative solutions or understand the evolving cybersecurity landscape, Threat Vector equips you with the knowledge needed to safeguard your organization.

Palo Alto Networks

Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile.⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠http://paloaltonetworks.com.⁠

Learn more about your ad choices. Visit megaphone.fm/adchoices