The War Between Wars: How an IRGC Front Runs Destructive OT and IT Attacks Under Cover of a Ceasefire
The first sign wasn't a security alert. It was a temperature reading.
A food plant's cold rooms were warming up and the product was spoiling. The engineers expected a dead compressor. Instead, someone had been inside the controllers and rewritten them on purpose: setpoints, safety limits, valves pinned open, and the engineers' own remote account locked out while the plant failed. Three compressors destroyed. No malware required, just an attacker who understood refrigerant physics.
On the same network, our team found a disk wiper hiding as a fake Microsoft update.
One IRGC-directed front. Two target sets, IT and OT. And it all ran under a ceasefire, when everyone had been told the fighting was over. That's not a coincidence. It's the doctrine.
Our IRT broke the whole thing down, with GRAT IOCs and a YARA rule: