Iran's hackers surge as CISA runs on 800 furloughed-down staff

Gottumukkala's warning proved prophetic in the worst possible way. On February 28, the same night Operation Epic Fury launched in Iran, CISA's website displayed a notice that it had not been updated since February 17 'due to a lapse in federal funding' and was 'not being actively managed.' The agency responsible for publishing threat advisories, vulnerability alerts, and critical infrastructure warnings had gone dark at the exact moment the United States entered active conflict with one of the world's most capable state-sponsored cyber powers. The shutdown also halted implementation of CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, which was already delayed beyond its May 2026 deadline. CNBC Security Week

The leadership void compounded the operational crisis. Gottumukkala — who had come to CISA from a South Dakota state IT role, with close ties to Kristi Noem, and no cybersecurity background — was reassigned to a DHS cost-cutting review division the week before the shutdown. Politico had already reported that during his nine months as acting director he had uploaded sensitive contracting documents to the public version of ChatGPT and failed the polygraph test required to access sensitive cyber intelligence shared with CISA by partner agencies. His lack of cybersecurity experience raised serious questions about his qualifications to lead America's primary cyber defense agency. Federal News Network Security Week

Nick Andersen, the agency's executive assistant director for cybersecurity and a career professional, stepped into the acting director role — CISA's third acting director in a matter of weeks. Sean Plankey, Trump's nominee to permanently lead CISA, a retired Coast Guard officer with genuine cybersecurity credentials, was meanwhile escorted out of DHS headquarters by security after clashing internally with Gottumukkala over contracts. Plankey had his access badge removed and was physically removed from the Coast Guard headquarters in an unprecedented move for a presidential nominee. Federal News Network ABC News

Plankey's Senate confirmation remained blocked — initially by Sen. Rick Scott (R-FL) over a Florida shipbuilding contract dispute, then by Sen. Thom Tillis (R-NC) over the Noem DHS obstruction imbroglio. The leadership chaos created a dangerous vacuum at the precise moment when U.S. cyber defenses needed stable, experienced leadership most. Three Republican senators refused to move forward with Plankey's confirmation for unrelated reasons, leaving CISA without permanent leadership as Iran prepared cyberattacks. CNBC Defense One

Into this vacuum, Iranian state-sponsored hacking groups surged. Cybersecurity experts and intelligence firms told NBC and Nextgov that Iran's IRGC-linked units — APT33 (Refined Kitten) and APT34 (OilRig) — were increasing targeting of U.S. businesses and critical infrastructure sectors including energy grids, water utilities, and financial services. Pavel Gurvich, founder of cybersecurity startup Tenzai, told CNBC: 'From a timing perspective, it's now or never. In that sense, the danger is meaningfully higher.' Iran was explicitly exploiting the American government shutdown to launch cyber operations when U.S. defenses were weakest. CNBC BankInfoSecurity

DHS issued a Critical Incident Report to law enforcement partners warning that the Cyber Islamic Resistance had called for cyberattacks against the United States and Israel. The timing was not coincidental — Iran was explicitly exploiting the American government shutdown to launch cyber operations when U.S. defenses were weakest. Iranian hackers had been probing U.S. critical infrastructure for months but waited for the CISA shutdown to escalate their attacks. ABC News Security Week

On March 3, Iran struck three Amazon Web Services data centers — one in Bahrain, two in the UAE — knocking all three offline and marking the first time a major U.S. tech company's physical cloud infrastructure was explicitly targeted by a foreign power during a U.S. military operation. Iran's state news agency attributed the attacks to AWS's support for U.S. military and intelligence operations. AWS holds classified contracts with the CIA and DoD through GovCloud. The attacks paralyzed banking, government offices, and key industries across the Middle East, with one minute of downtime costing millions in economic damage. CNBC ABC News

The structural lesson exposed by all of this is that CISA's operational capacity is directly tethered to congressional appropriations politics — meaning foreign adversaries can time cyberattacks to coincide with domestic budget fights. Rep. Andrew Garbarino (R-NY), chair of the House Homeland Security Subcommittee on Cybersecurity, said: 'Iranian regime-backed cyber actors continue to pose a serious threat to the United States and our allies, from probing our water utilities to running influence operations that undermine our democracy.' The attacks demonstrated how domestic political disputes directly create national security vulnerabilities. Nextgov BankInfoSecurity

Garbarino emphasized: 'CISA and its skilled personnel need to remain fully operational — and paid — to ensure our nation is ready to deter and respond to cyber threats against critical infrastructure.' His warning highlighted how domestic political disputes directly create national security vulnerabilities. Neither the Republican shutdown blame strategy nor the Democratic demands for immigration enforcement reforms included any emergency carve-out to keep CISA fully funded during the DHS lapse. Defense One Security Week

House Appropriations chair Tom Cole had written a month earlier that CISA's personnel were already 'stretched thin' and that a shutdown would 'hinder the country's ability to protect critical infrastructure and hospitals.' Neither the Republican shutdown blame strategy nor the Democratic demands for immigration enforcement reforms included any emergency carve-out to keep CISA fully funded during the DHS lapse. The failure to protect CISA funding represented a catastrophic breakdown in congressional oversight of national security functions. BankInfoSecurity Nextgov