
Iran Just Named 18 American Companies as Military Targets. We Have Files on Six of Them.

  • Writer: Patrick Duggan
  • Apr 2
  • 5 min read

Updated: Apr 25

Yesterday at 8 PM Tehran time, the Islamic Revolutionary Guard Corps published a list of 18 American technology companies it considers "legitimate military targets." For every assassination of an Iranian leader, an American company will be destroyed. Employees were told to leave their workplaces immediately.


The list: Apple. Google. Meta. Microsoft. Nvidia. Intel. Cisco. HP. Dell. Oracle. IBM. Palantir. Tesla. Boeing. General Electric. JPMorgan Chase. Spire Solutions. G42.


We've been tracking Iranian cyber operations since March 6. We have research folders on six of the named companies. Here's what we know about their exposure.



Cisco — Already Burning


Cisco is on the IRGC's kinetic target list. Cisco is also being blackmailed by ShinyHunters, who claim 3 million Salesforce records, GitHub repositories, and AWS account access. The deadline for Cisco to respond is tomorrow, April 3.


Separately, Cisco's Firepower Management Center — the console that manages their firewalls — was exploited as a zero-day (CVE-2026-20131, CVSS 10.0) for 36 days before Cisco disclosed it. Interlock ransomware used it to hit hospitals and cities, including Saint Paul, Minnesota.


In January, we found a fake Cisco FMC proof-of-concept on GitHub that was actually a webshell — Pattern 38 instance #4. The FMC attack surface has been a recurring theme in our research since the start of the year.


Cisco doesn't need the IRGC. They already have enough problems.



Dell — Chinese Hackers Inside for Two Years


Dell is on the IRGC's list. Dell's RecoverPoint for Virtual Machines has been compromised by Chinese state-backed hackers (UNC6201) since mid-2024. Hardcoded credentials. CVSS 10.0. CVE-2026-22769. Ghost NICs for invisible lateral movement. BRICKSTORM and GRIMBOLT backdoors.


I worked at Dell EMC. RecoverPoint was the disaster recovery crown jewel — the appliance with root access to your entire VM infrastructure. The hardcoded credential wasn't a bug. It was a design choice from a culture that treated security as a compliance checkbox.


Dell now faces threats from two nation-states simultaneously — China sitting inside their product's customer deployments, and Iran threatening their physical facilities. The $67 billion EMC acquisition bought a storage empire and a root-access backdoor that two intelligence services exploited.



Palantir — Named as a Target, Named in Our Research


Palantir holds a $1 billion+ DHS blanket purchase agreement. Their Gotham platform ingests data from every other surveillance vendor in the DHS ecosystem — Motorola, Axon, Genetec. They sit at the top of the intelligence stack.


We identified Palantir during our DHS surveillance ecosystem analysis in March. Their infrastructure has zero LD-JSON structured data (we scored them). Their security.txt is active with signatures and a bug bounty program. They have a mature security org.


But Palantir's DHS role makes them uniquely dangerous as a target. Compromise Palantir and you compromise the aggregation layer — the system that sees everything every other vendor feeds into DHS. That's why they're on the list. Not for their revenue. For their access.


Switzerland already ended their Palantir contract in February over data sovereignty concerns. The IRGC targeting adds another dimension — Palantir's government customers now face the question of whether a company under active nation-state threat is a safe analytics partner.



Oracle — 30,000 Layoffs and a Target on Their Back


Oracle announced up to 30,000 layoffs this week — 18% of their workforce — to fund a $50 billion AI data center buildout. 6 AM termination emails. Senior engineers and PMs cut to pay for GPUs.


Now the IRGC has named them as a military target.


Oracle WebLogic Server has an active CVSS 10.0 vulnerability (CVE-2026-21962) being mass-exploited since January. The people who would patch it are being laid off. The facilities where the servers run are being threatened.


The timing is brutal. You can't defend infrastructure while firing the people who understand it.



Microsoft — The Common Thread


Microsoft appears on the IRGC list. Microsoft is also the common thread in the Stryker attack — Handala (MOIS) weaponized Microsoft Intune to wipe 200,000 devices across 79 countries. The management tool designed to protect device fleets became the weapon that destroyed one.


CISA issued a specific alert on March 18: "Endpoint Management System Hardening After Cyberattack Against US Organization" — referring directly to the Stryker/Intune compromise.




Microsoft's products are the attack surface. Microsoft's infrastructure is the target. The company selling security tools and being exploited through them is now being threatened kinetically by the same nation-state that weaponized their MDM platform.



Apple — DarkSword and the Iran Connection


Apple pushed an emergency iOS 18 security patch this week for the DarkSword exploit. Timing matters — MOIS has historically targeted mobile devices for surveillance. An emergency iOS patch during an active Iran cyber war, followed by the IRGC naming Apple as a military target, connects two dots that may not be coincidental.


Iran's internet has been blacked out for 27+ days. Their cyber operators are working from external infrastructure — satellite connections, foreign VPS, pre-positioned access. Mobile exploitation is a force multiplier when your own internet is down.



What We Track


We've maintained 16 adversary domains under daily DNS surveillance since the conflict escalated. Our STIX feed carries 1,917 Iran-linked IOCs across 28 adversary profiles including:


  • Handala Hack Team (MOIS) — Stryker wiper, Patel email breach, DOJ-attributed

  • MuddyWater (MOIS) — Dindoor backdoor targeting US networks, Operation Olalampo

  • Cotton Sandstorm (IRGC) — destructive operations, influence campaigns

  • Educated Manticore — evolving toolset, Middle East targeting

275+ organizations in 46 countries pull our feed. When we index an Iranian IOC, it propagates to every consuming SIEM within 24 hours.



The Convergence


The IRGC list isn't a cyber threat. It's a kinetic threat — destroy facilities, not encrypt data. But the named companies are already under cyber siege from multiple actors:



| Company   | IRGC Target | Active Cyber Threat                                  | CVE                    | Our Coverage             |
|-----------|-------------|------------------------------------------------------|------------------------|--------------------------|
| Cisco     | Yes         | ShinyHunters (3M records) + Interlock (FMC zero-day) | CVE-2026-20131 (10.0)  | Blog + IOCs              |
| Dell      | Yes         | UNC6201 China (RecoverPoint, 2 years)                | CVE-2026-22769 (10.0)  | Blog + IOCs              |
| Oracle    | Yes         | WebLogic mass exploitation                           | CVE-2026-21962 (10.0)  | Indexed                  |
| Microsoft | Yes         | Handala/MOIS (Intune weaponized)                     | Multiple               | Blog + IOCs + CISA alert |
| Palantir  | Yes         | Named Iranian target                                 |                        | Research folder          |
| Apple     | Yes         | DarkSword exploit (emergency patch)                  |                        | Monitoring               |

Six companies. All named as military targets. All already compromised or actively exploited through other vectors. The IRGC threat is the loudest, but it's not the most dangerous. The Chinese APTs, the ransomware gangs, and the supply chain attackers are already inside.


The war you see on TV names countries. The war in the logs names CVEs. Both wars target the same companies.



What To Do If You're On the List


If you work at one of the 18 named companies — or depend on their infrastructure:


  1. Take the IRGC threat seriously for physical security. Embassies get threat briefings. Your CISO should too.

  2. Assume the cyber threats are independent. The IRGC list doesn't mean Iran is behind Interlock or ShinyHunters. But it means Iran is paying attention to who's already vulnerable.

  3. Patch the CVSS 10.0s. Cisco FMC, Dell RecoverPoint, Oracle WebLogic — all maximum severity, all actively exploited, all at companies now under kinetic threat.

  4. Monitor for Handala/MuddyWater infrastructure. 16 domains under our surveillance. IOCs in our STIX feed.

  5. Point your SIEM at a threat feed that updates daily:


https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_KEY
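As an added example (not the feed's own client and not DugganUSA code), here is one way a consuming SIEM pipeline could turn a STIX 2.1 indicator bundle into a watchlist, drop expired indicators, and check DNS log lines against it. The bundle, indicator ids, domains, addresses and log lines are all constructed for the example, and nothing is assumed about the feed's actual `format=splunk` output.

```python
"""Parse a STIX 2.1 indicator bundle into a watchlist and match DNS logs against it."""
import json
import re
from datetime import datetime, timezone

# Constructed sample bundle: these are NOT real IOCs from any feed; the domains use
# .invalid and the address comes from the TEST-NET-2 documentation range.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000001",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.invalid']",
         "valid_from": "2026-03-06T00:00:00Z", "valid_until": "2027-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2026-03-06T00:00:00Z"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'old.example.invalid']",
         "valid_from": "2025-01-01T00:00:00Z", "valid_until": "2025-06-01T00:00:00Z"},
    ],
})

# Constructed DNS resolver log lines (hypothetical key=value format).
SAMPLE_DNS_LOGS = [
    "2026-04-02T08:01:12Z client=10.0.0.5 query=c2.example.invalid type=A rcode=NOERROR",
    "2026-04-02T08:01:13Z client=10.0.0.5 query=update.example.invalid type=A answer=198.51.100.7",
    "2026-04-02T08:02:00Z client=10.0.0.9 query=old.example.invalid type=A rcode=NOERROR",
]
SAMPLE_NOW = datetime(2026, 4, 2, tzinfo=timezone.utc)

# Only single-comparison patterns are handled; compound STIX patterns are skipped.
_SIMPLE = re.compile(r"^\[(domain-name|ipv4-addr|ipv6-addr|url):value\s*=\s*'([^']+)'\]$")

def parse_bundle(text, now):
    """Return {observable value: indicator id} for indicators still valid at `now`."""
    watch = {}
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) < now:
            continue  # expired indicator: drop it rather than alert on stale data
        m = _SIMPLE.match(obj["pattern"].strip())
        if m:
            watch[m.group(2).lower()] = obj["id"]
    return watch

def match_dns_logs(lines, watch):
    """Return (line, indicator id) pairs where any query or answer token is on the watchlist."""
    hits = []
    for line in lines:
        for token in re.findall(r"[a-z0-9.:\-]+", line.lower()):
            if token in watch:
                hits.append((line, watch[token]))
                break
    return hits

def run_sample():
    return match_dns_logs(SAMPLE_DNS_LOGS, parse_bundle(SAMPLE_BUNDLE, SAMPLE_NOW))
```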




DugganUSA has tracked the Iran cyber conflict since March 6, 2026. Research folders on Cisco, Dell, Palantir, Stryker, Microsoft, and Oracle. 1,917 Iran-linked IOCs. 28 adversary profiles. 16 domains under daily surveillance. 275+ STIX feed consumers in 46 countries.


The IRGC published a kill list. We published the threat intel. Different lists. Same companies.



The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.
