Iranian Hackers Target Airlines and Oil Companies: What the New Wartime Espionage Campaign Means for You

On May 22, 2026, CNN reported that Iranian operatives are hunting inside the inboxes of American software engineers. The hackers are not breaking down digital doors. They are knocking politely, dressed as recruiters and meeting invitations, during an active war between the United States, Israel, and Iran.

The campaign, detailed in a same-day report by Palo Alto Networks Unit 42, is the work of an Iran-nexus group known as Screening Serpens, also tracked as UNC1549, Smoke Sandstorm, and Nimbus Manticore. Its targets include airlines, a United States oil and gas firm, and organizations in Israel and the United Arab Emirates. The goal is intelligence collection that supports the survival of the Iranian regime under U.S. and Israeli airstrikes.

This article explains the campaign in plain terms and shows why every professional with a LinkedIn profile is now a potential entry point.

How the Attack Works in Plain English

The hackers do not need a zero-day exploit. They need a curious job seeker. Their playbook follows a familiar shape.

• A senior engineer receives a polished message from a "recruiter" representing a well-known airline or technology brand.

• The message includes a job description, often written by artificial intelligence, with cliché-ridden corporate language.

• The target downloads an archive titled Hiring Portal or clicks a link to install a video conferencing tool.

• The installer quietly drops malware that turns off security logging and grants the attacker remote control.

In one variant, the group impersonated a United States airline. In another, the lure was a counterfeit meeting invitation that mimicked a popular video platform.

Why Airlines and Oil Companies

Iran cannot strike the American homeland with missiles or drones. It can, however, strike American keyboards. Compromising aviation and energy firms offers Tehran two strategic prizes.

• Flight visibility. Access to airline systems could reveal flight manifests for military and government travelers heading to the Middle East.

• Market intelligence. Access to oil and gas firms could expose how American companies are weathering a volatile wartime oil market.

In addition, software engineers in these sectors hold privileged access to source code, cloud environments, and partner networks. One compromised engineer can open a door that an entire firewall could not protect.

The Bigger Picture for Practitioners

This campaign does not stand alone. In April 2026, the Cybersecurity and Infrastructure Security Agency, the FBI, and the National Security Agency issued a joint advisory warning that Iran-affiliated actors were exploiting internet-exposed industrial controllers across water, energy, and government facilities. One week before the airline story broke, CNN reported Iranian breaches of fuel tank monitoring systems at American gas stations.

For military, intelligence, and policy professionals, the pattern is unmistakable. Iran is treating cyberspace as a substitute battlefield. The threat is patient, well-resourced, and aimed at people, not perimeters.

Practical Steps to Reduce Your Risk

Defenders can act now without a large budget.

• Train staff to verify recruiter outreach through an independent channel before opening attachments.

• Restrict installation of meeting applications to managed software only.

• Hunt for suspicious scheduled tasks and cloud-hosted command and control domains.

• Brief help desks on social engineering scripts that target credential resets.

Conclusion and How OSRS Can Help

Iran is hiring on LinkedIn, and the salary is your data. The new Screening Serpens campaign shows that asymmetric cyber operations now follow every airstrike and sanction. Therefore, every organization with engineering talent, energy exposure, or aviation ties must treat recruiter messages as a security event.

OSRS helps clients build resilience against these threats through tailored threat-intelligence briefings, social-engineering simulations, executive-protection assessments, and insider-risk programs. To request a confidential consultation, visit www.ogunsecurity.com.

Share this article with your network. Subscribe to the OSRS email list for weekly intelligence briefings.

Enjoyed this article? Stay informed by following us on Google News, Twitter, and LinkedIn for more exclusive cybersecurity insights and expert analyses.

Intelligence. Protection. Strategy.

Author Bio

Dr. Sunday Oludare Ogunlana is Founder and Chief Executive Officer of OGUN Security Research and Strategic Consulting (OSRS), a Professor of Cybersecurity, and a national security scholar who advises global intelligence and policy bodies. He writes on the intersection of state-sponsored cyber operations, critical infrastructure protection, and the human factors that shape modern espionage.