Security investigations by incident responders at FireEye's Mandiant in 2017 found more prolific and sophisticated attacks out of Iran. Iranian attackers in 2012 deployed the data-destruction Shamoon attacks on two Middle East targets including Saudi Aramco, which was the first signs of a more aggressive and evolving Iranian threat, he says. Today, the geopolitical cloud of questions over whether the US will continue the Iranian nuclear deal or reinstitute sanctions against Iran could ultimately elicit more destructive attacks against US financial organizations if things don't go Iran's way. Mandiant now considers Iran nation-state groups on par with other nation-states in terms of the pace and scale of their attacks, including employing Web server attacks that gather multiple victims. Carmakal says it's known that some Iranian groups have access to Western organizations, so the US could be next in line as a target of a destructive-type attack from Iran. That was all APT35 needed to read emails and steal data on Middle East organizations that they later targeted in data-destruction attacks, according to Mandiant.