Iran Escalates Cyber Warfare as Regional Conflict Intensifies
#Cybersecurity


Privacy Reporter
4 min read

Iranian hackers have launched sophisticated cyber attacks targeting Israel, Gulf states, and potentially US organizations as military tensions escalate in the Middle East.

Iran has launched a coordinated cyber warfare campaign targeting regional adversaries as military tensions escalate in the Middle East, with security researchers warning that American organizations should prepare for imminent digital attacks.


Digital Probing Precedes Military Action

The cyber offensive began well before the recent US and Israeli missile strikes, with Iranian threat actors conducting sophisticated reconnaissance operations across the region. Mobile app security firm Approov detected a "significant surge in highly sophisticated probing attacks against APIs and mobile applications" starting in early February, according to CEO Ted Miracco.

These reconnaissance missions targeted critical communication infrastructure for regional governments, with attackers "scouting and gauging regional infrastructure vulnerabilities" before the military conflict began. The probing activities ceased on February 27, coinciding with Iran's nationwide internet blackout that preceded the air and sea strikes.

State-Sponsored Malware Deployment

Binary Defense Director of Threat Intelligence JP Castellanos reports that Iran was "in the process of staging malware to target entities in Israel and the Middle East" prior to the military campaign. This staging of cyber weapons before execution represents standard operating procedure for state-sponsored threat actors preparing for conflict.

Check Point researchers identified Iranian-linked groups deploying custom malware, including WezRat - a modular infostealer delivered through spearphishing campaigns disguised as urgent software updates. Some intrusions were followed by WhiteLock ransomware deployments specifically targeting Israeli organizations, though researchers warn this activity could expand to other countries.

Ransomware and Disinformation Campaigns

The Iranian government has a documented history of collaborating with ransomware gangs, and this pattern reemerged during the summer 2025 conflict when state-sponsored actors offered substantial payments for successful infections against US and Israeli targets.

Multiple pro-Iran threat groups have claimed responsibility for compromising industrial control systems in Israel, Poland, Turkey, Jordan, and several Gulf states. Groups like APT IRAN have alleged cyber-sabotage operations against Jordan's critical infrastructure, while Cyber Islamic Resistance claims to have accessed Israeli internet routers.

However, security experts urge extreme caution regarding these claims, noting that "a significant portion of what you'll see is disinformation designed to amplify fear and uncertainty." Iran has repeatedly used social media to spread fake news and manipulate public opinion during conflicts, making it essential to verify attack claims through independent sources.

Targeting American Organizations

While Binary Defense has not yet confirmed attacks against US organizations, threat analysts emphasize that organizations should treat targeting as inevitable rather than possible. "Threat posture strongly suggests US-linked organizations should be treating this as a when, not an if," Castellanos stated.

Highest-risk organizations include:

  • Defense contractors with direct military connections
  • Government suppliers and partners
  • Organizations with Israeli ties through partnerships or shared infrastructure
  • Critical infrastructure operators
  • Companies using Israeli-made operational technology

Castellanos specifically warns about supply chain vulnerabilities, citing the 2023 CyberAv3ngers campaign that targeted Unitronics PLCs and HMIs specifically because they were Israeli-manufactured. This demonstrates how equipment origin can become a targeting factor in state-sponsored operations.

Historical Context and Capabilities

Iran's CyberAv3ngers group previously compromised multiple US water systems in 2023 using default passwords on internet-accessible programmable logic controllers. A second wave in 2024 employed custom malware to remotely control water and fuel management systems in both the US and Israel.
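The 2023 intrusions described above depended on two conditions at once: a PLC reachable from the internet, and a vendor-default password on it. The exposure half is visible in logs most organizations already collect. The following script is an added example, not code from the article or from any vendor or agency it cites; it scans a constructed set of firewall accept events for connections from outside the organization's own address ranges to common PLC/HMI protocol ports. The port-to-protocol table and the internal network ranges are assumptions for the example, and the sample log lines are constructed.

```python
"""
Added example: find PLC/HMI protocol ports that the firewall has allowed
traffic to from outside the organization's own networks.

Assumptions (not taken from the article):
  - OT_PORTS lists well-known default ports for three common PLC protocols.
  - INTERNAL_NETS is the set of address ranges treated as "inside".
  - SAMPLE_LOG is a constructed set of firewall events in a key=value style.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed default protocol ports; adjust to the vendors actually deployed.
OT_PORTS = {
    20256: "Unitronics PCOM/TCP",
    502: "Modbus/TCP",
    102: "Siemens S7comm (ISO-TSAP)",
}

# Assumed internal ranges (RFC 1918). Anything outside these is "external".
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample events. The 203.0.113.x / 198.51.100.x / 192.0.2.x
# sources are documentation ranges standing in for public internet addresses.
SAMPLE_LOG = """\
2026-03-01T02:14:07Z src=203.0.113.45 dst=10.20.5.12 dport=20256 action=ACCEPT
2026-03-01T02:14:09Z src=10.20.1.8 dst=10.20.5.12 dport=20256 action=ACCEPT
2026-03-01T02:15:31Z src=198.51.100.7 dst=10.20.5.13 dport=502 action=ACCEPT
2026-03-01T02:15:40Z src=198.51.100.7 dst=10.20.5.13 dport=502 action=DROP
2026-03-01T02:16:02Z src=192.0.2.200 dst=10.20.5.14 dport=443 action=ACCEPT
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposed_ot_endpoints(log_text: str) -> dict[tuple[str, int], set[str]]:
    """Return {(internal_host, port): {external sources}} for every ACCEPTed
    connection from an external address to an OT protocol port.

    Dropped connections and non-OT ports are ignored; internal-to-internal
    PLC traffic is expected and is not reported.
    """
    hits: dict[tuple[str, int], set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed or unrelated line; skip rather than guess
        src, dst, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if action != "ACCEPT" or dport not in OT_PORTS:
            continue
        if is_external(src):
            hits[(dst, dport)].add(src)
    return dict(hits)


def report(log_text: str) -> list[str]:
    """Human-readable lines, one per exposed (host, port) pair."""
    lines = []
    for (dst, dport), sources in sorted(exposed_ot_endpoints(log_text).items()):
        proto = OT_PORTS[dport]
        lines.append(
            f"{dst}:{dport} ({proto}) accepted from external {', '.join(sorted(sources))}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Each reported pair is a PLC or HMI that an attacker on the internet can reach without first compromising anything else; the next step is to confirm whether the device is still on the vendor's default credentials and to remove the inbound rule regardless. Running the same logic over real firewall or NetFlow exports only requires adapting `LINE_RE` to the local log format.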

Despite these intrusions, Google Threat Intelligence Group chief analyst John Hultquist notes that Iran has "historically had mixed results with disruptive cyberattacks" and frequently exaggerates their impact to boost psychological effects. "Though they can have serious impacts on individual enterprises, it's important to take their claims with a grain of salt."

Expected Attack Patterns

As the conflict continues, security experts anticipate Iran will employ disruptive cyberattacks focusing on "targets of opportunity and critical infrastructure." These operations will likely mirror Iran's cyber activities during the Israel-Hamas war, featuring:

  • Intelligence gathering and reconnaissance
  • Limited disruption attempts
  • Mass phishing campaigns
  • Data-wiping malware deployment
  • Ransomware used as a wiper-like disruption tool rather than for extortion

Google documented a "brief lull" in Iranian cyberespionage during initial military strikes, but digital snooping has already resumed. Additionally, hacktivist fronts tied to the Islamic Revolutionary Guard Corps are making threats about disruptive attacks throughout the region.

Defensive Recommendations

Organizations across all sectors should prepare for sustained elevated cyber activity. Castellanos recommends:

  • Ensuring all critical systems are fully patched
  • Reinforcing security awareness training for all staff
  • Monitoring supply chain vulnerabilities
  • Treating targeting as inevitable for high-risk organizations
  • Verifying attack claims through independent sources

"Expect elevated activity for the foreseeable future," Castellanos warned, emphasizing that defensive preparations should be treated as urgent priorities rather than future considerations.
