Monday, June 23, 2025

Widening Middle Eastern war increases cyber risk


With the United States entering a widening Middle Eastern conflict following a series of airstrikes against nuclear targets in Iran over the weekend, organisations across Europe and North America should be on high alert for the possibility of cyber attacks conducted by threat actors backed by or supportive of Iran.

Iranian threat actors have been highly engaged in attacking Israeli targets since the 7 October 2023 Hamas attacks, but in a series of warnings over the past 48 hours, government officials and cyber experts said that the likelihood of disruptive cyber attacks hitting US and allied targets, including in the UK, where the government has issued statements in support of president Trump’s airstrikes, has increased.

In a bulletin issued on Sunday 22 June via its National Terrorism Advisory System (NTAS), the US Department for Homeland Security said the ongoing Iran conflict was likely to cause an uptick in “low-level” cyber attacks against US networks by pro-Iranian hacktivists, while state-backed operators may also become increasingly active.

“Both hacktivists and Iranian government-affiliated actors routinely target poorly secured US networks and internet-connected devices for disruptive cyber attacks,” the alert said.

The alert also acknowledged that targets perceived to be Jewish, pro-Israel, or linked to the US government or military could be particularly at risk of cyber actions. The alert also warned of the possibility of attacks on critics of the Iranian regime.

“Iran already targets the US with cyber espionage which they use to directly and indirectly gather geopolitical insight and surveil persons of interest,” said John Hultquist, chief analyst at the Google Threat Intelligence Group.

“Persons and individuals associated with Iran policy are frequently targeted through organisational and personal accounts and should be on the lookout for social engineering schemes. Individuals are also targeted indirectly by Iranian cyber espionage against telecoms, airlines, hospitality, and other organisations who have data that can be used to identify and track persons of interest.”

Hultquist added: “Iran has had mixed results with disruptive cyber attacks and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact.

“We should be careful not to overestimate these incidents and inadvertently assist the actors. The impacts may still be very serious for individual enterprises, which can prepare by taking many of the same steps they would to prevent ransomware.”

James Turgal, vice president of global cyber risk and board relations at Optiv – who also spent over 20 years in law enforcement at the FBI – said the possibility of spillover from the conflict into civilian infrastructure was a definite concern.

“You can’t always control the third party or unintended consequences when malware and destructive code, such as wipers or ransomware, are used in offensive operations,” he explained.

“Because of the global interconnectedness of our software supply chain, these destructive attacks may propagate beyond intended targets, affecting global networks or multinational subsidiaries. For example, a cyber attack on a logistics company in Israel could unintentionally impact global shipping operations or foreign suppliers.”

Turgal added: “As both sides leverage state-aligned hacker groups, non-state actors may adopt similar tools or feel emboldened to launch their own campaigns globally. This can increase attacks on soft targets like schools, hospitals or small businesses.”

Based on the use of cyber-focused and kinetic military operations seen during the Ukraine war, Turgal said that a similar scenario may now be in play in the Middle East, “with unimaginable unintended consequences” including attacks on Western critical infrastructure targets.

Cyber a “reliable tool of retaliation” for Iran

Ariel Parnes, co-founder and chief operating officer of Mitiga, and a former colonel in Israel’s renowned cyber unit, told Computer Weekly that Iran knows full well the value of offensive cyber operations as a tool of warfare.

“Over the past few years, Iran has used cyber as a reliable tool of retaliation, targeting hospitals, utilities, and government systems across the US, Europe, and the Middle East. These operations aren’t random. They’re calculated, low-cost moves designed to create disruption, project power, and signal intent,” he said.

“Actors like APT34 and APT42, along with affiliated hacktivist fronts, go after both specific industries and the technologies they depend on. That includes energy, finance, and healthcare sectors, and platforms like Microsoft 365, Google Workspace, and cloud-native infrastructure. Their methods center on credential theft, phishing, and abusing misconfigurations – not flashy exploits, but persistent access.”

Parnes added: “In the wake of Operation Midnight Hammer, cyber retaliation should be expected. It is important to emphasise that in some cases, it may already be in motion: pre-positioned access waiting to be triggered, the so-called ‘red button’ play.

“Organisations should act now,” he said. “Raise awareness, tighten posture, improve detection, proactively hunt and exercise your response plans.”

Iran’s ties to Russia

Of additional concern to defenders should be the content of a January 2025 agreement signed between Moscow and Tehran, in which the Iranian government received commitments from the Russian regime to collaborate on cyber security matters.

Although this agreement ostensibly stipulated that the collaboration would help counter cyber criminal activity, the Russian government has long permitted financially motivated cyber gangs to operate from its territory with impunity, and its use of aggressive cyber tactics against key infrastructure targets in Ukraine over the past three years should leave defenders in no doubt that this collaboration could extend to tactical support for Iranian-fronted attacks.

At the same time, the security community is also concerned over the impact of cuts to America’s cyber security budget, especially at the keystone Cybersecurity and Infrastructure Security Agency (CISA), which has been threatened with cuts of $495m and may have to lay off up to 1,000 people.

The prevailing belief is that in slimming down CISA, the US leaves itself and its allies at greater risk of being less effective in mounting a coordinated response to a major, multinational nation-state cyber attack.


