Cybersecurity leaders are on high alert following the United States’ escalating action in the Middle East and are warning that Iran-linked actors could increase cyber activity targeting vulnerable systems and critical infrastructure.   

After U.S. strikes on Iran and the killing of Iranian Supreme Leader Ayatollah Ali Khamenei over the weekend, cyber experts said they are watching for everything from disruptive attacks to opportunistic intrusions. 

“Iran-linked cyber activity has historically been more opportunistic than highly sophisticated, but that doesn’t make it less dangerous – especially for critical infrastructure,” said Gary Barlet, public sector chief technology officer at Illumio.  

“While some level of cyber response is likely amid current tensions, it may not take the form of a highly coordinated, top-tier campaign,” Barlet added. Instead, he said that cyber operations are “an attractive, low-cost way to create psychological and operational effects, and Iran’s broader ecosystem of aligned hacktivist and proxy groups can act independently with DDoS attacks, defacements, or disruptive intrusions.” 

Adam Meyers, head of counter adversary operations at CrowdStrike, said that as of Monday morning, the cybersecurity company “has not observed large-scale state-sponsored cyber campaigns,” but has “observed a surge in claimed activity from Iran-aligned and sympathetic hacktivist groups.” 

However, Meyers noted that “much of the activity being publicized appears to be claim-driven rather than evidence-backed.” He explained that it is “common during periods of geopolitical escalation to see an increase in opportunistic hacktivism and low-level disruptive activity designed to generate attention.” 

Meyers recommended that critical infrastructure and financial sector organizations remain vigilant for activity that surpasses nuisance-level disruption.  

According to John Hultquist, chief analyst at Google Threat Intelligence Group, “Iranian cyberespionage has resumed after a brief lull during the initial military strikes.” 

“We expect Iran to target the U.S., Israel, and Gulf Cooperation Council countries with disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure,” Hultquist said. “Iran has historically had mixed results with disruptive cyberattacks, and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact.” 

He recommended that claims out of Iran be taken “with a grain of salt.” 

Meanwhile, researchers at Flashpoint said that a new cyber campaign dubbed “#OPIsrael,” made up of pro-Russian and pro-Iranian actors, was launched Monday to target critical infrastructure and exfiltrate data. While those actors have historically targeted Israel, the Fatimion Cyber Team has targeted Arab states perceived as U.S. allies, according to Flashpoint. 

To protect against increased risk of cyber operations, Barlet said that organizations should shore up exposed systems and easy points of entry. That means validating patches, eliminating default passwords, hardening multifactor authentication, reducing exposed services, and closely monitoring logs and alerts.  

“The risk isn’t necessarily cutting-edge tradecraft; it’s the impact of exploiting weak fundamentals,” Barlet said. 

U.S. defense officials said on Monday that the Pentagon’s involvement in Iran is just beginning. While Defense Secretary Pete Hegseth said that there will be no years-long wars in the region, he expects more to unfold over the coming weeks. 

In the meantime, these increasing cyber threats come as much of the Cybersecurity and Infrastructure Security Agency workforce is furloughed during the Department of Homeland Security shutdown. In a statement, Rep. Matt Van Epps, R-Tenn., said that low staffing levels are “putting our nation’s critical infrastructure at risk, especially considering Tehran’s history of retaliatory cyber attacks.” 

Secretary of Homeland Security Kristi Noem confirmed in a statement on Monday that federal officials are watching for possible threats. 

“I am in direct coordination with our federal intelligence and law enforcement partners as we continue to closely monitor and thwart any potential threats to the homeland,” Noem said. 

Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.