Iranian hackers have launched spying expeditions, digital probes, and distributed denial of service (DDoS) attacks in the wake of the US and Israel launching missile strikes over the weekend, and security researchers urge organizations to expect more cyber intrusions as the war continues.
Most of the cyber activity so far has targeted Israel and Persian Gulf countries – and some of this began well before military campaigns – but threat intel analysts tell The Register that digital attacks against American organizations are inevitable.
Mobile app security firm Approov noted a “significant surge in highly sophisticated probing attacks against APIs and mobile applications that provide critical communication links for regional governments,” according to company CEO Ted Miracco. “We have analytical indications that the presumed Iranian actors were scouting and gauging regional infrastructure vulnerabilities.”
These probes began in early February, he told The Register, and while Approov can’t comment on the specific apps or countries targeted, “we can state that it is in the direct region of conflict,” Miracco said. The probes stopped on February 27, he added, which may be linked to the internet blackout across all of Iran at the start of the war.
Iran also appeared to be “in the process of staging malware to target entities in Israel and the Middle East” prior to the air and sea strikes, according to Binary Defense Director of Threat Intelligence JP Castellanos. “This is pretty common for threat actors to stage their tools before executing.”
DDoS, disinfo, and ransomware
Check Point researchers said that, in the months leading up to the conflict, they observed digital intrusions deploying malware linked to an Iranian threat group they track as Cotton Sandstorm (aka Haywire Kitten), affiliated with the Islamic Revolutionary Guard Corps (IRGC).
“The actors routinely use WezRat, a custom modular infostealer delivered via spearphishing campaigns that masquerade as urgent software updates,” the researchers wrote in a Sunday advisory. “In some cases, intrusions were followed by deploying WhiteLock ransomware specifically against Israeli targets, though there is nothing that prevents them from expanding this activity to other countries.”
Iran’s government-backed crews have a history of working with ransomware gangs, and we saw state-sponsored ransomware attempts reemerge during the summer 2025 conflict, offering big bucks for infections against US and Israeli orgs.
Also over the weekend, Check Point says Cotton Sandstorm revived its cyber persona, Altoufan Team, after a year of silence, to claim new alleged targets in Bahrain. “This reflects the reactive nature of the actor’s campaigns and a high probability of their further involvement in intrusions across the Middle East amid the conflict,” the security shop wrote.
In addition to Cotton Sandstorm, multiple pro-Iran threat groups claim to have compromised industrial control systems in Israel, Poland, Turkey, Jordan, and other Gulf countries.
“For example, APT IRAN has claimed a cyber-sabotage operation against Jordan’s critical infrastructure,” Castellanos said. “Cyber Islamic Resistance has also claimed access to Israel-based internet routers.”
And while Binary Defense hasn’t independently verified the attackers’ claims, “this type of activity is consistent with Iran’s well-documented use of information operations and influence campaigns,” he added. “This is important context because many of these groups are engaging in significant disinformation.”
Iran has a history of spreading disinformation and fake news via social media posts to manipulate public opinion, and this type of activity tends to get louder during times of conflict, such as the air strikes launched by the US and Israel last year intended to destroy Iran’s nuclear capabilities.
“Be especially cautious about claims of attacks circulating on social media as a significant portion of what you’ll see is disinformation designed to amplify fear and uncertainty, which is itself part of Iran’s playbook,” Castellanos said.
While Binary Defense hasn’t seen any confirmed targeting of US organizations at this point in the conflict, “threat posture strongly suggests US-linked organizations should be treating this as a when, not an if,” Castellanos noted.
“The organizations we’d consider highest risk are those with direct connections to the US military, such as defense contractors and government suppliers,” he said. “Similarly, organizations with ties to Israel through partnerships, subsidiaries, or shared infrastructure should be on heightened alert.”
He also urges critical infrastructure and other high-value targets to keep a close eye on their supply chains. “Companies using Israeli-made operational technology or industrial equipment could become indirect targets,” Castellanos said. “We’ve seen this playbook before, where the equipment’s origin became a factor in targeting decisions such as the 2023 campaign by CyberAv3ngers which targeted Unitronics PLCs and HMIs because they were Israeli-made.”
In 2023, Iran’s CyberAv3ngers carried out intrusions across multiple US water systems, relying on default passwords for internet-accessible programmable logic controllers.
In a second round of attacks in 2024, the Islamic Revolutionary Guard Corps-linked crew used custom malware to remotely control US and Israel-based water and fuel management systems.
But aside from posting videos bragging about the intrusions on their Telegram sites, the attackers didn’t really do anything with the access they gained to these critical systems.
“Iran has historically had mixed results with disruptive cyberattacks, and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact,” John Hultquist, Google Threat Intelligence Group chief analyst, told The Register. “Though they can have serious impacts on individual enterprises, it’s important to take their claims with a grain of salt.”
Still, Hultquist said he does expect Iran to target US, Israel, and Gulf Cooperation Council countries using “disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure.”
These attacks will likely resemble Iran’s cyber operations during the Israel-Hamas war, with intel-gathering, limited disruption, and mass phishing campaigns ongoing before the bombing began, followed by data-wiping malware and other disruptive attacks to aid kinetic warfighters. “In many cases, their operations will be functionally similar to ransomware,” Hultquist said.
And while Google documented a “brief lull” in Iranian cyberespionage during the initial military strikes, the digital snoops have already resumed their activities, he added. Plus “hacktivist fronts with ties to the IRGC are making claims and threats about disruptive attacks in the region,” Hultquist said.
As the war continues, on the ground and in cyberspace, organizations can “expect elevated activity for the foreseeable future,” Castellanos said. “Organizations should ensure all critical systems are fully patched and use this moment to reinforce security awareness training with staff.” ®