Most of the cyber activity to date has focused on Israel and the Persian Gulf countries – and some of it started well before the military campaigns – but threat intelligence analysts tell The Register that digital attacks on American organizations are inevitable.
Mobile app security firm Approov noted a “significant increase in highly sophisticated intrusive attacks on APIs and mobile applications that provide critical communications links for regional governments,” according to Ted Miracco, the company’s CEO. “We have analytical evidence that the suspected Iranian actors were exploring and probing the vulnerabilities of the regional infrastructure.”
These probes began in early February, he told The Register, and while Approov cannot comment on the specific apps or countries targeted, “we can say it is in the immediate conflict region,” Miracco said. The probes stopped on February 27, he added, which may be related to the internet outage throughout Iran at the start of the war.
Iran also appeared “to be organizing malware to target entities in Israel and the Middle East” prior to the air and naval strikes, according to Binary Defense Director of Threat Intelligence JP Castellanos. “It is quite common for threat actors to stage their instruments before executing them.”
DDoS, disinfo and ransomware
Check Point researchers said that in the months leading up to the conflict they had observed digital break-ins involving malware tied to an Iranian threat group the firm tracks as Cotton Sandstorm (aka Haywire Kitten), which is affiliated with the Islamic Revolutionary Guard Corps (IRGC).
“The actors routinely use WezRat, a customized modular infostealer delivered via spearphishing campaigns masquerading as urgent software updates,” the researchers wrote in a Sunday advisory. “In some cases, intrusions have been followed by the deployment of WhiteLock ransomware specifically against Israeli targets, although nothing prevents them from expanding this activity to other countries.”
Iranian government-backed crews have a history of working with ransomware gangs, and state-backed ransomware attempts resurfaced during the conflict in the summer of 2025, during which a lot of money was paid for infections against American and Israeli organizations.
Also this weekend, Check Point says Cotton Sandstorm has revived its cyber persona, Altoufan Team, after a year of silence, to claim new alleged targets in Bahrain. “This reflects the reactive nature of the actor’s campaigns and a high likelihood of their further involvement in intrusions in the Middle East during the conflict,” the security firm wrote.
In addition to Cotton Sandstorm, several pro-Iranian threat groups claim to have compromised industrial control systems in Israel, Poland, Turkey, Jordan and other Gulf countries.
“For example, APT IRAN has claimed a cyber sabotage operation against Jordan’s critical infrastructure,” Castellanos said. “The cyber-Islamic resistance has also claimed access to Israeli-based internet routers.”
And while Binary Defense has not independently verified the attackers’ claims, “this type of activity is consistent with Iran’s well-documented use of information operations and influence campaigns,” he added. “This is important context because many of these groups engage in significant disinformation.”
Iran has a history of spreading disinformation and fake news via social media posts to manipulate public opinion, and this type of activity tends to get louder in times of conflict, such as the airstrikes launched by the US and Israel last year, aimed at destroying Iran’s nuclear capabilities.
“Be especially careful with claims of attacks circulating on social media, as a significant portion of what you will see is disinformation designed to increase fear and uncertainty, which is itself part of the Iranian playbook,” Castellanos said.
While Binary Defense has not seen any confirmed attacks on U.S. organizations at this point in the conflict, “the threat posture strongly suggests that U.S.-affiliated organizations should treat this as a when, not an if,” Castellanos noted.
“The organizations we consider most at risk are those with direct connections to the U.S. military, such as defense contractors and government suppliers,” he said. “Similarly, organizations with ties to Israel through partnerships, subsidiaries or shared infrastructure should be extra vigilant.”
He also urged critical infrastructure operators and other high-value targets to keep a close eye on their supply chains. “Companies that use Israeli-made operational technology or industrial equipment could become indirect targets,” Castellanos said. “We’ve seen this playbook before, with equipment origins becoming a factor in targeting decisions, like CyberAv3ngers’ 2023 campaign, which targeted Unitronics PLCs and HMIs because they were Israeli-made.”
In 2023, Iran’s CyberAv3ngers spread intrusions across multiple U.S. water systems, relying on default passwords on internet-accessible programmable logic controllers.
In a second round of attacks in 2024, the IRGC-affiliated crew used custom malware to remotely control American and Israeli water and fuel management systems.
But aside from posting videos bragging about the breaches on their Telegram sites, the attackers actually did nothing with the access they gained to these critical systems.
“Iran has historically had mixed results with disruptive cyberattacks, often fabricating and exaggerating their effects in an attempt to magnify their psychological impact,” John Hultquist, chief analyst at Google Threat Intelligence Group, told The Register. “While they could have serious consequences for individual businesses, it is important to take their claims with a grain of salt.”
Still, Hultquist said he expects Iran to target U.S., Israel and Gulf Cooperation Council countries using “disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure.”
These attacks are likely to resemble Iran’s cyber operations during the war between Israel and Hamas, with information gathering, limited disruption, and massive phishing campaigns under way before the bombardment began, followed by wiper malware and other disruptive attacks in support of kinetic operations. “In many cases, their activities will be functionally similar to that of ransomware,” Hultquist said.
And while Google documented a “brief lull” in Iranian cyber espionage during the initial military attacks, the digital snoopers have already resumed their activities, he added. In addition, “hacktivist fronts linked to the IRGC are making claims and threats about disruptive attacks in the region,” Hultquist said.
As the war continues, both on the ground and in cyberspace, organizations “can expect increased activity in the near future,” Castellanos said. “Organizations should ensure all critical systems are fully patched and use this moment to strengthen staff security awareness training.” ®