When missiles and airstrikes dominate the headlines, the parallel battle in cyberspace often goes unnoticed. That changed on Monday when Britain's National Cyber Security Centre (NCSC) issued a formal advisory telling organisations to review and strengthen their digital defences in light of the rapidly escalating conflict in the Middle East.
The warning is significant not only for British businesses, but for Australian organisations with supply chains, offices, or partnerships in the region. Geopolitical cyber spillover does not respect national boundaries, and Australia's own security agencies have long flagged Iranian state actors as a concern for local infrastructure.
What the NCSC Said
The NCSC's advisory, published Monday, was careful with its language. There is "likely no current significant change in the direct cyber threat from Iran to the UK," the agency said, but added that due to "the fast-evolving nature of the conflict, this assessment may be subject to change." What the agency was less equivocal about was indirect risk: the NCSC assessed there was "almost certainly a heightened risk of indirect cyber threat" for organisations and entities with a presence or supply chains in the Middle East.
Jonathon Ellison, the NCSC's director for national resilience, put the message plainly. "It is critical that all UK organisations remain alert to the potential risk of cyber compromise, particularly those with assets or supply chains that are in areas of regional tensions," he said, adding that organisations are "strongly encouraged to act now" to strengthen their cybersecurity posture.
The practical guidance includes reviewing what systems are exposed to the internet, tightening access controls, and preparing for the full range of Iran-linked tactics. The NCSC urged organisations to "prepare to respond to the risk of collateral impacts from Iran-linked hacktivists" by reviewing previously issued guidance on DDoS attacks, phishing activity, and the targeting of industrial control systems. Organisations are also urged to enforce multi-factor authentication and ensure offline backups are in place.
The Backdrop: A Near-Total Digital Blackout
The advisory comes against the backdrop of one of the most dramatic convergences of kinetic and digital warfare in recent memory. Coordinated military strikes involving the United States and Israel targeted locations in Iran on 28 February 2026. International media sources confirmed that Iran's Supreme Leader, Ayatollah Ali Khamenei, was killed in the strikes. Iran subsequently launched retaliatory missile and drone attacks across the region.
On 28 February, amid the Israeli-United States strikes, NetBlocks reported internet connectivity in Iran dropping to 4% of ordinary levels. The Iranian government blocked access to the internet, leading to a 97% fall in internet usage. Additional data from Cloudflare Radar showed traffic "close to zero across all major regions," with Tehran, Fars, Isfahan, Alborz, and Razavi Khorasan experiencing a "near-complete shutdown."
Reports also suggest that US and Israeli actors carried out cyberattacks on Iranian internet infrastructure alongside airstrikes, targeting multiple government-aligned Iranian news websites. The popular BadeSaba religious calendar app, with over five million downloads, was also reportedly compromised, displaying alerts urging the armed forces to "give up weapons and join the people."
The NCSC noted that even though most of Iran is dealing with a widespread internet blackout imposed by the Iranian regime, state-sponsored hacking groups are likely still able to attack targets, stating that "Iranian state and Iran-linked cyber actors almost certainly currently maintain at least some capability to conduct cyber activity."
How Capable Are Iranian Cyber Actors?
Iran's cyber operators are typically viewed as less advanced than those of major state adversaries in Beijing and Moscow, and their track record reflects that. Most of what has been traced back to Tehran has looked more like spying and digital vandalism than lights-out sabotage. But that assessment comes with an important caveat in the current environment.
Security firm SentinelOne, in a threat intelligence brief, issued a stark near-term assessment. "Given the rapid escalation of geopolitical tensions, we assess that Iranian state-aligned cyber activity is likely to intensify in the near-term based on a long track record of leveraging cyber operations for asymmetric retaliation, coercive signalling, and strategic messaging," the company said.
Iran's cyber history shows both intent and a willingness to cause real damage. Tehran has repeatedly used cyber operations as retaliation, from disabling US financial websites between 2011 and 2013 to wiping data from the Las Vegas Sands casino in 2014. In July 2022, Iranian state hackers launched a destructive attack on Albanian government networks, combining ransomware, extortion, and data-wiping tactics while masquerading as a fictitious hacktivist group.
Cybersecurity firm Sophos noted that Iranian actors typically use password spraying, credential harvesting, and targeted data exfiltration, and warned that destructive malware or ransomware cannot be ruled out during crises. Separately, CrowdStrike told CNBC that it was "already seeing activity consistent with Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating denial-of-service attacks."
The Australian Dimension
While the NCSC alert is addressed to British organisations, the relevance to Australia is real. Australia already faces a heightened global cyber threat environment driven by geopolitical tensions in the Middle East, Ukraine, and the Indo-Pacific, and recent global events have shown that organisations must be prepared for state-based actors pre-positioning for disruptive attacks against critical infrastructure.
The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) has previously co-signed joint international advisories warning about Iranian threat actor tactics. The AFP and the ASD's ACSC released a joint advisory describing the "brute force" tactics of Iranian threat actors against critical infrastructure entities. That history suggests Australian businesses with exposure to the region should treat the current moment as a prompt for review, even absent a specific domestic advisory.
The ACSC's most recent annual report found the centre responded to over 1,200 cybersecurity incidents in FY2024-25, an 11% increase, and notified entities more than 1,700 times of potentially malicious cyber activity, an 83% increase from the prior year. The baseline threat to Australian organisations was already rising before this week's escalation.
A Measured Warning, Not a Prediction of Disaster
It is worth being clear about what the NCSC alert does and does not say. It is not a prediction that Iranian hackers are about to take down power grids or financial systems in allied countries. The agency explicitly acknowledged that the direct threat to the UK has not significantly changed. What it is saying is that the speed of events means the picture could shift quickly, and that the cost of preparation is far lower than the cost of being caught unprepared.
Those who argue for a more cautious public posture on these alerts have a point: crying wolf repeatedly can breed complacency, and organisations with thin IT budgets face genuine trade-offs when asked to prioritise security uplift. Small and medium enterprises, in particular, can struggle to act on broad advisories without more targeted guidance about which sectors face the most plausible risks.
The pragmatic read is this: organisations with demonstrable exposure to the Middle East through staff, suppliers, or technology vendors should treat this week as the prompt to do the basics. Reviewing risk posture, increasing monitoring, enforcing multi-factor authentication, ensuring offline backups are in place, and having critical national infrastructure operators revisit contingency plans are all reasonable, proportionate steps. For those with no such exposure, the alert is a reminder that the cyber threat environment is fluid, and that security hygiene is never wasted. The ASD's ACSC remains the primary point of contact for Australian organisations seeking guidance.