Three days into the US–Israel military campaign against Iran, a parallel conflict is taking shape in cyberspace, and security researchers are urging organisations well beyond the Middle East to assume they are already in the crosshairs.
Iranian hackers have launched espionage operations, digital probes, and distributed denial-of-service (DDoS) attacks in the wake of the US and Israeli missile strikes, and researchers expect the intrusions to escalate as the war continues. The kinetic campaign began on 28 February, when the United States and Israel initiated coordinated airstrikes across Iran, targeting military installations, missile facilities, nuclear sites, and high-level officials, resulting in the deaths of Supreme Leader Ali Khamenei and several other leaders.
Most cyber activity so far has targeted Israel and the Persian Gulf states, and some of it predates the military campaign. Mobile app security firm Approov told The Register it detected a significant surge in sophisticated probing of APIs and mobile applications that provide critical communication links for regional governments; the pattern of the probes suggested the presumed Iranian actors were mapping regional infrastructure and gauging its weaknesses rather than attempting immediate disruption. Those probes reportedly began in early February, weeks before the first bombs fell.
Iran also appeared to be staging malware against entities in Israel and the wider Middle East before the strikes, according to Binary Defense Director of Threat Intelligence JP Castellanos. "This is pretty common for threat actors to stage their tools before executing," he said. According to The Register, Check Point researchers observed intrusions deploying malware linked to the IRGC-affiliated Iranian threat group known as Cotton Sandstorm. The group routinely uses WezRat, a custom modular infostealer delivered through spearphishing campaigns that masquerade as urgent software updates. In some cases those intrusions were followed by deployment of WhiteLock ransomware specifically against Israeli targets.
Between 28 February and 1 March, over 150 hacktivist incidents were claimed across open channels monitored by CloudSEK, dominated by DDoS, website defacement, and claimed data-breach operations against government, financial, aviation, and other critical infrastructure targets in the region. Cybersecurity firm Flashpoint told SecurityWeek that Iran is conducting what hackers call "The Great Epic" cyber campaign, with threat groups claiming to have targeted fuel infrastructure in Jordan and industrial control systems in Israel.
Adam Meyers, head of counter adversary operations at CrowdStrike, said the company was "already seeing activity consistent with Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating DDoS attacks." Meyers noted that in past conflicts, Iran-backed groups have aligned their activity with broader strategic objectives, choosing targets in energy, critical infrastructure, finance, telecommunications, and healthcare where disruption generates the most pressure and visibility. A threat actor tracked as Hydro Kitten has also made specific threats against the financial services sector.
The threat to Western organisations is not theoretical. Castellanos told The Register that while Binary Defense had not yet confirmed targeting of US organisations, multiple pro-Iran groups are claiming to have compromised industrial control systems in Israel, Poland, Turkey, Jordan, and several Gulf states. APT IRAN has claimed a cyber-sabotage operation against Jordan's critical infrastructure, and Cyber Islamic Resistance has claimed access to Israel-based internet routers. None of those claims has been independently verified, and deliberate exaggeration is central to Iran's strategy. "Be especially cautious about claims of attacks circulating on social media," Castellanos warned, "as a significant portion of what you'll see is disinformation designed to amplify fear and uncertainty, which is itself part of Iran's playbook."
That caveat matters. John Hultquist, chief analyst at Google's Threat Intelligence Group, told The Register that Iran has "historically had mixed results with disruptive cyberattacks, and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact." Though attacks can have serious impacts on individual enterprises, "it's important to take their claims with a grain of salt," he said.
Still, Hultquist expects Iran to target the US, Israel, and Gulf Cooperation Council countries with disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure. Those attacks are likely to follow the pattern of Iran's cyber operations during the Israel-Hamas war: intelligence-gathering, limited disruption, and mass phishing campaigns before the bombing, followed by data-wiping malware and disruptive attacks timed to support kinetic operations.
For organisations assessing their exposure, Castellanos identifies clear risk tiers. Those with direct connections to the US military, including defence contractors and government suppliers, are at greatest risk. Iran has targeted US critical infrastructure in the water, energy, financial, and healthcare sectors for many years, most notably CyberAv3ngers' attacks on water systems following the start of the Gaza War in October 2023. Supply chains add another layer: companies using Israeli-made operational technology can become indirect targets, as happened during the 2023 CyberAv3ngers campaign, which singled out Unitronics programmable logic controllers precisely because they were Israeli-made. The practical lesson of that campaign is that the affected devices were reachable from the internet and still carried vendor default credentials, so the attackers needed no exploit at all.
The question of Australian exposure is not idle. The Australian Strategic Policy Institute argues that for countries such as Australia, the question is not just who prevails militarily in Tehran but whether national systems could absorb sustained, systemic cyber-physical pressure and continue to function. ASPI notes that sophisticated adversaries position themselves inside critical networks long before a crisis surfaces, creating what former Australian Signals Directorate director-general Rachel Noble described as "digital dynamite."
Adding to the concern is the condition of America's own cyber defences. The Cybersecurity and Infrastructure Security Agency (CISA) has been operating with sharply reduced staffing because of a funding lapse, and observers have warned that a shooting war with Iran is the worst possible moment for Washington's cyber agency to be short-handed. The UK's National Cyber Security Centre has already urged British businesses to take precautions, warning all organisations to remain alert to the risk of cyber compromise, particularly those with assets or supply chains in areas of regional tension.
An honest appraisal of Iran's cyber capability sits somewhere between alarmism and dismissal. Iran's IRGC and Ministry of Intelligence operate well-documented advanced persistent threat groups with a real track record of attacks on water treatment plants, industrial control systems, and financial institutions. At the same time, their tendency to overstate operational success means the drumbeat of claimed attacks should be filtered carefully. Previous periods of direct military escalation in the Middle East have coincided with surges in activity by state-aligned and ideologically motivated threat actors, and during heightened tensions Iran-linked actors have shown a willingness to conduct both disruptive and psychologically oriented operations.
For Australian businesses with US defence partnerships, Israeli technology in their supply chains, or exposure to Gulf energy markets, the practical guidance is clear and proportionate: patch internet-facing and critical systems, remove operational technology from direct internet exposure and replace default credentials, reinforce security awareness training with the fake-software-update lure in mind, scrutinise supply chains, and treat unverified claims of infrastructure attacks with caution. The cyber dimension of this conflict is real. Its full scale remains to be seen.