The weekend's expanding conventional war in Iran also saw the U.S.-Israel side and Iran trading cyberattacks, as security experts told SC Media that the continued degradation of Iranian forces has increased the likelihood that Iran and its many proxies worldwide will retaliate via cyberattacks.

Iran has targeted critical infrastructure in the U.S. water, energy, financial, and healthcare sectors for many years, most notably the Cyber Av3ngers targeting water systems in the U.S. following the start of the Gaza War in October 2023.

While widespread DDoS attacks are anticipated as a symbolic demonstration of power, security experts said the more significant danger from Iranian threat actors stems from wiper malware and the exploitation of internet-accessible industrial control systems.

“With conventional military options largely off the table, cyber is Iran's primary asymmetric weapon right now,” said Denis Calderone, chief technology officer at Suzu Labs. “Organizations in energy, water, financial services, and defense should be operating at heightened alert and actively hunting for indicators of pre-positioned access in their environments. Don't wait for the attack to start before you start looking.”
Calderone added that he’s most concerned about APT34, also known as OilRig, Earth Simnavaz, and Helix Kitten, which has gone conspicuously quiet during this most recent crisis. The group, active since 2012, targets critical industries such as finance, energy, telecom and government agencies.

“Threat intelligence reporting suggests that silence likely means pre-positioning, not inactivity,” said Calderone.

Damon Small, a board member at Xcape, Inc., added that while there were reports over the weekend of U.S.-Israeli DDoS cyberattacks on Iranian command structures and state media outlets, the reported drop in Iranian internet utilization to 4% was largely a government-imposed “kill switch” by the regime.

“This tactic is reminiscent of the 2025 Twelve-Day War,” said Small. “It serves as a defensive ‘digital bunker’ aimed at preventing the dissemination of location data, hindering internal protest coordination, and obscuring events from international scrutiny during kinetic operations. It also serves to free up network infrastructure for offensive campaigns against the U.S. and its allies. Consequently, for U.S. forces, every internet-connected device represents a potential ‘front line’ as Iran attempts to inflict psychological damage domestically to compensate for battlefield setbacks.”

Matthew Andriani, chief executive officer at MazeBolt, added that recent reports of disruptive cyber activity in Iran are a reminder that DDoS is now a frontline tool in regional conflict, but it cuts both ways.

"U.S., Israel, and Israel-linked organizations are equally exposed to retaliatory high-volume and application-layer attacks during periods of heightened tension," said Andriani.
"It's no longer just about the volume of the attack traffic, it's the sophistication of these AI-controlled attacks that presents the real challenge to mitigate."

Ted Miracco, chief executive officer at Approov, said that while much of the public focus is on the conventional military strikes, the digital battlefield had been simmering for weeks. Miracco said that in the two weeks leading up to this weekend’s events, his team observed a significant surge in highly sophisticated probing attacks against APIs and mobile applications that provide critical communication links for regional governments.

"These weren't random attempts, they were determined, highly 'deft' maneuvers designed to evade initial defenses," said Miracco. "Our threat analytics suggest the presumed Iranian actors were mapping regional infrastructure vulnerabilities.”

Randolph Barr, chief information security officer at Cequence Security, pointed out that Iran has historically demonstrated a strong capability in cyber operations, often leveraging credential theft, social engineering, and access via federated identity systems.

“What makes their tactics especially dangerous is their tendency to abuse federated and third-party access, essentially exploiting trusted relationships and integrations to move laterally and persist undetected,” said Barr.

Barr said security teams should focus on the following:

- Review federation controls and third-party integrations: Ensure identity federation (SSO, SAML, OAuth) has been hardened and validate that third-party applications only have the minimal access required.
- Implement MCP-style continuous session validation: Move beyond one-time authentication and continuously verify trust throughout a session.
- Simulate geopolitical threat scenarios: Test the company’s incident response and business continuity plans against scenarios involving nation-state tactics, particularly those aligned with Iran’s known behaviors.

“Cyber conflict is no longer hypothetical,” said Barr. “It’s strategic and targeted. Organizations need to prepare not just for a direct hit, but for sophisticated campaigns that exploit the gaps between identity, access, and trust.”
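As a concrete illustration of the first two recommendations above (least-privilege review of third-party federated app grants, and re-validating trust throughout a session rather than only at login), here is an added example written for this page. It is not code from the article, from Cequence Security, or from any identity provider: the grants, sessions, scope names, risk policy and thresholds are all constructed for illustration, and the policy reflects assumptions a practitioner would tune to their own tenant.

```python
"""Added example (not from the article or any vendor): audit third-party app
grants against a least-privilege policy, and re-check session trust per request.
All sample data, scope names and policy thresholds are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time for the sample data.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

# Assumed policy: scopes that grant persistent, broad, or write access to tenant data.
HIGH_RISK_SCOPES = {
    "offline_access",          # refresh tokens keep access alive after the user logs out
    "Directory.ReadWrite.All",
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
    "User.ReadWrite.All",
}

# Assumed allowlist: the scopes each category of integration legitimately needs.
ALLOWED_BY_PURPOSE = {
    "calendar-sync": {"Calendars.Read", "User.Read"},
    "chat-bot": {"User.Read", "Chat.Read"},
}


@dataclass
class AppGrant:
    app_id: str
    purpose: str
    scopes: set[str]
    granted_by: str            # "admin" or "user" consent
    last_used: datetime
    verified_publisher: bool


def audit_grant(grant: AppGrant, now: datetime = NOW,
                stale_after: timedelta = timedelta(days=90)) -> list[str]:
    """Return the findings for one grant; an empty list means it passes the policy."""
    findings = []
    excess = grant.scopes - ALLOWED_BY_PURPOSE.get(grant.purpose, set())
    if excess:
        findings.append(f"scopes beyond what '{grant.purpose}' needs: {sorted(excess)}")
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky:
        findings.append(f"high-risk scopes: {sorted(risky)}")
    if risky and grant.granted_by == "user":
        findings.append("high-risk scopes granted by user consent; require admin consent")
    if not grant.verified_publisher:
        findings.append("publisher not verified")
    if now - grant.last_used > stale_after:
        findings.append(f"not used in {stale_after.days} days; revoke")
    return findings


# Constructed sample: one tightly scoped admin-approved app, one over-privileged bot.
SAMPLE_GRANTS = [
    AppGrant("app-cal-01", "calendar-sync", {"Calendars.Read", "User.Read"},
             "admin", NOW - timedelta(days=2), True),
    AppGrant("app-bot-02", "chat-bot",
             {"User.Read", "Chat.Read", "offline_access", "Mail.ReadWrite"},
             "user", NOW - timedelta(days=120), False),
]


def run_audit(grants: list[AppGrant] = SAMPLE_GRANTS) -> dict[str, list[str]]:
    """Map each app id to its findings."""
    return {g.app_id: audit_grant(g) for g in grants}


@dataclass
class Session:
    user: str
    issued_at: datetime
    last_auth: datetime        # last time the user proved possession of a factor
    device_id: str
    country: str


def validate_session(session: Session, req_device_id: str, req_country: str,
                     now: datetime = NOW, max_age: timedelta = timedelta(hours=8),
                     reauth_after: timedelta = timedelta(hours=1)) -> tuple[bool, str]:
    """Re-check trust on every request rather than only at login.
    Checks run in a fixed order; the first failure is reported."""
    if now - session.issued_at > max_age:
        return False, "session exceeded maximum lifetime"
    if req_device_id != session.device_id:
        return False, "device binding mismatch"
    if req_country != session.country:
        return False, "geolocation changed mid-session"
    if now - session.last_auth > reauth_after:
        return False, "step-up re-authentication required"
    return True, "ok"


# Constructed sessions: one fresh, one whose last authentication is too old.
SAMPLE_SESSION = Session("alice", NOW - timedelta(minutes=30),
                         NOW - timedelta(minutes=30), "dev-A", "US")
SAMPLE_SESSION_STALE = Session("alice", NOW - timedelta(hours=2),
                               NOW - timedelta(hours=2), "dev-A", "US")

if __name__ == "__main__":
    for app_id, findings in run_audit().items():
        print(app_id, findings or "OK")
    print(validate_session(SAMPLE_SESSION, "dev-A", "US"))
    print(validate_session(SAMPLE_SESSION, "dev-B", "US"))
    print(validate_session(SAMPLE_SESSION_STALE, "dev-A", "US"))
```

In practice the grant records would come from the identity provider's consent or service-principal inventory and the session checks would run in the gateway or application middleware; the point of the example is that both the scope comparison and the per-request trust check are cheap, deterministic, and easy to feed into an alerting pipeline.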