Critical Infrastructure Security

Cyber lessons from the recent escalation of tensions in the Middle East


COMMENTARY: Today, we face a crisis with Iran around its nuclear capabilities. But amid the uncertain phase we’re now in, it’s also important to remember that Iran’s cyber capabilities have become a central pillar of its warfare strategy, designed to compensate for its conventional military limitations and expand its regional influence.

Following the Stuxnet attack in 2010, which exposed vulnerabilities in its nuclear infrastructure, Iran launched a concerted effort to build cyber power. It established entities like the Supreme Council on Cyberspace and the Cyber Defense Command and began cultivating state-sponsored groups such as APT33, APT34, APT35, and APT42.


These collectives carry out not just traditional espionage activities, but also sabotage and disinformation operations targeting the U.S., Israel, and their allies in sectors such as finance, healthcare, energy, and water.

Iranian-linked cyber operations have evolved from website defacements and DDoS attacks to ransomware campaigns and attempted physical sabotage. Notable examples include Operation Ababil’s disruption of U.S. banks (2011–2013), the Shamoon malware attacks on Saudi Aramco, attempts to poison Israeli water supplies in 2020, and the 2021 intrusion targeting Boston Children’s Hospital.

Iran’s cyber strategy often blends ideological motives with real-world disruption and psychological warfare. Google’s Threat Intelligence Group has linked Iranian actors to 80% of all state-backed phishing campaigns against Israel in the lead-up to the October 7, 2023, Hamas attack, along with ransomware and “hack-and-leak” campaigns designed to erode public trust.

Fast-forward to today’s crisis

Tensions surged in June 2025 with the launch of Operation Midnight Hammer, the largest U.S. B-2 bomber raid in history. The U.S. dropped 14 bunker-buster bombs on Iran’s Fordo, Natanz, and Isfahan nuclear sites, aiming to cripple Tehran’s nuclear program.

The strike, which included support from Tomahawk missiles and over 125 aircraft, reportedly caused severe structural damage. While Iran responded kinetically, with missile strikes on U.S. assets in Qatar, the cyber domain remains one of the most unpredictable and potentially destabilizing fronts in this escalating conflict.

The U.S. Department of Homeland Security recently issued a formal alert warning that Iranian-backed cyber threat actors, from intelligence-linked hackers to pro-Iranian hacktivists, pose an elevated risk to U.S. critical infrastructure.

While there’s no public evidence of a large-scale incident yet, Industry Information Sharing and Analysis Centers (ISACs), including the IT-ISAC and Food and Ag-ISAC, have urged companies in important vertical sectors to adopt a heightened “Shields Up” posture. This warning comes amid reduced federal cyber visibility following staffing changes at CISA, underscoring the importance of inter-sector collaboration.

Iran’s tactics include port scanning and the exploitation of exposed VPN appliances such as Pulse Secure and Fortinet devices through known vulnerabilities like CVE-2019-11510 and CVE-2020-12812. These efforts aim to gain footholds in government and corporate networks, alongside phishing campaigns that impersonate journalists and scholars and deliver credential-harvesting links or malware via Excel files with malicious macros and PowerShell payloads.
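The delivery chain described above, a macro-laden Excel attachment that launches PowerShell, is one of the few tactics in this column concrete enough to detect directly in endpoint telemetry. As an added example that is not part of the column or of any vendor product, the following Python flags Office processes spawning script hosts, and PowerShell launched with window-hiding, profile-skipping or encoded-command switches, in constructed process-creation records; the field names follow Sysmon Event ID 1 conventions and every sample record is made up.

```python
import re

# Office applications that, as a parent process, should almost never launch a script host.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell switches commonly used to hide the window, skip profile/policy, or pass an encoded command.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand|nop|noprofile|noni|noninteractive"
    r"|ep\s+bypass|executionpolicy\s+bypass|w\s+hidden|windowstyle\s+hidden)(?!\S)"
)

# Constructed sample records shaped like simplified Sysmon Event ID 1 entries; not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Enc PLACEHOLDER_BASE64"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign admin task
    {"ProcessId": 4201, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},  # Word spawning the print helper is normal
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return the reasons an event is suspicious (an empty list means nothing to flag)."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office_spawns_script_host:{parent}->{child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        # Normalise whitespace so "-W  Hidden" and "-w hidden" collapse to one token.
        flags = {re.sub(r"\s+", " ", m.group(0)).lower()
                 for m in SUSPICIOUS_FLAGS.finditer(event.get("CommandLine", ""))}
        if flags:
            reasons.append("powershell_evasion_flags:" + ",".join(sorted(flags)))
    return reasons


def triage(events):
    """Keep only flagged events, keyed by ProcessId, as a short review list for the hunt team."""
    results = ((e["ProcessId"], analyze(e)) for e in events)
    return {pid: reasons for pid, reasons in results if reasons}
```

Run against real Sysmon or EDR exports, the parent/child rule alone catches the macro launch even when the PowerShell command line is obfuscated, which is why it is evaluated independently of the flag check.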

They also include PLC exploitation that targets water treatment facilities, attempting to manipulate chlorine levels via exposed PLCs protected only by weak or default credentials, as well as hack-and-leak and ransomware operations in which ransomware is deployed not for ransom, but for disruption and psychological impact.

These methods target the exact kinds of vulnerable systems that underpin American life: small water utilities, rural hospitals, regional transit, and aging energy grids. The concern isn’t only about disruption, but about the potential presence of persistent access and latent capabilities within these networks, a concept referred to as the red button. In essence, Iran may already be inside some systems, waiting for the moment when triggering an attack aligns with its strategic objectives.

It’s not simply a question of geopolitical rivalry. It’s a national resilience challenge. Iran’s approach blends physical conflict with coordinated, sustained digital aggression, and recent developments suggest the Iranians are willing to escalate.

U.S. and allied organizations must act accordingly. To reduce exposure and improve cyber resilience, organizations should take immediate action:

  • Raise awareness: Ensure leadership and staff understand the nature and intent of Iranian cyber operations.
  • Tighten posture: Review and patch known vulnerabilities, especially in VPNs, industrial control systems, and remote access protocols.
  • Improve detection: Ensure up-to-date detection and monitoring capabilities that align with TTPs frequently used by Iranian threat actors.
  • Proactively hunt: Conduct threat hunts focused on uncovering potential dormant access to networks and environments.
  • Exercise response plans: Rehearse real-world cyberattack scenarios involving critical infrastructure to test readiness and coordination.
  • Collaborate actively: Encourage real-time information sharing across industry peers and with government agencies and ISACs to improve early warning, response, and resilience.
  • The red button may already be wired into many of our environments; make sure that if it’s ever pushed, nothing happens.

    Ariel Parnes, co-founder and COO, Mitiga

    SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
