Critical Infrastructure Security, Network Security, Vulnerability Management

Four ways security teams can protect against Iranian cyberattacks

Iran Flag Digital Binary Code Cyberpunk Technology Concept

COMMENTARY: Iranian sleeper cells operating inside the United States are once again making headlines — surfacing not just in the press, but in high-level congressional hearings and briefings with the attorney general.

Behind closed doors, classified threat streams are reportedly blinking red. But this raises a familiar question: if the threat is so dire, why didn’t we see a direct response after the 2020 killing of General Qassem Soleimani?

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The calculus has changed today. The stakes are different now — and for the Islamic Revolutionary Guard Corps (IRGC), what remains in the playbook may no longer be about patience or posturing. It’s more about projection through fear.

The recent U.S. and Israeli strikes on Iranian nuclear infrastructure have reactivated a known, but evolving strategy. Tehran’s response will unlikely come through conventional force alone. Instead, retaliation will likely unfold through asymmetric means: cyber operations, disinformation campaigns, and proxy-enabled violence. These activities are often executed far from the Middle East, and with just enough ambiguity to slow a coordinated response.

For business and security leaders in both the public and private sectors, there’s a clear message: these events are not just a regional escalation. It’s now multidomain confrontation with global implications.

Organizations large and small need to understand the converged nature of Iran's threat — and prepare for its full spectrum.

The digital front: disruption below the threshold

Iran has long leaned on its cyber capabilities as a retaliatory tool. State-backed actors such as APT35, APT33, and CyberAv3ngers have targeted critical infrastructure, government agencies, and private sector entities across the U.S. and its allies. Their methods are varied, including credential harvesting, phishing campaigns, wiper malware, and, increasingly, ransomware disguised as criminal activity.

The 2012 Shamoon attack on Saudi Aramco and the more recent targeting of U.S. water utilities by CyberAv3ngers reveal a pattern — one in which Iran exploits vulnerabilities to create psychological and operational disruption without triggering formal conflict. These aren't isolated incidents; they are strategic signals. In the wake of recent strikes, we can expect a new wave of similar activity, particularly against energy, logistics, and financial networks.

Organizations must ask: are we monitoring for lateral movement between IT and OT systems? Are our executives and high-net individuals being targeted digitally Or physically? Iran doesn't need to breach a network to win — it only needs to erode trust in the systems that underpin our economy and governance.

The disinformation campaign

Alongside its digital capabilities, Iran continues to refine its use of information operations to shape global narratives. Whether working independently or in alignment with Russian actors, Tehran pushes disinformation through state media, bot networks, and increasingly through AI-generated content and deepfakes.

These campaigns aim to erode public confidence, exacerbate social divisions, and erode Western legitimacy. Following strikes on its infrastructure, Iran will likely amplify narratives portraying the U.S. and Israel as aggressors, leveraging images of civilian harm and geopolitical instability to stir dissent.

From a corporate perspective, this means disinformation campaigns targeting executives, companies, or entire sectors aren't just reputational risks: they are strategic threats. Security leaders must ensure that communications, legal, and security teams are aligned to detect and counter these narratives quickly.

Proxies, plots, and covert reach

Iran's physical threat capability has been anchored in its asymmetric warfare doctrine — a strategy that lets Tehran project power while avoiding direct conventional conflict. At the heart of this approach lies Unit 840, a covert branch of the IRGC's Quds Force that specializes in extraterritorial operations, including assassinations, kidnappings, and intimidation of dissidents and foreign officials.

Unit 840 operates through geographically segmented departments targeting the Middle East, Europe, Asia, and the U.S. It has been linked to assassination plots in the UK, Germany, Cyprus, and the U.S. since 2022. It has a clear mission: export repression, suppress dissent, and send strategic signals through targeted physical actions.

This threat gets reinforced by Iran's proxy network — from Hezbollah in Lebanon (although the Hezbollah leadership in Beirut has been decimated) to the Houthis in Yemen and Shia militias in Iraq and Syria. These groups serve as Tehran's extended arm, capable of launching drone and missile attacks, disrupting shipping lanes, or carrying out localized terror operations under a veil of deniability.

Iran also exploits geography as a pressure tool. The Strait of Hormuz and the Red Sea remain vulnerable to naval swarms, mining, and missile strikes — a tactic used not just to impose military costs, but to spike oil prices and sow global economic instability. Combined with advances in drone and missile technology, Iran has evolved its capabilities to reinforce both asymmetric and conventional deterrence.

A converged response for a converged threat

Iran doesn't think in silos. Its retaliation strategy blends cyberattacks with narrative shaping, proxy violence, and covert physical threats to create friction and confusion. We must have an equally integrated  response.

Organizations — particularly those in critical sectors such as energy, logistics, and finance — must stress-test their readiness across multiple domains to ensure they are prepared for any potential disruptions. That includes the following:

  • Conduct integrated threat simulations that link cyber incidents with physical and reputational consequences.
  • Ensure executive protection includes monitoring digital footprints, social engineering awareness, and media manipulation scenarios alongside traditional "guns, gates, and guards" strategies for security C-suite and high-net personnel.
  • Build joint incident response plans that bridge IT, physical security, legal, and communications teams.
  • Participate in real-time intelligence exchanges with both public-sector and private-sector partners.

Iran’s asymmetric doctrine was designed to achieve strategic effect without provoking conventional retaliation. That includes deploying covert units like Unit 840 to stage physical attacks while simultaneously executing cyber operations and narrative warfare to blur attribution and delay response.

While Tehran often exaggerates the success or precision of these actions, that distortion is part of the strategy — intended to create uncertainty, provoke restraint, and inflate perceived reach. The real danger lies not only in what Iran can do, but in what its adversaries believe it might.

In an era where perception, access, and disruption are all weaponized, the advantage belongs to those who can respond with speed, clarity, and convergence. This isn’t just about resilience: it’s about relevance in an age of hybrid threats.

Chuck Randolph, senior vice president, strategic intelligence and security; Fred Burton, strategic advisor, 360 Privacy

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds