When conflict escalates in the Middle East, the battlefield is never limited to geography. It extends into energy grids, government networks, transportation systems, and financial infrastructure.
The current war involving Iran is no exception. While missiles and airstrikes dominate headlines, the parallel cyber dimension may prove equally consequential, particularly for regional governments, critical infrastructure operators, and U.S. state and local agencies connected through global supply chains.
Cyber is no longer just a supporting capability. It is an active part of the battlefield.
The strategic backdrop: Why Iran's history matters
Iran has long had a layered security model designed to preserve internal control while projecting asymmetric power abroad. The Islamic Revolutionary Guard Corps (IRGC) evolved into not just a military organization, but an intelligence, economic, and cyber force multiplier.
A defining moment came in 2010 with the Stuxnet operation that targeted Iran's Natanz nuclear facility. The malware in the attack sabotaged centrifuges, disrupting Iran's nuclear program.
The attack demonstrated that offensive cyber operations could create physical consequences. For Iran, it reinforced a lesson: Cyber capabilities provide deniable, scalable retaliation without immediate conventional escalation.
Since then, Iran has invested heavily in building offensive cyber capacity both directly and through aligned proxy actors.
SecurityScorecard's STRIKE Threat Intelligence Team revealed that during the 12-day war in 2025, Iranian state actors, proxies, and hacktivists ideologically aligned with Iran orchestrated cyberattacks against perceived adversaries, complete with reconnaissance, recruitment, defacement, data theft, data dumps, phishing, and malware delivery.
Iran's cyber capabilities: Asymmetric by design
Iran does not need to match larger powers technically across every domain. Its strategy is focused, opportunistic, and disruptive.
Iran-linked actors are widely associated with:
- Credential harvesting and password spraying at scale
- Exploitation of internet-facing infrastructure (VPNs, email gateways, remote management tools)
- Distributed denial-of-service (DDoS) campaigns for signaling and disruption
- Data theft paired with timed leaks and influence amplification
- Selective use of destructive malware or "wipers"
Their model blends state operators, contractors, and proxy or "patriotic" hacking groups. This creates volume, plausible deniability, and rapid surge capacity.
For instance, according to the STRIKE research, Iranian proxies and Iranian-aligned groups proactively targeted those sympathetic to Israel in the 12-day war in 2025. The research revealed that the Iranian hacking group known as Imperial Kitten had developed planning or tasking cycles that operate in sync with conflict flashpoints.
In periods of heightened geopolitical tension, DDoS and ransomware-style disruptions tend to increase because they create visible disruption without crossing strategic red lines.
Iran is not alone in blending cyber operations with kinetic, physical military operations. For example, Russian government-linked hackers have frequently launched hacking operations in concert with or as a prelude to physical conflict.
In 2026, cyber operations act as a transmission mechanism between geopolitical conflict and everyday life, converting strategic competition into tangible disruption across critical infrastructure, commerce, healthcare, and public trust.
Where the cyber spillover lands
When regional war escalates, the cyber effects rarely stay contained. They can cause a cascade of unexpected problems for both civilians and military personnel.
Energy and Gulf infrastructure
Energy facilities, refineries, shipping terminals, and pipeline logistics are high-value symbolic and economic targets. Even limited disruptions can generate market volatility and public anxiety. For instance, U.S. officials have previously linked Iran to the 2012 Shamoon cyberattack on Saudi Aramco, which delayed oil production.
Government agencies and public services
State and municipal networks are frequently softer targets than national defense systems. Citizen portals, law enforcement networks, health systems, and emergency management platforms all become attractive avenues for disruption.
State and local agencies cannot assume that distance equals insulation. State and local agencies don't get to opt out of geopolitics. In 2023, during the Israel-Hamas war, an Iran-aligned group, the Cyber Av3ngers, claimed responsibility for targeting an Israeli electric contractor. When tensions in the region escalate, ransomware crews, hacktivists, and state operators all look for the easiest door into adversaries' systems, often through third parties.
Transportation and aviation
Airports, maritime logistics systems, and cross-border freight platforms offer leverage. Disruption to reservation systems, port operations, or customs processing can have cascading economic consequences.
Third-party and supply-chain exposure
Perhaps the most significant risk vector is indirect. It is leveraged through third parties, managed service providers, SaaS platforms, identity systems, file-sharing software, and remote IT tools that connect multiple agencies and critical infrastructure entities.
A single compromised vendor can ripple across dozens of organizations simultaneously. In wartime conditions, attackers pursue the path of least resistance.
The leadership challenge: Operating in the "fog of cyber"
During geopolitical escalation, leaders face three immediate questions:
- What is our most exposed piece of infrastructure today?
- Which third parties increase systemic risk?
- What risk can we reduce within the next 72 hours?
This is where clarity becomes decisive. The question isn't whether the cyber front will expand. It's whether organizations can shrink their attack surfaces faster than adversaries can exploit them.
Cyber spillover risk: Why governments must prepare beyond the physical battlefield
Any conflict with Iran will be analyzed through military and diplomatic lenses. But the cyber domain is already part and parcel of modern warfare. In any escalation, cyber operations can have a broad spillover impact, touching governments, utilities, transportation systems, and citizens far beyond the immediate conflict zone.
The battlefields of 2026 do not stop with physical territory. Resilience will depend on how quickly organizations can see risk, prioritize action, and shrink their attack surfaces before adversaries move.