Iranian cyber threats, geopolitics, and the new cyber reality

By Robert Hannigan, Chairman of International Business at BlueVoyant.

In recent weeks, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the National Cyber Security Centre (NCSC) have all issued warnings about the growing risk of cyber activity attributed to Iranian-aligned actors. Their message is clear: the geopolitical situation is volatile, and organisations should assume they may be in scope for retaliation. The agencies all highlight similar weaknesses being repeatedly exploited: unpatched vulnerabilities, weak identity controls, and exposed remote‑access services.

They also warn of credential‑based intrusions, brute‑force attempts, and ransomware‑style disruption. As a result, they’re urging organisations to act now to secure their perimeters. This includes patching against widely exploited CVEs, enforcing strong multi‑factor authentication, locking down web‑facing systems, and improving monitoring for suspicious authentication activity. Across all three agencies, the guidance converges on a simple truth: vigilance and basic cyber hygiene remain the most effective defences against Iranian‑linked operations.

But what does Iran’s likely retaliation and survival strategy really mean for cyber defenders?


Iran’s expanding cyber capabilities

At its core, Iran's strategy is about regime survival, broadening attacks, spreading the conflict, and imposing economic and political costs on its adversaries. While Iran is not a tier 1 cyber power in the way Russia or China are, it has developed a network of state‑sponsored proxies capable of causing significant disruption.

These groups are known to target financial services, critical national infrastructure, and operational technology (OT) environments. Some focus specifically on OT and ICS/SCADA systems, and they are increasingly adept at using sophisticated phishing and authentication compromise to gain a foothold.

Recent reporting on destructive cyber incidents affecting global organisations, in some cases attributed by security researchers to Iranian‑aligned actors, demonstrates how damaging Iranian offensive cyber operations can be. There have also been reports suggesting possible Russian support for Iranian cyber operations, further blurring the lines between nation‑state capabilities and criminal outsourcing.


Proxies, partnerships and the blurring of criminal and state activity

The uncomfortable reality is that hostile nation states already behave as if they are in an active cyber conflict with Western economies. They are often more coordinated in their use of cyber operations than the countries they target, exploiting weaknesses in global supply chains through multi‑stage, persistent attacks. 

Iran is assessed to have multiple proxy groups that can be activated to conduct indirect or deniable state operations – making “official” operations harder to track and counter. These actors excel at multi‑stage social engineering, long‑dwell persistence using legitimate tools, and blending state operations with organised crime. They are opportunistic, rely heavily on known vulnerabilities, and are detectable through behavioural patterns. They tend to be noisier and less technically sophisticated than some peer threats but are still capable of causing significant disruption.

We should therefore expect ongoing instability and disruption, with a greater use of criminal groups as proxies. This hybrid model obscures attribution and accelerates the convergence of state‑backed and financially motivated attacks.

Since early February, activity assessed to be linked to Iranian-aligned actors has included targeted intrusions across banking, aviation, aerospace, and defence. The pattern reflects deliberate, targeted intrusions rather than opportunistic scanning.


Priority defensive actions

From a defensive standpoint, organisations should immediately take several actions:

Strengthen ICS and OT environments now, where applicable. Attackers are hunting for low‑hanging fruit: insecure internet‑facing PLCs, unchanged default passwords, and flat networks. Remove these devices from direct internet exposure where possible, secure any interface that must stay exposed, and strictly segment OT from IT.

Block unused remote monitoring and management (RMM) tools at both the endpoint and network level. If a tool is not actively required, it should not be available to an attacker either. Where the organisation does rely on RMM, enforce strong multi‑factor authentication (MFA) on it without exception. Many recent intrusions have involved the abuse of legitimate RMM tools, so waiting for a malware alert is too late.

Maintain immutable, offline backups and validate them regularly. We are witnessing destructive ransomware deployed with the primary goal of political retaliation and reputational damage rather than financial gain, and with it an uptick in destructive wipers disguised as ransomware. Resilient architecture is critical to withstanding these attacks.

Test the ability to recover from a destructive wiper scenario, not just a traditional ransomware event. Too many organisations discover only during an attack that their backups were reachable from the compromised network, and therefore corruptible.

Ultimately, resilience is the golden thread that brings effective cyber defence together. The combination of geopolitical tension, proxy activity, and destructive tooling means organisations must assume disruption is a realistic scenario. Hardening identity, securing remote‑access pathways, segmenting networks, and protecting backup systems are essential steps in the current threat environment.
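The monitoring for suspicious authentication activity that the agency guidance above calls for, and the behavioural detectability of these proxy groups noted earlier, come down to a few checks that can run over ordinary login logs. What follows is an added example written for this piece, not code from the original article or from BlueVoyant: a small Python detector run over a constructed log sample. The log format, the IP addresses, the account names and the thresholds are all assumptions chosen for illustration. It goes slightly beyond the text by separating three patterns that need different responses: many failures against one account from one source (brute force), failures spread thinly across many accounts from one source (password spraying), and a success that follows either pattern, which is the event worth paging on.

```python
"""Flag brute-force, password-spray and 'spray that landed' patterns in
authentication logs.

Added example for illustration. Log format, addresses, account names and
thresholds are assumptions, not any product's real format or defaults.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for the sample; tune them to the environment's baseline.
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILS = 8          # failures against one account from one source
SPRAY_DISTINCT_ACCOUNTS = 5    # distinct accounts failed from one source
SUSPICIOUS_PRIOR_FAILS = 3     # failures preceding a success worth flagging

# Constructed sample (not real data). Fields: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2025-03-01T09:00:01Z 198.51.100.7 alice FAIL
2025-03-01T09:00:02Z 198.51.100.7 bob FAIL
2025-03-01T09:00:03Z 198.51.100.7 carol FAIL
2025-03-01T09:00:04Z 198.51.100.7 dave FAIL
2025-03-01T09:00:05Z 198.51.100.7 erin FAIL
2025-03-01T09:00:06Z 198.51.100.7 frank FAIL
2025-03-01T09:00:20Z 198.51.100.7 erin SUCCESS
2025-03-01T09:05:00Z 203.0.113.9 svc-backup FAIL
2025-03-01T09:05:01Z 203.0.113.9 svc-backup FAIL
2025-03-01T09:05:02Z 203.0.113.9 svc-backup FAIL
2025-03-01T09:05:03Z 203.0.113.9 svc-backup FAIL
2025-03-01T09:05:04Z 203.0.113.9 svc-backup FAIL
2025-03-01T09:05:05Z 203.0.113.9 svc-backup FAIL
2025-03-01T09:05:06Z 203.0.113.9 svc-backup FAIL
2025-03-01T09:05:07Z 203.0.113.9 svc-backup FAIL
2025-03-01T09:05:10Z 203.0.113.9 svc-backup SUCCESS
2025-03-01T09:30:00Z 192.0.2.44 alice FAIL
2025-03-01T09:30:05Z 192.0.2.44 alice SUCCESS
"""


def parse_log(text):
    """Parse 'timestamp source account outcome' lines into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, outcome))
    return sorted(events)


def detect(events, window=WINDOW):
    """Return one finding per (kind, source, account) using a sliding window per source."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings, seen = [], set()

    def add(kind, src, account, detail):
        if (kind, src, account) not in seen:
            seen.add((kind, src, account))
            findings.append({"kind": kind, "src": src, "account": account, "detail": detail})

    for src, evs in by_src.items():
        recent = deque()  # (timestamp, account) of failures from this source inside the window
        for ts, _, account, outcome in evs:
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            if outcome == "FAIL":
                recent.append((ts, account))
            fails = Counter(a for _, a in recent)  # failures per account in the window
            if fails[account] >= BRUTE_FORCE_FAILS:
                add("brute_force", src, account, f"{fails[account]} failures within {window}")
            if len(fails) >= SPRAY_DISTINCT_ACCOUNTS:
                add("password_spray", src, None, f"{len(fails)} distinct accounts failed within {window}")
            # A success after a burst on the account, or after a spray from the same
            # source, is the event that needs a human response, not just a counter.
            if outcome == "SUCCESS" and (
                fails[account] >= SUSPICIOUS_PRIOR_FAILS or len(fails) >= SPRAY_DISTINCT_ACCOUNTS
            ):
                add("success_after_failures", src, account,
                    f"{fails[account]} prior failures on this account, {len(fails)} accounts tried")
    return findings


def run_sample():
    """Run the detector over the constructed sample."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['kind']:24} {f['src']:14} {f['account'] or '-':12} {f['detail']}")
```

On the constructed sample this yields four findings: a password spray from 198.51.100.7 and its subsequent success on the erin account, and a brute-force burst from 203.0.113.9 followed by a success on svc-backup; the single failed-then-successful login from 192.0.2.44 is left alone. Per-source windows are what separate a spray from ordinary typos, and the success-after-failures rule is what turns a noisy counter into an alert that is worth an analyst's time.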


Resilience over prevention: preparing for the next wave

The threat landscape is changing rapidly, shaped by a volatile geopolitical situation and increasingly opportunistic criminal ecosystems. As the guidance from CISA, the NSA, and the NCSC makes clear, businesses should increase vigilance, strengthen their basic cyber hygiene, and assume they may be in scope.

In an era where nation states and criminal groups operate in the same shadows, resilience is the most powerful defence.

