Cyber Threats After Iran Conflict: Comment and Analysis

There’s no denying that regimes in Iran can carry out various cyber attacks against the USA, EU nations and others as the conflict continues, or morphs into an uneasy truce. Here’s some analysis:

Matt Hull – VP of Cyber Intelligence and Response at global cyber security firm NCC Group – on the cyber threats resulting from the conflict.

“The expectation of immediate, high-profile cyber attacks on U.S. organisations rests on a flawed assumption about how cyber operations are used in conflict. In practice, states rarely open with visible, disruptive attacks against civilian or commercial targets.”

“Instead, early-stage cyber activity tends to prioritise disinformation generation, intelligence collection, access development, and operations that directly support military objectives. These activities are deliberately low-visibility, often conducted through state-aligned or proxy groups to preserve deniability. The absence of widely reported incidents should not be interpreted as a lack of activity, but rather as an indication that much of it is occurring below the threshold of public detection.”

“There are also practical constraints shaping Iran’s approach. Recent U.S. and Israeli actions have likely physically degraded elements of its cyber capability or at least forced a more cautious, selective posture. That typically results in operations that are more targeted, coordinated, and less overt than many initial predictions suggested. We saw similar shifts when Russia invaded Ukraine, where Russian cyber capability was partly degraded due to individuals being ‘sent to the front lines’.”

“That said, activity is already evident. Pro-Iranian group Handala has claimed responsibility for an attack against U.S. medtech firm Stryker, and broader intelligence indicates a shift towards more disruptive and destructive operations linked to the conflict. The formation of the Electronic Operations Room (EOR) is particularly notable, as it appears to be coordinating multiple hacktivist groups. This creates a force-multiplying effect where lower-level attacks generate noise and provide ‘cover’ for more sophisticated operations to take place.”

“There’s also a risk in focusing too heavily on what hasn’t happened. Large-scale, visible attacks are only one measure of impact. Persistent access, supply chain compromise, and identity exploitation can deliver strategic advantage without ever triggering a headline.”

“Organisations should not simply judge their level of preparedness on whether a major incident has already occurred. A more effective approach is to assume that access is being developed now and focus on resilience rather than prevention alone. That includes ensuring critical operations can function independently of corporate networks, tightening control over identities and remote access pathways, scrutinising supply chain dependencies, and preparing for scenarios where core communications or connectivity are disrupted.”

“In short, the current lack of large-scale public incidents says more about the nature and timing of cyber-kinetic operations in conflict than it does about Iran’s capability or intent.”

About Alastair Walker
20 years' experience as a journalist and magazine editor. I'm your contact for press releases, events, news and commercial opportunities at Insurance-Edge.Net
