Iran hasn’t launched cyberattacks, but the danger is still very real.

John E. Dunn

Despite a current downturn in cyber activity following US-Israeli military strikes on Iran, experts anticipate that Iranian groups will eventually resort to destructive wiper attacks.

[Image: Iranian military missiles, including long-range, short-range and satellite missiles, on display at the Military Museum, Tehran, Iran, September 9, 2019. Credit: saeediex / Shutterstock]

Although the US and Israel’s conflict with Iran is now five days old, the initial dire forecasts of Iranian cyber-retaliation have not yet materialized. However, given Iran’s well-established cyber capabilities, experts caution that this calm is probably short-lived.

Over the weekend, both the UK’s National Cyber Security Centre (NCSC) and Canada’s Centre for Cyber Security (CCCS) released broad alerts regarding the dangers presented by Iranian cyber operations. In contrast, the US Cybersecurity and Infrastructure Security Agency (CISA) has not refreshed its most recent warning, which dates back to October.

The NCSC commented that “there is almost certainly a heightened risk of indirect cyber threat for those organizations and entities who have a presence, or supply chains, in the Middle East,” acknowledging the self-evident nature of this caution.

The Canadian CCCS was more specific, predicting, “Iran will very likely use its cyber program to respond to the joint US and Israel combat operations against Iran.” It advised organizations to focus on more severe threats like ransomware and destructive wiper attacks, rather than being distracted by common DDoS attacks and other minor cyber incidents.

These widespread warnings highlight the issue of alert fatigue: with cyberattacks being a constant danger, how can organizations discern which threats require immediate attention? Does the onset of physical warfare fundamentally alter this landscape, or merely adjust the timing of anticipated attacks?

Advanced Persistent Threats (APTs) and Wiper Malware

While cybersecurity firms frequently highlight Iranian threats, the general view is that Iran’s cyber-retaliation has remained unexpectedly subdued up to this point. Experts suggest this could be a transitional phase resulting from disruptions to Iran’s energy and internet infrastructure.

Currently, active groups fall into three interconnected classifications: those primarily focusing on Middle Eastern infrastructure, those targeting Western entities (encompassing specialized advanced persistent threat, or APT, groups), and smaller proxy groups operating outside Iran with unpredictable targets.

As reported on March 2 by Palo Alto’s Unit 42, “State-aligned cyber units may be acting in operational isolation, which could result in deviations from previously established patterns. Additionally, Iranian command and control degradation may also lead to tactical autonomy for cells outside of Iran.”

The most immediate and significant threat is Distributed Denial of Service (DDoS) attacks. However, these have not manifested on a large scale; Cloudflare CEO Matthew Prince even posted on X on Sunday that Iranian-associated DDoS activity had decreased. This is despite CrowdStrike reporting that the Hydro Kitten group had threatened the US banking sector with DDoS, causing some temporary outages.

Radware, a security firm, identified 149 DDoS attacks between February 28 and March 2, seemingly linked to Iran, with most directed at governmental organizations in the Middle East. The company noted that almost all these incidents were orchestrated by only three hacktivist groups: Keymous+, DieNet, and Conquerors Electronic Army.

A more urgent concern is destructive ‘wiper’ attacks. The notorious historical example is the Iranian Shamoon malware of 2012, which wiped data from 30,000 workstations at the oil company Saudi Aramco. Although subsequent attack attempts have also focused on the energy sector, the risk in wartime is that any target, whether in the US or elsewhere, could become fair game.

Anomali, a security vendor, issued a warning, stating, “Iran’s wiper arsenal includes 15+ families (ZeroCleare, Meteor, Dustman, DEADWOOD, Apostle, BFG Agonizer, MultiLayer, PartialWasher).”

Primary worries revolve around prominent Advanced Persistent Threat (APT) groups linked to the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), both known for their history of cyberattacks. These include APT35/APT42 (also known as Charming Kitten or Phosphorus) and APT33 (Elfin Team). Interestingly, APT34 (OilRig), usually one of Iran’s most active APTs, has shown no activity for a week, leading Anomali to suggest, “This likely indicates covert pre-positioning, not inactivity.”

Tenable, a cybersecurity firm, has provided a valuable overview of key Iranian threat groups, detailing their respective tools, techniques, and procedures.

Targeted Sectors and Necessary Responses

Adrian Cheek, a senior cybercrime researcher at the Canadian threat intelligence company Flare, states that critical infrastructure — encompassing defense and government supply chains, financial services, energy, and healthcare — faces the highest risk.

Cheek noted, “Water, energy, and healthcare sectors are currently the most exposed. These sectors combine high targeting priority with weak baseline security, particularly in operational technology environments. Financial services face high targeting priorities but generally have stronger defenses.”

Iranian cyber groups are expected to initially exploit known vulnerabilities in operational technology and industrial control systems. Cheek advised, “Every US multinational with Gulf region operations should brief regional personnel on heightened physical and cyber threats. Implement phishing-resistant MFA (FIDO2/WebAuthn) where possible. Remove unmanaged Remote Monitoring and Management (RMM) tools.”

Cheek further advised that organizations must promptly monitor for wiper malware, verify that endpoint systems are configured to identify Shamoon variants, and apply patches to VPNs and other edge devices, which are frequent targets for Iranian attacks.

Dean Valentine, CEO of application security company ZeroPath, highlighted the significant uncertainty surrounding AI’s potential impact on such conflicts. He explained, “The advent of frontier models with strong cybersecurity capabilities lowers the floor for participation in destructive cyberattacks. Before this year there were only a few countries that were heavily active in cyberspace. Now any country or criminal organization can get a team of 5 to 10 not-particularly-skilled engineers together and do major damage.”

He cautioned that even as US and Israeli attacks have significantly diminished Iran’s offensive cyber capabilities, AI is discreetly empowering more geographically dispersed groups with powerful disruptive tools.

“All of this means that in the near future poor countries like Iran are probably going to be much more capable of lashing out, by taking down large fractions of our internet infrastructure,” he concluded.

This article was originally published by CSO.
