The war in Iran was less than 24 hours old when it produced a historic first: the deliberate targeting of commercial data centers. On March 1st, Iranian drones hit three Amazon Web Services (AWS) facilities in the United Arab Emirates and Bahrain, disrupting core cloud infrastructure and knocking out finance apps and enterprise tools not only across the Gulf, but also far away from the region. The attacks showed that physical distance from a conflict zone is no guarantee of insulation from the impacts of kinetic warfare.
For most organizations, however, the more immediate risk plays out in cyberspace and involves all manner of threat actors. Within hours of the US-Israel ‘Operation Epic Fury’ (‘Operation Roaring Lion’) on February 28th, Iran-nexus cyber-actors mobilized in large numbers – Palo Alto Networks’ Unit 42 counted more than 60 active pro-Iranian hacktivist groups. Also within hours, cybersecurity agencies in the United Kingdom and Canada both warned about heightened threat levels. Before long, similar warnings were echoed by Europol and the US Department of Homeland Security.
Threats and threat actors
The outbreak of a kinetic conflict often broadens both the volume and the cast of cyber-actors involved. Hacktivist activity – noisy and often wrapped in bluster and bravado – often surges first. Advanced Persistent Threat (APT) operations involving reconnaissance and initial access run in parallel or closely behind. Once footholds are established and targets are mapped, the stage is set for whatever the operation was actually designed to accomplish, be it espionage, disruption, sabotage or other goals.
The lines aren’t necessarily clear-cut, of course, and some tactics can be deployed in tandem: a website defacement or distributed denial-of-service (DDoS) attack that looks like a nuisance-level hacktivist operation might be a deliberate distraction from an actual attack that’s quietly exploiting the target through a different vector.
Iran-nexus groups rank among the most active and resourceful state-aligned groups worldwide, and their offensive cyber-capabilities and toolsets have matured recently. The threat is especially acute for organizations with supply chain relationships in the Middle East or other ties to the region, not to mention those with cloud dependencies there.
The CyberAv3ngers group’s campaign against water and wastewater utilities in the US and other countries in 2023 illustrated how that targeting logic is operationalized. The ominous message that the bad actor left on compromised systems – “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target” – read like hacktivist output, but the group was quickly found to be operating under Iranian state direction. This blurring of hacktivist identity and state-aligned operations, whose roots may well go back to the Saudi Aramco incident in 2012, has a name, too: “faketivism.”
Operational overlaps among distinct groups run even deeper than that, however. ESET researchers have previously documented close links between several Iran-aligned APT actors. Notably, MuddyWater has worked closely with Lyceum, a subgroup of OilRig, as well as probably acted as an initial access broker (IAB) for other Iran-aligned groups.
Muddying the waters further, several pro-Russian hacktivist groups have now apparently joined the fray in support of Iran, and there are reports of Iran-linked groups engaging with IABs on Russian cybercrime forums. This effectively expands both the available tools and the range of reachable targets. Critical infrastructure is one of the most coveted ‘trophies’ by all manner of adversaries, and recent ESET telemetry shows that Iran-aligned actors disproportionately target entities that operate in engineering and manufacturing.
Also, whenever the goal is retaliation, destruction tends to take priority over, say, ransomware-fueled extortion. Data-wiping malware is a consistent feature of modern conflict-adjacent operations – Russia-aligned groups have demonstrated this pattern repeatedly in Ukraine.
When it comes to attacks that give bad actors a lot of bang for their buck, supply chain compromise typically reigns supreme. Back in 2022, ESET Research documented how the Iran-aligned Agrius group deployed a destructive wiper called Fantasy through a supply-chain attack that abused an Israeli software developer, hitting targets in various verticals and well beyond Israel. The blast radius of a supply-chain attack could reach organizations that were never directly targeted and have no obvious connection to the conflict.
A related risk concerns managed services providers (MSPs) and their customers. Also in 2022, ESET documented a campaign where the adversary compromised an MSP in order to gain access to their end targets. They didn’t need to infiltrate their targets directly; instead, they let the MSP’s access pathways do the legwork for them. The campaign was orchestrated by the MuddyWater cyberespionage group, recently a powerhouse in Iranian APT circles that has undergone a notable evolution.
Once known for loud, automated attacks, MuddyWater is now increasingly leaning towards more stealthy and refined operations involving ‘hands-on-keyboard’ activities in targeted environments. Much like some other Iran-aligned collectives, MuddyWater has also pivoted to the tried-and-tested technique of abusing legitimate Remote Monitoring and Management (RMM) software. That way, the group can blend into legitimate network traffic and complicate detection.
The group is also known to favor internal spearphishing from already-compromised inboxes – emails from a colleague’s account rather than an external sender – with a high success rate, for obvious reasons. Spearphishing attachments and links have long been the most popular initial access techniques among most Iran-aligned APT groups, including OilRig and APT33. However, exploitation of known software vulnerabilities isn’t unheard of, either, as seen in a recent Ballistic Bobcat campaign.
MuddyWater remains very much active in 2026 – last month, security researchers at Broadcom’s Symantec and Carbon Black identified the group in the networks of multiple US entities, including an airport, a bank, and a software firm with ties to Israel. Still, the overall volume of offensive cyber-activity from Iran-aligned actors generally is so far no match to the flurry of activity observed by ESET researchers after the attack on Israel on October 7th, 2023. This may partly be a by-product of Iran’s largely self-imposed, near-total internet blackout.
At any rate, as Google’s Threat Analysis Group (TAG) also said in its analysis of cyber-activity around the Israel-Hamas war, “cyber capabilities […] are a tool of first resort.” This observation remains relevant today – and was exemplified by the first major cyberattack, on March 12th, since the war began. A data-wiping attack, courtesy of pro-Iranian hacktivist group Hamdala, on US-based medical technology company Stryker, reportedly caused the company’s systems to shut down globally.
Staying resilient: where to focus
Threats range from opportunistic DDoS and defacement campaigns to targeted data-wiping incursions and cyberespionage with long dwell times, all the way to supply-chain damage that wouldn’t spare organizations with no direct connection to the conflict. The measures outlined below will be familiar to most security teams. The focus is on where Iran-aligned actors have historically found the weak spots.
Know what’s exposed
Start with identifying and securing anything internet-facing: remote access, web applications, VPN gateways, and internet-connected OT/ICS devices if your organization operates such systems. Default credentials should be changed on all devices. If a device doesn’t support strong authentication, consider whether it should be connected to the public internet at all.
The CyberAv3ngers’ campaign in 2023 targeted programmable logic controllers (PLCs) that still had factory-default passwords. CISA’s advisory discusses the specific techniques used and is worth reviewing in detail if your organization runs industrial control systems.
Limit the attack surface
OT/ICS environments pose a specific challenge: devices deployed decades ago without security requirements in mind and rarely ever inventoried. Default credentials and internet exposure are the most obvious problems, but the wider issue is that many of these systems were never designed to be secured after deployment.
Disconnect OT/ICS devices from the public internet wherever operationally feasible. Wherever possible, apply all available patches, as vulnerable internet-facing devices remain one of the most reliable entry points available to attackers. Where that’s not possible, enforce network segmentation between IT and OT environments and establish behavioral baselines for industrial protocols so that anomalous traffic can trigger alerts.
Close the gaps
Most Iranian state-sponsored groups have made identity compromise their consistent focus. A joint CISA/FBI/NSA advisory from October 2024 documented a year-long campaign in which Iranian actors used password spraying and multi-factor authentication (MFA) push-bombing (flooding users with login requests until someone approves one) to breach organizations across healthcare, government, energy and IT. Once inside, they modified MFA registrations to lock in persistent access and sold harvested credentials on criminal forums.
To counter the threat, enforce phishing-resistant MFA across all external-facing systems, and audit existing MFA configurations for unauthorized registrations.
Audit your supply chain and third-party access
Audit all third-party and other remote access pathways. With groups like CyberAv3ngers specifically hunting for Israeli-made OT equipment, review whether any of your equipment falls into that category.
If you rely on MSPs, inquire about how they secure their remote access tools and whether they’ve reviewed their own exposure in light of the conflict. MuddyWater’s exploitation of the SimpleHelp tool at MSPs showed that your provider’s security posture is effectively part of your attack surface.
Watch out for phishing
As MuddyWater and other groups often rely on human-centered approaches, most notably spearphishing messages from compromised internal accounts, employees need to verify all requests through separate channels, particularly those involving credentials, access changes, urgent “security updates” and anything referencing the current conflict.
Adversaries use common AI tools not only to generate nuanced phishing lures, but also for other steps throughout the attack lifecycle, including to research vulnerabilities and support malware development.
Map your cloud dependencies
Map which software-as-a-service (SaaS) providers you depend on and find out where their infrastructure is hosted. Even if you don’t run workloads in the Middle East, your providers might. Following the AWS strikes, multiple vendors, including Snowflake and Red Hat, issued failover advisories, thus effectively reminding their customers that regional cloud disruptions propagate through the supply chain in ways that aren’t always visible until something breaks. AWS, for one, has explicitly advised customers with Middle East workloads to migrate them.
Prepare for destruction, not just theft
During conflict-adjacent operations, state-aligned actors tend to favor wipers over ransomware. Either way, make sure that at least one copy of critical backups is offline and air-gapped, rather than just replicated to another cloud region that might share the same underlying dependencies.
Test whether your disaster recovery plan covers a full-region cloud outage, because most plans are built around single-zone failures. Importantly, verify that your backups actually restore, because wiper and other malware sometimes targets backup systems specifically.
Everything is fair game
The threat picture will continue to shift as the conflict develops. Hacktivist noise may intensify or fade, while APT operations tend to move more slowly and surface later. The organizations that fare best in this environment are generally those that had already closed the basic gaps before the threat became acute. If basic work (such as an asset inventory) is still outstanding, the current situation is grounds enough to accelerate it.
If your organization has access to best-of-breed threat intelligence and research, now is the time to keep a close eye on it.
