SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Iranian cyber shift raises risk to Western infrastructure

Fri, 13th Mar 2026

Cybersecurity experts warn that Iranian state-aligned hackers may be shifting from reconnaissance to potentially destructive operations against Western and allied infrastructure, as Middle East tensions raise the risk of wider cyber escalation.

Specialists tracking Iranian activity say recent kinetic strikes have coincided with an extended period of digital probing and espionage. Critical infrastructure, financial services, government networks, and mobile applications have all come under scrutiny.

Researchers and security leaders point to a mix of familiar tactics, including distributed denial-of-service (DDoS), ransomware, and spear phishing, alongside quieter preparations aimed at persistent access and disruptive impact.

Iranian advanced persistent threat (APT) groups, including Seedworm and APT34, and affiliated proxies such as CyberAvengers, are central to these concerns. Security professionals say organisations in North America, Europe, and the Gulf should treat the coming period as a heightened threat window.

Threat intelligence shared with industry indicates intensified Seedworm (also known as MuddyWater) activity against finance, aviation, software, and nonprofit organisations in the US and Canada. Researchers have reported new backdoors, including a tool named Dindoor, and the use of cloud infrastructure to move stolen data.

Incident responders and application security firms also report extensive targeting of the mobile and API layers that underpin government and commercial services.

API probing

Ted Miracco, Chief Executive Officer at Approov, said his company saw a marked rise in sophisticated attacks on application interfaces in the run-up to recent military events.

"A silent prelude to attacks has been conducted via API probing. While much of the public focus is on the military strikes, the digital battlefield has been simmering for weeks. In the fortnight leading up to this weekend's events, Approov observed a significant surge in highly sophisticated probing attacks against APIs and mobile applications that provide critical communication links for regional governments. These maneuvers were designed to evade initial defenses. We have analytical indications that the presumed Iranian actors were scouting and gauging regional infrastructure vulnerabilities. Fortunately, by deploying over-the-air (OTA) software updates to the apps and new policies to the cloud, we were able to harden these apps before the probes could turn into full-scale service interruptions or data breaches," Miracco said.

"Groups like the CyberAvengers have already proven that our water and power systems are vulnerable through the hardware and mobile interfaces that control them. Depending on who is in power, we could expect a 'scorched earth' approach next. Currently, Iran's domestic cyber infrastructure is in a defensive crouch following the massive digital blackout. As they regain control, they will likely move from probing or persistence to destruction. This means moving beyond standard DDoS attacks to wiper malware and API-based disruptions that could cripple the mobile apps global users rely on for everything from banking to emergency alerts. The sophistication we saw in the Gulf suggests they are capable of striking once they recover their footing. It will only matter who gives the orders, as whatever penetrations they could pull off were completed before the first strike occurred."

Asymmetric tactics

Practitioners working with critical infrastructure operators say US security teams are bracing for a mix of disruptive and psychological operations, rather than immediate large-scale destruction.

"During open conflict, Iran has historically favored asymmetric cyber tactics. These tactics are deniable, disruptive, and psychologically impactful rather than overtly destructive. U.S. critical infrastructure (especially water utilities, energy operators, healthcare systems, telecommunications, the media, and regional government networks) could experience increased attacks," said Jacob Warner, Director of IT, Xcape, Inc.

"These include DDoS campaigns, ransomware attacks, spear phishing, and disruptive intrusion attempts aimed at undermining public confidence. Groups like CyberAv3ngers have previously targeted poorly secured industrial control systems (ICS), indicating a continued interest in operational technology (OT) environments with low cybersecurity maturity. We might also see website defacements, data leaks, or influence operations intended to heighten domestic political and social tensions," Warner said.

"The Iranian regime has a history of suppressing pro-democracy communications by throttling Internet bandwidth, blocking major platforms, and shutting down mobile data networks during unrest. For private sector organizations, resilience should be the priority: patch vulnerable systems, enforce multi-factor authentication, segment OT from IT networks, and practice incident response playbooks," he said.

"Lastly, users everywhere need to be reminded to be aware of unsolicited emails so that they can avoid compromising their organizations through susceptibility to phishing," Warner added.

Hidden access

Some analysts are more concerned about quiet access than overt attacks, arguing that the relative silence of some Iranian espionage units during the current crisis may signal activity that is harder to detect.

"Recent trends have most analysts keeping focus on DDoS and ransomware right now, and those are real concerns. But what's been concerning us more is the stuff we can't see. Iran's most capable espionage group, APT34, has gone completely quiet during the most significant crisis in their country's modern history. We worry that it might just mean they're getting ready," said Denis Calderone, Principal and CTO, Suzu Labs.

"Since it appears that conventional military options are increasingly off the table, cyber is what Iran has left. Even with their own internet down, pre-positioned implants and operators based outside Iran can still execute. If you're in energy, water, financial services, or defense, assume you're a target. Start hunting for anomalous access in your environment now. Don't wait for something to break," Calderone said.

"European organizations need to pay attention too. Iran's cyber operations don't stop at US borders, and proxy groups operating on Iran's behalf are even less predictable in their targeting. When the motivation is retaliation and the conventional military is gone, cyber operators cast a wide net," he said.

"The immediate concern for European critical infrastructure is wiper malware. We're already seeing reports of wiper deployments against Western financial and energy firms from Iranian proxy groups. Although many have traditionally targeted Israel, there's no reason to assume the targeting won't expand. If you're in energy or critical infrastructure, treat this as a heightened threat period. Review your incident response plans, make sure your backups are isolated and tested, and watch closely for unusual activity in OT environments. This is not a drill," Calderone said.

Domestic blackout

Iran's internal internet restrictions remain a parallel feature of the conflict. External monitoring groups report connectivity at low single-digit levels of normal during recent unrest, affecting civilian communication and cybersecurity visibility.

"There is a significant possibility that Iran's Islamic regime would respond to US and Israeli military strikes with large-scale cyberattacks, particularly given its inability to match the conventional military capabilities of the US and Israel. Cyber operations may be viewed by the regime as a more attainable and potentially effective means of retaliation than military confrontation," said Hom Bahmanyar, Global Enablement Officer, Ridge Security, Inc.

"Based on the regime's past practice of imposing internet shutdowns to restrict the flow of information during internal crises or unrest, such as the January crackdown on protesters, the current nationwide blackout (and the reduction in connectivity to 4% reported by NetBlocks) is likely a deliberate government response to make it harder for pro-democracy forces to communicate with the outside world, rather than the direct result of Israel's cyberattacks on their infrastructure," Bahmanyar said.