Why geopolitical tensions mean more risk of cyber attack
March 18, 2026
By Mathieu Cousin
Cyber Risk Consulting & Threat Intelligence Strategist
War today plays out on the ground, in the air – and in cyberspace. On the back of the ongoing conflict in the Middle East, we’re seeing increased cyber activity linked to events in the region. There’s no sign of secret weapons or unprecedented new techniques. For risk managers and cyber insurers, that means familiar threats in a more volatile context, and a strong need to get the basics right.
What’s changed – and what hasn’t
When geopolitical tensions rise, cyber activity follows. In this conflict, Iranian state-aligned and affiliated groups are using cyber operations as another way to respond.
What’s important is perspective.
As highlighted by Google’s Threat Intelligence Group, we shouldn’t expect an entirely new class of attacks, but more frequent use of techniques we’ve seen over the past few years.
They are seeing:
- DDoS attacks and website defacements
- Hacking and “hack-and-leak” operations
- Social engineering and phishing campaigns
- Malware, ransomware and, in some cases, destructive wiper tools
The threat is real, but it’s not unknown. Controls designed for these known techniques are still highly relevant – especially as attempts increase and targeting patterns shift.
Who’s behind the activity?
Iran can call on a broad ecosystem of cyber actors.
- Hacking groups and sympathetic collectives
As of 6 March, more than 70 groups and collectives had publicly signaled support for Iran. They’re primarily known for data leaks, defacements and disruptive DDoS attacks, often targeting websites, apps, APIs and other public-facing assets of organizations perceived to support the U.S. and Israel. So far, the most reported impact has been disruption and nuisance, not large-scale destruction.
- Iranian Advanced Persistent Threat (APT) groups
Groups such as APT33, APT42 and MuddyWater have a track record of more sophisticated campaigns. They combine spear phishing, social engineering, malware, ransomware, data exfiltration, and wipers. Recent research has found evidence of Iranian actors embedded in some U.S. corporate networks. At the same time, many new campaigns would still need to be built largely from the ground up, and bombardment and connectivity issues inside Iran are limiting some activity for now.
We’re likely to see continued cyber activity linked to the conflict, and spillover to organizations far from the front line.
From cyber space to physical damage
One of the most striking developments is the link between ground operations and digital resilience.
Iranian drones have hit several AWS data centers in the region, causing disruption to digital operations for organizations relying on those facilities, though contingencies are likely to have been put in place in advance to maintain operations. More broadly, digital infrastructure – from data centers to telecoms – is now clearly a potential target for military combat.
That has two key implications. Regional disruption can quickly become a global business continuity issue. Meanwhile, disaster recovery and resilience plans are no longer theoretical – they’re being tested in real time.
For cyber insurance, this is exactly where coverage and services converge: outage-driven business interruption, cloud and technology dependencies, and the strength of an organization’s incident response and continuity planning.
Who’s most exposed?
Historically, Iran-aligned actors have focused on U.S. and Israeli interests, including critical infrastructure, energy, defense, telecommunications and financial services in the region and beyond. Today, we see three broad groups of potential targets:
- U.S. and Israeli organizations
Especially those in critical infrastructure and key sectors, or with strong strategic or supply chain links to the parties directly involved. These organizations should maintain heightened monitoring and resilience measures against large-scale DDoS, ransomware, and potentially destructive malware.
- Local and global organizations in the wider region
Companies in countries seen as historic U.S. supporters – including Kuwait, Qatar, Bahrain and Saudi Arabia – face elevated risk, including opportunistic attacks. Large tech providers such as Google, Microsoft, Oracle and Amazon operate facilities in the region and are exposed to disruption, with potential knock-on effects for their clients.
- Organizations elsewhere seen as “supporting enemies”
Iran-backed actors targeted European organizations during the 2015 nuclear negotiations, and the Albanian government in 2022. Similar patterns could emerge whenever countries or organizations are perceived to act against Iranian interests.
Direct political involvement isn’t the only driver of risk. Perception, sector, partnerships and geography all matter – and are key factors in exposure assessment.
What businesses should do now
Most organizations don’t need entirely new security stacks. They need to make sure existing controls are active, effective, and well tested.
In this environment, we recommend that businesses:
- Maintain strong situational awareness through internal teams and trusted threat intelligence sources.
- Keep security operations centers on heightened alert for phishing, social engineering, credential harvesting and DDoS attempts.
- Verify that core controls are working – including MFA, EDR/MDR solutions and email filtering.
- Keep asset inventories current and apply security patches promptly.
- Ensure incident response and crisis management plans are up to date, rehearsed and ready to activate.
- Raise awareness among employees, especially support and frontline teams, with focused guidance on conflict-themed phishing and impersonation attempts.
These measures don’t just reduce the likelihood and impact of a loss. They also demonstrate good cyber hygiene, which is increasingly important for securing and maintaining cyber insurance on sustainable terms.
Stay vigilant, not alarmed
We’re likely to see continued cyber activity linked to the conflict, including opportunistic attacks and potential spillover to organizations far from the front line.
We aren’t facing a new category of unstoppable cyber weapons. We’re facing more frequent use of well understood techniques by determined threat actors in a tense geopolitical environment.
The key is to stay vigilant, not alarmed.
This article draws on publicly available reporting and open‑source information. As with all open‑source material, some details may evolve or be subject to further verification.