As military tensions rise between Iran, Israel, and the United States, security experts warn of an increasing number of cyberattacks that could affect businesses and individuals worldwide.
While bombs and missiles threaten the Middle East, the digital consequences may land on networks, endpoints, and offices far from the battlefield. Researchers at Palo Alto Networks’ Unit 42 caution that Iranian state-sponsored actors are likely to expand operations against Western targets as geopolitical pressure grows.
Independent analysis from EclecticIQ has also recorded a significant uptick in cyber incidents following recent escalations in the region, which are currently under a fragile ceasefire. Unit 42 warns, however, that renewed hostilities could spur a broader wave of attacks from both government-backed groups and unaffiliated hacktivists.
From AI to espionage: Iran’s evolving cyber toolkit
Earlier this week, UK Prime Minister Sir Keir Starmer urged businesses to strengthen cybersecurity in light of the Middle East escalation and persistent threats from other adversarial states, such as Russia. Speaking at a NATO summit, he emphasised that countries like Iran and Russia conduct cyber operations regularly and that such actions should be treated as attacks on national security.
One worrying trend is how quickly these threat actors adapt. Rather than relying solely on traditional techniques, Iranian groups increasingly incorporate new tools, including generative AI, to improve the quality and apparent legitimacy of phishing lures and to amplify the psychological impact of destructive operations tied to current events.
Over recent years Iranian cyber operators have broadened their reach. Security teams have observed them using AI to write persuasive phishing messages and to craft believable fraudulent documents tied to reputable organisations, tactics used in tandem with malware to infiltrate and compromise systems.
In one example, operatives created a fake German modelling agency website not to recruit talent but to harvest sensitive information from visitors. In another case, a group tracked as Agent Serpens (also referred to in some reports as Charming Kitten) produced convincing counterfeit documents impersonating the RAND Corporation, and paired those fabrications with malware aimed at compromising targets’ devices.
What a digital conflict with Iran can look like
Unit 42’s findings point to concrete examples of destructive campaigns. Last year, a group targeted Israeli schools and technology firms, not only exfiltrating personal data and intellectual property but also deploying “wiper” malware designed to destroy files and render systems unrecoverable.
Security experts outline four likely cyber scenarios as tensions persist:
- State-sponsored Iranian hackers will escalate targeted operations—ranging from convincingly forged emails aimed at diplomats to destructive malware attacks on businesses with ties to American interests.
- Pro-Iran hacktivists may conduct disruptive operations and influence campaigns, including coordinated denial-of-service attacks that knock websites offline and social media efforts to spread misleading narratives.
- Opportunistic cybercriminals will exploit the chaos with financially motivated phishing and fraud campaigns that leverage public fear and curiosity about the conflict.
- Other nation-states could exploit the confusion by launching attacks while attempting to attribute them to Iran, a false-flag tactic that has precedent; for example, Russia previously leveraged Iranian infrastructure in 2019 to expand access to compromised networks.
Unit 42 groups these Iranian-linked activities under the “Serpens” constellation, noting that individual clusters have distinct specialities. Some, like Agent Serpens, focus on surveillance and targeting of activists and journalists critical of the Iranian government. Others—labelled Industrial Serpens in Unit 42 reporting—engage in disruptive operations such as ransomware or data-wiping campaigns that align with broader state objectives.
Despite differences in tradecraft and goals, these groups share increasing sophistication and resources. They are not casual hobbyists; they represent organised, capable operations with the potential to cause severe operational and reputational harm to organisations and individuals.
Researchers have already documented roughly 120 hacktivist groups engaged in activities related to the current tensions. Their most common tool is the denial-of-service attack, which takes websites and online services offline, while destructive malware such as data wipers remains a growing and dangerous trend.
Protecting yourself from the crossfire
What practical steps can organisations and individuals take to avoid becoming collateral damage?
Security professionals recommend a calm, practical approach focused on fundamentals. Keep systems and applications patched, enforce strong authentication, maintain reliable backups, and train employees to recognise and report phishing attempts. Basic hygiene still prevents many attacks.
Organisations should prioritise protection of internet-facing assets—public websites, VPN gateways, remote access services, and cloud infrastructure—as these are primary entry points for attackers. Implement network segmentation, multi-factor authentication, and real-time monitoring to detect anomalies quickly.
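The "real-time monitoring to detect anomalies" the article recommends is easiest to picture with concrete detection logic. The script below is an added example, not code from the article, Unit 42 or EclecticIQ: it parses a hypothetical, simplified log format (timestamp, source IP, event type, key=value fields) covering a public website and a VPN gateway, and raises alerts for the two patterns the article highlights, a volumetric request flood from one source and a password-spraying burst against remote access, escalating when a spraying source then logs in successfully. All log lines are constructed, and the thresholds and field names are assumptions to be tuned against your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical log format assumed for this example, one event per line:
#   <ISO-8601 UTC timestamp> <source ip> <event> key=value ...
# event "http" is a request to the public website, "vpn_auth" a VPN login attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<event>\w+)(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {"ts": ts, "src": m["src"], "event": m["event"], **fields}


def detect(lines, flood_window=10, flood_threshold=50, auth_window=60, auth_failures=5):
    """Return a list of (severity, rule, source ip, detail) alerts.

    Rules (thresholds are illustrative assumptions):
      flood                       : more than flood_threshold http requests from one
                                    source inside a flood_window-second sliding window.
      auth_spray                  : at least auth_failures failed VPN logins from one
                                    source inside auth_window seconds (users listed).
      auth_success_after_failures : a successful VPN login from a source that already
                                    tripped auth_spray (possible credential compromise).
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])          # stable sort keeps same-second order
    alerts, seen, sprayers = [], set(), set()
    http_win = defaultdict(deque)               # src -> timestamps of recent requests
    fail_win = defaultdict(deque)               # src -> (timestamp, user) of recent failures
    for e in events:
        src, ts = e["src"], e["ts"]
        if e["event"] == "http":
            q = http_win[src]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=flood_window):   # drop expired entries
                q.popleft()
            if len(q) > flood_threshold and ("flood", src) not in seen:
                seen.add(("flood", src))
                alerts.append(("high", "flood", src, f"{len(q)} requests in {flood_window}s"))
        elif e["event"] == "vpn_auth":
            if e.get("result") == "fail":
                q = fail_win[src]
                q.append((ts, e.get("user", "?")))
                while ts - q[0][0] > timedelta(seconds=auth_window):
                    q.popleft()
                if len(q) >= auth_failures and ("auth_spray", src) not in seen:
                    seen.add(("auth_spray", src))
                    sprayers.add(src)
                    users = sorted({u for _, u in q})
                    alerts.append(("medium", "auth_spray", src, f"{len(q)} failures, users={users}"))
            elif e.get("result") == "success" and src in sprayers:
                alerts.append(("critical", "auth_success_after_failures", src,
                               f"user={e.get('user', '?')}"))
    return alerts


def sample_lines():
    """Constructed log lines for the demo (not captured from any real system)."""
    base = datetime(2025, 6, 24, 9, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    # Normal browsing from 198.51.100.10: a few requests spread over a minute.
    for i in range(4):
        lines.append(f"{fmt(base + timedelta(seconds=15 * i))} 198.51.100.10 http path=/ status=200")
    # Request flood from 203.0.113.7: 120 requests in 6 seconds.
    for i in range(120):
        lines.append(f"{fmt(base + timedelta(seconds=i // 20))} 203.0.113.7 http path=/ status=503")
    # Password spraying against the VPN gateway from 192.0.2.5, then a success.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"{fmt(base + timedelta(seconds=5 * i))} 192.0.2.5 vpn_auth user={user} result=fail")
    lines.append(f"{fmt(base + timedelta(seconds=40))} 192.0.2.5 vpn_auth user=frank result=success")
    # One mistyped password from a legitimate user: below threshold, no alert.
    lines.append(f"{fmt(base + timedelta(seconds=50))} 198.51.100.10 vpn_auth user=grace result=fail")
    lines.append("garbage line that does not parse")   # exercises the parser's None path
    return lines


if __name__ == "__main__":
    for severity, rule, src, detail in detect(sample_lines()):
        print(f"[{severity}] {rule} from {src}: {detail}")
```

Run as-is it prints three alerts: the flood from 203.0.113.7, the spray from 192.0.2.5 listing the usernames tried, and a critical alert when that same source succeeds as "frank"; the single failed login from the legitimate user stays below threshold. The sliding-window deques keep memory bounded per source, and alerts are de-duplicated per rule and source so a sustained flood does not produce one alert per request.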
Prepare for reputational risk as well. Threat actors may falsely claim responsibility for breaches to harass or embarrass targets, or to spread political narratives. Having a clear incident response and communications plan helps organisations respond quickly, contain technical issues, and mitigate reputational damage from false allegations.
Most of all, avoid complacency. As cyber operations evolve alongside kinetic conflict, vigilance and timely response to unusual network activity can reduce the risk of becoming the next high-profile victim.
See also: Salt Typhoon: Chinese hackers compromise Canadian networks
Explore other upcoming enterprise technology events and webinars powered by TechForge.