US companies and critical infrastructure facilities are on alert for a surge in disruptive cyber threats from Iran-affiliated groups and traditional ransomware criminals as US attacks against Iran continue to reverberate across the Middle East.
Cyber threat intelligence researchers say they’re already seeing an uptick in cyber operations in the region and are cautioning organizations, from flagship American brands to defense-adjacent businesses and critical infrastructure entities, against looming cyber threats in the US. At the same time, they’re urging a dose of skepticism as Iranian-affiliated groups have a history of exaggerating the scale of their attacks.
The researchers and lawyers anticipate Iranian retaliation against US entities in the short and long term, mostly through low-level but highly visible attacks, such as defacing company websites or overwhelming public-facing servers to disrupt services. The Iran-affiliated groups will likely be seeking to send a message rather than steal sensitive information, the cyber professionals said. The escalation of conflict in the Middle East should spur organizations to review cyber incident response plans, share threat intelligence with other companies and government agencies, and prioritize fixing known unpatched vulnerabilities, they say.
“They want to make a little bit of a show of it. It’s not about a long term material impact, but they want to be able to point and say, ‘Look at big brand X, this US brand. We took them down.’ And they’ll be bombastic in how they talk about it,” said Alexandra Rose, head of government partnerships and director of the counter threat unit at Sophos, an AI-powered cyber solutions provider. “If you are a flagship American brand, you’re synonymous here with the US. Those are additional considerations.”
The risk of elevated cyber threats comes as a lapse in funding for the last three weeks has shut down many operations at the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency, which is responsible for protecting critical infrastructure. DHS Secretary Kristi Noem said in a statement she is in “direct coordination with our federal intelligence and law enforcement partners” as the department continues to “closely monitor and thwart any potential threats to the homeland.”
Elevated Cyber Threats
Cyber threat intelligence researchers say they’re already seeing an increase in cyber activity and claims of cyber attacks in the Middle East, giving US entities a glimpse of the threats they may face.
Government entities, critical infrastructure, financial services, and defense-adjacent commercial entities face the highest risk of elevated threats in the coming days and weeks, cyber threat researchers from Sophos said Sunday in a cyber advisory.
Iran-affiliated groups have a history of retaliating against perceived political slights via a range of methods, said Cynthia Kaiser, senior vice president of the Ransomware Research Center at Halcyon, an anti-ransomware solutions provider and former FBI cyber official. Over the last 15 years, they’ve disabled financial services websites, erased data from targeted companies, and defaced websites following the death of a senior Iranian military leader.
“That was the immediate,” Kaiser said. “For years after that, we saw them really hearkening back to their desire to retaliate with their other cyber operations, and it became a driving force for them.”
Hacktivist groups with ties to the Islamic Revolutionary Guard Corps, the country’s security force, are already making claims and threats about attacks in the region, John Hultquist, chief analyst at
“We expect Iran to target the US, Israel, and Gulf Cooperation Council countries with disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure,” he wrote, adding that many operations will be similar to ransomware attacks.
The types of threats US entities could face may vary, but cyber professionals largely expect low-effort attacks with the most visible impact. Hacktivists—ideologically motivated actors—or proxy groups may pursue website defacement campaigns, for example. Other affiliated groups may go after unresolved vulnerabilities or capitalize on credentials they’ve already stolen.
“Attacks from Iran are generally more focused on sending a message or creating an effect versus stealing information,” said Fran Faircloth, partner at Ropes & Gray LLP.
‘Grain of Salt’
Despite calls for heightened scrutiny, some cyber professionals are also calling for healthy skepticism toward the scale of potential cyber operations against the US. The ongoing conflict in the Middle East could delay the bulk of retaliation efforts, while Iran-affiliated groups may also over-sell cyber threats posed to US entities.
“Iran has historically had mixed results with disruptive cyberattacks, and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact,” Google’s Hultquist wrote. “Though they can have serious impacts on individual enterprises, it’s important to take their claims with a grain of salt.”
Cyber threat intelligence professionals say some hacktivist groups are already ramping up exaggerated—if not fabricated—claims of cyber disruption in the region. This means companies should ensure their incident response plans include steps to handle external communications.
“What we often see missing from that incident response plan is including their marketing PR teams to say, ‘How are we going to message this externally?’” Kaiser said. “When you’re dealing with a country or groups that you know mix the lies with the real, it’s really important to think how quickly and where you can be transparent about what did or didn’t happen.”
The potential for cyber misinformation also puts renewed focus on the importance of timely and accurate information sharing between both private sector companies and government entities.
“These are these moments where community and industry information sharing is extremely important,” said Michael Irwin, chief information security officer at Odyssey Logistics, a supply-chain logistics provider.
He added, “The key is, you look at a group validation of what people are seeing.”
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.