State-backed ransomware activity raises new concerns over escalating threats to OT, critical infrastructure operations


Ransomware groups are increasingly being used as proxy weapons in geopolitical cyber warfare, enabling nation-states to exert pressure on their adversaries while maintaining plausible deniability. What began as financially motivated cybercrime can now serve influence operations and cause operational disruption. While the change has been incremental, it has been unmistakable. Criminal groups, ideological hacktivists, and state-aligned adversaries are converging and sharing environments, infrastructure, tactics, techniques, and procedures (TTPs), access brokers, and, at times, even strategic objectives.

Operations linked to Iran show cybercrime, espionage and industrial sabotage drawing ever closer together. A recent investigation exposed claims by pro-Iran hackers that they altered on-the-ground conditions to target critical wheat reserves, demonstrating how cyber activity can directly affect food security and industry. Once access is established, these adversaries can choose how and when to attack.

At the same time, a March 2026 Trellix assessment of Iranian cyber capability described the growing sophistication of Iran’s cyber ecosystem, including use of affiliated groups and ransomware-style operations that blur the distinction between state-directed campaigns and criminal activity. Meanwhile, Check Point Research found Iranian-linked actors targeting internet-connected cameras across the Middle East, highlighting how cyber operations are increasingly synchronized with physical conflict environments.

The broader trend mirrors patterns explored in The Guardian’s examination of hybrid conflict and covert operations, where proxy actors, deniable operations, and infrastructure disruption are becoming central features of modern geopolitical confrontation. For OT security teams, ransomware is no longer just extortion. It is increasingly a mechanism of strategic coercion.

This comes as cyber adversaries are rapidly integrating generative AI into offensive operations across the attack lifecycle. In recent findings, Google found that threat actors linked to China, Russia, Iran, and North Korea are using large language models such as Gemini to accelerate reconnaissance, vulnerability research, phishing, malware development, privilege escalation, and post-compromise activity. Attackers were also observed researching publicly disclosed vulnerabilities, evading detection systems, automating operational tasks, and targeting government and enterprise environments. 

Rise of ransomware in geopolitical cyber conflict

Industrial Cyber reached out to experts across the industrial cybersecurity sector to examine how the cyber dimension of the U.S.-Israel-Iran conflict has evolved, and when ransomware groups emerged as a meaningful instrument within it.

Georgianna George Shea, chief technologist at the Foundation for Defense of Democracies (FDD)

“The cyber dimension of the U.S.-Israel-Iran conflict has expanded rather than shifted away from espionage,” Georgianna Shea, chief technologist at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation (CCTI) and director of its Transformative Cyber Innovation Lab (TCIL), told Industrial Cyber. “Espionage remains active, but it now operates alongside sabotage, influence operations, destructive malware, hack-and-leak campaigns, hacktivist personas, ransomware, and OT targeting.” 

She noted that the important change is not that single-tool attacks disappeared. “It is that the tempo and coordination of complex attacks have increased. Actors combine access operations, malware, ransomware, public personas, leaked data, and OT disruption to create political, psychological, financial, and operational pressure.” 

“Ransomware became meaningful in this conflict around 2020 and 2021 as cover for destructive or coercive activity,” Shea added. “By 2023, it was functioning more clearly as a coercive tool. After October 2023, conflict activity increasingly intersected with critical infrastructure targeting, ransomware-as-a-service ecosystems, PLC targeting, and OT disruption.”

Abdul Alamri, principal threat intelligence analyst at Dragos

Cyber activity in the U.S.–Israel–Iran conflict follows a pattern where geopolitical escalation drives increased cyber operations, Abdul Alamri, principal threat intelligence analyst at Dragos, told Industrial Cyber. “This typically results in more intrusion attempts, disruption activity, and influence operations involving state-aligned groups, hacktivist personas, and criminal actors, including ransomware.” 

Noting that there has been limited observable activity directly attributable to Dragos-tracked threat groups with demonstrated OT-impact capability, Alamri added that, in contrast, hacktivist personas have increased targeting of industrial organizations across the United States, Israel, and the GCC, often through high-visibility claims lacking technical evidence or confirmation.

“However, not all activity can be dismissed as noise. Select incidents demonstrate credible enterprise-level disruption, such as activity attributed to Handala Hack, Iranian-linked by government and security vendor sources, and also tracked by Dragos as TAT26-14,” Alamri detailed. “The Stryker incident illustrates how, as publicly reported, compromise of identity and endpoint management infrastructure enabled disruption at scale without direct OT interaction.”

Alamri also pointed out that ransomware has become a significant instrument as its role expands beyond financial extortion. “The RaaS model enables affiliates to operate independently, allowing ransomware to be deployed opportunistically or aligned with broader narratives. Cases such as Pay2Key reflect this shift, with activity aligned to geopolitical timelines.”

He added that despite increased ransomware activity and claims, Dragos has not observed confirmed ransomware-driven OT disruption. “The primary risk remains indirect, driven by enterprise compromise affecting operational continuity, visibility, and recovery.”

Saltanat Mashirova, senior manager for OT cybersecurity

Saltanat Mashirova, senior manager for OT cybersecurity at CPX, told Industrial Cyber that the cyber dimension of the US–Israel–Iran conflict has evolved significantly since early 2026, coinciding with the escalation of physical hostilities. Iran-aligned cyber actors, including APT groups like MuddyWater and APT33, have increasingly targeted critical infrastructure. 

Mashirova highlighted that by March 2026 ransomware had emerged as a tool for strategic escalation, as groups like DragonForce exfiltrated sensitive data from industries such as energy and medical devices. “This shift marked a move from disruptive tactics to monetization. State-aligned actors have increasingly leveraged criminal groups, obscuring attribution and amplifying the impact of their attacks, using critical infrastructure as a prime target within hybrid warfare tactics.”

Amit Hammer, CEO at Salvador Technologies

“The cyber dimension has moved from espionage and disruption into a continuous pressure campaign against civilian and industrial systems. But it is important to say clearly: This is not new,” Amit Hammer, CEO at Salvador Technologies, told Industrial Cyber. “We have already seen direct attempts to impact critical infrastructure years ago. A good example is April 2020, when there was an attempt attributed to Iranian actors to disrupt Israel’s water infrastructure. That was an early signal that cyber operations were moving beyond intelligence gathering into attempts to create real-world operational impact.”

He added that since then, the activity has intensified and become more systematic. “After October 2023, we saw a sharp increase in coordinated cyber and influence operations targeting Israel and its partners. Ransomware became strategically meaningful when it developed from being mainly a criminal business model into a useful instrument of disruption. In OT environments, the real impact is not only encryption; it is operational downtime, safety implications, and the inability to recover quickly.”

How Iran blends state cyber operations with criminal ransomware activity

The executives examine how Iranian state actors are leveraging criminal ransomware groups in practice, and how this approach differs from the way U.S. or Israeli-aligned actors operate in the space.

“Iranian actors use ransomware groups as gray-zone instruments. They broker victim access, use criminal infrastructure for tooling and deniability, and disguise coercive operations as ordinary extortion,” Shea said. “CISA, FBI, and DC3 reported that Iran-based actors provided network access to ransomware affiliates, including NoEscape, RansomHouse, and ALPHV/BlackCat. The difference is partly operational. As an assessment, U.S. activity generally appears to stay within formal military, intelligence, law enforcement, sanctions, and advisory channels.”

She added that Iranian-linked activity is closer to irregular warfare, using proxies, criminal markets, concealment, and ambiguity to create effects without clean attribution.

“Threat groups that have been identified by various sources as Iranian-aligned leverage ransomware ecosystems indirectly rather than through clearly attributable, centralized tasking,” Alamri said. “Pay2Key is a relevant example. Dragos assesses with moderate confidence that groups such as PARISITE intended to use ransomware capabilities and their criminal reputation to support a pro-Iran narrative during periods of escalation.”

He added that ransomware is not always the primary objective but can be introduced after access is established or layered onto existing footholds. The RaaS model enables affiliates to operate independently using shared tooling, without clear visibility into their intent or alignment.

“Ransomware activity across the Middle East has increased, including groups such as Everest, APT73/Bashe, The Gentlemen, INC Ransom, and Crypto24,” according to Alamri. “From a victimology perspective, targeting increases during escalation periods, particularly against infrastructure-adjacent sectors. However, there is no confirmed evidence that these groups are directly aligned with or tasked by the Iranian regime.”

Iranian state actors use criminal ransomware groups like DragonForce and Handala as proxies for cyberattacks, Mashirova said, adding that these groups conduct extortion campaigns targeting critical sectors like energy and healthcare, while also engaging in cyber disruption, hack-and-leak operations, and DDoS attacks. “This approach allows Iran to exert pressure and disrupt adversaries’ operations while maintaining plausible deniability. The use of ransomware by these groups adds a financial element to their strategic goals, complicating the attribution of the attacks.”


Cyber targeting trends reshape industrial risk calculations

The executives examine the industrial sectors and OT environments most at risk, and what targeting patterns tell us about strategic intent.

Shea observes that the most exposed sectors are water and wastewater, energy, fuel systems, transportation, manufacturing, government services, and healthcare. 

“The most exposed OT environments are internet-facing PLCs and HMIs, remote access pathways, engineering workstations, historians, and serial-to-Ethernet conversion boundaries that expose Level 0/1 devices to routable networks,” she added. “The Level 0/1 issue has two parts. First, sensors, actuators, drives, and conversion devices are trusted inputs to the control system. Second, many were not designed with authentication, logging, or cyber forensics. The strategic intent is coercive disruption and pre-positioned escalation capability, including the ability to manipulate physical process inputs without producing the network evidence defenders expect.”

“Manufacturing remains the most exposed sector, followed by transportation and logistics and the broader ICS ecosystem, including engineering firms, system integrators, and equipment manufacturers,” Alamri said. “These sectors are consistently targeted due to low tolerance for downtime and reliance on enterprise systems.”

He added that targeting is focused on enterprise and OT-supporting environments rather than control systems, including ERP platforms, virtualization infrastructure, engineering systems, and remote access services.

“Key sectors exposed to cyber threats include government services, energy, telecommunications, healthcare, and water systems,” according to Mashirova. “Iranian-affiliated actors have increasingly targeted OT environments like PLCs and SCADA systems in these sectors, exploiting vulnerabilities in systems with direct internet exposure.” 

She emphasized that the targeting of critical infrastructure suggests a strategic intent to disrupt essential services, weaken adversaries’ resilience, and amplify the effects of kinetic military actions. “Energy infrastructure, in particular, remains a focal point for exerting geopolitical leverage.”

Hammer identified that the most exposed sectors are manufacturing, energy, water and wastewater, logistics, maritime ports, chemicals, and utilities. “The targeting pattern tells us the intent is not random. Attackers are looking for environments where a small cyber event creates a large operational consequence: production stops, cranes stop, water systems are disrupted, or energy generation is interrupted.”

Cybercriminals and nation-states grow harder to distinguish

The executives focus on how threat intelligence teams distinguish between state-directed campaigns and opportunistic criminal activity, and where that line remains blurred.

Threat intelligence teams use pattern-based attribution: capability thresholds, infrastructure overlap, geopolitical timing, victim selection, tooling, and whether effects serve strategic objectives or ordinary profit, Shea said. “The line blurs because Iranian actors use criminal infrastructure and hacktivist personas, while both state and criminal actors use living-off-the-land techniques to evade detection.” 

Citing the Shamir Medical Center case, she added that it shows the attribution problem: an attack initially attributed to an Eastern European ransomware group was later attributed by Israeli officials to Iran. “In OT, the blur is worse because sensor or actuator manipulation can appear as equipment failure, process instability, or operator error.”

“The distinction is based on targeting, timing, infrastructure overlap, and operational behavior,” Alamri said. “State-aligned activity typically aligns with geopolitical events and strategic sectors, while ransomware activity more often follows access availability and monetization opportunities.”

However, he added that the line remains blurred. “Shared tooling, access brokers, and RaaS models allow different actors to operate on similar infrastructure and tradecraft. Affiliates may target geopolitically relevant victims without confirmed alignment, while state-aligned groups can leverage criminal ecosystems indirectly. As a result, attribution relies on confidence levels and behavioral patterns rather than clear separation.”

Mashirova highlighted that threat intelligence teams distinguish state-directed attacks by their sophistication, targeting precision, and alignment with geopolitical events. State-sponsored campaigns often target critical sectors and employ advanced techniques such as credential harvesting and SCADA manipulation. 

However, she added that the line is increasingly blurred as criminal groups, such as Handala, operate similarly to state actors by leveraging ransomware for data theft and extortion. This overlap complicates attribution, requiring deeper analysis of tactics, infrastructure, and operational behavior to differentiate between criminal activity and state-aligned efforts.

Noting that the line is blurred, Hammer said that a ransomware crew can be financially motivated and still serve a strategic purpose. “A hacktivist persona can be a front. CyberAv3ngers is a good example of that, as CISA described it as an Iranian IRGC-affiliated cyber persona targeting critical infrastructure.”

Are governments doing enough on industrial cyber defense?

Lastly, the executives address what U.S. and Israeli industrial operators are doing differently in response to the threat, and whether governments are providing the intelligence and regulatory support needed to operate at conflict tempo.

“U.S. operators are disconnecting internet-facing PLCs, tightening remote access, improving segmentation, and treating CISA advisories as operational baselines even when compliance is voluntary,” Shea said. “Israel operates closer to a wartime model, but Cyber Dome should not be overstated. Israel describes it as a multi-layered, proactive, AI-enabled defense concept, not a guarantee of protection.” 

She added that the “recent Iranian-linked camera compromises and data-wiping incidents show that attacks still got through. The gap is Level 0/1 measurement integrity. Operators should add cryptographic inventories, stronger remote-access key management, firmware-signing reviews, PQC-ready refresh requirements, and SCADA-lab validation.”

“Industrial operators and governments are increasingly recognizing ransomware as a prominent threat,” Alamri assessed. “While efforts remain uneven, they are improving compared to previous years. Recent incidents show that ransomware can create significant financial and operational impact without directly targeting OT. There is an increasing shift toward prioritizing resilience over prevention, with a focus on identity hardening, securing remote access, improving IT–OT segmentation, and ensuring the recoverability of critical systems.”

He added that government support is improving but remains inconsistent. Intelligence is often high-level and not always actionable, and regulatory frameworks are not fully aligned with the pace required to operate at conflict tempo.

“CISA has released guidance emphasizing the need to isolate OT networks from the public internet, implement multifactor authentication (MFA) for remote access, and strengthen incident detection capabilities,” Mashirova said. “CISA also advises the disconnection of vulnerable PLCs from public-facing networks and the adoption of secure gateways and firewalls for remote access, mitigating exposure to external threats.” 
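The exposure conditions described in this article, Level 0/1 devices reached through serial-to-Ethernet conversion from routable networks, internet-facing PLCs and HMIs, and remote access without MFA, can be checked mechanically against an asset inventory. The following is an added example, not code from the article, CISA, or any vendor quoted here; the inventory format, zone names, field names, and sample assets are this example's own assumptions, and the three rules are a simplified reading of the guidance quoted above rather than an official CPG checklist.

```python
from dataclasses import dataclass

# Zones an asset may accept connections from. Everything from "dmz" upward is a
# routable network above the control zone in this model (an assumption of the
# example, loosely following the Purdue layering the article refers to).
ROUTABLE_ABOVE_OT = {"dmz", "enterprise", "internet"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                   # "PLC", "HMI", "EWS", "historian", "serial-gw" ...
    purdue_level: int           # 0/1 field devices, 2 supervisory, 3 site operations
    accepts_from: frozenset     # zones that can open connections to this asset
    remote_access: bool = False  # a remote-access path (VPN, jump host, vendor link) ends here
    mfa: bool = False            # that path enforces multifactor authentication
    authenticated: bool = True   # the device or its protocol authenticates its peers


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    control: str
    detail: str


def assess(assets):
    """Return findings for the inventory, most severe first, then by asset name."""
    findings = []
    for a in assets:
        # Rule 1: no control-zone asset (Levels 0-2) should be reachable from the
        # public internet ("isolate OT networks from the public internet").
        if a.purdue_level <= 2 and "internet" in a.accepts_from:
            findings.append(Finding(a.name, "critical", "isolate-ot-from-internet",
                f"{a.kind} at Level {a.purdue_level} accepts connections from the internet"))
        # Rule 2: Level 0/1 devices that cannot authenticate must not be reachable
        # from routable networks above the control zone (the serial-to-Ethernet
        # boundary problem described earlier in the article).
        above = sorted(a.accepts_from & ROUTABLE_ABOVE_OT)
        if a.purdue_level <= 1 and not a.authenticated and above:
            findings.append(Finding(a.name, "high", "level01-unauthenticated-exposure",
                f"{a.kind} without device authentication reachable from {', '.join(above)}"))
        # Rule 3: every remote-access path must enforce MFA.
        if a.remote_access and not a.mfa:
            findings.append(Finding(a.name, "high", "mfa-on-remote-access",
                f"remote access to {a.kind} without multifactor authentication"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.asset))
    return findings


def summarize(findings):
    """Count findings per control so a team can see which gap dominates."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


# Constructed sample inventory (not real assets); each rule fires at least once.
SAMPLE_INVENTORY = [
    Asset("PLC-PUMP-01", "PLC", 1, frozenset({"ot", "internet"}), authenticated=False),
    Asset("HMI-LINE-2", "HMI", 2, frozenset({"ot", "dmz"}), remote_access=True, mfa=False),
    Asset("EWS-03", "EWS", 3, frozenset({"ot", "dmz"}), remote_access=True, mfa=True),
    Asset("SER-GW-07", "serial-gw", 1, frozenset({"enterprise"}), authenticated=False),
    Asset("HIST-01", "historian", 3, frozenset({"dmz", "enterprise"})),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f.severity:8}] {f.asset:12} {f.control:34} {f.detail}")
    print(summarize(assess(SAMPLE_INVENTORY)))
```

Run against the sample inventory, the checker raises one critical finding (the internet-reachable PLC) and three high findings (the same PLC and the serial gateway exposed without device authentication, and the HMI with MFA-less remote access); the engineering workstation with MFA and the historian at Level 3 produce nothing. In practice the `accepts_from` sets would be populated from firewall and conduit reviews rather than typed by hand, and the summary counts give a quick view of whether segmentation or identity hardening is the larger gap.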

She identified that governments, including those in the Gulf region, are playing a crucial role by offering intelligence sharing and regulatory frameworks designed to help operators stay ahead of emerging threats. “Frameworks, such as CISA’s Cybersecurity Performance Goals (CPGs), provide necessary guidance and best practices to respond effectively at conflict tempo. However, as cyber threats continue to evolve rapidly, there remains a need for continuous adaptation and cross-sector collaboration to ensure defense mechanisms stay up to date.”

Hammer noted that almost all leading operators are moving from prevention only to resilience – this has become a clear shift. “They assume compromise is possible and ask: can we keep operating, can we recover safely, and can we recover fast enough?”

In Israel, he observed that the conflict tempo has made this mindset very practical. Operators in ports, energy, chemicals, and manufacturing understand that OT recovery is not the same as IT recovery. “You cannot simply restore a file server and call it done. You need clean, bootable, tested recovery for HMIs, engineering stations, SCADA servers, and legacy assets.”

“At the plant level, the shift is very clear: from trying to stop every attack to ensuring operational continuity no matter what,” according to Hammer. “The organizations that are prepared are the ones that can restore operations instantly and keep production running, always.”
