Iranian state media says Tehran has responded negatively to US diplomatic overtures – Copyright AFP Prakash MATHEMA
There has been a rise in cyberattacks directed at the U.S. and tied to the Iran conflict, which is unsurprising given how far the conflict has escalated.
Moshe Hassan, VP of Research & Innovation at Upwind, closely tracks Iran-linked cyber activity and assesses how hacktivist groups typically operate during periods of geopolitical escalation. He also considers what kinds of attacks may come next, and where defenders should be focused right now.
Hassan tells Digital Journal how these groups tend to operate, how they intersect with nation-state activity, and the tactics and sectors most likely to be at risk.
Digital Journal: What broader trends are you seeing in how cybercrime and nation-state activity are converging right now?
Moshe Hassan: I think we’re already seeing cybercrime increasingly overlap with nation-state cyber operations. Iran is known for having dozens of independent APT groups, and with the rise of AI-enabled tools becoming widely accessible, we should expect more attempts by independent hackers to create impact – often driven by ideology, attention-seeking, or opportunistic goals.
We believe both smaller APT groups with cybercrime motivations and independent actors will broaden targeting. That can include personal targets “in the wild” (personal email/social accounts of executives and high-profile staff) and public-facing interfaces of well-known companies – especially brands that are government-adjacent or highly visible to the public.
CISOs should increase awareness and protections around high-profile personas and accounts, including leadership, comms teams, and employees tied to government-related services delivered by private companies. We expect B2B organizations to see more targeting through social engineering and social media, while B2C companies should be prepared for higher-volume disruption attempts in their environment.
Based on what we’ve seen historically in the Middle East threat landscape, actors may try to leverage access and assets gained from prior compromises to maximize impact – creating confusion, fear, or reputational harm. We also expect quick-win campaigns that aim for outsized impact (e.g., defacement, DDoS, extortion, impersonation/deepfake content).
My focus would be on two questions:
- Are we a likely target based on our business relationships, sector visibility, geography, or connections to critical industries (e.g., energy/critical infrastructure)?
- Are our external-facing systems and identity controls strong enough—and can we tolerate and recover quickly from disruption like defacement or DDoS?
If either is “yes,” it’s time to tighten boundaries: harden identity (especially privileged/high-profile users), reduce exposed attack surface, accelerate patching, and ensure incident response + communications playbooks are ready.
DJ: How do hacktivist groups aligned with Iran typically operate during geopolitical escalation?
Hassan: During a geopolitical escalation, there are two main phases. The first is the first two weeks, when the hackers are using all of their arsenal of red buttons and intelligence produced prior to the escalation, mostly focusing on affecting the upcoming aspects of the war and gathering helpful intel, maybe causing local chaos to disrupt governments.
The second phase is the post-usage phase, where the attackers are more opportunistic because the market is focused on recovery and strengthening the perimeter. I can share that during my service [IDF], we had several incidents every day in the first 7 days of a conflict, but over the next 14 days, it would be reduced to a few a week, until about 3 a week. On the other hand, I can share that the longer the conflict is active, the more low-tech APTs focused on phishing have small successes that can change the average.
DJ: How do these groups interact with or amplify nation-state cyber operations?
Hassan: Basically, nations will want to trigger them, first through money or by defrauding them to take a stand. The other part is active APTs by the government, and the last are just radicals taking the law into their own hands.
DJ: What kinds of activities may organizations see next?
Hassan: In this kind of conflict, the DDoS options are not severe because the Iranian infrastructure is under continuous kinetic attacks that are disrupting massive traffic from going out. They might use DDoS services, but the financial issues might also disrupt that. We believe defacement of third-party apps will be number one, second is old data leakage, which is kind of the defacement, and also civilian surveillance through public cameras and unsecured IoT devices.
DJ: What should defenders be watching for?
Hassan: First is phishing and human-made mistakes; those are the areas where they have had most of their success so far. Second is unsecured hardware like network routers and switches; old hardware or IoT devices are at critical risk. Finally, public interfaces that have massive user interaction or might be left aside, like an old form.