The war in Iran was less than 24 hours old when it produced a historic first: the deliberate targeting of commercial data centers. On March 1st, Iranian drones hit three Amazon Web Services (AWS) facilities in the United Arab Emirates and Bahrain, disrupting core cloud infrastructure and knocking out finance apps and enterprise tools not only across the Gulf, but also far away from the region. The attacks showed that physical distance from a conflict zone is no guarantee of insulation from the impacts of kinetic warfare.
For most organizations, however, the more immediate risk plays out in cyberspace and involves all manner of threat actors. Within hours of the US-Israel ‘Operation Epic Fury’ (‘Operation Roaring Lion’) on February 28th, Iran-nexus cyber-actors mobilized in large numbers – Palo Alto Networks’ Unit 42 counted more than 60 active pro-Iranian hacktivist groups. Also within hours, cybersecurity agencies in the United Kingdom and Canada both warned about heightened threat levels. Before long, similar warnings were echoed by Europol and the US Department of Homeland Security.
Threats and threat actors
The outbreak of a kinetic conflict often broadens both the volume and the cast of cyber-actors involved. Hacktivist activity – noisy and often wrapped in bluster and bravado – often surges first. Advanced Persistent Threat (APT) operations involving reconnaissance and initial access run in parallel or closely behind. Once footholds are established and targets are mapped, the stage is set for whatever the operation was actually designed to accomplish, be it espionage, disruption, sabotage or other goals.
The lines aren’t necessarily clear-cut, of course, and some tactics can be deployed in tandem: a website defacement or distributed denial-of-service (DDoS) attack that looks like a nuisance-level hacktivist operation might be a deliberate distraction from an actual attack that’s quietly exploiting the target through a different vector.
Iran-nexus groups rank among the most active and resourceful state-aligned groups worldwide, and their offensive cyber-capabilities and toolsets have matured recently. The threat is especially acute for organizations with supply chain relationships in the Middle East or other ties to the region, not to mention those with cloud dependencies there.
The CyberAv3ngers group’s campaign against water and wastewater utilities in the US and other countries in 2023 illustrated how that targeting logic is operationalized. The ominous message that the bad actor left on compromised systems – “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target” – read like hacktivist output, but the group was quickly found to be operating under Iranian state direction. This blurring of hacktivist identity and state-aligned operations, whose roots may well go back to the Saudi Aramco incident in 2012, has a name, too: “faketivism.”
Operational overlaps among distinct groups run even deeper than that, however. ESET researchers have previously documented close links between several Iran-aligned APT actors. Notably, MuddyWater has worked closely with Lyceum, a subgroup of OilRig, as well as probably acted as an initial access broker (IAB) for other Iran-aligned groups.
Muddying the waters further, several pro-Russian hacktivist groups have now apparently joined the fray in support of Iran, and there are reports of Iran-linked groups engaging with IABs on Russian cybercrime forums. This effectively expands both the available tools and the range of reachable targets. Critical infrastructure is one of the most coveted ‘trophies’ by all manner of adversaries, and recent ESET telemetry shows that Iran-aligned actors disproportionately target entities that operate in engineering and manufacturing.
Also, whenever the goal is retaliation, destruction tends to take priority over, say, ransomware-fueled extortion. Data-wiping malware is a consistent feature of modern conflict-adjacent operations – Russia-aligned groups have demonstrated this pattern repeatedly in Ukraine.
When it comes to attacks that give bad actors a lot of bang for their buck, supply chain compromise typically reigns supreme. Back in 2022, ESET Research documented how the Iran-aligned Agrius group deployed a destructive wiper called Fantasy through a supply-chain attack that abused an Israeli software developer, hitting targets in various verticals and well beyond Israel. The blast radius of a supply-chain attack could reach organizations that were never directly targeted and have no obvious connection to the conflict.
A related risk concerns managed services providers (MSPs) and their customers. Also in 2022, ESET documented a campaign where the adversary compromised an MSP in order to gain access to their end targets. They didn’t need to infiltrate their targets directly; instead, they let the MSP’s access pathways do the legwork for them. The campaign was orchestrated by the MuddyWater cyberespionage group, recently a powerhouse in Iranian APT circles that has undergone a notable evolution.
Once known for loud, automated attacks, MuddyWater is now increasingly leaning towards more stealthy and refined operations involving ‘hands-on-keyboard’ activities in targeted environments. Much like some other Iran-aligned collectives, MuddyWater has also pivoted to the tried-and-tested technique of abusing legitimate Remote Monitoring and Management (RMM) software. That way, the group can blend into legitimate network traffic and complicate detection.
The group is also known to favor internal spearphishing from already-compromised inboxes – emails from a colleague’s account rather than an external sender – with a high success rate, for obvious reasons. Spearphishing attachments and links have long been the most popular initial access techniques among most Iran-aligned APT groups, including OilRig and APT33. However, exploitation of known software vulnerabilities isn’t unheard of, either, as seen in a recent Ballistic Bobcat campaign.
MuddyWater remains very much active in 2026 – last month, security researchers at Broadcom’s Symantec and Carbon Black identified the group in the networks of multiple US entities, including an airport, a bank, and a software firm with ties to Israel.
Hey there! Have you heard about the recent cyber-activity from Iran-aligned actors? Despite their efforts, the overall volume of offensive cyber-activity is still not as intense as what was seen after the attack on Israel in October 2023. This could be due to Iran’s internet blackout.
Google’s Threat Analysis Group emphasized that cyber capabilities are often the go-to tool in conflicts. Recently, a major cyberattack by the pro-Iranian group Hamdala caused a global shutdown of systems at a US-based medical technology company.
To stay resilient in the face of such threats, it’s crucial to focus on securing internet-facing devices, limiting attack surfaces, closing security gaps, auditing supply chains, watching out for phishing attempts, mapping cloud dependencies, and preparing for data destruction.
As the threat landscape continues to evolve, organizations need to be proactive in addressing security vulnerabilities. If you have access to top-notch threat intelligence, now is the time to stay vigilant and informed.
Stay safe and keep an eye on your cybersecurity measures! sentence: “The cat chased the mouse through the house.”
Rewritten sentence: “Through the house, the cat pursued the mouse.”
