Iran Cyberattacks Surge: US, Israel & Gulf States at Risk | Ghacks Technology News
Following recent escalations in the Middle East, Iranian-linked hacking groups have demonstrably increased their cyber activity, targeting organizations across the region and raising concerns about potential spillover effects for US entities. This surge in activity includes reconnaissance scans, espionage operations, and distributed denial-of-service (DDoS) attacks, signaling a coordinated campaign alongside ongoing physical conflict. While initial activity has focused on Israel and Persian Gulf nations, cybersecurity researchers are urging US organizations to proactively prepare for potential attacks.
Probing for Weaknesses: API and Mobile App Reconnaissance
Security firm Approov detected a rise in sophisticated probing attacks originating from Iranian actors beginning in early February 2026. These attacks specifically targeted Application Programming Interfaces (APIs) and mobile applications used by government entities in the region. APIs are sets of rules and specifications that allow different software applications to communicate with each other, making them a valuable target for attackers seeking access to sensitive data or systems. The probing activity abruptly ceased on February 27th, coinciding with a widespread internet blackout within Iran, likely disrupting the attackers’ operations. This suggests a deliberate effort to map out potential vulnerabilities before the outbreak of open military hostilities, a common tactic known as pre-positioning – quietly installing tools and gaining access for later, more disruptive attacks. JP Castellanos, threat intelligence director at Binary Defense, explained that this pre-staging allows attackers to “launch more disruptive attacks later.”
A Multifaceted Attack Strategy: DDoS, Ransomware, and Disinformation
Researchers at Check Point have identified intrusions attributed to Cotton Sandstorm, also known as Haywire Kitten, a hacking group believed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). This group has been observed employing WezRat, an information-stealing malware, delivered through spearphishing emails disguised as urgent software updates. These campaigns have, in some instances, been followed by ransomware attacks targeting Israeli organizations. Ransomware encrypts a victim’s data, demanding payment for its release.
Beyond active intrusions, analysts have also noted the reappearance of older, previously dormant online personas claiming successful hacks of industrial control systems in Israel, Jordan, Turkey, Poland, and several Gulf states. However, experts caution that many of these claims are likely exaggerated or deliberately fabricated as part of a broader disinformation campaign. As one analyst noted, “Iran has historically mixed real intrusions with inflated or fabricated claims to amplify psychological impact.” This tactic aims to create confusion, sow discord, and potentially mask the true extent of their cyber capabilities.
US Organizations: Heightened Risk and Potential Targets
Currently, there have been no publicly confirmed cyberattacks targeting US organizations directly linked to this recent escalation. However, researchers widely believe that such attacks are increasingly probable. Sectors considered to be at the highest risk include defense contractors and government suppliers, organizations with close ties to Israel or shared infrastructure, critical infrastructure providers like energy and water utilities, and companies utilizing Israeli-made industrial technology.
Past incidents demonstrate Iran’s interest in targeting US critical infrastructure. Iranian hackers have previously compromised water systems and other operational technology (OT) networks within the US, often exploiting default passwords and deploying custom malware. While these earlier attacks resulted in limited physical damage, they underscored the attackers’ ability to penetrate sensitive systems. The Cybersecurity and Infrastructure Security Agency (CISA) provides resources and guidance for organizations to improve their OT cybersecurity posture; more information can be found on their website: https://www.cisa.gov/ot-security.
A Long-Term Cyber Campaign: Espionage, Disruption, and Information Warfare
Experts characterize the current situation as a sustained, long-term cyber campaign encompassing espionage, disruption, ransomware-style attacks, and information warfare. A significant component of this campaign is expected to be the proliferation of disinformation, particularly on social media platforms through the apply of automated bots. Individuals should anticipate an increase in dramatic, often unsubstantiated, claims regarding sabotage and damage to infrastructure.
Mitigation and Preparedness: Strengthening Cyber Defenses
To mitigate the risk of cyberattacks, security firms recommend a series of proactive measures. These include promptly patching critical systems to address known vulnerabilities, rigorously reviewing user access controls and eliminating unused or default accounts, closely monitoring third-party and supply-chain risks, and strengthening phishing awareness training for employees. Phishing attacks rely on deceiving individuals into revealing sensitive information or clicking on malicious links.
The potential for disruption extends beyond immediate data breaches. Attacks on industrial control systems, for example, could have cascading effects on essential services. The US Department of Energy has published guidelines for protecting the energy sector from cyber threats: https://www.energy.gov/cybersecurity.
Looking Ahead: Continued Cyber Operations and Escalating Tensions
Researchers generally agree that cyber operations will continue in parallel with the ongoing physical conflict. Organizations in the US, Israel, and Gulf states are advised to treat the threat as immediate and not merely theoretical. The situation remains fluid and unpredictable, and the potential for escalation is high.
The current wave of cyber activity highlights the increasingly intertwined nature of physical and cyber warfare. As geopolitical tensions continue to rise, organizations must prioritize cybersecurity and adopt a proactive, defense-in-depth approach to protect their systems and data. Further analysis of Iranian cyber tactics and techniques will be crucial for developing effective countermeasures and mitigating the risk of future attacks. The ongoing conflict will likely drive further innovation in both offensive and defensive cyber capabilities, creating a constantly evolving threat landscape.
Organizations should establish a clear incident response plan, regularly test their defenses, and maintain open communication with cybersecurity partners and government agencies. Staying informed about the latest threat intelligence and best practices is essential for navigating this complex and challenging environment. The National Institute of Standards and Technology (NIST) provides a comprehensive framework for improving cybersecurity risk management: https://www.nist.gov/cyberframework.