The Cyber Dimension of the US-Israel-Iran Conflict: A CISO's Guide

11 March 2026 · 10 min read

Since the outbreak of military conflict on 28 February 2026, Iranian-aligned groups have launched sporadic cyber campaigns against US, Israeli, and allied targets. For CISOs, this represents both an acute threat and a reminder of long-standing vulnerabilities that demand attention.

What We've Seen So Far

The opening weeks of the conflict have witnessed an increase in Iranian cyber activity. Most notably, the Iran-linked group Handala - believed by threat intelligence firms to be a front for the state-sponsored actor Void Manticore - claimed responsibility for a highly disruptive attack on Stryker, a Fortune 500 medical technology company. The group alleges it wiped over 200,000 servers and devices across 79 countries and exfiltrated 50TB of data.

Other observed activity includes:

  • Infrastructure targeting: Attempts to compromise cameras in Middle Eastern countries to improve missile targeting capabilities
  • Data centre attacks: Operations against regional data centres hosting military communications infrastructure
  • Industrial facilities: Attacks on Israeli industrial targets, a Saudi school, and Kuwaiti airport systems
  • Critical infrastructure: Continued targeting of US water treatment facilities and power stations

Why Iranian Capability Appears Diminished

Despite this activity, security experts note that Iranian cyber operations have not reached the scale many anticipated. Several factors explain this:

Military strikes on command infrastructure: Physical attacks on Iranian military facilities have likely disrupted command and control networks used to coordinate cyber operations.

Internet disruptions: Widespread internet outages across Iran have hampered the ability of state-sponsored groups to operate effectively.

Resource constraints: Sanctions and economic pressure have limited Iran's ability to invest in cyber infrastructure and talent at the same pace as peer adversaries like Russia and China.

However, experts caution against complacency - Iranian actors will be adapting their tactics to work around these constraints.

Iranian-Aligned Groups Outside Iran

A significant factor in this conflict is the mobilisation of proxy and aligned groups operating outside Iranian territory:

Handala/Void Manticore: This group exemplifies the blurred lines between hacktivism and state sponsorship. While publicly presenting as pro-Palestinian activists, Handala employs sophisticated wiper malware and operational techniques characteristic of state-backed actors. Since the conflict began, they have claimed attacks on Israeli military weather servers, security feeds in Jerusalem, and multiple commercial targets.

Russian collaboration: CrowdStrike has detected a surge in activity from Russian hackers supporting Tehran. A group called Z-Pentest claimed responsibility for disrupting US networks, including CCTV camera systems. This represents a concerning escalation - the pooling of Russian and Iranian cyber capabilities against common adversaries.

Pro-Palestinian hacktivists: Ideologically motivated actors across the Middle East and beyond have joined the fray, conducting denial-of-service attacks and website defacements. While less sophisticated, these actors can overwhelm target organisations through volume.

Historical Modus Operandi

Iranian cyber operations have evolved considerably over the past decade. Understanding their typical approaches helps anticipate future activity:

Destruction Over Profit

Unlike ransomware gangs motivated by financial gain, Iranian groups prioritise disruption and data destruction. The Stryker attack exemplifies this - wiper malware designed to render systems inoperable rather than extract ransoms. This makes attribution and motivation clearer, but also means victims face pure destruction without the option of payment recovery.

Critical Infrastructure Focus

Iranian actors have consistently targeted so-called "soft targets" - organisations with limited security resources but high public impact. US water treatment facilities have faced repeated intrusion attempts. Healthcare systems, local government, and educational institutions feature prominently in targeting. The calculus is simple: these targets offer easier entry while still generating the chaos and public concern Tehran seeks.

Information Operations

Beyond technical intrusions, Iranian groups excel at information warfare. Notable campaigns include:

  • Impersonating American activists to covertly encourage anti-Israel protests on US college campuses
  • Operating fake news websites and social media accounts to spread disinformation before major elections
  • The 2024 Trump campaign email compromise, where Iranian hackers infiltrated campaign systems and attempted to disseminate stolen materials
  • Psychological warfare through Telegram channels where attackers openly discuss targets and coordinate campaigns

Social Engineering Sophistication

Iranian groups demonstrate particular skill in phishing and social engineering. The 2024 attempts to compromise WhatsApp accounts of both Trump and Biden showcase their willingness to target high-profile individuals directly. More commonly, they exploit trust relationships and topical lures - COVID-19-themed phishing in 2020, election-related lures in 2024, and now conflict-themed attacks.

What CISOs Should Consider

For most organisations, the fundamentals of good security remain unchanged. However, the current threat environment demands renewed attention to specific controls:

Immediate Priorities

Patch management acceleration: Iranian actors actively exploit known vulnerabilities. The gap between patch release and installation is your window of maximum risk. Prioritise external-facing systems and those with elevated privileges.

Identity hygiene: Remove stale accounts immediately. Iranian groups frequently leverage forgotten service accounts and dormant user profiles for persistence, preferring to log in rather than hack in. Enforce multi-factor authentication universally - no exceptions for executives or legacy systems.
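As an added example, not code from the original article: a small Python audit over a constructed identity export that flags the account states the paragraph warns about. It reports enabled accounts (user or service) dormant past a 90-day threshold, accounts that have never signed in, and any enabled account without MFA, executives included. The column names, the 90-day threshold, the reference date and every sample row are assumptions; a real run would feed it an export from your directory or identity provider.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). The columns are an assumption
# about what an IdP or Active Directory export typically carries.
SAMPLE_EXPORT = """\
account,kind,last_signin,mfa_enrolled,enabled
alice,user,2026-03-09T08:12:00Z,true,true
svc-backup,service,2025-06-01T02:00:00Z,false,true
bob,user,2025-11-20T17:45:00Z,false,true
ceo,user,2026-03-10T07:30:00Z,false,true
old-contractor,user,2025-01-15T09:00:00Z,true,true
svc-legacy-erp,service,,false,true
retired,user,2024-12-01T10:00:00Z,true,false
"""

# Fixed reference time (assumed "today") so the audit is reproducible offline.
REFERENCE_NOW = datetime(2026, 3, 11, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # assumed policy threshold


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str   # "user" or "service"
    issue: str  # "stale", "never_signed_in" or "no_mfa"


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1"}


def audit_accounts(rows, now=REFERENCE_NOW, stale_after=STALE_AFTER) -> list[Finding]:
    """Flag enabled accounts that are dormant, never used, or lack MFA.

    Disabled accounts are skipped: nobody can log into them, so they are not
    the "log in rather than hack in" risk this check is about.
    """
    findings: list[Finding] = []
    for row in rows:
        if not _truthy(row["enabled"]):
            continue
        name, kind = row["account"], row["kind"]
        last = row["last_signin"].strip()
        if not last:
            # Enabled but never used: provisioning debris or an unwatched credential.
            findings.append(Finding(name, kind, "never_signed_in"))
        else:
            seen = datetime.fromisoformat(last.replace("Z", "+00:00"))
            if now - seen > stale_after:
                findings.append(Finding(name, kind, "stale"))
        # MFA is checked independently: an active account without MFA is a
        # finding even if it signed in this morning (no executive carve-out).
        if not _truthy(row["mfa_enrolled"]):
            findings.append(Finding(name, kind, "no_mfa"))
    return findings


def issues_by_account(findings) -> dict[str, list[str]]:
    """Group findings per account for a review ticket or disable list."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.account, []).append(f.issue)
    return {name: sorted(issues) for name, issues in grouped.items()}


def disable_candidates(findings) -> list[str]:
    """Accounts to disable now: dormant or never used."""
    return sorted({f.account for f in findings if f.issue in {"stale", "never_signed_in"}})


if __name__ == "__main__":
    results = audit_accounts(parse_export(SAMPLE_EXPORT))
    for account, issues in issues_by_account(results).items():
        print(f"{account}: {', '.join(issues)}")
    print("disable now:", disable_candidates(results))
```

The two checks are deliberately independent: a freshly used account with no MFA still appears in the output, which is what "no exceptions for executives" means in practice, and dormant service accounts surface alongside dormant users rather than being filtered out because they are "not people".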

Network segmentation: Assume breach. Ensure that compromise of a single endpoint cannot readily propagate across your environment. Isolate critical operational technology networks from corporate IT.

Backup integrity: Given the prevalence of wiper attacks, verify that your backups are truly recoverable. Air-gapped or immutable backups are essential. Test restoration procedures regularly.
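An added restore-drill example, not the article's own code: it records a SHA-256 manifest of a constructed dataset at backup time, writes a deliberately imperfect restore into a temporary directory, and verifies every manifest entry against the restored tree, so the drill catches both a silently altered file and a file the restore never produced. The file names and contents are constructed; in a real drill the restore target would be an actual test restore and the manifest would live on the immutable or air-gapped media with the backup.

```python
import hashlib
import os
import tempfile

# Constructed dataset standing in for what was backed up (not real data).
ORIGINAL_FILES = {
    "db/prod.sql": b"CREATE TABLE patients (id INT, name TEXT);\n",
    "config/app.yaml": b"listen: 0.0.0.0:8443\ntls: required\n",
    "keys/signing.pem": b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n",
}

# What the restore job actually produced (constructed): one file intact, one
# altered (corruption, or a wiper that reached the replica), one missing.
RESTORED_FILES = {
    "db/prod.sql": ORIGINAL_FILES["db/prod.sql"],
    "config/app.yaml": b"listen: 0.0.0.0:8443\ntls: optional\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Content hash per file, taken at backup time and stored with the backup."""
    return {path: sha256_hex(data) for path, data in files.items()}


def _local_path(restore_dir: str, path: str) -> str:
    return os.path.join(restore_dir, *path.split("/"))


def write_restored(restore_dir: str, files: dict[str, bytes]) -> None:
    """Write the (simulated) restore output under restore_dir."""
    for path, data in files.items():
        full = _local_path(restore_dir, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def verify_restore(restore_dir: str, manifest: dict[str, str]) -> dict[str, str]:
    """One status per manifest path: "ok", "missing" or "mismatch".

    The manifest drives the loop, so a file absent from the restore is
    reported rather than silently ignored; hashing only the files that
    happen to be present would miss exactly the failure a wiper causes.
    """
    status: dict[str, str] = {}
    for path, expected in manifest.items():
        full = _local_path(restore_dir, path)
        if not os.path.isfile(full):
            status[path] = "missing"
            continue
        h = hashlib.sha256()
        with open(full, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream large files
                h.update(chunk)
        status[path] = "ok" if h.hexdigest() == expected else "mismatch"
    return status


def run_restore_drill(restored=RESTORED_FILES) -> dict[str, str]:
    """Full drill: manifest at backup time, restore, verify."""
    manifest = build_manifest(ORIGINAL_FILES)
    with tempfile.TemporaryDirectory() as restore_dir:
        write_restored(restore_dir, restored)
        return verify_restore(restore_dir, manifest)


def restore_is_recoverable(status: dict[str, str]) -> bool:
    """True only when every backed-up file came back byte-for-byte."""
    return bool(status) and all(s == "ok" for s in status.values())


if __name__ == "__main__":
    result = run_restore_drill()
    for path, s in result.items():
        print(f"{s:8} {path}")
    print("recoverable:", restore_is_recoverable(result))
```

The point of the drill is the verdict, not the hash list: a backup that "completed successfully" but returns one mismatch or one missing file is not recoverable, and that is the answer the control owner needs before an incident, not during one.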

Heightened Monitoring

Geopolitical indicators: Organisations with defence industry connections, Israeli business relationships, or critical infrastructure status should operate at elevated alert levels. Monitor threat intelligence feeds for indicators of compromise associated with Handala, Void Manticore, and related groups.

Telegram and dark web monitoring: Iranian groups increasingly coordinate in public channels. Understanding the discourse can provide warning of impending campaigns.

Supply chain exposure: The Stryker attack demonstrates that supply chain partners of defence contractors face elevated risk. Review your third-party security posture and contractual security requirements.

Is This Business as Usual?

In many respects, yes. The controls that protect against Iranian actors protect against ransomware gangs, Chinese espionage, and insider threats alike. Defence in depth, least privilege, and robust incident response capabilities are universal requirements.

However, several factors warrant particular attention during this period:

Motivation asymmetry: Unlike financially motivated attackers who may accept partial success, ideologically driven actors often seek maximum disruption. They have patience and persistence that profit-driven criminals may lack.

Collateral damage risk: Organisations without obvious defence or Israeli connections may still face targeting. Iranian actors often cast wide nets, and proxy groups may lack the sophistication to distinguish primary from secondary targets.

Escalation potential: The involvement of Russian groups alongside Iranian actors represents a concerning trend. The cyber conflict may expand as other state actors enter the fray.

Physical-cyber convergence: The attempt to compromise regional cameras for missile targeting illustrates how cyber operations directly enable kinetic warfare. This blurring of domains creates novel risks for organisations operating in affected regions.

The Bottom Line

For CISOs, the US-Israel-Iran conflict serves as both an acute threat warning and a validation of security fundamentals. The groups currently active against Western targets have operated for years. Their techniques are known. Their indicators of compromise are catalogued.

The question is not whether your organisation could withstand an Iranian cyber attack. The question is whether you have implemented the basic controls that render such attacks unsuccessful. Patch your systems. Remove stale accounts. Segment your networks. Verify your backups. Train your staff to recognise phishing.

These are not exciting measures. They are effective ones. And in the current threat environment, they are more critical than ever.

The cyber war is already underway. Your preparation determines whether your organisation becomes a casualty or a footnote.
