Iran Conflict – Increased Likelihood of Cyberattacks

THE THREAT

On February 28th, 2026, the United States and Israel conducted major attacks against Iran, dubbed Operation Epic Fury and Operation Roaring Lion. Attacks against Iran will likely result in increased cyber activity from pro-Iranian threat actors against Israel, the United States, and their allies.

Operation's Epic Fury and Roaring Lion involved targeting Iranian air defenses, military sites, and leadership. Following these military operations, Iran responded with kinetic strikes against Israel, and other US allies hosting American troops in the region. Cyber-attacks from pro-Iranian groups have also been identified, targeting organizations within Isreal and the United States, but details are limited.

Opportunistic threat actors may seek to take advantage of this conflict by either masquerading as Iranian actors, utilizing the conflict as a lure in their campaigns. Organizations that operate in the region, and those with connections to Israel or the United States must evaluate their threat model and consider implementing stricter security controls due to the heightened risks.

What we're doing about it

• eSentire MDR for Network has detections in place for vulnerabilities that have been targeted by Iranian threat actors in the past, with examples including CVE-2024-21887, CVE-2024-3400, and CVE-2025-55182
• eSentire's Threat Response Unit (TRU) actively tracks Iranian-based threats
  • eSentire maintains detections for known Iranian associated Tactics, Techniques, and Procedures (TTPs)
• eSentire's Threat Response Unit (TRU) continues to monitor for new information related to Iranian-based threat actors and will develop additional detections across the eSentire platform as actionable intelligence becomes available

What you should do about it

• Deploy Endpoint Detection and Response (EDR) solutions to all supported assets
• Conduct Phishing and Security Awareness Training (PSAT) to educate users on how to identify and report malicious content
• Ensure all externally facing systems are fully patched and running the latest updates
  • Iranian-linked APT groups have been known to target vulnerabilities within products such as Palo Alto Networks PAN-OS, GlobalProtect VPN, Citrix NetScaler, Check Point Security Gateways, BIG-IP F5 devices, and React Server
• Enforce a strict password policy across the organization and implement Multi-Factor Authentication (MFA) where possible
  • Additionally, Conditional Access policies should be applied to restrict access to trusted and managed devices
• Additional Recommendations for Organizations in Critical Infrastructures Sectors:
  • Implement network segmentation to isolate critical systems and limit lateral movement
  • Check programmable logic controllers (PLCs) for default or weak passwords and update them accordingly
  • Refer to CISA's advisory on IRGC-Affiliated Cyber Actors targeting PLCs across multiple sectors for further guidance and additional recommendations

Additional Information

Iranian state-sponsored threat actors are known to target critical infrastructure, energy (oil & gas), water & wastewater, in addition to various government and private sector organizations, such as telecommunications, financial, healthcare, and academic. These groups utilize a variety of initial access methods, which include, but are not limited to,exploiting vulnerabilities in Internet facing assets, social engineering, and bruteforce attacks. Iranian state-sponsored APT groups primarily conduct espionage and influence-motivated campaigns. Tools deployed in these campaigns include malware (Remote Access Trojans), Remote Monitoring and Management (RMM) tools, ransomware, and destructive wipers. At this time, it is unclear whether Iranian state-sponsored APTs remain capable of coordinating sophisticated response actions, due to the attacks against the country's infrastructure. Pending available capabilities, there is a high probability that these groups will target US and Israeli government, military, and supporting industries.

Following Operation Rising Lion, which involved the US and Israel targeting Iran in June 2025, an uptick in pro-Iran hacktivist activity was identified, which targeted organizations within Israel and the United States. In March 2026, the Islamic Cyber Resistance, an Iranian-linked hacktivist group, reportedly announced a recruitment campaign of "cyber experts and resources" for what was referred to as "the great epic battle". Flashpoint identified that the Handala Group had targeted Industrial Control Systems (ICS) within Israel, along with disrupting manufacturing and energy distribution in the country. Flashpoint also indicated that the Fatimiyoun Electronic Team was conducting attacks against "Western financial and energy firms" to deploy wiper malware. On February 28th, CrowdStrike warned that Iran-aligned groups were identified conducting reconnaissance and Distributed Denial-of-Service (DDoS) attacks. Based on historic trends, eSentire's Threat Intelligence team assesses with moderate confidence that pro-Iranian hacktivist groups will continue to target US-affiliated organizations in retaliatory cyber operations.

Iran has also made threats against ships traversing the Strait of Hormuz, which sees approximately 20% of the world's gas and oil shipped through it. There have been reports of attacks on oil tankers in the Strait of Hormuz over the weekend, however it is unclear who is responsible. Long term area denial of the Strait has the possibility of causing large impacts on the global economy.

References:
[1] https://www.centcom.mil/MEDIA/PRESS-RELEASES/Press-Release-View/Article/4418396/us-forces-launch-operation-epic-fury/
[2] https://en.idi.org.il/articles/63607
[3] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
[4] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
[5] https://www.picussecurity.com/resource/blog/understanding-active-iranian-apt-groups
[6] https://www.reuters.com/world/middle-east/israel-takes-name-iran-operation-bible-verse-2025-06-13/
[7] https://socradar.io/blog/cyber-reflections-us-israel-iran-war/
[8] https://www.jpost.com/defense-and-tech/article-888468
[9] https://www.bankinfosecurity.com/western-cybersecurity-experts-brace-for-iranian-reprisal-a-30890
[10] https://www.washingtoninstitute.org/policy-analysis/profile-fatemiyoun-electronic-squad
[11] https://www.cybersecuritydive.com/news/iran-hackers-threat-level-us-allies/813494/
[12] https://www.businessinsider.com/fight-iran-spread-oil-tankers-vessels-strait-of-hormuz-2026-3