Understanding Iran-Aligned Cyber Activity Amid the Current Conflict

The ongoing conflict involving Iran, Israel, and the United States has triggered a surge of cyber activity that highlights how closely digital operations now track real-world events. Iran-aligned actors, many operating from outside the country, are using AI-driven influence campaigns, exploiting exposed edge devices, and launching disruptive attacks that create confusion across networks and social platforms. At the same time, loosely aligned hacktivist groups are amplifying the noise with high-volume DDoS, defacements, and opportunistic intrusions.
In this blog post, we outline the key cyber trends emerging from the conflict, including the rise of proxy hacktivism, AI-driven influence efforts, and the exploitation of exposed edge devices, and examine what these developments mean for organizational security in an increasingly volatile landscape.
Proxy Groups and Hacktivists Drive the Majority of Activity
With Iran experiencing an extended internet blackout, much of the cyber activity attributed to “Iranian” actors is being carried out by external proxy groups and aligned hacktivists. These collectives, including pro-Iranian, pro-Palestinian, and pro-Russian groups, have been responsible for a surge in:
Distributed Denial of Service (DDoS) attacks
Website defacements
Data wiping and pseudo-ransomware incidents
Opportunistic exploitation of unpatched systems
Their operations vary widely in sophistication. Some attacks are low-level and disruptive, while others abuse trusted IT access or service provider relationships to penetrate downstream environments. Targets have ranged from financial institutions and media outlets to energy companies, transportation services, and government entities.
This activity is not tightly coordinated and is not geographically restricted. While most incidents have affected the Middle East and the US, the opportunistic nature of these groups creates a very real risk of spillover into Europe and other allied regions.
AI-Enabled Influence Operations Accelerate Narrative Manipulation
A significant shift in recent weeks has been the increased use of generative AI to power influence campaigns. Iran-aligned actors are deploying networks of AI-generated personas, deepfakes, and fabricated content to push misleading narratives, spread questionable “breaking news,” and erode situational clarity during fast moving events.
This tactic greatly increases the speed and reach of disinformation efforts, which makes monitoring social platforms and verifying information even more critical during geopolitical crises.
Neglected Edge Devices Are Being Used in Support of Kinetic Operations
One of the most concerning patterns emerging from this conflict is the exploitation of poorly secured edge devices, especially internet-exposed cameras. Many of these devices are connected both to the internal network and to the internet, which makes them a convenient bridge for attackers moving from outside to inside.
Both Iran-aligned groups and Israeli operations have been observed accessing compromised camera systems to gather reconnaissance and support kinetic strikes. Incidents involving maritime vessels, urban CCTV feeds, and other exposed infrastructure illustrate how “forgotten” devices can become enablers of real world operations.
This highlights a persistent challenge: devices considered low priority from a security perspective often end up being the easiest entry points for threat actors with much larger objectives.
Notable Absence of Large-Scale Iranian APT Activity - For Now
While proxy groups remain active, well-known Iranian Advanced Persistent Threat (APT) groups have been unusually quiet. There are several possible explanations, including connectivity limits caused by the blackout or simply a strategic choice to operate with greater stealth.
However, past activity attributed to these actors, including campaigns we've researched and reported on publicly, demonstrates that these groups possess both the capability and intent to conduct more sophisticated operations when conditions allow.
Regardless of the reason, the lack of visible activity should not be interpreted as a reduction in capability or intent. Historically, advanced groups tend to move quietly and strike when conditions favor maximum impact, often taking a long time to prepare, plan and execute attacks.
Key Trends in Tactics, Techniques, and Procedures
Across actors and campaigns, several recurring themes have emerged:
Compromise of IT service providers (supply chain) leading to downstream access via legitimate remote management tools
Phishing across multiple platforms, from email to messaging apps to social networks
Heavy targeting of edge devices, particularly cameras and IoT infrastructure
Use of legitimate administration tools for stealthy persistence and lateral movement
Botnet-powered DDoS attacks aimed at causing confusion or masking higher impact intrusions
Opportunistic exploitation, such as SQL injection and unpatched internet-facing systems
These patterns reinforce how diverse and uneven the capabilities of participating groups are, increasing uncertainty for defenders.
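The point above about botnet DDoS masking higher-impact intrusions is one a SOC can act on directly: treat the DDoS window as a reason to scrutinize, not ignore, remote-management logins that occur during it. The following is an added example, not code from the original post; it uses constructed log lines, an assumed key=value log format for DDoS alerts and remote-management (RMM) console logins, and a constructed allow-list of known admin source IPs.

```python
from datetime import datetime

# Constructed sample logs (not from the original post): a volumetric DDoS
# alert window on the web edge, with RMM console logins inside and outside it.
SAMPLE_LOGS = """\
2026-03-04T10:00:12Z ddos_alert start target=web-edge pps=1800000
2026-03-04T10:03:45Z rmm_login result=success user=svc-backup src=198.51.100.7
2026-03-04T10:05:10Z rmm_login result=failure user=admin src=203.0.113.9
2026-03-04T10:05:41Z rmm_login result=failure user=admin src=203.0.113.9
2026-03-04T10:06:02Z rmm_login result=success user=admin src=203.0.113.9
2026-03-04T10:20:00Z ddos_alert end target=web-edge
2026-03-04T11:30:00Z rmm_login result=success user=admin src=198.51.100.7
"""

# Constructed allow-list of vendor/admin egress addresses (an assumption).
KNOWN_ADMIN_SOURCES = {"198.51.100.7"}

def parse_line(line):
    """Split '<ts> <event> [flag ...] [key=value ...]' into its parts."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    flags = [f for f in fields if "=" not in f]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, kv, flags

def ddos_windows(lines):
    """Return (start, end) pairs for each DDoS alert; an open alert runs to datetime.max."""
    windows, start = [], None
    for ts, event, _, flags in map(parse_line, lines):
        if event == "ddos_alert" and "start" in flags:
            start = ts
        elif event == "ddos_alert" and "end" in flags and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, datetime.max))
    return windows

def masked_logins(log_text, known_sources=KNOWN_ADMIN_SOURCES):
    """Successful RMM logins from unknown sources that land inside a DDoS window,
    annotated with how many failures from the same source preceded them."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    windows = ddos_windows(lines)
    failures, hits = {}, []
    for ts, event, kv, _ in map(parse_line, lines):
        if event != "rmm_login":
            continue
        if kv.get("result") == "failure":
            failures[kv["src"]] = failures.get(kv["src"], 0) + 1
            continue
        if kv["src"] in known_sources or not any(s <= ts <= e for s, e in windows):
            continue  # known admin egress, or no concurrent DDoS noise
        hits.append({"time": ts.isoformat(), "user": kv["user"],
                     "src": kv["src"], "prior_failures": failures.get(kv["src"], 0)})
    return hits
```

Running masked_logins(SAMPLE_LOGS) surfaces only the 10:06:02 admin login from 203.0.113.9, with two preceding failures, while the known-source and out-of-window logins are left alone.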
What This Means for Organizations
The evolving conflict underscores several realities about modern cyber risk:
1. High-volume hacktivist noise is here to stay
During periods of geopolitical tension, disruptive attacks often increase and can obscure more targeted campaigns.
2. Edge devices pose real operational risk
Unpatched cameras, IoT systems, and vendor-managed hardware should be treated as part of the core risk surface.
3. AI is transforming the information environment
Organizations should expect rapid waves of misleading content during crises, complicating incident response and broader situational awareness.
4. Stealthy state actors may still be active behind the scenes
Absence of evidence is not evidence of inactivity, especially with actors known for patient, long-term access.
5. Geographic boundaries are increasingly irrelevant
Even if your organization operates far from the conflict, indirect or spillover targeting remains a credible possibility.
Preparing for What Comes Next
While strong cyber hygiene remains foundational, today’s threat environment demands more adaptive defenses. Organizations need tighter identity security, better visibility and segmentation of edge devices, and careful oversight of third‑party access. They must also be prepared to navigate both technical intrusions and fast‑moving information threats. As geopolitical tensions continue to shape the cyber landscape, the convergence of cyber operations and influence campaigns should be expected — and planned for.
Sources
NetBlocks – Internet blackout reporting
Check Point Research – Iranian cyber capabilities
https://blog.checkpoint.com/research/what-defenders-need-to-know-about-irans-cyber-capabilities
Palo Alto Unit 42 – Iranian cyberattacks 2026
https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
DarkReading – Pro‑Iran cyberattacks
https://www.darkreading.com/threat-intelligence/war-pro-iranian-actors-cyberattacks
GossiTheDog reporting
Graphika – Influence operations analysis
https://graphika.com/reports/everything-everywhere-all-at-once
AWS Threat Intelligence – Bridging cyber and kinetic operations
CNN – Reporting on US/Israel operations
https://edition.cnn.com/2026/03/03/middleeast/us-israel-plot-kill-iran-khamenei-latam-intl
BBC – Reporting on pager‑based attacks
NTT Security – Analysis of an Iranian APT’s E400 PowGoop Variant
https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant