Iran Retaliation Cyber Risk After U.S. and Israeli Strikes
Coordinated U.S. and Israeli strikes on Iranian targets have raised expectations of Iranian state-aligned cyber retaliation against U.S., Israeli, and allied interests. Reporting and vendor intelligence assessments warn that Iran has historically paired kinetic escalation with cyber operations ranging from low-level disruption (website defacements and DDoS) to higher-impact activity (ransomware-style disruption, hack-and-leak operations, espionage, and destructive/wiper malware), with likely targeting pressure on government, critical infrastructure, defense, financial services, academia, and media. The situation is described as fast-moving, with no definitive public attribution yet tying major new cyber campaigns directly to the latest strikes.
Separately, multiple reports highlight unrelated security issues: GreyNoise observed large-scale reconnaissance and SSL VPN enumeration against SonicWall SonicOS devices via commercial proxy infrastructure—activity consistent with precursor targeting that often precedes credential attacks and ransomware intrusions. CISA also issued updated technical details on RESURGE, a stealthy implant used in zero-day exploitation of Ivanti Connect Secure via CVE-2025-0282, including passive C2 behavior and TLS-fingerprint-based authentication/evasion; Mandiant linked the exploitation to China-nexus activity (UNC5221). Other items in the set include a generic IoT security pitfalls article, a weekly security roundup, and a conference write-up, none of which materially advance the Iran-retaliation storyline.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
CISA, NSA, and UK NCSC warn of growing Iranian cyber threat
CISA, the NSA, and the UK NCSC issued a warning that Iranian-aligned cyber activity poses a growing risk amid geopolitical tensions and urged organizations to assume they could be targeted. The advisory highlighted exploitation of unpatched vulnerabilities, weak identity controls, exposed remote access, credential attacks, ransomware-style disruption, and risks to sectors including critical infrastructure and OT/ICS.
FINRA warns member firms of heightened Iranian cyber threat
FINRA issued a cybersecurity alert to member firms warning of heightened risk from Iranian state-sponsored and Iran-aligned cyber actors amid Middle East tensions. The notice said FINRA was not aware of significant Iran-related attacks on the financial sector as of March 16, 2026, but urged firms to harden defenses and report incidents to regulators and law enforcement.
Astaara publishes analysis of Iranian cyber capability
Astaara's analysis on Iranian cyber capability was published, indicating continued public assessment of Iran's cyber posture after the regional escalation. No further details were available in the provided reference.
Halcyon reports MuddyWater preparing Operation Olalampo
Halcyon said it observed Iranian state-linked group MuddyWater preparing an operation dubbed Operation Olalampo targeting the Middle East, Turkey, and Africa, with overlaps to a separate campaign tracked as RedKitten. The report framed this as part of heightened post-strike cyber risk and warned of possible destructive and disruptive retaliation by Iran-aligned actors.
Experts warn U.S. defenses may be strained during retaliation risk
Nextgov reported expert concerns that likely Iranian cyber retaliation could test U.S. domestic defenses, especially as CISA's warning and coordination capacity may be constrained by staffing and funding issues. The article highlighted elevated risk to critical infrastructure and operational technology, including internet-facing ICS and PLC environments.
SentinelOne warns of heightened near-term Iranian cyber risk
SentinelOne published an intelligence brief assessing with high confidence that Iranian state-aligned cyber activity is likely to intensify against organizations in Israel, the United States, and allied nations. The company said it had not yet attributed significant malicious cyber activity directly to the current events and had no indication it or its customers were being specifically targeted at publication time.
Reports emerge of reduced internet connectivity in Iran
Amid the military escalation, reports indicated reduced internet connectivity in Iran, though the cause was described as uncertain. Commentators suggested cyber, electronic, or signals-intelligence activity may have played a role.
Iran launches attacks across the region after the strikes
Following the strikes, Iran carried out attacks across the region, further escalating tensions. Analysts cited this escalation as increasing the likelihood of near-term state-aligned Iranian cyber operations.
U.S. and Israeli strikes hit Iranian targets
Coordinated U.S. and Israeli strikes against Iranian targets triggered a new phase of regional escalation and renewed concern about associated cyber activity. Multiple references describe these strikes as the catalyst for expected Iranian cyber retaliation.
Sysdig warns June 2025 strikes could spur Iranian cyber activity
Sysdig published a threat bulletin warning that the June 22, 2025 U.S. strikes on Iranian nuclear infrastructure could trigger increased cyber operations by Iranian state-sponsored APTs and pro-Iranian hacktivists. The report highlighted risks to cloud and Linux environments and identified groups including APT35, APT33, and Pioneer Kitten.
Sources
7 references tracked.
[FORECAST] Iran-Linked Cyber Risk Is Real. The Evidence Bar Is Harder (Updated: 2026-05-14)
blog.alphahunt.io
Iranian Cyber Threats, Geopolitics and the New Cyber Reality | SecuritySenses
securitysenses.com
Cybersecurity Alert - Heightened Threats From Iranian Cyber Actors | FINRA.org
finra.org
Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates
halcyon.ai
Strikes on Iran will test US cyber strategy abroad, and defenses at home - Nextgov/FCW
nextgov.com
SentinelOne Intelligence Brief: Iranian Cyber Activity Outlook
sentinelone.com
Sysdig Threat Bulletin: Iranian Cyber Threats | Sysdig
webflow.sysdig.com


