Heightened Cyber Risk to US Financial Services and Critical Infrastructure Amid Iran-US Conflict
US financial services and critical infrastructure operators have moved to heightened vigilance amid escalating Iran–US conflict, with industry groups and analysts warning that geopolitical shocks often correlate with increased cyber activity. Reuters reporting cited by teiss says US intelligence assesses Iran-aligned hacktivists could conduct low-level attacks against US networks—particularly DDoS—and that banks are increasing monitoring and resilience measures given the sector’s role in payments, clearing/settlement, and market infrastructure.
Separate threat research argues the conflict environment increases the likelihood of ICS/OT-focused activity, emphasizing that US critical infrastructure presents an attractive retaliation surface due to civilian impact and a large internet-exposed OT footprint. CloudSEK highlights rapid activation of numerous hacktivist groups after late-February 2026 strikes and points to prior public reporting on long-dwell intrusions and campaigns affecting ICS devices; a SecuritySenses episode similarly describes state-linked hacktivist activity targeting OT (including Unitronics PLCs) and broader spillover effects beyond the region. Other items in the set—an ISC/SANS guest diary on opportunistic scanning and a Dark Reading piece on higher attack volumes in Latin America—do not describe the Iran-related escalation and are not directly part of this specific event narrative.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
U.S. intelligence warns of likely low-level Iran-aligned cyberattacks
A U.S. intelligence assessment cited on 2026-03-05 said Iran-aligned hacktivists could carry out low-level attacks such as DDoS against U.S. networks. The warning contributed to elevated concern across the financial sector.
U.S. financial firms raise cyber alert level amid Iran conflict
By 2026-03-05, U.S. banks and other financial services firms were reported to be on heightened alert for possible cyberattacks as war involving Iran escalated. Industry groups and advisors increased monitoring and emphasized operational resilience in anticipation of Iran-aligned hacktivist activity.
Retaliatory cyberattacks reportedly impact financial infrastructure
As the conflict evolved in June 2025, retaliatory cyber activity was said to affect financial infrastructure in addition to industrial targets. This marked an escalation from influence operations and OT targeting into the financial sector.
Unitronics PLCs and OT systems reportedly targeted worldwide
The same June 2025 campaign reportedly expanded to operational technology, including Unitronics PLCs used in water and industrial facilities. The effects were described as spreading beyond the Middle East, with U.S. water utilities among the targets and IT/OT connectivity and supply-chain weaknesses cited as attack paths.
Iran-linked hacktivists launch psyops and SMS spoofing campaigns
During the June 2025 escalation, groups including Cyber Avengers and Handala were reported to conduct psychological operations and mass SMS spoofing as part of coordinated influence and disruption activity. These actions were presented as state-linked hacktivist operations accompanying the broader conflict.
Operation Rising Lion triggers cyber escalation tied to Iran
In June 2025, a kinetic operation referred to as "Operation Rising Lion" was followed by a sharp cyber escalation that some analysts described as Iran's "12 days of cyber war." The campaign was framed as a hybrid conflict blending physical strikes with cyber operations.
ICBC ransomware attack disrupts some U.S. Treasury trade settlements
In 2023, a ransomware attack on ICBC's U.S. broker-dealer unit disrupted settlement of some U.S. Treasury trades. The incident was cited as a prior example of how cyberattacks can affect financial market operations.
Sources
4 references tracked.
The Price of Neglect: Critical Infrastructure and the Political Economy of Chronic Underinvestment - Center for Cyber Diplomacy and International Security (cybercenter.space)
A Threat Actor Landscape Assessment of ICS/OT Targeting in the 2026 Iran-US Conflict AND THE SCALE OF THE RISK | CloudSEK (cloudsek.com)
teiss - News - US banks on high alert for cyberattacks as Iran war escalates (teiss.co.uk)
Ep. 48 - Iran's 12 Days of Cyber War: How Missiles Triggered a Global OT Hacking Campaign | SecuritySenses (securitysenses.com)


