Threat Notice
The recent escalation of military conflict involving Iran has been accompanied by increased cyber activity linked to the situation.
Modern conflicts routinely extend into the cyber domain, with a mix of state-aligned activity, hacktivism, opportunistic cybercrime, and misinformation.
01 What Happened?
In late February 2026, military conflict between Iran, Israel, and the United States escalated following coordinated strikes against Iranian military and leadership targets. These events marked a transition into a hybrid conflict, combining military action with cyber and electronic operations. As part of the escalation:
- Iran experienced a widespread disruption to internet connectivity.
- Iranian government services, media outlets, and elements of critical infrastructure were disrupted or taken offline.
- The cyber domain became an active parallel front to the physical conflict, with cyber operations occurring alongside missile and drone strikes.
This type of hybrid escalation is consistent with previous regional conflicts, where cyber activity is used for disruption, signalling, retaliation, and influence operations.
02 What Are We Seeing Now?
Threat intelligence reports show increased cyber activity linked with the conflict, mostly involving:
- Disruptions like denial-of-service and website defacement.
- Numerous hacktivist claims, often unverified or exaggerated.
- Conflict-themed cybercrime such as phishing, scams, and malware.
- Quick registration of domains used for phishing, fake news, donation scams, or malware.
Overall, the activity is largely opportunistic, unsophisticated, and not highly targeted.
03 What Could Change Next?
If the conflict persists or worsens, intelligence suggests:
- More hacktivist disruptions, especially against high-profile or symbolic targets.
- Greater collateral cyber impact on organisations with regional presence or complex supply chains.
- Cybercriminals exploiting the situation for personal gain by leveraging public attention and emotion.
- A move toward more targeted attacks if state-aligned actors face fewer operational restrictions.
Cyber activity remains unpredictable and will likely change quickly as the physical conflict evolves.
04 Why Does This Matter To You?
Geopolitical conflicts often raise cyber risks for organisations, even if they are not directly involved. For example:
- There is usually a surge in phishing and social engineering attacks linked to ongoing events.
- It becomes harder to distinguish real incidents from misinformation or false reports.
- Opportunistic attacks on internet-facing services are more likely during times of increased global scrutiny.
Such situations tend to benefit attackers who depend on timing, distraction, and large-scale operations rather than advanced technology.
05 What Can You Do?
- Maintain awareness of authentication abuse, brute-force activity, and abnormal traffic patterns.
- Reinforce staff vigilance around conflict-themed phishing and scam content.
- Ensure monitoring and alerting for externally exposed services is functioning as expected.
Based on current observations, no emergency changes to security posture are required for most organisations.
06 Where Can You Find Out More?
The following sources informed DEFEND’s assessment and provide additional context on the situation:
- New Zealand NCSC | Alert for malicious activity in response to Irian situation
- UK NCSC | Advises organisations to take action following conflict in the Middle East
- SOCRadar | Cyber Reflections on the U.S., Israel, and Iran Conflict
- Palo Alto Networks Unit 42 | Escalation of Cyber Risk Related to Iran
- Zscaler ThreatLabz | Middle East Conflict Fuels Opportunistic Cyber Attacks