
Iran conflict: What critical infrastructure operators need to know

As the fighting in Iran continues to expand across the region, critical infrastructure is under continuing cyber attack – here’s what to expect and how to prepare for the worst.

Fri, 06 Mar 2026

There’s no doubt that Iran is currently getting the worst of the fighting between it and the armed forces of the United States and Israel.

That said, the country is still capable of striking back, both with what must be a dwindling supply of missiles and drones, as well as digital attacks.

And as those stocks of kinetic options drop, cyber warfare – despite massive internet disruption in Iran – may very well become the country’s best avenue of retaliation.

 
 

However, Gary Barlet, Public Sector CTO at cyber security firm Illumio, does not expect any cyber response to be particularly well-coordinated.

“I expect activity, but not necessarily a highly coordinated, top-tier campaign,” Barlet said.

“Cyber remains an attractive option because it’s low-cost, fast to deploy, and can create outsized psychological and operational effects.”

It’s not just government- or IRGC-backed hackers that are expected to cause mischief. Many pro-Iran hacktivist groups, from within the region and elsewhere around the world, are also becoming involved.

“Those groups aren’t impacted in the same way by kinetic strikes or domestic disruptions, and they often step up during moments like this with things like DDoS campaigns, defacements, or disruptive intrusion attempts.”

These groups are also largely opportunistic, relying upon unpatched systems, exposed credentials, and poor segmentation to achieve their goals and carry out attacks, particularly on critical infrastructure targets, where older operational technology may offer a unique opportunity. Cyber, Barlet said, is a highly viable way for such groups to “lash out”.

“None of that is particularly advanced, but in critical infrastructure environments, it doesn’t need to be. Even basic access can create disruption, especially if attackers are able to move laterally or sell that access to other actors,” Barlet said.

“That’s why the fundamentals matter so much right now – reducing exposed services, locking down credentials, and making sure a compromise can’t spread unchecked.”

This, Barlet said, is the moment to ensure all critical systems are thoroughly locked down and to be vigilant for any unusual activity.

“Validate patches, eliminate default passwords, tighten MFA, and pay closer attention to logging and alerts. Assume someone may get in – and make sure they can’t turn a foothold into a larger incident,” Barlet said.

“For critical infrastructure, especially, containment and resilience matter far more than chasing the illusion of perfect prevention.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
