Cyber Implications of the Israel-Iran Conflict – Part 1

Published by: SecAlliance
Published on: June 17, 2025

Following the outbreak of direct conflict between Iran and Israel in June 2025, SecAlliance published an analysis of Iran’s cyber strategy, unpicking key drivers of Iranian operations, the structure of its state-sponsored cyber apparatus and Tehran’s broader cyber capabilities.

Within our various intelligence-sharing communities, there has been a lot of discussion concerning the potential cyber implications of the June 2025 Israel-Iran conflict. Many organisations have questions regarding the likely targets of Iranian cyber activity, how significant this activity is likely to be and what form it might take. Looking at each of these questions in turn:

· Israel is the most likely target for Iranian cyber activity.

· Cyber operations are unlikely to impact Western entities.

· Asymmetric capabilities indicate cyber operations are unlikely to significantly alter the cyber threat landscape.

What are the most likely targets of Iranian cyber activity?

The Israeli state, its security forces and Israeli society more generally are almost certainly the highest priority targets for Iran at the time of writing.

Cyber-enabled espionage attacks against military and political/governmental targets are almost certainly ongoing. Cyber-enabled intrusion and sabotage efforts targeting the Israeli military (especially missile defence systems) and broader critical national infrastructure (CNI), including transport networks, utilities and financial systems, are also highly likely. The nature of Israeli kinetic targeting in Iran, such as strikes on oil export infrastructure and state media, indicates that Iranian attempts to retributively target broader Israeli economic and social interests are likely. However, the comparative capabilities of both sides and Israel’s position as a ‘hard target’ with effective and sophisticated cyber defence mechanisms in place indicate that the likelihood of notable success in such attacks is very low.

There is a strong possibility that Iranian cyberespionage and sabotage operations may extend to states which Iran assesses to be assisting Israel (most notably Jordan), or which Tehran considers to be hostile to its interests (such as Saudi Arabia and the UAE). These countries are assessed to be significantly less well-prepared than Israel to counter Iranian cyber threats, and therefore arguably present the most realistic mechanism through which Iran could effectively wield its limited cyber capability in this conflict.

At the time of writing, an increase in Iranian targeting of North America, Europe and the West more broadly is unlikely. Iran’s already-ongoing small-scale, relatively targeted and generally less sophisticated cyber-enabled espionage and intrusion operations targeting the West are unlikely to change as a result of the developing conflict and will likely continue on a similar scale and tempo. Additional targeting of Western business interests unrelated to Israel or other areas of interest to Iran (such as nuclear discussions and policy) is unlikely, although this situation may change over time depending on developments like potential US support of Israel. Once again, however, the limited scale and sophistication of Iran’s offensive cyber operations mean that even when intent is present, capability is limited.

Is this cyber activity likely to be strategically significant*?

SecAlliance assesses that cyber-enabled activity is unlikely to significantly alter either the conflict or the wider cyber threat landscape. This assessment is based on the following premises:

1. SecAlliance assesses Iran’s offensive cyber capabilities to be limited in scale and sophistication compared to other cyber-capable nation-states and in relation to the defensive capabilities of its likely targets, namely Israel.

2. As events have escalated into kinetic exchanges, the utility of cyber-enabled operations has decreased. The likelihood of Iran seeking to or being able to achieve comparable, strategically significant effects through cyber-enabled sabotage operations is low.

3. If Iran had some form of reserve capability, such as zero-day vulnerabilities or pre-positioned access to a target network, it is likely that such a resource would have already been exploited during the period of heightened tensions ongoing since February 2024 or immediately around the first exchange of strikes in June 2025.

4. Control over Iran’s intelligence infrastructure has been subject to significant degradation by Israel. Ongoing kinetic operations are likely to further erode Iran’s intelligence capabilities, including cyber-focused operations.

How would such an attack likely be conducted?

A comprehensive breakdown of the MITRE ATT&CK TTPs deployed by Iranian state-linked advanced persistent threat (APT) groups is available to our clients on the ThreatMatch platform. Some broad themes are worth noting:

· Iranian APT groups are currently highly unlikely to have access to a comprehensive catalogue of zero-day vulnerabilities, and they have limited pre-positioned network access of the kind that would facilitate imminent targeting. Whilst their targeting of operational technology (OT) with bespoke malware is growing, it is still nascent.

· In general, Iranian APT groups are highly reliant on social engineering as a means of initial access, with credible spear-phishing campaigns and targeted LinkedIn-based social media approaches being commonplace. Such attacks are often indirect, leveraging trusted relationships within supply chains in order to create credible lures.

· A ‘worst-case’ scenario would likely involve the deployment of wiper malware, in a similar style to the 2012 ‘Shamoon’ attacks against Saudi oil company Aramco. While Iran would likely seek to deploy purpose-built wiper malware in such an attack, consideration should also be given to the potential for Iran to deploy ransomware variants to achieve similar destructive and disruptive objectives.

· The Iranian regime has consistently leveraged proxy operators or hacktivist/‘faketivist’ personas to achieve state objectives. SecAlliance analysts will explore hacktivist and state-aligned activity in part two of this blog series.

SecAlliance provides detailed and timely analysis to clients via our dedicated ThreatMatch platform and bespoke intelligence outputs. For more information, please contact info@secalliance.com

* ‘Significant’ is included here to discount the high-volume, low-impact DDoS activity conducted by hacktivist entities which are acting in support of Iran. The second part of this blog series will examine the nature and extent of pro-Iranian hacktivist activity over the past week.