Cyber Implications of the Israel-Iran Conflict – Part 3

Published by: SecAlliance
Published on: June 25, 2025

On 22 June, the US launched ‘Operation Midnight Hammer’ and struck three Iranian nuclear facilities, marking a significant escalation of the conflict. On the evening of 23 June, Iran responded with strikes against the US Al Udeid Air Base in Qatar, after which a ceasefire was tentatively agreed. While this situation is still developing, SecAlliance analysts offer insight into potential developments and responses from Iran and how these actions could alter the cyber threat landscape.  

Iran is unlikely to be willing to risk further escalation and will likely refrain from outright offensive activity at this time. However, further asymmetric and cyber-enabled responses by Iran remain a realistic possibility. Possible options include:

Cyber Responses

Iranian state actors: Iranian state actors are unlikely to target the US or allied nations with offensive cyber-enabled activity. SecAlliance assesses that Iran’s current cyber capability is somewhat lower when compared to other actors like Israel and the US. The lack of a significant cyber attack on Israeli entities following multiple flashpoints indicates Iran lacked pre-existing network footholds and the capacity to engage in such an operation at this time. Israeli kinetic operations targeting senior leaders, regime figures and intelligence and military personnel have also likely eroded Iran’s capabilities, while threats from Israel and the US of pursuing regime change within Iran also indicate that Tehran will focus its existing capabilities on consolidating domestic control and surveillance against domestic and diaspora populations. With a ceasefire tentatively in place, Iran is also unlikely to be willing to risk further escalation with the US that would be caused by a destructive cyber attack targeting US interests. Public and private sector entities in the US and allied nations should nevertheless recognise the potential for Iranian intrusion efforts over the medium to longer term.

Hacktivism: Hacktivist operations targeting the US and allied entities are highly likely. This spectrum of activity ranges from low-level hacktivist collectives limited to high-frequency but low-sophistication DDoS disruptions to proxy groups capable of compromising networks and conducting defacements and other activity. Such groups pose a greater threat to entities linked to Israel or with notable Israeli components present in their supply chain. Hacktivist personas can offer the Iranian state an element of plausible deniability while conducting headline-grabbing attacks to demonstrate the capability to respond to the US strikes and consolidate domestic legitimacy.  

OCGs: There is a realistic possibility of OCGs intensifying targeting of Israeli or Israeli-linked entities and deploying ransomware, stealing and selling data or advertising initial network access, capitalising on general interest in this area to generate attention, traffic and profit. In general, the conflict, escalation and US involvement are likely to be utilised by OCGs and other threat actors in social engineering and phishing campaigns targeting a wide variety of users.

Other states: High-level Iranian allies like Russia and China are unlikely to directly engage in the conflict. There is a realistic possibility of covert Russian support to Tehran and its proxies in the form of intelligence-sharing, but more coordinated operations are unlikely.  

Wider Implications: SecAlliance clients should also be mindful of potential supply chain disruption as a result of the conflict, particularly relating to services provided by Israeli companies.

Other Asymmetric Responses

Blocking of the Strait of Hormuz: Such an action would significantly disrupt commercial and oil shipping and further globalise the conflict.  

Utilisation of proxy forces: Iran’s main proxy forces—Hezbollah, Houthi militants and Iraqi Shia militants—have been significantly weakened by recent Israeli actions against them. However, they retain significant residual capability. Given the degradation of the Iranian Revolutionary Guard Corps (IRGC) command-and-control infrastructure, there is the potential that these groups may choose to act independently, increasing the risk of inadvertent escalation.  

Sabotage attacks: There is the potential for pro-regime individuals living outside of Iran’s borders to conduct attacks. Such attacks could range from comparatively sophisticated, pre-planned and targeted attacks against individuals, critical national infrastructure (CNI) facilities or entities associated with the conflict to untargeted, ad-hoc, unplanned and indiscriminate attempts to inflict mass casualties.

Disinformation and influence operations: Pro-Iranian networks are almost certain to continue generating and distributing disinformation aimed at shaping narratives and perceptions of the conflict. While most campaigns are likely to be directed at the Israeli population, similar activity targeting global users and pushing pro-Iranian, anti-Israel and anti-US narratives is also likely.  
