In the early hours of 13 June 2025, Israel launched a series of military strikes on Iran, targeting nuclear facilities and resulting in the deaths of several high-ranking leaders within Iran’s military. This escalation marked a pivotal moment in the longstanding rivalry between the two nations, further pushing the conflict from proxy confrontation and covert destabilisation into open and highly visible hostilities. While the physical consequences of the Israeli strikes have dominated headlines, these events also signal the imminent possibility of Iranian cyber operations, both as a tool for Iranian retaliation and as a front for wider strategic competition.
Cyber conflict between Iran and Israel is not new; both states have spent the past decade engaging in cyber espionage, sabotage, influence campaigns, and attacks on critical infrastructure. However, by raising the stakes in the conflict, these strikes intensify Iran’s motivation to respond not just militarily, but digitally—since cyberattacks offer Tehran a means to strike back without risking further direct military escalation. As international attention remains fixed on the fallout from the airstrikes, the cyber domain is poised to become an even more prominent battleground, raising concerns for governments, enterprises, and ordinary citizens far beyond the region.
Against this backdrop, understanding Iran’s cyber strategy allows us to unpack possible responses to conflict. Below, we examine the key drivers of Iranian cyber operations, the structure of its state-sponsored cyber apparatus, and the broader global implications for the escalation of both a physical and cyber conflict between Israel and Iran.
Since the 1979 Islamic Revolution, the Iranian state has aimed to safeguard the ruling regime. This defence extends to countering perceived threats from Western governments, regional adversaries, domestic dissidents, and the Iranian diaspora (many of whom oppose the regime). As a result, Iranian cyber efforts frequently target opposition groups and foreign states to collect strategic intelligence. This motivation also underpins the regime’s pursuit of a nuclear programme, which has made it both a target of cyber attacks and a perpetrator of retaliatory cyber operations.
Iran’s economic development faces considerable obstacles due to Western sanctions, which restrict trade and international cooperation. In response, Iranian cyber actors have engaged in stealing data, intellectual property, and technological know-how to advance the country’s scientific and industrial sectors.
Preserving the principles of the Islamic Revolution remains central to the regime. Thus, Tehran uses cyber tools—such as surveillance, spyware, and data theft—to monitor and suppress internal dissent, as well as to target activities it views as culturally or morally subversive, as witnessed during widespread protests in 2022.
Relations between Iran and Israel have become especially hostile since 1979. This conflict is rooted in ideological, religious, and geopolitical factors, as well as issues connected to Israel’s nuclear capabilities and the ongoing Israel-Hamas conflict. Both countries engage in ongoing cyber and proxy warfare, which escalated into direct confrontation following the exchange of airstrikes in April 2024. Iranian cyber campaigns against Israeli entities focus on espionage, infrastructure disruption, and attempts to influence both Israeli and global public opinion.
Iran, as a Shi’a theocracy, competes with Sunni-majority states such as Saudi Arabia for influence across the Middle East. Iranian cyber activities have targeted Sunni rivals and supported political proxies in countries with significant Shi’a populations (including Iraq, Syria, Lebanon, Bahrain, Yemen, and to some extent Azerbaijan). This extends to cooperation with cyber actors associated with these groups.
Iran’s cyber activities are conducted by several interconnected agencies and councils, which report to varying government offices, including the president, the supreme leader, and the Secretary of the Supreme National Security Council (SNSC). Most notable are the Ministry of Intelligence and Security (MOIS) and the Islamic Revolutionary Guard Corps (IRGC). Cyber activity conducted by Iran in response to the escalating conflict is most likely to be associated with one or both of these organisations.
The MOIS is Iran’s civilian intelligence agency charged with intelligence collection both domestically and abroad, counterintelligence, and surveillance of domestic opponents. Notable associated cyber threat groups include:
The IRGC is tasked with the broad remit of defending the revolution from foreign and domestic threats. It frequently engages in more globally reaching operations than MOIS-linked actors. Its noteworthy cyber divisions include the following:
The Israeli airstrikes mark a significant escalation in the ongoing conflict. In the cyber domain, such acts may trigger an intensified cycle of retaliation. Iran’s use of cyber attacks has at times been disruptive or destructive, but it generally follows a “tit-for-tat” logic—it often retaliates in response to perceived aggression rather than acting purely pre-emptively.
Iran is therefore expected to ramp up its cyber operations, especially against Israeli critical infrastructure, government entities, private sector organisations, and public opinion. These operations may also extend to Israeli allies or Western interests perceived as supporting Israel. Although the direct targeting of Western organisations is highly unlikely, organisations globally may also feel knock-on effects if Israel’s national state of emergency and subsequent mobilisation of military reservists impact cybersecurity services provided by Israeli companies.
While Iran does not have access to the same level of technological resources as Russia and China, it has consistently demonstrated a commitment to leveraging cyber operations to counterbalance its military, diplomatic and economic isolation. As digital threats become ever more entwined with geopolitical tensions, understanding Iran’s cyber strategy is essential for governments, organisations, and individuals alike to protect against and respond to politically motivated cyber threats.
SecAlliance produces monthly geopolitical analysis and bi-annual PESTLE-M Horizon Scanning for the cyber domain that is released to its ‘ThreatMatch Access’ clients. For details on ThreatMatch subscriptions, please contact info@secalliance.com.