The UK and Ireland are now facing elevated cyber risk as Iranian-aligned threat actors launch retaliatory operations in response to Operation Epic Fury, the joint US-Israeli strikes on Iran.
Background
Intelligence reporting indicates that Iran-linked groups and associated hacktivist proxies are expanding their targeting to Western nations, focusing on opportunistic attacks, DDoS campaigns, data-theft operations, and attempts to exploit internet-facing systems in countries perceived as aligned with the US and its allies. This escalation reflects broader warnings that geographically dispersed Iranian cyber units and proxy groups may target governments in regions hosting Western military interests, placing UK and Irish critical infrastructure at heightened risk. Integrity360 believes that critical infrastructure, at a minimum the healthcare, energy and telecoms sectors, is likely to be targeted.
Heightened risk
Cyber-attacks whose primary goal is disruption, rather than ransomware for profit or long-term infiltration, are generally far simpler and therefore easier for threat actors to carry out. Low- to medium-sophistication disruptive attacks such as DDoS, defacement, hack-and-leak operations and wiper malware do not require deep access, stealth, zero-days or months of preparation. They only need to interrupt normal operations quickly and loudly to cause as much damage as possible.
An example of this is the recent breach of the healthcare giant Stryker, where anecdotal reports indicate that Microsoft Intune was abused by the Handala threat group to perform wiping operations for mass disruption. Intune is a common component used to remotely control and manage PCs and mobile devices. Its functions include the ability to deploy software and, reportedly in this case, it was used maliciously to delete large numbers of files and applications on remote devices.
It should also be noted that, whilst the majority of these disruptive attacks will be low to medium in sophistication, there is still a chance that a severe 0-day vulnerability could be unleashed by pro-Iran adversaries in the near future. It is common for sophisticated threat actors to stockpile such vulnerabilities for use on an emergency basis, such as in this cyber-war.
What to do?
In terms of what organisations can do to best protect themselves during this conflict:
- Harden all internet-facing systems by patching externally exposed services and enabling any available 0-day protections (e.g. intrusion prevention systems and sandboxing).
- Enforce phishing-resistant mechanisms such as MFA and certificate-based authentication, as email compromise is one of the most common initial access vectors.
- Enforce strict network segmentation and zero-trust access to protect critical IT/OT/ICS environments; Iran-linked actors often target infrastructure and OT systems when they are reachable.
- Disable unused services to reduce the attack surface, for example unused VPN gateways, outdated remote-access appliances and unnecessary public-facing ports.
- Continuously monitor identity and privileged access, for example by alerting on abnormal logins, MFA fatigue, password spraying and impossible travel.
- Deploy EDR/XDR with behaviour-based detection.
- Tighten third-party remote access to protect against supply chain attacks, for example by implementing just-in-time access and session recording.
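The identity-monitoring recommendation above is the one most readily turned into concrete detection logic. The following is an added example, not code from the original bulletin or from Integrity360, showing how the three named patterns (password spraying, MFA fatigue and impossible travel) can be flagged from sign-in events. It assumes a simplified JSON-lines event schema (`ts`, `user`, `src_ip`, `result`, optional `lat`/`lon`) and the thresholds used are assumptions to be tuned per environment; the sample events are constructed.

```python
"""Identity-monitoring detections over constructed sign-in events (added example)."""
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Assumed schema:
# ts (ISO-8601), user, src_ip, result (fail|success|mfa_denied), optional lat/lon.
SAMPLE_LOG = """
{"ts":"2026-03-02T08:00:00Z","user":"alice","src_ip":"203.0.113.10","result":"fail"}
{"ts":"2026-03-02T08:00:05Z","user":"bob","src_ip":"203.0.113.10","result":"fail"}
{"ts":"2026-03-02T08:00:10Z","user":"carol","src_ip":"203.0.113.10","result":"fail"}
{"ts":"2026-03-02T08:00:15Z","user":"dave","src_ip":"203.0.113.10","result":"fail"}
{"ts":"2026-03-02T08:00:20Z","user":"erin","src_ip":"203.0.113.10","result":"fail"}
{"ts":"2026-03-02T08:00:25Z","user":"frank","src_ip":"203.0.113.10","result":"fail"}
{"ts":"2026-03-02T08:05:00Z","user":"alice","src_ip":"198.51.100.7","result":"fail"}
{"ts":"2026-03-02T08:06:00Z","user":"alice","src_ip":"198.51.100.7","result":"fail"}
{"ts":"2026-03-02T08:30:00Z","user":"alice","src_ip":"198.51.100.7","result":"success","lat":51.5074,"lon":-0.1278}
{"ts":"2026-03-02T10:30:00Z","user":"alice","src_ip":"198.51.100.9","result":"success","lat":53.3498,"lon":-6.2603}
{"ts":"2026-03-02T09:00:00Z","user":"carol","src_ip":"192.0.2.5","result":"success","lat":51.5074,"lon":-0.1278}
{"ts":"2026-03-02T09:30:00Z","user":"carol","src_ip":"192.0.2.88","result":"success","lat":-33.8688,"lon":151.2093}
{"ts":"2026-03-02T11:00:00Z","user":"dave","src_ip":"198.51.100.22","result":"mfa_denied"}
{"ts":"2026-03-02T11:00:30Z","user":"dave","src_ip":"198.51.100.22","result":"mfa_denied"}
{"ts":"2026-03-02T11:01:00Z","user":"dave","src_ip":"198.51.100.22","result":"mfa_denied"}
{"ts":"2026-03-02T11:01:30Z","user":"dave","src_ip":"198.51.100.22","result":"mfa_denied"}
{"ts":"2026-03-02T11:02:00Z","user":"dave","src_ip":"198.51.100.22","result":"mfa_denied"}
{"ts":"2026-03-02T11:02:30Z","user":"dave","src_ip":"198.51.100.22","result":"mfa_denied"}
{"ts":"2026-03-02T11:10:00Z","user":"bob","src_ip":"198.51.100.22","result":"mfa_denied"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """One source IP failing against many distinct accounts inside a short window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            by_ip[ev["src_ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):  # events are already time-ordered
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                findings[ip] = users
                break
    return findings


def detect_mfa_fatigue(events, min_denials=5, window=timedelta(minutes=10)):
    """Repeated denied MFA prompts for one account: the push-bombing pattern."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "mfa_denied":
            by_user[ev["user"]].append(ev["ts"])
    flagged = set()
    for user, times in by_user.items():
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= min_denials:
                flagged.add(user)
                break
    return flagged


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_kmh=900.0):
    """Consecutive successful logins for one user whose implied speed is unachievable."""
    last, findings = {}, []
    for ev in events:
        if ev["result"] != "success" or "lat" not in ev:
            continue
        prev = last.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            speed = km / hours if hours > 0 else math.inf  # same-second, different place
            if km > 0 and speed > max_kmh:
                findings.append((ev["user"], prev["src_ip"], ev["src_ip"], round(speed)))
        last[ev["user"]] = ev
    return findings


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print("password spray:", detect_password_spray(EVENTS))
    print("mfa fatigue:", detect_mfa_fatigue(EVENTS))
    print("impossible travel:", detect_impossible_travel(EVENTS))
```

Against the constructed sample, the spray detector flags only 203.0.113.10 (six accounts in 25 seconds), the fatigue detector flags only `dave` (six denials in under three minutes, while `bob` has one) and the travel detector flags `carol` (London to Sydney in 30 minutes) but not `alice` (London to Dublin in two hours). In production these checks would run on a stream rather than a list, and alerts should carry the source IPs so the response team can tie a spray or fatigue campaign to a block or a forced credential reset.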
Integrity360 are closely monitoring this evolving situation in real time. If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
If you think you have a breach, our major incident response team is ready to assist.
