The global geopolitical and cybersecurity landscape has shifted dramatically following the February 28, 2026 launch of Operation “Epic Fury” by the United States and the parallel Israeli campaign Operation “Roaring Lion” against Iran. The coordinated military strikes successfully eliminated key Iranian leadership, including Supreme Leader Ayatollah Ali Khamenei, and heavily degraded Iran's conventional military and nuclear infrastructure.
Overview
In tandem with the kinetic strikes, US and Israeli forces executed cyberattacks against Iran, creating a "digital fog" that reduced Iranian internet connectivity to 4% of normal traffic. This cyber offensive paralysed the Islamic Revolutionary Guard Corps' (IRGC) command-and-control architecture and hijacked state media networks. The goal was to disrupt Iran's ability to coordinate counterattacks, specifically the launch of drones and ballistic missiles.
With its conventional military options severely hindered, Iran is now highly reliant on cyber operations as its primary instrument for asymmetric retaliation. Retaliatory kinetic strikes have already targeted US bases and allies across the Middle East, while commercial shipping through the Strait of Hormuz has essentially halted, threatening a global energy crisis and oil price spikes.
Simultaneously, the US Department of Defense has aggressively altered its technology supply chain, designating AI firm Anthropic as a "supply chain risk" and banning its use after the company refused to allow its models to be used for mass surveillance and autonomous weapons. Rival OpenAI has since secured a $200 million contract to deploy its AI models on the Pentagon's classified networks.
Elevated Cyber Threat Activity
Threat intelligence firms confirm that Iranian state-sponsored actors and hacktivist proxies are actively retooling and escalating operations against Western targets. The risk window is immediate, with the following groups and actions identified:
- Handala Group: Actively targeting Israeli industrial control systems (ICS) and claiming disruptions against Jordanian fuel infrastructure and Israeli healthcare networks.
- Fatimiyoun Electronic Team: Attempting to deploy destructive wiper malware against Western financial institutions and energy firms.
- Cyber Islamic Resistance: Launching distributed denial-of-service (DDoS) and data-wiping attacks against US and Israeli military logistics providers.
- APT33 (Peach Sandstorm) / MuddyWater / APT42: These highly proficient espionage groups have been activated and are known to leverage password spraying, spear-phishing, and custom backdoors against the aerospace, defense, energy, and telecommunications sectors.
- Exploitation of Edge Devices: Threat actors are actively exploiting critical vulnerabilities such as CVE-2026-20127 and CVE-2022-20775 in Cisco SD-WAN deployments, which can grant an attacker full administrative access and a foothold for lateral movement. Further detail is available in this advisory: https://insights.integrity360.com/threat-advisories/security-advisory-cve-2026-20127-cisco-catalyst-sd-wan-authentication-bypass
TTPs and IOCs
There are several known Tactics, Techniques, and Procedures (TTPs) associated with Iran-aligned threat actors, but no specific Indicators of Compromise (IOCs) tied to the current events have been confirmed yet.
Based on historical activity, the following MITRE ATT&CK techniques have been identified:
- Initial Access:
  - Phishing and spearphishing (T1566)
  - Exploitation of public-facing applications (T1190)
  - Exploitation of external remote services such as VPNs (T1133)
- Credential Access:
  - Brute force and password spraying (T1110)
  - OS credential dumping (T1003)
  - Extracting credentials from password stores (T1555)
- Persistence & Defense Evasion:
  - Account manipulation (T1098)
  - Process injection (T1055)
  - Impairing defenses (T1562)
  - Indicator removal on host (T1070)
  - Obfuscated files or information (T1027)
- Command & Control:
  - Application layer protocols (T1071)
  - Ingress tool transfer (T1105)
  - Encrypted channels (T1573)
- Impact:
  - Data destruction or wiper activity (T1485)
  - Ransomware / data encrypted for impact (T1486)
  - Inhibiting system recovery (T1490)
  - Website defacement (T1491)
Is immediate blacklisting effective? No. Relying solely on blacklisting is not an effective primary strategy in this scenario, for three reasons:
- Absence of Current IOCs: Security researchers note that no specific campaign has been confirmed yet, meaning there is a lack of fresh, static indicators (such as malicious IP addresses or file hashes) to blacklist right away.
- Focus on Behaviors over Static Indicators: Threat actors frequently chain credential-based access, lateral movement, and destructive payloads. Security teams should tune their endpoint and extended detection and response (EDR/XDR) capabilities to identify the malicious behaviors associated with these techniques, rather than relying solely on static blacklists.
- Abuse of Legitimate Infrastructure: Attackers are using credential-based attacks, such as password spraying and phishing, to log in through legitimate external access points. Furthermore, recent campaigns have abused compromised, legitimate sites to deliver remote access trojans, making domain blacklisting difficult without blocking benign services.
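The behavioural detection argued for above, and the sharper triage for password spraying recommended in the mitigation section, can be illustrated with a small rule set run over authentication logs. The following is an added example, not code from this advisory; the log format, source addresses, account names and thresholds are assumptions chosen for illustration. It separates a spray (few failures each across many accounts from one source) from a brute-force attempt (many failures against one account), and escalates a spraying source that eventually logs in, since that is the "legitimate access point" abuse a static blacklist cannot see:

```python
"""Behavioural detection of password spraying and brute force over authentication logs.

Added example, not code from the advisory. The log format, source addresses,
account names and thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed evaluation window per source address
SPRAY_MIN_USERS = 5             # assumed: distinct accounts tried from one source
SPRAY_MAX_PER_USER = 2          # assumed: "low and slow", few tries per account
BRUTE_MIN_ATTEMPTS = 10         # assumed: many failures against one account

# Constructed sample log lines in an assumed "timestamp user src_ip result" format:
# a spray from 203.0.113.7 that finally succeeds, a benign typo-then-success from
# 192.0.2.50, a benign login from 192.0.2.51, and a brute force from 198.51.100.23.
SAMPLE_LOGS = """
2026-03-02T08:00:01Z alice 203.0.113.7 FAIL
2026-03-02T08:00:35Z bob 203.0.113.7 FAIL
2026-03-02T08:01:10Z carol 203.0.113.7 FAIL
2026-03-02T08:01:44Z dave 203.0.113.7 FAIL
2026-03-02T08:02:19Z erin 203.0.113.7 FAIL
2026-03-02T08:02:53Z frank 203.0.113.7 FAIL
2026-03-02T08:12:00Z erin 203.0.113.7 SUCCESS
2026-03-02T08:03:00Z alice 192.0.2.50 FAIL
2026-03-02T08:03:20Z alice 192.0.2.50 SUCCESS
2026-03-02T08:04:00Z bob 192.0.2.51 SUCCESS
""" + "".join(
    f"2026-03-02T08:05:{i:02d}Z admin 198.51.100.23 FAIL\n" for i in range(0, 50, 5)
)


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format; anything other than SUCCESS counts as a failure."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, user, src, result = parts
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                user.lower(), src, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect(events):
    """Return {(src_ip, kind): [accounts]} for the first window in which each rule fires."""
    findings = {}
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:  # slide the window forward
                start += 1
            window = evs[start:end + 1]
            fails = defaultdict(int)
            successes = set()
            for e in window:
                if e.ok:
                    successes.add(e.user)
                else:
                    fails[e.user] += 1
            # Brute force: many failures concentrated on a single account.
            hammered = sorted(u for u, n in fails.items() if n >= BRUTE_MIN_ATTEMPTS)
            if hammered:
                findings.setdefault((src, "brute_force"), hammered)
            # Spray: a few failures each, spread across many accounts.
            sprayed = sorted(u for u, n in fails.items() if n <= SPRAY_MAX_PER_USER)
            if len(sprayed) >= SPRAY_MIN_USERS:
                findings.setdefault((src, "password_spray"), sprayed)
                # Highest priority: the spraying source eventually logged in.
                if successes:
                    findings.setdefault((src, "spray_with_success"), sorted(successes))
    return findings


def run_sample():
    return detect(parse_log(SAMPLE_LOGS))


if __name__ == "__main__":
    for (src, kind), users in sorted(run_sample().items()):
        print(f"{kind:20s} {src:15s} {', '.join(users)}")
```

The thresholds are deliberately conservative so that a user mistyping a password once (192.0.2.50) produces nothing; in production they should be tuned per identity provider, and the "spray_with_success" finding should open an incident rather than an alert, because it means a valid credential is now in the attacker's hands.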
Mitigation & Recommended Actions
Because geography provides no protection against cyber-enabled adversaries, organizations in the government, critical infrastructure, defense, financial, and healthcare sectors must immediately adopt a heightened defensive posture.
- Secure Industrial Control Systems (ICS): Firms operating in energy, water, and manufacturing must isolate ICS and SCADA systems from the public internet immediately to mitigate Handala-style disruptions.
- Patch Edge Devices Immediately: Review and patch internet-facing systems against known vulnerabilities. Federal agencies and private partners must urgently address CVE-2026-20127 in Cisco SD-WAN systems, and should consider fully rebuilding compromised controllers, as patching alone may not remediate a prior intrusion.
- Validate Backups and Resilience: Ensure the integrity of backups, maintaining offline or immutable copies so that recovery from wiper malware or ransomware deployment is fast and trustworthy.
- Enhance Identity & Access Controls: Enforce multi-factor authentication (MFA) across all remote access and privileged accounts. Increase alert triage sensitivity for password spraying, brute force attempts, and credential abuse.
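"Ensure the integrity of backups" is only meaningful if it is checked before the backup is needed. The following is an added example, not code from this advisory, of a tamper-evident integrity manifest: every file under the backup root is hashed, the listing is authenticated with an HMAC, and a later verification reports files that are missing, modified or unexpected. The key, directory layout and file contents are assumptions; the example also simulates a wiper-style change and a forged manifest to show what each check reports:

```python
"""Tamper-evident backup integrity manifest: build, then verify after a simulated wiper.

Added example, not code from the advisory. The HMAC key, directory layout and
file contents are assumptions. In practice the key and the manifest itself must
live off the backup host (offline or on immutable storage), or a wiper that
reaches the backups can rewrite both and the check proves nothing.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large archives need not fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _tag(files, key):
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Hash every file under root and authenticate the listing with an HMAC."""
    files = _hash_tree(root)
    return {"files": files, "hmac": _tag(files, key)}


def verify_backup(root, manifest, key):
    """Compare the tree on disk against the manifest; refuse to trust a forged manifest."""
    result = {"manifest_tampered": False, "missing": [], "modified": [], "unexpected": []}
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["hmac"]):
        result["manifest_tampered"] = True
        return result
    expected, actual = manifest["files"], _hash_tree(root)
    result["missing"] = sorted(f for f in expected if f not in actual)
    result["modified"] = sorted(f for f in expected if f in actual and actual[f] != expected[f])
    result["unexpected"] = sorted(f for f in actual if f not in expected)
    return result


def demo():
    """Constructed scenario: a clean check, the same check after wiper-style damage,
    and a manifest an attacker rewrote to match the damaged tree."""
    key = b"demo-key-kept-offline"  # assumption: the real key is stored away from the backup host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "dump.sql").write_bytes(b"CREATE TABLE accounts (id INT);\n")
        (root / "config.tar").write_bytes(b"\x00" * 512)
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulate destructive activity: overwrite one file, delete another, drop a note.
        (root / "db" / "dump.sql").write_bytes(b"\x00" * 32)
        (root / "config.tar").unlink()
        (root / "README.txt").write_bytes(b"your files are gone\n")
        damaged = verify_backup(root, manifest, key)

        # An attacker who rewrites the file list to match cannot also produce a valid tag.
        forged = {"files": _hash_tree(root), "hmac": manifest["hmac"]}
        forged_result = verify_backup(root, forged, key)
    return clean, damaged, forged_result


if __name__ == "__main__":
    for label, r in zip(("clean", "damaged", "forged manifest"), demo()):
        print(label, r)
```

Run the verification on a schedule against the offline or immutable copy, not only the online one, and treat a non-empty "missing" or "modified" list, or a tampered manifest, as a recovery-readiness failure to be fixed before any incident, not during one.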
If you are concerned about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
