When geopolitical tensions escalate, most attention is placed on physical conflict, economic disruption and political fallout. What is often less visible, but already unfolding in parallel, is a surge in cyber activity.
In this blog, Integrity360 CTO Richard Ford explains how global conflict is driving increased cyber risk, why hacktivism is gaining traction, and what organisations need to understand to reduce their exposure.
Hacktivism has become a defining feature of modern cyber conflict, particularly during periods of geopolitical instability. Unlike traditional cybercrime, these groups are not primarily financially motivated. Their objectives are ideological.
Richard Ford explains:
‘The term Hacktivism refers to hacker groups that are politically or socially motivated, driven by ideology, or the desire for social justice or political change rather than being financially motivated.
Depending on the group and/or motivation, targets are usually governments or large corporations. In this specific case we’re talking about hacktivist groups that either have ties to or are sympathetic to Iran, and are being triggered by the events unfolding over the last few weeks. In this instance Iranian hacktivists will be aiming to disrupt government organisations, services and the population of any target countries, partly to put pressure on them but mostly for retaliation.’
This marks a shift in how cyber activity is used during conflict. Rather than isolated incidents, attacks are increasingly coordinated and designed to create broader societal impact.
Richard continues:
‘The fear currently is that the likely targets of any attack, to maximise impact, will be Critical National Infrastructure (CNI). There has been a lot of focus on securing CNI, with the adoption of the NIS2 Directive in the EU and the forthcoming Cyber Security & Resilience Bill in the UK setting out the security requirements for providers and operators of CNI.
This focus is being driven firstly by the huge impact breaches can have, including loss of life in extreme instances, but secondly because these environments have traditionally been very insecure and operated with a focus on operations and availability rather than security.’
In the current landscape, groups sympathetic to geopolitical causes are launching disruptive cyber operations at pace. Their objective is not just visibility. It is pressure. By targeting organisations that underpin daily life, they aim to influence governments indirectly through disruption to the population.
Richard Ford outlines how these attacks are typically carried out:
‘Attackers generally will use a range of methods to attack their targets. One attack technique common to hacktivism, and relatively easy and cheap to do through dark web services, is Distributed Denial of Service (DDoS) attacks.
The dark web is a hidden, anonymous and encrypted part of the internet that is notorious for illegal marketplaces, and some of those offer attacker tools and services as part of an attacker supply chain.’
These services have significantly lowered the barrier to entry for attackers.
‘DDoS services provide access to existing botnets, which are wide-scale compromised machines, and allow attackers to target websites and services with extremely large amounts of traffic at a relatively low price point, knocking them offline, albeit temporarily.’
However, while DDoS attacks are highly visible, they are rarely the most damaging.
‘Although DDoS attacks are more simplistic and easier to implement, the really impactful attacks are where an organisation is compromised and their systems are targeted for long-term disruption. This follows more of a traditional attack, often started by a simple phishing email or exploitation of a vulnerability, before working their way to critical systems to launch ransomware-style attacks, encrypting, disabling or altering systems.’
The real-world impact of these attacks depends on both the method used and the type of organisation targeted. While some attacks may cause temporary disruption, others can have far-reaching consequences.
Richard Ford explains:
‘The target and type of attack will dictate the impact that could be felt by people and organisations. Due to the relative ease to carry out, and being a typical tactic of hacktivists and the activities seen thus far, DDoS attacks are most likely and could take down public web services, although most will have some form of protection and the impact will only be temporary.’
At the more severe end of the spectrum, the consequences become significantly more serious.
‘The worst case, which is less trivial to launch and successfully orchestrate, would be a breach of Critical National Infrastructure such as electricity, water supply, health services and food supply. That could have a myriad of effects and be the highest impact felt by populations.’
Recent cyber incidents in the commercial sector provide a useful indication of how disruption can escalate.
‘The Marks & Spencer’s attack in the UK is a very good example of a cyber attack, particularly in terms of severity and impact, where shelves were left bare and customers were unable to place orders. Although a financially motivated ransomware attack, the approach could be very similar in attacks against CNI providers.
Additionally, the JLR attack that followed on in the months after M&S, linked to the same attackers, was cited as impacting economic growth for the quarter. So it doesn’t need to be CNI to have a significant impact.’
While hacktivist activity may dominate headlines, it is only one part of a broader trend. Global conflict creates opportunity across the entire threat landscape.
As attention focuses on specific actors or regions, other groups operate in parallel. Nation-aligned actors, cybercriminals and opportunistic attackers all take advantage of increased distraction and complexity. This leads to overlapping threats, increased attack volume and a higher likelihood of successful compromise.
For organisations, this means threat levels shift rapidly in response to global events, often without warning.
In this environment, a reactive approach is no longer sufficient. Organisations must assume that cyber threats will increase during periods of geopolitical instability and prepare accordingly.
This requires:
Most importantly, organisations must move beyond prevention alone and focus on resilience. The ability to detect, respond and recover quickly is what ultimately determines the impact of an attack.
Today’s global conflicts are not confined to physical or political domains. They extend into, and often begin in, cyberspace, where multiple actors operate simultaneously with different motivations but often overlapping targets.
Cyber opportunism thrives in uncertainty, and periods of geopolitical tension create the ideal conditions for increased attacks. As physical security is increased during such periods, cybersecurity too needs to be stepped up.
Organisations that recognise this pattern and prepare for the more complex, fast-moving threat landscape will be far better positioned to withstand the impact. Those that don’t risk being caught off guard as cyber conflict continues to evolve alongside events on the global stage.