TL;DR
- Iran has advanced cyber capabilities and has openly declared its intent for revenge following U.S. and Israeli strikes on February 28, 2026—critical infrastructure, banking, and PLCs are primary targets.
- Expect a full spectrum of activity: ransomware, DDoS attacks used as cover for deeper intrusions, data releases from years of prior exfiltration, and aggressive social engineering via fake job offers and attachments.
- The best defense right now is disciplined execution of security fundamentals—patch what’s overdue, review logs, exercise best practices with email attachments, and don’t rely on automation alone to catch Iranian activity.
Following coordinated military strikes by the United States and Israel against Iran on February 28, 2026, the cybersecurity landscape has entered a period of heightened and rapidly evolving risk. Iran has openly declared its intent for revenge, and security teams worldwide are now asking the same question: what do we do?
To help answer that, Expel’s Director of Threat Operations, James Shank, sat down with Steph Shample—an Iran intelligence expert and adjunct professor at University of Maryland Global Campus who has tracked Iran’s military, physical, and cyber operations since 2004. Here’s what you need to know.
But before we dive into the details, it’s important to pause for a moment and remember the human element at play here, and what’s really at stake.
“It’s critical that we have that human understanding and step aside from thinking about the cyber impacts or even the geopolitical impacts, and think about the families and the people, the children, the innocent victims of these affairs,” Shank said.
“Iranians have been suffering for 40+ years. We know that the people are not their government. They’re being murdered, they’re being taken off the streets, they’re being prevented from having funerals to mourn their dead,” Shample agreed.
The cyber threat is real and urgent. So is the human cost on the ground. Security professionals can hold both truths at once—protect their organizations while keeping sight of the people caught in the middle.
Iran’s cyber capabilities are advanced—and motivated
Iran isn’t a new threat. The nation’s military has been building sophisticated cyber capabilities for years, learning from and partnering with Russia and China. What’s changed is the motivation.
“Iran is going for revenge and vengeance. They’ve openly stated that in the media. We’ve seen the reflections on Telegram and their communication groups as well,” Shample stated.
Iran has a well-documented focus on critical infrastructure. Shample was direct about what Iran plans to target: “Iran has openly stated this before—they want to go after our critical infrastructure elements, the 16 umbrellas there: water supply, food supplies, the banking system, the financial system, the power grid. All of these things that in the West, including Europe, we take for granted. Iran’s going to come after that hard.” Active ransomware campaigns, data wiping, and targeting of programmable logic controllers (PLCs) are already underway. This is not a future threat—it’s a current one.
Iranian threat actors have historically abused European infrastructure—OVH in France, Hetzner in Germany, and providers in the Netherlands. That has changed, Shample said. “Iran has moved from abusing European infrastructure—of course in conjunction with VPNs that you need to monitor—but they are now abusing Asian infrastructure, namely Japan.”
Monitor traffic from Japan and Kazakhstan. Watch for unusual C2 communications and any sudden behavioral shifts. As Shample noted, infrastructure changes during periods of chaos are a red flag. “If there’s an infrastructure change or a behavioral change, now is an opportune time for them because they’re scattered, they’re afraid, and they’re just trying to figure out what to do next.”
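One way to turn that monitoring guidance into a check, as an added example that is not Expel's tooling or anything from the briefing: a Python script that compares a window of outbound connection logs against a baseline, flagging destinations in the watch-listed countries that the baseline never saw (infrastructure change) and host-to-destination pairs that connect at near-constant intervals (a behavioral shift consistent with beaconing). The log format, host names, addresses and baseline are constructed for illustration.

```python
"""Added example: check outbound connection logs for new infrastructure in the
watch-listed countries and for beacon-like regularity. All data is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: (host, dst_ip, country) triples seen in the prior 30 days.
BASELINE = {
    ("ws-017", "203.0.113.5", "US"),
    ("ws-017", "198.51.100.9", "DE"),
    ("srv-db1", "203.0.113.5", "US"),
}
WATCH_COUNTRIES = {"JP", "KZ"}  # per the guidance above

# Constructed current-window log: "epoch host dst_ip country bytes_out"
LOG = """\
1772300000 ws-017 203.0.113.5 US 1200
1772300600 ws-017 192.0.2.44 JP 310
1772301200 ws-017 192.0.2.44 JP 305
1772301800 ws-017 192.0.2.44 JP 312
1772302400 ws-017 192.0.2.44 JP 308
1772300100 srv-db1 203.0.113.5 US 90000
1772300900 srv-db1 198.51.100.9 DE 4400
"""

def parse(log):
    """Split each line into (epoch, host, dst_ip, country, bytes_out)."""
    rows = []
    for line in log.splitlines():
        ts, host, ip, cc, nbytes = line.split()
        rows.append((int(ts), host, ip, cc, int(nbytes)))
    return rows

def new_watch_destinations(rows, baseline, watch):
    """Infrastructure change: watch-country destinations absent from the baseline."""
    return sorted({(h, ip, cc) for _, h, ip, cc, _ in rows
                   if cc in watch and (h, ip, cc) not in baseline})

def beacon_candidates(rows, min_hits=4, max_jitter=0.2):
    """Behavioral shift: (host, dst, mean interval) for pairs with >= min_hits
    connections whose spacing varies by no more than max_jitter of the mean gap."""
    times = defaultdict(list)
    for ts, h, ip, _, _ in rows:
        times[(h, ip)].append(ts)
    found = []
    for (h, ip), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            found.append((h, ip, round(mean(gaps))))
    return found
```

A hit from either function is a lead to review by hand against known Iranian TTPs, not a verdict; the thresholds are starting points to tune against your own baseline.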
The goal: be seen and be felt
Understanding Iran’s motivation helps security teams anticipate their moves. James Shank framed it this way:
“My read on this is that a lot of the Iranian activity, especially in response to what’s happened, is going to be motivated by the desire to be seen and be felt. They’re going to want to be seen as a credible threat. They’re going to want to demonstrate capabilities and they’re going to want that impact to be felt.”
Iran has historically left Farsi messages embedded in source code—a signature move intended to ensure attribution. When they attacked oil giant Saudi Aramco, for example, they left notes behind. They want credit. That desire for visibility shapes how and where they strike.
At the same time, Iran maintains plausible deniability by operating through proxy and hacktivist groups—providing cover for more sophisticated operations happening in the background.
Years of preparation may be about to pay off
One of the more alarming dimensions of the current threat is what Iran may have been sitting on. Shample explained:
“We’ve seen this with ransomware or any data theft—a lot of entities will sit on specific types of data until the timing is right. Iran has been active with ransomware for years and years. My first venture into cyber was an Iranian ransomware campaign. They have only gotten more sophisticated through training and information sharing with Russia and China.”
This means organizations that were compromised months or even years ago could now face the release or weaponization of previously stolen data. Prominent figures and politicians may be particularly at risk. Hezbollah, which has its own cyber arm, may also serve as a release vector for sensitive information.
DDoS isn’t just noise anymore
Distributed denial-of-service (DDoS) attacks are often dismissed as disruptive but manageable. That calculus has changed:
“DDoS used to stand on its own as an attack and was disruptive. What we’re seeing in the cyber trend—not just Iran, but DDoS is often a first layer and then something else is happening behind the scenes,” Shample shared. “If you provide disruption with the DDoS attack and say ‘look over here, look over here,’ but in actuality something else is happening behind the scenes—that could be a physical attack.”
Never underestimate a DDoS attack, and remain vigilant that another attack could be unfolding elsewhere.
Hacktivist groups: more than just noise
Iran operates through a broad ecosystem of hacktivist groups—Cyber Avengers, 313 Team, Soldiers of Solomon, Cyber Toufan—and activity from all of them is expected to increase significantly. But Shample offered an important insight about their dual role:
“The hacktivist groups will weigh in on that and likely try to shape it. They’re going to serve two purposes: It’s a distraction from what higher-level IRGC and MOIS is doing in the background, and how they’re also responding. But the hacktivist groups are also going to show us how the new factions are going to align and what the future alignment looks like.”
With Iran’s leadership structure in flux following the loss of more than 40 senior figures, hacktivist activity will be a signal—not just an attack vector. Pay attention to what they’re saying, not just what they’re doing.
Disinformation and social engineering are core weapons
Iran’s disinformation capabilities are extensive and sophisticated. Shample described the kinds of social engineering campaigns already in motion:
“False job positions. ‘Hey, we have an opening for a professorship for somebody with your background. Come tell us all that you know about Iran.’ Or ‘You’re former government—UK, Canada, US—we have a position. Come work with us.’”
Front companies and fake think tanks are being established to extract intelligence from diaspora communities and former government officials. The goal is information collection under the guise of legitimate opportunity.
“Iran is really good at sending attachments for job invitations, or they’ll send attachments saying ‘Hey, I’m a journalist. Could I interview you?’ And those attachments are what’s going to wreak havoc,” Shample said.
False flags are a real concern
Attribution in this environment is complicated. Iran has impersonated Israeli actors; Israel has impersonated Iranian actors. Russia has a history of doing the same. With tensions this high, false flag operations are a credible risk.
“We’re not going to pass up false positives. We’re going to review alerts carefully. We’re not going to rely on automation. We’re going to use our human brain, and we’re not even going to rely on AI alone,” Shample advised.
The guidance is clear: slow down, compare observed activity to known Iranian TTPs, and question any sudden infrastructure or behavioral changes before drawing conclusions.
What security teams should do right now
When asked how much attention teams should pay to this threat, Shample didn’t pause: “The basics go a long way.”
And James Shank reinforced that framing. “It’s remarkable how often the recommendations all come back to security fundamentals. My view on this is that really being effective in security comes down to discipline. It’s discipline, prioritization, and focus.”
Immediate priorities:
- Patch now. That thing you’ve been meaning to patch? Do it today.
- Review log activity. Know what your systems are communicating with and why.
- Assess legacy systems. Old systems are open doors.
- Brief your people on unexpected email attachments. This is Shample’s single biggest takeaway: “If you do one thing, if you take one thing away from this briefing: Don’t open attachments willy-nilly.”
- Automate your threat intelligence feeds. Pull in CISA, DHS, NCSC, and international partners via RSS. Go international—partners see and share different data and intel.
- Coordinate with your IT and SOC teams. Now is not the time for silos. Get on the same page.
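As an added example of that feed automation (not Expel's tooling or anything from the briefing), the Python below parses an RSS advisory feed, remembers which items it has already reported, and surfaces new items that mention the groups and organizations named in this post. The feed URLs are placeholders and the sample feed is constructed, not real CISA or NCSC content.

```python
"""Added example: poll advisory RSS feeds and surface unseen items that mention
names from this post. FEEDS are placeholders and SAMPLE_RSS is constructed."""
import re
import urllib.request
import xml.etree.ElementTree as ET

FEEDS = ["https://example.invalid/cisa.rss",   # placeholder, not a real address
         "https://example.invalid/ncsc.rss"]   # placeholder, not a real address
WATCHLIST = ["iran", "irgc", "cyber avengers", "313 team",
             "soldiers of solomon", "cyber toufan"]  # names from the briefing
PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, WATCHLIST)) + r")\b", re.I)

SAMPLE_RSS = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed advisory feed</title>
<item><guid>adv-001</guid><title>Activity targeting PLCs at water utilities</title>
<link>https://example.invalid/adv-001</link>
<description>Activity attributed to Cyber Toufan observed this week.</description></item>
<item><guid>adv-002</guid><title>Routine monthly patch summary</title>
<link>https://example.invalid/adv-002</link>
<description>No threat-actor reporting in this issue.</description></item>
</channel></rss>"""

def parse_rss(xml_bytes):
    """Yield one dict per <item> with guid, title, link and description."""
    root = ET.fromstring(xml_bytes)
    for item in root.iter("item"):
        yield {f: (item.findtext(f) or "").strip()
               for f in ("guid", "title", "link", "description")}

def triage(items, seen):
    """Return unseen items hitting the watchlist; `seen` (set of GUIDs) is updated."""
    hits = []
    for it in items:
        if it["guid"] in seen:
            continue
        seen.add(it["guid"])
        text = it["title"] + " " + it["description"]
        terms = sorted({m.lower() for m in PATTERN.findall(text)})
        if terms:
            hits.append({"guid": it["guid"], "title": it["title"],
                         "link": it["link"], "terms": terms})
    return hits

def poll(feeds, seen, timeout=10):
    """Fetch and triage each feed; an unreachable or malformed feed is skipped."""
    hits = []
    for url in feeds:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                hits += triage(parse_rss(resp.read()), seen)
        except (OSError, ET.ParseError) as exc:
            print(f"skipping {url}: {exc}")
    return hits
```

Persist the `seen` set between runs (a file or small database) so a scheduled poll only raises each advisory once.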
On the more advanced side, Expel is actively hunting on known Iranian TTPs and infrastructure providers. Shample also recommends looking at historical Iranian behaviors as a baseline for detecting anomalies.
Stay informed
Expel’s SOC and Threat Intel teams are actively monitoring this situation and hunting for related activity across customer environments. As of early March 2026, no confirmed Iranian-related incidents have been identified in customer environments—but the situation is fluid.
For the full briefing, watch the video with James Shank and Steph Shample. For additional context and defensive resources, see:
