Current events · 3 MIN READ · JAMES SHANK · JUN 26, 2025 · TAGS: Guidance / in the media
TL;DR
- The news cycle is currently locked in on the US-Israel-Iran geopolitical situation, with many keeping their eyes peeled for any information on changes in cybersecurity and threats related to it
- Expel is continuing to monitor the situation by following along as more and more resources are published
- Our take: resources don’t always include analysis, and for now, things look like they’re calming down (subject to change, of course)
The news cycle has been laser-focused on the recent US-Israel-Iran geopolitical situation, and naturally, many are looking for the latest updates in cyber threat activity related to the conflict. We’ve been keeping a close eye on the situation, and have seen that many resources are providing a ton of information and data, but not a lot of analysis.
So here’s our take: things seem to be calming down, at least in the cyber realm.
The situation
To recap, on June 21, the US conducted “Operation Midnight Hammer” targeting Iranian nuclear facilities. On June 23, Iran responded by launching missiles at a US military base in Qatar, but signaled their intent beforehand and publicly stated it was an equal response. What followed was a flurry of public statements from both sides, signaling a desire to de-escalate, culminating in a ceasefire announcement.
Now, let’s talk security. The US Department of Homeland Security put out a bulletin on June 22, anticipating retaliatory cyberattacks from Iran or its supporters. That’s a fair assumption given past patterns. However, since that report dropped, we’ve seen very little evidence and few reports of attacks launched by Iran or Iranian-backed actors—and that’s likely due to the ceasefire.
Here’s the crucial bit: if this ceasefire holds, we assess it’s unlikely that Iran will engage in any cyber activity designed to escalate the conflict. Iran’s MOIS and IRGC might continue their regular cyber operations, but any escalation could trigger responses that Iran seems keen to avoid. Iran has a track record of wanting the last “strike,” and with the US not responding after the missile launch, they’ve arguably achieved that.
The players
It’s important to understand the different groups of threat actors involved, along with their motivations and potential actions, to comprehend the challenges each poses in this delicate geopolitical situation. Here are the players:
- The Ministry of Intelligence and Security (MOIS): Iran’s primary intelligence agency. The MOIS is unlikely to escalate this situation, though we (along with many others in the security community) believe that they’ll continue their standard cyber operations.
- The Islamic Revolutionary Guard Corps (IRGC): the main arm of the Iranian Armed Forces. Like the MOIS, the IRGC is also unlikely to escalate their activity, although again, they’ll keep up their usual activity.
- Sympathizers not controlled by the MOIS or the IRGC: this group is the true wild card. The jury’s out on whether they’ll escalate their activity, but for now, they haven’t done much since the ceasefire.
This whole picture gets complicated when you add in the potential for Iran’s allies to jump into the battle, too. Again, that activity is, at least for now, relatively quiet. It seems that Iran and its allies are committed to de-escalation on the digital battlefield as well as the physical one. Given the lack of central control over the sympathizers, it’s uncertain whether they will stick to the de-escalation path.
Of course, all of this can change. This is a sensitive and delicate situation that the world is watching.
What to do (and what Expel is doing)
For now, our recommendation is to stay vigilant. “Vigilant” doesn’t mean hitting the panic button. It means staying up-to-date on the geopolitical situation, maintaining your current robust security posture, ensuring your systems are patched, your monitoring is active, and your incident response plans are sharp.
At Expel, we’re actively monitoring this activity. We’re not just tracking cyber developments; we’re also paying close attention to the geopolitical motivations behind them. Our goal is to give you a clear, no-nonsense picture of what’s happening so you can make informed decisions. We’re here for our customers, ensuring their security operations continue, and allowing their teams to focus on the strategic work that truly impacts the business.
So, while the geopolitical dust settles, keep your head up and your defenses strong. We’ll keep you informed as the situation evolves, and we’ll also update this post as needed.