Iran cyber threats: What security teams need to know right now | Expel briefing

Videos · Olivia Garrison

Primary focus: Iran cyber threats and defensive recommendations

Date: March 2026

Featuring:

  • James Shank, Director of Threat Operations, Expel
  • Steph Shample, Iran Intelligence Expert, Adjunct Professor at University of Maryland Global Campus

Introduction

Following coordinated attacks by Israel and the United States against Iran starting on February 28, 2026, the cybersecurity landscape faces a period of heightened risk. These attacks targeted Iranian leadership, infrastructure, and defensive capabilities, following the 12 Day War in June 2025 that also disrupted Iranian command structures.

The resulting ambiguity about Iranian leadership and chain of command creates uncertainty about how Iran’s sophisticated cyber capabilities will be deployed in response. With Iran openly stating their intent for revenge and vengeance, security teams worldwide need to understand the threat landscape and take appropriate defensive measures.

James Shank, Director of Threat Operations at Expel, sat down with Steph Shample—a leading expert on Iranian intelligence who has followed Iran since 2004 across military, physical, and cyber operations—to discuss what organizations need to know and do right now.

Critical context: This situation is ongoing and developing. The information state is in flux as events progress. This briefing establishes background, discusses current threats, and provides actionable recommendations based on what is known at present.

Iran’s cyber capabilities: Advanced, sophisticated, and revenge-motivated

Steph Shample: Iran operates outside its borders through proxy groups like Hezbollah, which have both cyber and physical capabilities active across Syria, Lebanon, and throughout the region. What we want to do here is provide protection suggestions, because Iran is going for revenge and vengeance. They’ve openly stated that in the media. We’ve seen the reflections on Telegram and their communication groups as well.

Iranian cyber capabilities are advanced. They have learned from other adversarial nations through partnering, training, and information exchanges with Russia and China. They’re active right now with ransomware, data wiping, and destruction of data.

Steph Shample: I think we’re going to be facing some revenge in the form of—Iran has openly stated this before—they want to go after our critical infrastructure elements, the 16 umbrellas there: water supply, food supplies, the banking system, the financial system, the power grid. All of these things that in the West, including Europe, we take for granted. Iran’s going to come after that hard.

They’ve already targeted these systems. There was a 2023 to present day 2026 focus on programmable logic controllers (PLCs). We’re going to see ongoing efforts after vengeance in the cyber realm, and physically that has already started—10 to 12 Middle Eastern countries have already had bombings or missile attacks in the aftermath of this.

Motives and objectives: Being seen and being felt

James Shank: My read on this is that a lot of the Iranian activity, especially in response to what’s happened, is going to be motivated by the desire to be seen and be felt. They’re going to want to be seen as a credible threat. They’re going to want to demonstrate capabilities and they’re going to want that impact to be felt.

Steph Shample: Iran has often taken that tack—“Hey, we’re here, we’re serious, we’re a world player, we’re on the global stage.” They fault the West for removing them from the global stage, which dates back to the ’50s, ’60s, ’70s.

When attacking anywhere, we have seen in source code—when they went after Saudi Aramco, for example—Iran leaves notes in their source code. They will leave Farsi messages. So that’s one way of saying “Hi, we’re here. It’s us.” They want to be seen.

At the same time, they also operate along this line of having plausible cover. You will see activist groups, Iranian-aligned groups (not necessarily Iran-backed, but that share that overlap and support the regime) who are going to come out and deface websites. They’ll leave a message there: “Hey, we were here.”

Steph Shample: But now we’ve essentially backed someone into a corner. The West has backed Iran into a corner. They’re fighting for their future. They’re fighting to exist. Their transition plan is not quite solid yet. The Ayatollahs and the regime had a layered defense in depth—“we have this successor, this successor”—but I don’t think they had a preparation plan for 40+ senior leaders lost.

They’re going to fight back harder. DDoS attacks, taking services offline, really going after banking, really going after PLCs, using everything that’s available—online platforms such as Shodan that give visibility into OT and industrial control systems. I think we’re really going to see them go after that hard.

Years of preparation: The ransomware and data exfiltration threat

Iranian cyber activity didn’t start with these recent physical attacks. They’ve been conducting compromises and data exfiltration for years, which creates specific concerns about what they may have been sitting on.

Steph Shample: We’ve seen this with ransomware or any data theft—a lot of entities will sit on specific types of data until the timing is right. With the geopolitical world we live in—very high tensions, very polarized—data is stolen and then actors will sit on it for the right time.

Iran has been active with ransomware for years and years. My first venture into cyber was an Iranian ransomware campaign. They have only gotten more sophisticated through training and information sharing with Russia and China.

We could see some very prominent data releases. Iran might have been sitting on it for a while, or they could give it to someone else, some other allies. Hezbollah has a cyber arm. We could see Hezbollah releasing information potentially—maybe politicians or world leaders, information about them that the groups had been sitting on.

Steph Shample: We could also see an uptick in DDoS attacks. DDoS used to stand on its own as an attack and was disruptive. What we’re seeing in the cyber trend—not just Iran, but DDoS is often a first layer and then something else is happening behind the scenes.

If you provide disruption with the DDoS attack and say “look over here, look over here,” but in actuality something else is happening behind the scenes—that could be a physical attack. They could be using drones. They could be sending resources to one place just so that they don’t go to another.

Data exfiltration, prominent figures targeted globally, and disruption in all services—those are the top three things I see them doing in the next two to four weeks.

Hacktivist groups: Distraction and future alignment signals

James Shank: One of the concerns when talking about a lot of the Middle Eastern countries is there’s a lot of hacktivists that are aligned to various different interests within the Middle East. With these physical activities happening, we’ve already seen announcements of various hacktivist groups—both traditionally Iranian, Iranian-aligned, as well as aligned to other countries—coming out and announcing their alignment. Are the hacktivists a real threat here?

Steph Shample: Yes, we’re going to see hacktivist activity increase. I think we’re going to see Shia-aligned groups, Iranian-aligned groups, anti-Western groups—all of those that exist and have been active for several decades are going to come out more in full force.

Iran itself has Cyber Avengers. They’re a pretty big hacktivist group. There’s also things like the 313 Team and Soldiers of Solomon and Cyber Toufan. You could name all of these groups. They will go out to spread the Iranian message—the regime is going to survive, or this is the leader that will take over. These hacktivist groups will advocate for a new leader as well.

Steph Shample: That’s important right now because that transition plan is not solidified. We don’t know exactly where they’re going, what they’re doing. We’re still weighing the narrative of who’s alive, who survived the attacks, versus who has been removed essentially from the battle space.

The hacktivist groups will weigh in on that and likely try to shape it. They’re going to serve two purposes: It’s a distraction from what the higher-level Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS) are doing in the background, and how they’re also responding. But the hacktivist groups are also going to show us how the new factions are going to align and what the future alignment looks like.

Most important point: Be prepared for Iranian cyber responses. Don’t look to an APT, don’t look to cyber crime, don’t look to an agnostic state. Just look for an overall Iranian response and take precautions accordingly. They are active, all groups, all skill levels, and we need to be aware of the whole spectrum of possibilities.

Disinformation and social engineering campaigns

James Shank: One of the go-tos for Iran is disinformation. They have a lot of built-up disinformation capabilities. Can you speak to that and also talk about what other techniques might be in use?

Steph Shample: They’ve really upped their efforts in disinformation. Right now we could see some specific think tanks established to spread Iranian narrative. MOIS operates outside Iran and kind of spies on the diaspora.

As dissidents are more active and the diaspora now has a voice, I think we could see MOIS or IRGC set up honeypots essentially. “Oh, we are anti-the Iranian regime. We want this changed too.” But this is now going to be a new way for either MOIS or IRGC to collect information about who’s speaking outside of Iran, which now has more power.

Steph Shample: They’re going to set up those think tanks. Think of maybe front companies. Iran has been very popular with front companies. They’ve set them up before for operations.

What are their biggest efforts when it comes to social engineering that dovetails into mis- and disinformation? False job positions. “Hey, we have an opening for a professorship for somebody with your background. Come tell us all that you know about Iran.” Or, “You’re former government—UK, Canada, US—we have a position. Come work with us.”

The false entities, think tanks, front companies, peddling this narrative of “give us all the information that you have” so that they can remain informed during this increasingly transitional and sensitive time for them as they build a future.

The fundamentals: What security teams should do right now

James Shank: What are your thoughts on how much attention people should pay to this as a threat vector today versus doing the routine security things and upping the game?

Steph Shample: Let’s talk about security in cybersecurity. We know Iran’s going to come after everybody. We know they have the capability. We know what capabilities they don’t have, they can obtain from their friendlies—Russia, China, etc. 

Basics right now are not to be understated:

  • Patch that thing you’ve been meaning to patch. Don’t put it off.
  • Closer review of log activity. A closer review of who your system is communicating with.
  • Review legacy systems. Do you have any legacy systems that need attention?

I know I sound like I’m doing a Security+ basic introduction, but I say that because in a time like this, when everything is so uncertain, the basics go a long way.

Steph Shample: The second step—and you’ve always been great at this—every organization needs to have their own news feed. Pull it in. Whatever you use—Slack, Mattermost—automate those RSS feeds. Get CISA, get DHS, get NCSC as well. Go international because our partners see different things.

Use those news feeds. Use the CVE vulnerability database. Use all of these things and use skepticism. That is my biggest thing right now.

Nobody in any org should just get an attachment and open it. If you do one thing, if you take one thing away from this briefing: Don’t open attachments willy-nilly.

Now is the time for every organization to really be friendly with their IT, their SOC, their tech teams. Extra vigilance really will prevent and reduce negative impacts.

Steph Shample: Iran is really good at sending attachments for job invitations, or they’ll send attachments saying “Hey, I’m a journalist. Could I interview you?” And those attachments are what’s going to wreak havoc.

Security fundamentals to focus on:

  • Patch management
  • Log monitoring
  • Review system communications
  • Legacy system assessments
  • RSS feeds and threat intelligence
  • Skepticism about all attachments
  • Enhanced coordination with IT/SOC teams
  • Digital literacy across the organization
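The advisory-feed automation the briefing recommends (pull CISA, DHS, NCSC and partner feeds into Slack or Mattermost) is small enough to show end to end. The script below is an added example, not Expel's tooling or anything shown in the video: it parses RSS 2.0 and Atom, drops items already seen on a previous run, keeps only items whose title mentions a watch term or a CVE identifier, and builds the JSON body an incoming webhook expects. The two feeds, the watch-term list and the `CVE-0000-00000` identifier are constructed for the example; the webhook URL is assumed to be your own.

```python
"""Poll advisory RSS/Atom feeds, drop items already seen, and keep the ones
worth a human look.  Example code added to this briefing; not Expel's tooling.
The feeds below are constructed; in practice point FEEDS at your advisory
sources (CISA, NCSC, partners) and post_digest at your own incoming webhook."""
import json
import re
import urllib.request
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Terms that make an advisory worth a human look during this period (assumed list).
WATCH_RE = re.compile(r"\b(iran|iranian|plc|plcs|ics|ot|ddos|wiper|ransomware)\b", re.I)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.I)

# Constructed RSS 2.0 feed with three items (CVE-0000-00000 is a placeholder id).
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example advisories</title>
<item><title>Advisory: exposed PLCs targeted by Iranian-aligned actors</title>
<link>https://example.invalid/adv/1</link><guid>adv-1</guid>
<pubDate>Mon, 02 Mar 2026 10:00:00 GMT</pubDate></item>
<item><title>Patch CVE-0000-00000 in vendor gateway</title>
<link>https://example.invalid/adv/2</link><guid>adv-2</guid>
<pubDate>Mon, 02 Mar 2026 11:00:00 GMT</pubDate></item>
<item><title>Quarterly newsletter</title>
<link>https://example.invalid/news/3</link><guid>news-3</guid>
<pubDate>Mon, 02 Mar 2026 12:00:00 GMT</pubDate></item>
</channel></rss>"""

# Constructed Atom feed with one entry, so both formats are exercised.
SAMPLE_ATOM = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Example partner feed</title>
<entry><title>DDoS readiness guidance refreshed</title><id>atom-7</id>
<link href="https://example.invalid/atom/7"/><updated>2026-03-02T12:30:00Z</updated></entry>
</feed>"""


def parse_feed(xml_text):
    """Return a list of {id, title, link, published} dicts from RSS 2.0 or Atom."""
    root = ET.fromstring(xml_text)
    entries = []
    if root.tag == "rss":
        for item in root.iter("item"):
            entries.append({
                "id": item.findtext("guid") or item.findtext("link"),
                "title": (item.findtext("title") or "").strip(),
                "link": item.findtext("link"),
                "published": item.findtext("pubDate"),
            })
    elif root.tag == ATOM_NS + "feed":
        for entry in root.iter(ATOM_NS + "entry"):
            link_el = entry.find(ATOM_NS + "link")
            entries.append({
                "id": entry.findtext(ATOM_NS + "id"),
                "title": (entry.findtext(ATOM_NS + "title") or "").strip(),
                "link": link_el.get("href") if link_el is not None else None,
                "published": entry.findtext(ATOM_NS + "updated"),
            })
    return entries


def new_entries(entries, seen_ids):
    """Keep entries whose id is not in seen_ids and record them as seen."""
    fresh = [e for e in entries if e["id"] not in seen_ids]
    seen_ids.update(e["id"] for e in fresh)
    return fresh


def relevant(entry):
    """True if the title mentions a watch term or a CVE identifier."""
    return bool(WATCH_RE.search(entry["title"]) or CVE_RE.search(entry["title"]))


def build_digest(feeds, seen_ids):
    """Parse every feed, drop already-seen items, keep the relevant ones."""
    picked = []
    for xml_text in feeds:
        for entry in new_entries(parse_feed(xml_text), seen_ids):
            if relevant(entry):
                picked.append(entry)
    return picked


def slack_payload(entries):
    """Build the JSON body for a Slack/Mattermost incoming webhook."""
    lines = [f"- {e['title']} <{e['link']}> ({e['published']})" for e in entries]
    return {"text": "Advisory digest:\n" + "\n".join(lines)}


def post_digest(entries, webhook_url):
    """POST the digest; webhook_url is your own incoming-hook URL (assumed)."""
    body = json.dumps(slack_payload(entries)).encode()
    req = urllib.request.Request(webhook_url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    seen = set()  # persist this set (e.g. as a JSON file) between scheduled runs
    digest = build_digest([SAMPLE_RSS, SAMPLE_ATOM], seen)
    print(json.dumps(slack_payload(digest), indent=2))
```

Run it from cron or a scheduler and persist the `seen` set between runs; the dedup is what keeps the channel from re-posting the same advisory every poll. The "quarterly newsletter" item is dropped by the relevance filter, which is where the skepticism the briefing asks for gets encoded: a feed is only useful if a human actually reads what lands in the channel.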

Advanced measures: Threat hunting and infrastructure monitoring

James Shank: It’s remarkable how often the recommendations all come back to security fundamentals. My view on this is that really being effective in security comes down to discipline. It’s discipline, prioritization, and focus.

A lot of these international events raise awareness in a good way, but they can become something that dominates people’s minds about what they need to be focused on today. Oftentimes the best things that people can do is that thing that’s been sitting on your to-do list—go do that right now.

James Shank: Expel just last week released our Annual Threat Report, and in that threat report it became very clear that a lot of the techniques leading to active incidents in organizations—the remediation step or the resilience step is: do that fundamental thing. Do that thing that’s just been on your list for a while.

With a lot of these more advanced actor groups and nation-state activities, it comes down to the same thing. But with that being said, it’s also smart to engage in some extra hunts.

On our side, that’s one of the things we’re doing. We’re looking at different techniques we can hunt on. We’re looking at known hosting providers that the Iranians have used in the past and what we’re seeing connecting to our customer environments from those providers.

Steph Shample: I’m really glad you brought that up. The fundamentals are there for a reason. We teach foundational concepts because they work. But you can carry out the fundamentals and have one group focusing on that, and then double down on a specific hunt.

Look at previous Iranian TTPs. Look at previous infrastructure. I’ve been following them for a long, long time. Prior to now, Iranian actors would heavily abuse infrastructure in France, Germany, and the Netherlands. France was OVH. Germany was Hetzner.

Steph Shample: That has changed drastically. The Netherlands in 2019 had a huge cybersecurity law and regulation overhaul. They eradicated a lot of actors from their network.

So now Iran has moved from abusing European infrastructure—of course in conjunction with VPNs that you need to monitor—but they are now abusing Asian infrastructure, namely Japan.

I think that’s really important. This is a time where everything is in flux. We could see the move from Asian infrastructure again, so be aware: where is this coming from? From Kazakhstan? Why is this all of a sudden—why are there C2s coming in here? Pay attention to any different activity, because if there’s an infrastructure change or a behavioral change, now is an opportune time for them because they’re scattered, they’re afraid, and they’re just trying to figure out what to do next.

Infrastructure to monitor:

  • Historical Iranian infrastructure abuse: France (OVH), Germany (Hetzner), Netherlands
  • Current focus: Asian infrastructure, particularly Japan
  • Watch for: Kazakhstan, unusual C2 communications, behavioral changes
  • VPN usage for obfuscation
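The infrastructure hunt James and Steph describe (compare today's outbound connections with what the environment normally talks to, and flag new providers, new countries, and first-seen destinations) can be scripted against ordinary firewall or proxy logs. The script below is an added example, not Expel's hunt tooling: it enriches destination IPs with ASN and country, builds a baseline from an earlier log window, and reports each deviation with its reasons. The prefix-to-ASN table, the two log excerpts and the watch-country list are constructed; the documentation ASNs (AS64496 onward) stand in for the real provider numbers you would take from your own enrichment source.

```python
"""Hunt over outbound-connection logs for infrastructure changes: destinations
in watch-listed countries, hosting providers never seen in the baseline window,
and first-seen external destinations per internal host.  Example code added to
this briefing, not Expel's hunt tooling.  The ASN table, log lines and watch
list are constructed; AS64496-AS64499 are documentation ASNs, not real providers."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed prefix -> (asn, org, country) enrichment table (documentation ranges).
ASN_TABLE = [
    ("203.0.113.0/24", (64496, "ExampleHost-EU", "DE")),
    ("198.51.100.0/24", (64497, "ExampleHost-JP", "JP")),
    ("192.0.2.0/25", (64498, "ExampleCloud-US", "US")),
    ("192.0.2.128/25", (64499, "ExampleHost-KZ", "KZ")),
]
ASN_NETS = [(ipaddress.ip_network(p), info) for p, info in ASN_TABLE]

# Countries the briefing says to watch right now; assumed list, tune to your own intel.
WATCH_COUNTRIES = {"JP", "KZ"}

# Constructed baseline window: hosts only spoke to the EU and US providers.
BASELINE_LOG = """ts,src_host,dst_ip,dst_port,bytes
2026-02-20T09:00:00Z,ws-01,203.0.113.10,443,2048
2026-02-21T09:05:00Z,ws-01,192.0.2.20,443,4096
2026-02-22T10:00:00Z,srv-02,203.0.113.11,443,512
"""

# Constructed "today" log: two connections deviate from the baseline.
TODAY_LOG = """ts,src_host,dst_ip,dst_port,bytes
2026-03-02T09:00:00Z,ws-01,203.0.113.10,443,2048
2026-03-02T09:07:00Z,ws-01,198.51.100.5,8443,131072
2026-03-02T09:09:00Z,srv-02,192.0.2.200,443,900
2026-03-02T09:12:00Z,srv-02,203.0.113.11,443,600
"""


def enrich(ip_str):
    """Map an IP to (asn, org, country); unknown IPs get (None, 'unknown', '??')."""
    ip = ipaddress.ip_address(ip_str)
    for net, info in ASN_NETS:
        if ip in net:
            return info
    return (None, "unknown", "??")


def read_log(text):
    """Parse the CSV connection log into dicts with an added 'enrich' field."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["enrich"] = enrich(row["dst_ip"])
    return rows


def build_baseline(rows):
    """Return (set of ASNs seen, dict host -> set of destination IPs) for the window."""
    asns = {r["enrich"][0] for r in rows}
    per_host = defaultdict(set)
    for r in rows:
        per_host[r["src_host"]].add(r["dst_ip"])
    return asns, per_host


def hunt(today_rows, baseline_asns, baseline_per_host):
    """Flag each connection with the reasons it deviates from the baseline."""
    findings = []
    for r in today_rows:
        asn, org, country = r["enrich"]
        reasons = []
        if country in WATCH_COUNTRIES:
            reasons.append(f"watch-listed country {country}")
        if asn not in baseline_asns:
            reasons.append(f"provider {org} (AS{asn}) not seen in baseline")
        if r["dst_ip"] not in baseline_per_host.get(r["src_host"], set()):
            reasons.append("first-seen destination for this host")
        if reasons:
            findings.append({"ts": r["ts"], "src_host": r["src_host"],
                             "dst_ip": r["dst_ip"], "dst_port": r["dst_port"],
                             "reasons": reasons})
    return findings


def run_hunt(baseline_text=BASELINE_LOG, today_text=TODAY_LOG):
    """Build the baseline from one window and hunt the other against it."""
    asns, per_host = build_baseline(read_log(baseline_text))
    return hunt(read_log(today_text), asns, per_host)


if __name__ == "__main__":
    for f in run_hunt():
        print(f["ts"], f["src_host"], "->", f["dst_ip"], ":", f["dst_port"],
              "|", "; ".join(f["reasons"]))
```

A finding is a lead, not a verdict: the reasons list tells the analyst why the row surfaced (country, provider never seen before, first contact from that host), which is the "why is this all of a sudden coming from here?" question Steph raises. Feed the same baseline-versus-today comparison with VPN exit ranges as a second table if VPN-fronted infrastructure is part of the picture, and keep the watch-country set under review, since the briefing's point is that the infrastructure in use is itself in flux.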

False flags and attribution challenges

James Shank: From an attribution perspective, what are your concerns about the possibility of there being other nations or other groups using these activities as a false flag?

Steph Shample: I do think it’s a real concern. Cyber gives everyone—not just Iran, but everybody—plausible cover, plausible deniability. If you know how to obfuscate your trail and protect yourself, you can craft any narrative you’d like. That’s part of the danger.

The conflict between Israel and Iran has been longstanding. Iran has imitated Israeli actors and vice versa. Israel has imitated Iranian actors. In this day and age with everybody wanting to take a part in this or wanting to have a say in the Iranian conflict, we could absolutely see impersonation.

Steph Shample: I think we could see people trying to jump on and pretend like they’re Iranian actors and spread a message either related or adjacent to the Iranian regime.

This is when fundamentals matter: We’re not going to pass up false positives. We’re going to review alerts carefully. We’re not going to rely on automation. We’re going to use our human brain, and we’re not even going to rely on AI alone.

We are going to really get deep and granular and make sure: From what I can tell, does this match previous Iranian TTPs? Why would they all of a sudden be using a brand new provider they hadn’t before? Is this a different actor? Is this a different country?

We know Russia likes to imitate people as well, so all of these have to be swimming in a security professional’s mind. It is a possibility. It has been done before, and now we’re in a higher time of tension, so prepare for it to happen again.

Attribution best practices:

  • Don’t rely solely on automation or AI
  • Review alerts carefully with human analysis
  • Compare to known Iranian TTPs
  • Question sudden changes in infrastructure or behavior
  • Consider possibility of impersonation by other actors
  • Trust your network of intelligence professionals
  • Use MISP projects and trusted information sharing

Regional impacts and hybrid warfare

James Shank: Let’s talk about the regional impacts. What’s going to happen in the Middle East, and what role does Iran play in terms of overall stability in that region?

Steph Shample: Iran likes to straddle being off the Western stage and not having a global presence while also stirring incidents and malicious activity in the background via proxy groups. We know they’re in Yemen, and we know they’re in the Syrian and Lebanese conflicts.

Physically, the groups that will probably increase: Hezbollah activities, all pro-Shia groups protecting their weapons, protecting arsenals, physically attacking Middle Eastern countries. Going after US military bases in the region. I would be nervous for any flights in the region as well. I think there’s going to be activity towards that.

Steph Shample: Cyber-wise, I think what we will see—my prediction—is a hybrid conflict, which has been circulating in academic, technical, and government circles. I think this is where it comes to fruition.

Iran’s going to say, “We’re trying to get succession in order. We’re trying to name the next supreme leader.” They’ve said they’re going to do that this week. They’re going to say they’re busy planning the government and planning for the future.

In reality, I think they’re just going to keep lashing out, destroying things, attacking things. Firing missiles, going after Israel, going after US and Western military personnel. The region is going to continue to destabilize, which is unfortunate because this is a lot of innocent people being hurt—tourists, service members—and they’re really going to go after them now because they’ve essentially got nothing to lose.

Recent Iranian activities:

  • Attempted closure of Strait of Hormuz (impacts global oil prices)
  • Targeting of AWS infrastructure in the Middle East region
  • AWS has acknowledged stability problems due to attacks
  • Focus on disrupting Western companies and data centers

The human impact: Remembering what matters most

James Shank: I think it’s critical that you bring up the human impact. That gets lost sometimes in our conversations about cyber impacts. The truth is that this is uncomfortable for so many people. There are people that are hurting, there are people that have lost loved ones.

It’s critical that we have that human understanding and step aside from thinking about the cyber impacts or even the geopolitical impacts, and think about the families and the people, the children, the innocent victims of these affairs.

Steph Shample: Let me echo that again—the human element. We’re all looking at screens, we’re working digitally, then we close a screen and you can’t close the human impact.

Iranians have been suffering for 40+ years. We know that the people are not their government. They’re being murdered, they’re being taken off the streets, they’re being prevented from having funerals to mourn their dead. They’re preventing Iranian families from doing that.

To all of our Iranians, be successful. The world is truly thinking of you. Tehran’s running out of water in addition to everything else they’re going through. We really need to think of the Iranian people and start asking: What can groups do? What can we send over? Do they need food? Do they need infrastructure? What does this look like in their future?

Steph Shample: Let’s protect ourselves as infrastructure and as professionals and as companies who can contribute back to Iran. Let’s maintain vigilance. Let’s fight against propaganda and mis- and disinformation, which is only going to increase. And let’s just keep the conversation open.

Frequently asked questions about Iran cyber threats

What makes Iranian cyber capabilities different from other nation-state actors?

Iranian cyber operators combine advanced technical capabilities learned from Russia and China with extensive experience in ransomware, data wiping, and targeting critical infrastructure. They operate through both official channels (IRGC, MOIS) and proxy groups (Hezbollah, Cyber Avengers), giving them multiple attack vectors. They also excel at social engineering, disinformation campaigns, and leaving messages in source code to ensure their attacks are attributed.

Should organizations outside critical infrastructure sectors be concerned about Iranian cyber threats?

Yes. While Iran has openly stated their intent to target critical infrastructure (water, power, banking, food supply), they also conduct broad campaigns involving ransomware, data theft, DDoS attacks, and social engineering across all sectors. Any organization with Western ties or valuable data could be targeted, either directly or as collateral damage in broader campaigns.

How can security teams distinguish between genuine Iranian threats and false flag operations?

This requires deep analysis rather than relying on automation alone. Compare observed TTPs to known Iranian patterns, question sudden changes in infrastructure or behavior, and consider whether other actors (like Russia or Israel) might be impersonating Iranian groups. Work with trusted intelligence networks and don’t jump to conclusions based on initial indicators alone.

What infrastructure should security teams monitor for Iranian activity?

Historically, Iranian actors abused European infrastructure (OVH in France, Hetzner in Germany, Netherlands providers). Following cybersecurity law changes, they’ve shifted to Asian infrastructure, particularly in Japan. Also monitor for traffic from Kazakhstan and watch for any unusual C2 communications or VPN usage patterns that could indicate Iranian operations.

How does the current leadership uncertainty in Iran affect the cyber threat landscape?

The ambiguity about Iranian leadership following the loss of 40+ senior leaders creates unpredictability. Without a clear chain of command, cyber operations may be more scattered, reactive, and aggressive as various groups attempt to demonstrate capability and relevance. This also means hacktivist groups will be more active as different factions signal their alignment and push for particular successors.

What role do Iranian hacktivist groups play in the overall threat landscape?

Hacktivist groups serve dual purposes: they provide distraction from higher-level IRGC and MOIS operations while also signaling how future Iranian factions will align. Groups like Cyber Avengers, 313 Team, Soldiers of Solomon, and Cyber Toufan will increase activity, spread regime messages, and advocate for particular leaders. They represent the “whole spectrum” of Iranian cyber capabilities that organizations need to prepare for.

Are DDoS attacks still a serious concern or just a distraction tactic?

Both. While DDoS used to be a standalone attack vector, Iranian actors now frequently use it as a first layer to create disruption and divert attention while conducting more serious attacks behind the scenes—data exfiltration, infrastructure targeting, or even coordinating with physical attacks. Never dismiss a DDoS as “just” a distraction; always investigate what else might be happening.

Immediate action items for security teams

Based on this briefing, security teams should take the following actions immediately:

Within 24 hours:

  • Review and close any outstanding patching gaps
  • Verify log monitoring is comprehensive and alerts are being reviewed
  • Brief all staff on attachment awareness and social engineering tactics
  • Document all systems communicating externally and verify legitimacy
  • Enable additional monitoring for traffic from Japan, Kazakhstan, and Asian infrastructure

Within one week:

  • Conduct threat hunts focused on known Iranian TTPs and infrastructure
  • Review critical infrastructure systems for PLC vulnerabilities
  • Implement or enhance RSS feeds from CISA, DHS, NCSC, and international partners
  • Assess legacy systems for exposure and implement additional controls
  • Coordinate with incident response teams on Iranian-specific scenarios

Ongoing:

  • Maintain heightened alert review (human analysis, not just automation)
  • Monitor for data exfiltration attempts, especially involving previously compromised credentials
  • Watch for signs of DDoS preparation or unusual traffic patterns
  • Review all job offers, interview requests, and think tank invitations for legitimacy
  • Keep the conversation open across security teams and trusted networks

Don’t forget:

  • Do that thing that’s been sitting on your security to-do list
  • Focus on fundamentals—discipline, prioritization, and focus
  • Remember the human impact and innocent people affected by this situation

Expel’s commitment to protecting customers

James Shank: To all of our Expel customers out there, please know that we are keeping track of this situation as it develops. We’re looking continuously at what hunts we can do to help ensure that anything we have the capability to do to help protect you, and we are looking into how to do so.

At this time, this is still a developing situation. Things are changing quickly. We will do our best to keep you updated with the latest that we know.

This briefing reflects the information state as of early March 2026. The situation remains fluid and ongoing. For the latest threat intelligence updates, follow Expel on LinkedIn or contact your Expel representative.
