How Iran Projects Power, Targets Companies, and Expands the Battlespace
Executive Summary
The current conflict involving Iran is unfolding across two interconnected domains: physical and digital. While kinetic activity captures immediate attention, cyber operations are enabling Iran to extend the conflict globally, shape perception, and impose cost on both governments and private-sector organizations.
Recent developments over the past two weeks reinforce several critical realities:
- Iranian cyber operations are synchronized with geopolitical events, not reactive to them
- Private-sector organizations are now being targeted as instruments of state signaling
- Access into Western networks is often established before escalation and activated during it
Iran’s approach is deliberate. It relies on pre-positioned access, distributed operators, and layered disruption to create persistent pressure without crossing thresholds that would trigger large-scale military response.
For corporate leaders, this shifts cyber risk from a technical issue to an operational and strategic concern tied directly to geopolitical dynamics.
1. Iran’s Operational Model: Cyber as a Core Instrument of Statecraft
Iran’s military limitations relative to the United States and Israel have shaped a strategy built on asymmetry. Rather than competing through conventional force projection, Iran uses a combination of proxy actors, irregular warfare, and cyber operations to extend its influence.
Cyber is central to this model: Iran integrates it into its broader conflict framework alongside:
- Kinetic operations
- Proxy force activity
- Information operations
These elements are coordinated. Cyber access is often established months or years in advance through credential harvesting, phishing campaigns, and supply chain compromise. Once geopolitical conditions shift, that access is leveraged to achieve operational or strategic effects.
Recent public statements from Iranian leadership following targeted strikes on senior officials signal intent to respond across multiple domains, including indirect and cyber-enabled actions.
Cyber provides Iran with three durable advantages:
- Attribution Delay: Attribution in cyber operations is rarely immediate or universally accepted. This creates a window in which Iran can act while limiting immediate consequences.
- Global Reach: Cyber operations allow Iran to impact targets far beyond its geographic region, including U.S. and European organizations.
- Escalation Management: Cyber enables Iran to impose economic and operational cost without triggering a conventional military response.
This combination makes cyber a consistent and repeatable tool for state-level competition.
2. The Cyber Ecosystem: Structure, Scale, and Flexibility
Iran’s cyber capability is defined less by centralized control and more by a distributed ecosystem that blends state direction with proxy execution.
State-Aligned APT Groups
Groups such as APT33, APT34, APT35, and MuddyWater form the core of Iran’s cyber capability.
Their operations focus on:
- Long-term access to enterprise networks
- Credential harvesting and identity compromise
- Intelligence collection
- Persistence within critical infrastructure environments
Recent reporting indicates continued deployment of updated malware and backdoors targeting organizations in the United States and allied countries, particularly across financial and transportation sectors. APT35 has also increased phishing activity targeting think tanks and policy organizations, reinforcing its focus on strategic intelligence collection.
Proxy and Hacktivist Layers
Iran amplifies its cyber activity through a network of aligned groups that operate with varying degrees of coordination.
Recent intelligence indicates dozens of such groups actively conducting:
- Distributed denial-of-service (DDoS) attacks
- Website defacements
- Data exposure campaigns
These actors increase operational volume and create noise, complicating attribution and response.
Front Groups and Narrative Actors
The emergence of groups such as Handala illustrates how Iran blends cyber operations with narrative shaping.
These groups:
- Claim responsibility for destructive or disruptive attacks
- Release stolen or manipulated data
- Use public channels to amplify messaging tied to geopolitical events
This approach extends the impact of cyber operations beyond technical disruption into reputational and psychological domains.
Criminal Overlap
Iran’s ecosystem also overlaps with financially motivated cybercriminals. Infrastructure, tools, and access are often shared or repurposed.
This creates a hybrid environment in which state-directed operations, opportunistic cybercrime, and proxy campaigns operate simultaneously and sometimes indistinguishably.
3. The Active Campaign: Evidence from the Last Two Weeks
Recent activity demonstrates that Iran’s cyber operations are not preparatory. They are active and ongoing.
Direct Targeting of Private Companies
An Iranian-linked group recently claimed responsibility for a cyberattack against a major U.S. medical technology company.
Reported impact includes:
- Large-scale data exfiltration measured in tens of terabytes
- Claims of widespread device disruption or wiping
- Operational impact across systems
The attack was framed as retaliation tied to the broader geopolitical environment. This reflects a shift in intent. Private-sector organizations are being targeted to generate visibility, impose cost, and reinforce state messaging.
Expansion into Critical Infrastructure
Recent reporting and government advisories indicate increased targeting of:
- Energy systems
- Water infrastructure
- Telecommunications networks
- Transportation and logistics platforms
Organizations across Europe and the United States have elevated defensive measures in response to increased scanning, intrusion attempts, and malware activity associated with Iranian actors.
Even unsuccessful attempts serve a signaling function and demonstrate intent.
Pre-Positioning and Persistence
Iranian actors continue to establish and maintain access within target environments.
Recent activity includes:
- Phishing campaigns targeting policy and research institutions
- Deployment of updated malware for persistent access
- Credential harvesting across enterprise systems
This pattern reflects a consistent operational model: establish access early, maintain persistence, and activate when conditions require.
Information Operations and Perception Management
Cyber activity is being paired with coordinated messaging efforts:
- Public claims of data destruction or disruption
- Amplification of attack narratives
- Distribution of real or manipulated data
These operations are designed to influence perception, create uncertainty, and extend the impact beyond technical disruption.
4. Internal Control and External Projection
Iran’s approach to cyber extends beyond offensive operations. It includes aggressive internal control of the digital environment.
Recent reporting indicates significant restrictions on internet connectivity within Iran, reducing access to external communication platforms and limiting information flow.
This reflects a dual strategy:
- External cyber operations targeting adversaries
- Internal control to maintain stability and manage narrative
The digital domain is treated as both an operational weapon and a strategic vulnerability.
5. What Comes Next: Forward-Looking Risk
Based on current activity, several developments are likely in the near term:
Destructive Operations
- Increased use of wiper malware
- Data destruction targeting operational systems
Supply Chain Compromise
- Targeting third-party providers to access larger organizations
Expanded Targeting of Western Companies
- Continued focus on sectors tied to economic and strategic value
Increased Coordination Across Actor Sets
- Greater alignment with proxy groups and potentially Russian-affiliated actors
Government warnings already indicate elevated risk of cyber activity affecting domestic infrastructure.
6. The Executive and Enterprise Risk Layer
The risk environment now extends beyond enterprise networks.
Executive Exposure
- Credential compromise
- Targeted phishing and impersonation
- Public exposure of personal data
Convergence of Cyber and Physical Risk
- Travel-related vulnerabilities
- Targeting tied to public visibility
- Blended campaigns combining cyber intrusion with physical risk
This requires integrated monitoring and response across cyber and physical domains.
7. Operational Response: What Organizations Should Do Now
Assume Adversary Presence
Operate under the assumption that access may already exist within your environment.
Elevate Intelligence and Monitoring
Focus on:
- Identity and credential exposure
- Dark web intelligence
- Indicators of persistence within infrastructure
Continuous, intelligence-driven monitoring is necessary to identify early-stage activity.
Prepare for Disruption and Recovery
Prevention is not sufficient.
Organizations need:
- Rapid containment capability
- Restoration-led incident response
- The ability to rebuild systems and resume operations quickly
Recovery speed determines operational impact.
Integrate Risk Functions
Cybersecurity, executive protection, and physical security must operate as a unified model. Fragmented approaches create gaps that adversaries exploit.
Align Leadership Decision-Making
Executives and boards need clarity on:
- Why their organization is a target
- How geopolitical events translate into operational risk
- What decisions must be made before an incident occurs
Strategic Conclusion
Iran’s cyber operations are structured, persistent, and integrated into its broader conflict strategy. They are not episodic events or isolated campaigns.
The defining characteristics of this environment are:
- Pre-positioned access
- Distributed execution
- Coordinated activation
Iran’s approach to cyber operations follows a consistent pattern: access is established well in advance, maintained quietly, and activated when it aligns with broader geopolitical objectives. What organizations are experiencing now is the execution phase of that model, not the beginning of it.
Most companies are already operating within this environment, regardless of whether they frame it that way internally. The deciding factor is no longer the likelihood of an incident. It is whether leadership understands how their organization fits into a geopolitical threat landscape and has built the capability to operate through disruption when it occurs.
The organizations that handle this well will act earlier, make decisions with clarity, and maintain continuity under pressure. Others will find themselves responding in real time to activity that was already underway, with far fewer options available once impact is visible.