Iran Conflict Adds New Motivations to Cyber Threats
Cybersecurity journalist Nicole Perlroth wrote in her 2021 book This is How They Tell Me the World Ends: “There wasn’t a single area of our lives [in the United States] that wasn’t touched by the web. We could now control our entire lives, economy, and grid via a remote web control. And we had never paused to think that, along the way, we were creating the world’s largest attack surface.”
True to Perlroth’s words, international conflict in recent years has been fought online as much as, if not more than, on the ground. For example:
- Russia’s aggressions against Ukraine began in part with a series of distributed denial of service (DDoS) attacks against Ukrainian websites in early February 2022.[i]
- Russia was suspected of causing outages to Denmark’s energy sector in 2024 and 2025, continuing its pattern of targeting critical European infrastructure.[ii]
- In 2025, purported Israeli group Predatory Sparrow is credited with stealing $90 million from Nobitex, Iran’s largest cryptocurrency exchange.[iii]
- On June 11, 2025, purported IRGC-linked Fatemiyoun Cyber Team claimed responsibility for attacks on government websites in Jordan and Kuwait as part of an overall strategy of targeting U.S. and Israeli allies.
Initiating Hybrid Warfare
The U.S. and Israel airstrikes on Iran immediately raised concerns in the cybersecurity community of how these aggressions could play out in cyberspace. Iran maintains a talented state-sponsored cyber program and has previously perpetrated state-sponsored cyber operations with documented capabilities in wiper malware, DDoS attacks, and espionage against critical infrastructure.[iv]
By March 2, 2026, more than 60 groups claimed responsibility for hacktivist activity on behalf of Iran.[v] And on March 15, 2026, Iranian hacktivist group Handala caused disruption of global medical-equipment firm Stryker in what The Wall Street Journal suggested was “the most significant wartime cyberattack against the U.S. in history.”[vi]
The U.S.-Israel conflict with Iran brings increased focus on U.S. vulnerabilities and targets. Beyond government resources, these attacks include (but are not limited to) energy, financial services, critical infrastructure, and medical industries in both enterprise and consumer sectors. Reporting from Palo Alto Networks’ Unit 42 notes that the threat actors are “heavily relying on the impersonation of highly trusted entities including major telecommunications providers, national airlines, law enforcement and critical energy corporations” to commit financial fraud, harvest credentials, and distribute illicit content.[vii] Risks arising from physical destruction also persist.
On March 11, 2026, Iranian news agency Tasnim published a list of Western technology and cloud firms as “enemy technology infrastructure” and potential targets for military action in the Middle East; companies listed include Microsoft, Google, Nvidia, and other companies with military or cloud computing ties.[viii] While a brief ceasefire raised hopes for relief, Iranian-connected and allied threat actor groups have already declared: “The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.”[ix]
The Iran conflict’s evolution from localized, regional activity into persistent targeting of energy, data, logistics, and other systems that support state and private-sector operations alike reinforces the need for strong cyber resilience across industries and reinforcement of cyber ecosystems.
Increase in Threat Actor Activity
Cybercrime activity has increased by 245% since February 28, 2026.[x] While early March’s activity largely targeted Israel and Persian Gulf countries, the activity has recently moved stateside. The U.S.’s ability to counter major cyberattacks is challenged by the ongoing partial government shutdown, as the leading readiness body (CISA) works through furloughs and management changes.[xi] CISA, in coordination with the FBI, NSA, EPA, DOE, and CNMF, issued its first advisory on April 7, 2026, concerning the ongoing cyber exploits of internet-accessible devices by Iranian-affiliated threat actors.[xii]
In a discussion on March 31, 2026, Digital Forensics and Incident Response Investigator with CyberCX Rich Cominos reinforced that no company should consider themselves safe from potential cyber-attacks: “Biggest thing for everyone to understand is that you are in fact a target. Doesn’t matter what your size or sophistication is.” The same applies to individuals, who may also see their personal information released or compromised and misused.
While the files Handala released in March 2026 from Kash Patel’s personal email account are years old and largely appear to be receipts and vacation photographs, internet sleuths have connected information in those emails to map Patel’s online activity and online user accounts. For individuals who share passwords across accounts, innocuous emails give hackers further information with which to expand a breach’s impact. Even if the information does not increase vulnerability, it can still force expensive and time-consuming reviews and response efforts.
Blurring of Hacker Motivations
Though targets have not changed, the motivations blur in this new conflict. Iran-connected threat actors generally operate in three tiers: groups that are directly connected to the Iranian Revolutionary Guards and the Ministry of Intelligence, proxy groups (e.g., ransomware gangs), and a network of independent hacktivists. Financial gain is often a motivator to fund Iran military operations. But new pro-Iran threat actors are more likely motivated by ideological goals, using attacks to project power against adversaries, conduct revenge operations, gather intelligence, spread disinformation, or engage in economic disruption to strain adversary resources.[xiii]
Cominos notes that these ideals can push new hacktivists to join the fray: “You have individuals with some know-how watching the news or reading about what a country is doing, and that may be the thing that ultimately pulls you in. Continued attacks can activate people with similar ideological values that will see a call to action.” Indeed, on March 4, 2026, the Cyber Jihad Movement (a hacking group allegiant to Al-Qaeda) released an English-language manifesto calling for global participation in digital sabotage against the U.S. and Israel. The CJM stated it would be joining “pro-Iranian hacker movements and groups in their fight against the United States and Israel,” representing the first explicit declaration of cross-ideological cyber collaboration between Sunni jihadists and Shia-aligned hacker collectives and suggesting an “enemy of my enemy” tactical alliance.[xiv] Russian-linked hacktivists also appear to be aligning with Iran to target Israeli critical infrastructure, breaching security cameras to inform kinetic operations and disrupt U.S. networks.[xv]
Low Skill Requirements, High Impact
Individual recruitment succeeds often because the barriers to entry are very low. Cominos reports that the incidents he sees most often are not sophisticated zero-day exploits—they are instead clicks on malicious links in phishing emails, credential harvesting, and similar social-engineering based causes. The most basic of these techniques take less than a day to learn, allowing individuals to quickly deploy without lengthy training. Because hacktivists’ primary goal is to waste resources, cause economic and other disruption, or embarrass adversaries, hacktivism presents an attractive option for disaffected individuals wanting to engage in collective action.[xvi]
What complicates this engagement is the hacktivists’ independence. Because they are not centralized around a specific authority, like nation-state actors and traditional kinetic warfare, it can be unclear whether hacktivists’ action is done by a nation state, loosely affiliated threat actor organizations, or independent disrupters. Consequently, whether hacktivist action is an actual act of cyberwarfare, or a crime of opportunity, can be open to interpretation.
Semi-autonomous ransomware gangs and the like also give Iran and similar countries plausible deniability regarding their direction of those groups. These muddied motivations and affiliations increase liability for companies that pay ransoms during ransomware events: an entity may pay a ransom to what appears to be an independent group but could unknowingly violate OFAC (Office of Foreign Assets Control) sanctions if that group has undisclosed ties to Iran.
New Conflict, Same Threat
CISA’s recent guidance to critical infrastructure entities concerned Iran-linked attacks on programmable logic controllers, but no entity should consider itself “exempt.” Now is an important opportunity to review the entity’s overall security posture and technological ecosystem. Entities should identify and rapidly mitigate external vulnerabilities, especially in network edge devices and appliances. Monitor advice from cybersecurity regulators and authorities regarding recent threats and mitigation steps as well. And, should the worst happen, involve your data counsel as soon as possible to assist with mitigation and recovery efforts.
Special thanks to Rich Cominos, Digital Forensics and Incident Response Investigator with CyberCX, for his contributions to this writing.
Jessica Engler is Chair of Kean Miller’s Data Privacy & Cybersecurity practice. She advises clients on protecting, managing, and maximizing the value of their data and intellectual property assets. Jessica provides strategic guidance on compliance, risk management, and incident response, helping organizations navigate evolving cyber threats and regulatory frameworks. A registered patent attorney and trusted advisor, she works with clients across industries to develop practical solutions that align with their business objectives while safeguarding critical assets.
[i] “Tracking Cyber Operations and Actors in the Russia-Ukraine War,” Council on Foreign Relations (last updated Mar. 24, 2022) (https://www.cfr.org/articles/tracking-cyber-operations-and-actors-russia-ukraine-war).
[ii] Associated Press, “Denmark Blames Russia for Cyberattacks Ahead of Elections and on Water Utility,” SecurityWeek.com (Dec. 19, 2025) (https://www.securityweek.com/denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/).
[iii] “Inside the Nobitex Breach: What the Leaked Source Code Reveals about Iran’s Crypto Infrastructure,” TRM (last accessed Apr. 13, 2026) (https://www.trmlabs.com/resources/blog/inside-the-nobitex-breach-what-the-leaked-source-code-reveals-about-irans-crypto-infrastructure).
[iv] Kuhu Badgi & Lauryn Williams, “How Will Cyber Warfare Shape the U.S.-Israel Conflict with Iran?” Center for Strategic & International Studies (Mar. 3, 2026) (https://www.csis.org/analysis/how-will-cyber-warfare-shape-us-israel-conflict-iran).
[v] Id.
[vi] Dustin Volz & Peter Loftus, “Hack on U.S. Medical Company Shows Reach of Iran’s Cyber Capabilities,” The Wall Street Journal (Mar. 15, 2026) (https://www.wsj.com/politics/national-security/hack-on-u-s-medical-company-shows-reach-of-irans-cyber-capabilities-85999878).
[vii] “Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (Updated March 26),” Palo Alto Networks (last accessed March 31, 2026) (https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/).
[viii] Emmet Lyons, “Iran says major U.S. tech firms are targets in the Middle East, with drone and cyberattacks already underway,” CBS News (Mar. 13, 2026) (https://www.cbsnews.com/news/iran-war-tehran-us-tech-companies-targets-middle-east-drones-cyberattacks/).
[ix] “Shaky ceasefire unlikely to stop cyberattacks from Iran-linked hackers for long,” PBS (Apr. 8, 2026) (https://www.pbs.org/newshour/world/shaky-ceasefire-unlikely-to-stop-cyberattacks-from-iran-linked-hackers-for-long).
[x] Jessica Lyons, “Cybercrime has skyrocketed 245% since the start of the Iran war,” The Register (Mar. 16, 2026) (https://www.theregister.com/2026/03/16/cybercrime_iran_war_245_percent_rise/).
[xi] Samantha Subin, “The lead U.S. cyber agency is stretched thin as Iran hacking threat escalates,” CNBC (Mar. 4, 2026) (https://www.cnbc.com/2026/03/03/iran-cisa-cybersecurity-war-threat.html).
[xii] “Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure,” CISA (Apr. 7, 2026) (https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a?utm_source=IranPLC202604&utm_medium=GovDelivery).
[xiii] Nikita Shah, “What the Israel-Iran conflict revealed about wartime cyber operations,” Atlantic Council (Jul. 30, 2025) (https://www.atlanticcouncil.org/blogs/new-atlanticist/what-the-israel-iran-conflict-revealed-about-wartime-cyber-operations/).
[xiv] Daria Alexe, “Al-Qaeda’s Cyber Jihad Movement: Plugging into Iran’s Wartime Hacktivist Ecosystem,” Global Network on Extremism & Technology (Mar. 23, 2026) (https://gnet-research.org/2026/03/23/al-qaedas-cyber-jihad-movement-plugging-into-irans-wartime-hacktivist-ecosystem/).
[xv] Sam Sabin, “First cyberattacks of war hint at Iran’s playbook against U.S.,” Axios (Mar. 17, 2026) (https://www.axios.com/2026/03/17/iran-us-israel-cyberattacks-critical-infrastructure).
[xvi] M. Romagna & R. E. Leukfeldt, “Social Opportunity Structures in Hacktivism: Exploring Online and Offline Social Ties and the Role of Offender Convergence Settings in Hacktivist Networks,” Victims & Offenders, 1–23 (2024) (https://doi.org/10.1080/15564886.2024.2372054).