New research data presents a mixed picture of the evolving cyber dimensions of the Iran-Israel conflict, cautioning that while current activity remains measured, the threat landscape is primed for escalation.
Palo Alto’s Unit 42 disclosed that “while we have not yet seen a dramatic uptick in Iranian-directed cyberattacks, further escalations could manifest as a surge in cyber operations by both state-sponsored groups and independent hacktivists. Their aim would be to disrupt, collect intelligence on, or influence perceived adversaries. Iranian threat groups have a history of targeting critical infrastructure and sensitive industries across public and private enterprises globally, and these attacks can have far-reaching consequences.”
Data from DomainTools Investigations shows that alongside the kinetic exchanges, Iranian cyber operators have reportedly hijacked Israeli CCTV and smart home cameras to evaluate the precision and impact of missile strikes in real time. Concurrently, cyberattack activity has spiked dramatically since early June, affecting sectors ranging from energy and defense to agriculture and municipal infrastructure across Israel, and extending into Western targets.
The conflict between Iran and Israel has sharply escalated, playing out on both physical and cyber fronts. Over the past two weeks, Iran has fired multi-warhead missiles at major Israeli cities, including Tel Aviv and Haifa. In retaliation, Israel has launched airstrikes on Iranian military sites, nuclear facilities, and IRGC-Cyber Electronic Command (IRGC-CEC) centers in Isfahan and Tehran.
The Halcyon RISE Team noted that the current military conflict underscores the urgent need for US organizations to harden their cyber defenses. “Iran’s dual role as a state sponsor of terrorism and a state sponsor of cybercrime gives it additional malicious tools at its disposal. Its track record of using destructive cyber operations to advance political objectives suggests that any future campaign will blend traditional state-sponsored tactics with criminal tradecraft.”
They added that if tensions rise, so will the likelihood that Iranian threat actors will turn to cyber operations to influence and exert pressure, making resilience and defense-in-depth essential across all sectors.
Over the past two years, Unit 42 has observed Iranian-backed groups and hacktivists steadily expanding their global cyber operations. This includes opportunistically leveraging generative AI for social engineering and influence campaigns, as well as explicitly tying destructive cyberattacks to geopolitical flashpoints.
These efforts build on tactics that Iranian threat actors have long employed. In light of recent escalations involving Israel and the U.S., these activities are likely to intensify. Among them are destructive attacks, website defacements, distributed denial-of-service (DDoS) campaigns, data exfiltration, and wiper malware deployments, tactics largely reminiscent of earlier Iranian operations targeting Israel’s education and technology sectors.
Unit 42 tracks Iranian state-sponsored threat actors under the constellation name Serpens, warning that these groups may escalate their activity in the coming weeks.
Iran’s state-backed cyber operations are often used to amplify political messaging through destructive and psychological tactics. These campaigns tend to focus on regional adversaries such as Israel, as well as high-value individuals like political leaders, decision-makers, and entities directly involved in ongoing conflicts.
Their targets often include critical infrastructure, supply chains, vendors, and service providers. Most cyberattacks tied to the current conflict have been denial-of-service (DoS) attacks designed to cause disruption rather than destruction. These are frequently carried out by hacktivists and proxy actors aligned with one side of the conflict, aiming to damage public perception and operational continuity.
As of June 22, 2025, Unit 42 researchers report that at least 120 hacktivist groups are actively participating. In parallel, cybercriminal groups and state-linked proxies have also ramped up their campaigns.
DDoS attacks are the most commonly reported tactic, followed by destructive operations. Researchers have observed malware samples, including data wipers, linked to the current wave of activity. One destructive attack in June 2025 wiped out an estimated 90 million dollars in a targeted breach of a cryptocurrency exchange.
Additional breaches have resulted in significant data leaks, many designed to inflict reputational or strategic harm. Operational technology (OT) systems have also come under fire, particularly in the energy and utilities sectors, where breaches appear disruptive and deeply connected to wider geopolitical objectives.
DomainTools Investigations mentioned that as the Iran-Israel conflict intensified in early 2025, CyberAv3ngers emerged as a prominent actor in the digital battlespace. Known for hijacking water systems, defacing industrial controllers, and mocking Israeli cybersecurity on platforms like Telegram and Twitter, the group has blended cyber disruption with psychological warfare.
What began as crude propaganda has evolved into a more sophisticated campaign, raising suspicions of ties to Iran’s Cyber Command. Far from being independent hacktivists, CyberAv3ngers now appear to be part of a coordinated, state-aligned strategy aimed at undermining critical infrastructure and public morale.
“CyberAv3ngers has evolved beyond a conventional threat actor into a strategic asset within Iran’s asymmetric warfare toolkit—combining real-world cyberattacks, recycled leaks, and targeted propaganda to amplify psychological impact,” according to DomainTools Investigations. “Their operations integrate technical capability, such as IOCONTROL malware and MQTT-based command and control, with ideological messaging distributed via Telegram, Twitter, and symbolic domain registrations.”
Earlier this month, the U.S. Department of State said it was offering up to US$10 million for information on a hacker operating under the alias ‘Mr. Soul’ or ‘Mr. Soll’ that could help identify or locate members of Iran’s Islamic Revolutionary Guard Corps (IRGC) linked to cyberattacks on U.S. critical infrastructure. Six individuals have been charged under the Computer Fraud and Abuse Act for their involvement in the campaign.
“Whether or not ‘Mr. Sul’ is truly Mahdi Lashgarian, the persona functions as a force multiplier, shaping narratives, intimidating adversaries, and reinforcing the perception of persistent threat,” DomainTools Investigations noted. “CyberAv3ngers aren’t just breaching systems, they’re engineering beliefs.”
Dawn Cappelli, head of the OT-Cyber Emergency Readiness Team at Dragos, urged CISOs to secure the resources for an OT security platform, but emphasized that organizations must not wait if that isn’t immediately possible. “But you should be doing more than that, so if that is not an option or will take time, do not wait.”
She offered industry advice in light of current geopolitical events, calling upon security teams to remain on high alert, particularly during off-hours and weekends, when major cyberattacks are most likely to occur. Response readiness must be constant.
Attention to the OT environment is critical. Many organizations, especially in manufacturing, have robust IT security programs but are only beginning to address OT security. A disruption in manufacturing operations due to a cyberattack directly impacts company revenue. This heightened threat environment presents an opportunity to request targeted funding for OT cybersecurity initiatives. Organizations should develop joint IT and OT playbooks tailored to specific geopolitical threats. The current focus may be on Iran, but other state actors are likely to escalate cyber operations soon. Each adversary employs distinct tactics, techniques, and procedures (TTPs), and these must be factored into evolving threat models.
Cappelli detailed that playbooks must incorporate active threat intelligence. It is essential to ingest, prioritize, and apply specific TTPs and indicators of compromise (IOCs) across security platforms. Active threat hunting should extend across both IT and OT environments. The broader supply chain and ecosystem must also be considered. Iranian-linked hacktivist groups, such as the BAUXITE group tracked by Dragos, have targeted small water utilities and other vulnerable sectors.
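The ingest, prioritize and apply loop Cappelli describes, shown as an added Python example that is not from the article or from Dragos: one prioritized indicator list is applied to log lines from both an IT source (proxy and firewall) and an OT source (a Modbus gateway and a historian), and hits come back ordered by priority so analysts work the highest-risk TTPs first. Every indicator, hostname, address and log line below is a constructed placeholder, not a real IOC.

```python
"""Added example: apply one prioritized IOC feed across IT and OT log sources.
Not code from the article or any vendor it cites; all values are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator feed. Real feeds would arrive from an ISAC or vendor
# and carry the same fields: value, type, priority (1 = highest) and the TTP
# the indicator is associated with.
IOC_FEED = [
    {"value": "198.51.100.23", "type": "ipv4", "priority": 1, "ttp": "C2 beacon"},
    {"value": "203.0.113.0/24", "type": "cidr", "priority": 2, "ttp": "scanning infrastructure"},
    {"value": "update-portal.example", "type": "domain", "priority": 1, "ttp": "wiper staging"},
]

# Constructed log lines from two environments (documentation IPs/RFC1918 only).
SAMPLE_LOGS = {
    "it": [
        "2025-06-20T02:14:07Z proxy01 CONNECT update-portal.example:443 src=10.20.30.40 user=svc_backup",
        "2025-06-20T02:15:11Z fw-edge DENY src=10.20.30.40 dst=198.51.100.23 dport=443",
        "2025-06-20T02:16:00Z proxy01 CONNECT intranet.corp.local:443 src=10.20.30.41 user=jdoe",
    ],
    "ot": [
        "2025-06-21T03:02:55Z ot-gw-plc7 modbus/tcp session src=203.0.113.77 dst=192.168.50.12 func=16 unit=1",
        "2025-06-21T03:03:10Z historian01 opc-ua read src=192.168.50.5 ok",
    ],
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    source: str      # "it" or "ot": which environment produced the line
    line: str
    indicator: str
    priority: int
    ttp: str


def load_feed(feed):
    """Normalise the feed into an exact-match dict plus a list of CIDR networks."""
    exact, nets = {}, []
    for ioc in feed:
        if ioc["type"] == "cidr":
            nets.append((ipaddress.ip_network(ioc["value"]), ioc))
        else:
            exact[ioc["value"].lower()] = ioc
    return exact, nets


def extract_observables(line):
    """Pull candidate IPv4 addresses and domain names out of one log line."""
    ips = set(IPV4_RE.findall(line))
    domains = {d.lower() for d in DOMAIN_RE.findall(line)}
    return ips, domains


def hunt(lines_by_source, feed=IOC_FEED):
    """Match every line from every source against the feed; highest priority first."""
    exact, nets = load_feed(feed)
    hits = []
    for source, lines in lines_by_source.items():
        for line in lines:
            ips, domains = extract_observables(line)
            for ip in ips:
                ioc = exact.get(ip)
                if ioc is None:
                    try:
                        addr = ipaddress.ip_address(ip)
                    except ValueError:
                        continue  # regex matched a malformed octet string; not an address
                    ioc = next((meta for net, meta in nets if addr in net), None)
                if ioc:
                    hits.append(Hit(source, line, ioc["value"], ioc["priority"], ioc["ttp"]))
            for domain in domains:
                for value, ioc in exact.items():
                    # Match the domain itself and any subdomain of it.
                    if ioc["type"] == "domain" and (domain == value or domain.endswith("." + value)):
                        hits.append(Hit(source, line, value, ioc["priority"], ioc["ttp"]))
    return sorted(hits, key=lambda h: (h.priority, h.source, h.line))


def priority_summary(hits):
    """Count hits per priority level, the figure a playbook would page on."""
    summary = {}
    for h in hits:
        summary[h.priority] = summary.get(h.priority, 0) + 1
    return summary


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"P{h.priority} [{h.source}] {h.ttp}: {h.indicator} <- {h.line}")
    print(priority_summary(hunt(SAMPLE_LOGS)))
```

Feeding both environments through one function is the point: the OT gateway line is matched by the same CIDR indicator an IT analyst would use, so the hunt does not stop at the IT/OT boundary. In production the feed would be refreshed from the organization's threat-intelligence platform and the log dictionary replaced by streams from the SIEM and the OT monitoring sensor, but the matching and prioritization logic is the same.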
For those at the start of their OT cybersecurity efforts, Cappelli noted that the SANS ICS Five Critical Controls provide a practical foundation. These controls help simplify the complexity often associated with securing industrial systems. Existing controls should be assessed and validated to ensure proper implementation.
Cappelli also focused on smaller electric, water, and natural gas utilities that remain essential to collective defense. While the scale of the challenge may seem daunting, numerous resources exist to help build capacity and improve security posture. ISACs and other support organizations can provide essential guidance and assistance in making OT cybersecurity both manageable and effective.