{"id":23558,"date":"2026-03-17T14:52:07","date_gmt":"2026-03-17T14:52:07","guid":{"rendered":"https:\/\/www.europesays.com\/iran\/23558\/"},"modified":"2026-03-17T14:52:07","modified_gmt":"2026-03-17T14:52:07","slug":"irans-cyber-warfare-legal-implications-for-businesses","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/iran\/23558\/","title":{"rendered":"Iran\u2019s cyber warfare: legal implications for businesses"},"content":{"rendered":"<p>The conflict in the Middle East has rapidly extended into the cyber domain. Iranian state-sponsored actors and a large ecosystem of pro-Iranian hacktivist groups are actively targeting Western commercial, financial, energy and critical infrastructure organisations. <\/p>\n<p>As of early March 2026, security researchers have tracked over 60 active threat groups aligned with this conflict &#8211; 53 of them operating on the pro-Iranian side. Activity has accelerated sharply and, contrary to some initial assessments that Iranian cyber capabilities had been degraded by kinetic strikes, adversary operations have intensified rather than diminished.<\/p>\n<p>\nThe threat landscape: what is happening and to whom\n<\/p>\n<p>A rapidly evolving timeline<\/p>\n<p>The cyber dimension of this conflict did not emerge suddenly. It is understood that Iranian Advanced Persistent Threat (APT) groups have conducted sustained espionage and disruptive operations against Gulf energy infrastructure and US networks since at least early 2025. 
The pace and severity of activity escalated sharply during the 12-day hostilities.<\/p>\n<p>In the last few weeks, pro-Iranian hackers have claimed an attack on a North American medical device company, a foiled attack on Poland\u2019s nuclear sector has been attributed to Iranian actors, DDoS attacks targeting Gulf Cooperation Council (GCC) infrastructure have been identified, and phishing campaigns mimicking official alert applications were launched across the region.<\/p>\n<p>This past weekend the UAE Cyber Security Council urged individuals and organisations to remain vigilant against wiper malware.\u00a0 For those who are unaware, wiper malware is designed to permanently delete data on targeted systems. The security professionals that our team regularly work with are advising a \u201cshields up\u201d posture, anticipating further wiper malware deployments, DDoS campaigns, and widening regional and Western spillover.<\/p>\n<p>Who is being targeted?<\/p>\n<p>The targeting patterns seen in this conflict are broad and reflect both strategic intent and opportunistic exploitation. Sectors facing elevated exposure include:<\/p>\n<p>Energy and utilities &#8211; where disruption can have physical consequences.<br \/>\nFinancial services \u2013 particularly institutions with Middle Eastern operations or correspondent relationships.<br \/>\nAerospace, defence and logistics \u2013 supply chain targeting is a priority for Iranian APTs.<br \/>\nHealthcare \u2013 both for disruption value and the sensitivity of the data held.<br \/>\nCloud and telecommunications infrastructure \u2013 as an enabler of downstream attacks on multiple sectors simultaneously.<br \/>\nCritical national infrastructure more broadly, including water utilities, where pro-Iranian groups have claimed access to operational control systems.<\/p>\n<p>Importantly, organisations with no direct connection to Israel, the United States or the conflict itself are being targeted opportunistically. 
The breadth of hacktivist mobilisation means that any high-profile or symbolically significant organisation may attract attention.<\/p>\n<p>The types of attacks being used<\/p>\n<p>Iranian state actors and affiliated groups employ a layered attack methodology:<\/p>\n<p>Spear phishing and credential harvesting \u2013 targeting employees, executives and supply chain contacts with convincing lures, including AI-generated phishing content.<br \/>\nVPN and edge device exploitation \u2013 unpatched remote access infrastructure is a primary initial access vector.<br \/>\nWiper malware \u2013 designed not to encrypt data for ransom but to permanently destroy it, making recovery impossible without offline backups.<br \/>\nDDoS attacks \u2013 used for both symbolic disruption and to mask concurrent intrusion activity.<br \/>\nHack-and-leak operations \u2013 where sensitive data is exfiltrated and published online.<br \/>\nSupply chain compromise \u2013 targeting cloud providers, logistics platforms and managed service providers to achieve downstream access at scale.<br \/>\nPhysical attacks on digital infrastructure \u2013 drone strikes on Amazon Web Services data centres in the UAE and Bahrain caused structural damage and cloud service disruptions, demonstrating that the boundary between cyber and physical attack has collapsed.<br \/>\nSmishing and fake application campaigns \u2013 civilian-facing phishing using spoofed government alert apps to harvest credentials and spread malware.<br \/>\nAI-enhanced operations \u2013 groups are deploying AI-assisted phishing tools which materially improve attack velocity and credibility.<\/p>\n<p>\nSome of the key issues for affected organisations\n<\/p>\n<p>1. Sanctions and compliance obligations<\/p>\n<p>Iranian APT groups use infrastructure \u2013 servers, domains, payment accounts \u2013 that may be controlled by sanctioned entities. 
Paying a ransom or making any transfer of value that ultimately benefits a sanctioned party could constitute a sanctions violation, even where the organisation is itself a victim. For instance, under US law, specifically the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), US organizations wherever located are prohibited from engaging in transactions, \u201cdirectly or indirectly,\u201d with individuals or entities on the Specially Designated Nationals and Blocked Persons List created by the Treasury Department\u2019s Office of Foreign Assets Control (OFAC). This list also includes regional embargoes. Iran and many organizations with Iranian ties are on this list. This includes directing a payment to be made by a non-US company on its behalf. Violation of these prohibitions can result in civil fines (up to $311,562 under IEEPA, $91,816 for each violation under TWEA, or twice the amount of ransom paid), as well as criminal prosecution of the organization\u2019s management.<\/p>\n<p>Organisations should ensure they have clear internal guidance on the sanctions dimension of any incident response involving Iran-aligned threat actors, including the need to conduct sanctions screening before any ransom payment is considered. Legal advice should be obtained promptly if an attack occurs.<\/p>\n<p>2. Regulatory and reporting obligations<\/p>\n<p>A cyber incident of sufficient severity will trigger multiple legal reporting obligations simultaneously, regardless of whether it is attributable to a state actor:<\/p>\n<p>Data Protection \u2013 Many countries now have regulations in force which mandate that a personal data breach must be reported to the relevant supervisory authority and\/or data subjects within a certain timeframe of awareness. 
A wiper attack that destroys records containing personal data, or exfiltration of sensitive data, will often engage these obligations.<br \/>\nOperators of essential services and relevant digital service providers &#8211; Under the Network and Information Systems (NIS) Regulations 2018 in the UK and NIS2 in Europe, organisations may have separate incident reporting obligations to their competent authority. Likewise, in the UAE, telecom providers\/certain digital infrastructure operators must report incidents to the Telecommunications and Digital Government Regulatory Authority.<br \/>\nSector-Specific Regulators \u2013 Many financial institutions have their own separate regulatory reporting requirements, such as to the Financial Conduct Authority in the UK, the Central Bank in the UAE and potentially multiple regulators in the US. Uniquely in the UAE, healthcare providers and entities handling health data that are impacted may also need to notify one of the relevant healthcare authorities.<br \/>\nCritical National Infrastructure \u2013 Organisations operating CNI may have obligations under the forthcoming Cyber Security and Resilience Bill (UK), which is expected to expand reporting requirements and impose stronger security duties on a wider range of organisations.<\/p>\n<p>A single incident could therefore trigger multiple reporting requirements across numerous jurisdictions and to a range of different regulatory bodies.<\/p>\n<p>3. Business interruption and third-party liability<\/p>\n<p>Wiper malware and destructive DDoS attacks are designed to cause operational shutdown. Unlike ransomware, where systems may be restored on payment, a wiper attack means data and systems are gone unless offline, immutable backups exist. 
Incidents of this nature will result in legal and commercial consequences:<\/p>\n<p>Contractual liability \u2013 Organisations unable to perform contractual obligations due to a cyber-attack will need to assess whether force majeure clauses are engaged.\u00a0<br \/>\nSupply chain liability \u2013 Where an organisation is a supplier whose systems are compromised, leading to downstream damage to customers, third-party liability claims may follow. The AWS data centre attacks in the UAE and Bahrain are illustrative: businesses relying on cloud services suffered disruptions caused by physical attacks on infrastructure they did not control.<br \/>\nDirector and officer liability \u2013 Boards have a duty to ensure adequate cyber security governance. Where a breach follows from a failure to implement reasonable controls \u2013 for example, a known VPN vulnerability left unpatched \u2013 questions of board liability may arise. This is a particular concern in some of the Middle Eastern jurisdictions which have the ability to impose criminal sanctions on individuals within an organisation in certain circumstances.<\/p>\n<p>\nConclusion\n<\/p>\n<p>The cyber dimension of the Middle East conflict is not a contained regional matter. It is also a live and escalating risk for businesses, infrastructure operators and their insurers across Europe and North America. The combination of state-directed APT operations, ideologically motivated hacktivism, AI-enhanced attack capabilities, and the demonstrated willingness to cause physical damage to digital infrastructure makes this one of the most complex and consequential cyber threat environments faced to date.<\/p>\n","protected":false},"excerpt":{"rendered":"The conflict in the Middle East has rapidly extended into the cyber domain. 
Iranian state-sponsored actors and a&hellip;\n","protected":false},"author":2,"featured_media":23559,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[11473,3950,11475,11472,34,11474],"class_list":{"0":"post-23558","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-iran","8":"tag-cyber-risks","9":"tag-data-privacy","10":"tag-insurance-and-claims","11":"tag-insurance-and-reinsurance","12":"tag-iran","13":"tag-political-risk-and-trade-credit"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@iran\/116245086572053142","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/posts\/23558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/comments?post=23558"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/posts\/23558\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/media\/23559"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/media?parent=23558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/categories?post=23558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/tags?post=23558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}