
US-Israel war with Iran could change cyber-threat landscape, experts say

While cyberattackers may try to take advantage of the war in the Middle East, one expert says there's no major escalation at the moment.


Experts are advising cybersecurity professionals to stay cautious during the escalating US-Israel war with Iran.

Periods of military escalation in the Middle East, according to the Sophos X-Ops Counter Threat Unit, have correlated with increased concern about state-aligned and “ideologically motivated” cyber threat actors—and attackers linked with Iran have “shown a willingness to conduct disruptive and psychologically oriented operations” during heightened tensions.

Are cyber threats imminent? While Sophos reported an elevated level of cyber risk for government, financial services, and critical infrastructure, Alexandra Rose, the company’s Global Head of Government Partnerships and Director of Threat Research, told IT Brew that the risk for most businesses is the same as it was “a week ago.”

“State-sponsored threat actors still have their strategic objectives, and this isn’t going to likely deter them off of what their current objectives are,” Rose said. “Getting money is the criminals’ objective, so this [conflict] just helps them.” For example, employees’ interest in the conflict could lead them to click on malicious links pretending to be legitimate news articles.

The current risks. Kathryn Raines, a cyber threat intelligence team lead for Flashpoint’s national security solutions, said during a March 2 roundtable that, while there is a significant amount of concern about a “massive coordinated cyber war,” data is actually showing a drop in outbound Iranian cyber operations. She pointed to a post on X by Cloudflare co-founder and CEO Matthew Prince about the “noticeable lull,” as operators are likely sheltering.

“We cannot ignore the human and physical elements of cyber warfare: the state sponsored operators in Tehran, the people who normally run these keyboards, they’re taking shelter from airstrikes,” Raines said. “Flashpoint has identified that the hacktivist activity that is occurring right now is being driven almost entirely by proxy groups located outside of Iran.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Rose said there is “definitely” a surge in activity from hacktivist-like threat actors who are looking to stoke fear. These non-state actors are independent and still ideologically motivated to perform “boisterous” attack attempts that typically cause more worry than harm. She said that the behaviors coming out of these groups are not novel attacks, and instead are attempted website defacements and distributed denial-of-service (DDoS) attacks. She noted that while there is an uptick in these attacks, that doesn’t change the risk profile for most organizations.

Joe Saunders, the founder and CEO of RunSafe Security, told IT Brew that the continuing conflict could see cyberattacks coupled with kinetic attacks. Future cyberattacks, for example, could target communications, transportation, commerce routes, and data centers.

Here’s what you should do to stay secure. Saunders recommended that cybersecurity professionals consider alternative ways that non-state actors could target infrastructure, and build a greater resilience around those systems.

Additionally, Raines pointed to the need to regularly patch the software defending an organization’s perimeter and to move toward hardware-based authentication so that proxy groups can’t overwhelm cyber defense teams with multi-factor authentication (MFA) fatigue attacks.

In those attacks, actors will use stolen credentials to “spam employees’ cell phones with multi-factor login approval requests in the middle of the night…until an exhausted, tired employee accidentally hits that approved button,” Raines added.

Rose recommended that organizations be “brilliant at the basics” for things like MFA, environment monitoring, and other basic cybersecurity procedures. She also pointed to the need for an incident response plan, especially one that allows stakeholders to effectively communicate during a cyber crisis.

To that end, both Saunders and Raines recommend that companies prepare out-of-band (OOB) communications and bypass traditional communication routes, which are often vulnerable.

About the author

Caroline Nihill

Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.
