Iranian Cyber Threats Remain a Growing Concern
Five days into the conflict between the US, Israel, and Iran, the worst fears of cyber retaliation have not yet come true. Despite the lack of major attacks so far, experts warn that Iran’s cyber capabilities are still a significant threat. Iran has one of the most active and sophisticated cyber operations in the world, which suggests this pause may be temporary.
Western Agencies Issue Cyber Warnings
Over the weekend, both the UK National Cyber Security Centre (NCSC) and the Canadian Centre for Cyber Security (CCCS) released warnings about the potential dangers posed by Iranian cyber campaigns. The US Cybersecurity and Infrastructure Security Agency (CISA) has not updated its previous alert from October, leaving some uncertainty about the current threat level.
The NCSC pointed out that organizations with a presence or supply chains in the Middle East face a heightened risk of indirect cyber threats. Meanwhile, Canada’s CCCS highlighted the possibility that Iran might retaliate against US and Israeli military actions with cyber attacks. It advised organizations to look beyond common low-level threats like DDoS attacks and to stay vigilant for more serious risks such as ransomware and destructive malware.
The Challenge of Cyber Alert Fatigue
The vague and ongoing nature of these warnings underscores a bigger problem: alert fatigue. Organizations are constantly bombarded with alerts, making it hard to distinguish between noise and real threats. If attacks are an ever-present threat, how should organizations prioritize their defenses? Does the outbreak of physical warfare change how they should respond, or does it just shift the timeline?
Experts suggest that the threat landscape remains complex. While there is concern about escalation, current activity appears relatively subdued. That said, Iran’s cyber operations are known to be persistent and adaptable, so a sudden increase in attacks could happen at any time.
Iran’s Cyber Capabilities and Recent Activity
Security firms tend to highlight Iranian cyber threats frequently. However, the overall level of retaliation has so far been surprisingly mild. This could be due to disruptions in Iran’s energy and internet infrastructure caused by the ongoing conflict, limiting their ability to launch large-scale attacks.
Iran’s cyber operations are generally categorized into three groups: those targeting Middle Eastern infrastructure, those aimed at Western targets—including advanced persistent threat (APT) groups—and smaller proxies outside Iran that act unpredictably. Recent reports suggest that Iran’s cyber units may be operating in isolation, which could lead to deviations from typical attack patterns. This makes predicting their next move more difficult.
Currently, the most immediate threat appears to be DDoS attacks. Despite fears of widespread disruption, recent reports indicate that Iranian-linked DDoS activity has actually decreased. For example, a major security firm noted that DDoS attacks associated with Iran were down over the weekend, even as some groups issued threats against US banks, causing brief disruptions.
Between February 28 and March 2, security company Radware tracked 149 DDoS attacks linked to Iran. Most targeted government entities in the Middle East. Interestingly, only a few groups were responsible for the majority of these attacks, including hacktivist groups like Keymous+, DieNet, and Conquerors Electronic Army.
Overall, while Iran’s cyber threat remains high, the scale of retaliation so far has been limited. Experts warn that as the conflict continues, Iran’s cyber operations could ramp up again at any moment. Organizations worldwide should stay alert and prepared for potential cyber escalations.














