Geopolitical Conflict Driving 245% Surge in Malicious Traffic
Thu | Mar 19, 2026 | 4:52 AM PDT

Since the outbreak of the Middle East conflict on February 28, 2026, Akamai has observed a 245% increase in malicious traffic targeting businesses and institutions across North America, Europe, and parts of Asia-Pacific. The surge—documented in new research from Akamai's infrastructure security team—spans credential harvesting, automated reconnaissance, botnet-driven discovery, and early-stage distributed denial-of-service (DDoS) preparation, and it signals a pattern that security teams have come to expect when geopolitical crises escalate.

What the data reveal is not simply an Iranian cyber response. The geographic distribution of source IPs tells a more complicated story—and a more operationally significant one.

The numbers beneath the headline

Akamai's telemetry from its Prolexic Network Cloud Firewall platform shows that Iran-attributed IPs account for a minority of the malicious traffic observed since the conflict began. The larger shares originate from Russia (35%) and China (28%)—proxy infrastructure being leveraged to scale attacks and obscure attribution.

Sunil Gottumukkala, CEO of Averlon, said the pattern aligns with what security teams typically see in conflict-adjacent environments:

"The surge in activity following geopolitical tensions is consistent with what we typically see in these environments. Early-stage signals like reconnaissance, credential harvesting, and infrastructure probing tend to increase significantly as attackers look for initial access opportunities. The organizations that fare best are the ones that treat this activity as a precursor to more targeted attacks and invest in visibility into their exposure and rapid remediation of high-risk issues."

Michael Bell, Founder and CEO of Suzu Labs, pushed further on what the proxy infrastructure picture actually means for defenders, saying:

"The 245% number is real but the breakdown underneath it matters more than the headline. Only 14% of the malicious traffic Akamai observed originated from Iranian IPs. Russia accounted for 35% and China 28%, which tells you this isn't just Iranian retaliation. Russia and China are taking a 'never let a good crisis go to waste' approach, using the conflict as operational cover to ramp up scanning, credential harvesting, and infrastructure mapping while defenders are focused on the named adversary."

Bell also cautioned that the current numbers may understate what's coming: the attack mix—botnet discovery traffic up 70%, automated reconnaissance up 65%—reflects a setup phase, not the main event. The access and infrastructure mapping being built now is the precursor to follow-on operations that will likely be more severe.

Observed threat activity since February 28, 2026

  • Botnet-driven discovery traffic: +70%

  • Automated reconnaissance traffic: +65%

  • Infrastructure scanning of exposed services: +52%

  • Credential harvesting attempts: +45%

  • Pre-DDoS reconnaissance probing: +38%
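The per-category growth figures and source-country shares above are the kind of baseline-versus-surge comparison a SOC can run on its own edge firewall block logs. The script below is an added example, not Akamai's code or data: the log format, categories, countries and packet counts are constructed, and the February 28 cutoff is taken from the article.

```python
"""Baseline-vs-surge analysis over edge firewall block logs (constructed sample data)."""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample log: date, source country, attack category, blocked packets.
SAMPLE_LOG = """\
2026-02-20 RU recon 400
2026-02-20 CN botnet_discovery 300
2026-02-20 IR credential_harvesting 200
2026-02-21 RU botnet_discovery 300
2026-02-21 CN recon 200
2026-03-05 RU recon 800
2026-03-05 CN botnet_discovery 700
2026-03-05 IR credential_harvesting 100
2026-03-06 RU botnet_discovery 600
2026-03-06 CN recon 300
"""

CONFLICT_START = date(2026, 2, 28)  # cutoff date from the article


def parse_log(text):
    """Yield (date, country, category, packets) from the space-separated log."""
    for line in text.splitlines():
        day, country, category, packets = line.split()
        yield date.fromisoformat(day), country, category, int(packets)


def surge_by_category(text, cutoff=CONFLICT_START):
    """Percent change in mean daily blocked packets per category, after vs. before cutoff."""
    per_period = defaultdict(lambda: [0, 0])  # category -> [before_total, after_total]
    days = [set(), set()]                     # distinct days seen in each period
    for day, _, category, packets in parse_log(text):
        period = 1 if day >= cutoff else 0
        per_period[category][period] += packets
        days[period].add(day)
    result = {}
    for category, (before, after) in per_period.items():
        before_mean = before / max(len(days[0]), 1)
        after_mean = after / max(len(days[1]), 1)
        result[category] = round((after_mean - before_mean) / before_mean * 100, 1) if before_mean else None
    return result


def source_share(text, cutoff=CONFLICT_START):
    """Percent of post-cutoff blocked packets attributed to each source country."""
    counts = Counter()
    for day, country, _, packets in parse_log(text):
        if day >= cutoff:
            counts[country] += packets
    total = sum(counts.values()) or 1
    return {c: round(n / total * 100, 1) for c, n in counts.items()}


def precursor_alerts(text, threshold=50.0):
    """Categories whose surge exceeds the threshold, highest first: the 'setup phase' signals."""
    surge = surge_by_category(text)
    hot = [(c, s) for c, s in surge.items() if s is not None and s > threshold]
    return [c for c, _ in sorted(hot, key=lambda cs: -cs[1])]
```

Tune the baseline window to several weeks of normal traffic in practice; a two-day baseline as in the sample is only enough to show the arithmetic.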

Financial services and fintech under the heaviest pressure

Banking and financial services are the most heavily targeted verticals in Akamai's data, followed by e-commerce and gaming. Together, banking, financial services, and e-commerce account for more than 50% of malicious traffic destinations; when gaming is added, those three verticals absorb roughly 80% of observed attack volume.


The targeting logic, Akamai notes, is deliberate. Any disruption to financial services infrastructure—payment processing platforms, banking applications, credit card systems—carries an outsized economic and social impact. The company's research includes several anonymized case studies drawn from its customer base:

  • A critical payment processing platform in Asia-Pacific blocked more than 11 million malicious packets originating from Russia in a single day; March 2026 alone accounted for 65% of all traffic the platform has blocked since its 2025 deployment.

  • A major European payment processor blocked nearly 978 million packets from Russian-origin IPs over 90 days, including 46 million in a single week. The same customer also blocked a pre-conflict spike of 3 million Iranian-origin packets—traffic that dropped sharply after Iran imposed a near-total internet shutdown at the start of the conflict.

  • A U.S. financial services institution blocked 10 million of 13 million total Iranian-origin packets in just a 30-day window.

  • A U.S.-headquartered global real estate and professional services firm blocked 29 million packets from Russia between mid-January and March 2026—including more than 5 million on February 28 alone, the day the conflict began.

The Iran traffic drop-off is itself a notable intelligence signal: it reflects the Iranian government's near-total domestic internet shutdown in the early days of the conflict, a move that effectively cut off a large portion of the country's internet-connected infrastructure from the rest of the world.

The loud attack and the quiet intruder

Akamai's research specifically references the March 11 data-wiping attack on Stryker—claimed by Handala, a hacktivist group alleged to have ties to Iranian intelligence services—as an illustrative example of how geopolitical cyber operations can cause direct commercial disruption. The attack reportedly wiped multiple terabytes of data from Stryker's systems and disrupted internal operations, including ordering, manufacturing, and shipping.

Jacob Warner, Director of IT at Xcape, Inc., said the Stryker attack is a textbook example of a strategic misdirection pattern that defenders should be wary of:

"The recent surge in Iranian cyber activity highlights a sophisticated 'loud vs. quiet' strategic pivot. High-profile wiper attacks on entities like Stryker dominate headlines and cause immediate operational paralysis. Meanwhile, state-sponsored actors are simultaneously executing quiet, long-term espionage campaigns. For security professionals, the danger lies in the 'loud' attacks serving as a massive smoke screen, drawing incident response resources away from deep-seated persistence in critical infrastructure. In modern conflict, the wiper attack is just a loud invitation to a heist that has been running for months."

Warner specifically urged defenders to hunt for "living off the land" techniques and signs of compromised administrative tooling—including unified endpoint management (UEM) and mobile device management (MDM) platforms—rather than focusing exclusively on the headline-grabbing destructive attacks.

Seven recommendations for security teams

Akamai's research closes with seven operational recommendations for security teams navigating elevated geopolitical threat environments:

  • Take a proactive geo-blocking posture. If your organization does not serve users in a given geography, deny all traffic from that region at the network edge. For financial services, healthcare, and utilities, this is a particularly high-value defensive move.

  • Enforce caching, rate limiting, and IP reputation controls at the network edge, not deeper in the stack, where downstream systems still absorb the load.

  • Review critical subnets and IP spaces and verify that mitigation controls are in place across the full network surface.

  • Deploy DDoS protection in always-on mitigation mode to reduce the operational burden on incident response teams during surges.

  • Maintain close monitoring of web application firewall (WAF) policies and API behaviors, particularly for shadow APIs that may be undocumented and unprotected.

  • Adopt microsegmentation to limit lateral movement opportunities once an attacker has obtained initial access.

  • Exercise your incident response runbook: validate emergency plans, contacts, and lockdown procedures for critical applications and network assets before the next spike, not during it.
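The first two recommendations (deny regions you do not serve, and apply reputation and rate-limit controls at the edge rather than deeper in the stack) can be expressed as one ordered admission policy. The code below is an added example, not Akamai's or any vendor's implementation: the served regions, the reputation entry (a TEST-NET-3 address) and the request stream are constructed placeholders.

```python
"""Edge admission policy: geo-deny, then IP reputation, then per-source rate limit.
Cheap stateless checks run first so denied traffic never consumes backend capacity."""
from collections import Counter, defaultdict, deque

SERVED_REGIONS = {"US", "CA", "GB", "DE"}   # constructed: geographies the business actually serves
BAD_REPUTATION = {"203.0.113.9"}            # constructed reputation-list entry
RATE_LIMIT = 5                              # requests allowed per source ...
RATE_WINDOW = 10.0                          # ... within this many seconds (sliding window)


class EdgePolicy:
    def __init__(self, served=SERVED_REGIONS, reputation=BAD_REPUTATION,
                 limit=RATE_LIMIT, window=RATE_WINDOW):
        self.served, self.reputation = served, reputation
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)   # src_ip -> timestamps of allowed requests

    def decide(self, ts, src_ip, country):
        """Return (action, reason) for one request, evaluated strictly at the edge."""
        if country not in self.served:
            return "deny", "geo"            # proactive geo-blocking posture
        if src_ip in self.reputation:
            return "deny", "reputation"     # IP reputation control
        seen = self.history[src_ip]
        while seen and ts - seen[0] > self.window:
            seen.popleft()                  # expire timestamps outside the window
        if len(seen) >= self.limit:
            return "deny", "rate"           # per-source rate limit
        seen.append(ts)
        return "allow", "ok"


def run(policy, requests):
    """Apply the policy to (ts, src_ip, country) tuples; return a Counter of reasons."""
    return Counter(policy.decide(*req)[1] for req in requests)


# Constructed request stream: one unserved region, one bad-reputation source,
# and one legitimate-looking US source that exceeds the rate limit.
SAMPLE_REQUESTS = [(0.0, "198.51.100.7", "RU"), (0.5, "203.0.113.9", "US")]
SAMPLE_REQUESTS += [(1.0 + i, "192.0.2.10", "US") for i in range(7)]

if __name__ == "__main__":
    print(dict(run(EdgePolicy(), SAMPLE_REQUESTS)))
```

The same request from the rate-limited source is admitted again once its earlier timestamps age out of the window, so the limit throttles bursts without permanently blocking a source.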

Gottumukkala's advice for practitioners mirrors Akamai's posture: treat the current reconnaissance surge as a precursor, not the main event, and prioritize attack-surface reduction and identity security before follow-on campaigns arrive.

