Silicon Shields and Shadow Wars: Navigating the Middle East Cyber War
By Cam Sivesind
Wed | Mar 4, 2026 | 4:24 AM PST

Following the significant military escalation on February 28, 2026, involving coordinated U.S. and Israeli strikes on Iranian targets and retaliatory fire against U.S. bases and allies, cybersecurity as a whole has shifted into a period of high-intensity risk.

U.S. federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, along with private intelligence firms, indicate that while the kinetic war is regional, the cyber front is global, targeting both Americans overseas and critical infrastructure on U.S. soil.

The primary concern is retaliatory asymmetric warfare. Iran historically responds to physical strikes with cyber operations to project power while maintaining plausible deniability.

Experts warn that Iranian state-sponsored actors (such as APT33 and APT35) are pivoting toward critical infrastructure targets such as U.S. and allied power grids, water utilities, and healthcare systems. The goal is to create "public anxiety" and economic disruption.

"To me, the cyberattacks from Iran have already started but are covert in ways people are not expecting," said Dr. Eric Cole, DPS, cybersecurity expert and author of Cyber Crisis. "First, poisoning of AI data sets to reduce the effectiveness of AI analysis tools. It is no secret that the DOD is using public AI tools for planning purposes. If the data is less accurate, so too will be the outcome."

Dr. Cole added, "They are targeting key individuals' bank accounts and identities so their focus is distracted from the world. What if several of the key military officers actively involved in this war have their identities stolen or loved ones' bank accounts hacked? That would deter their focus and distract them. Could a foreign adversary attack critical infrastructure? Yes, but the impact would be a lot less than people anticipate."

On March 2, cybersecurity experts specifically warned that the U.S. healthcare sector is at elevated risk for wiper malware and DDoS attacks. Proxy groups like "Handala" have already claimed attacks on major healthcare networks in the region.

Coordinated disinformation (information operations, or IO) campaigns are being used to erode public trust in military operations and amplify domestic political pressure within the U.S.

Iran's cyber ecosystem is highly coordinated, blurring the lines between government military wings (IRGC), civilian intelligence (MOIS), and "independent" hacktivists.

Groups like MuddyWater and OilRig specialize in long-term espionage and infrastructure mapping through highly sophisticated, state-sponsored campaigns. In 2026, these groups have integrated AI-generated impersonation into their spear-phishing campaigns, making the social engineering nearly impossible to detect through traditional means.

Iran increasingly "deputizes" hacktivists to perform low-sophistication but high-visibility attacks (website defacement, DDoS). These non-government "Cyber Islamic Resistance" proxies often act as a smoke screen for more serious state-sponsored intrusions.

While not yet at the technical tier of Russia or China, Iran possesses some of the "most creative and dangerous" operators, specifically in the realm of Operational Technology (OT) and Industrial Control Systems (ICS). Their operations are maturing.


"Iran has developed a capable and opportunistic cyber program that blends state-sponsored operators, Islamic Revolutionary Guard Corps–linked actors, and aligned hacktivist groups," said Matthew Hartman, Chief Strategy Officer at Merlin Group, a network of affiliates that invests in, enables, and scales cyber technology companies. "While the principal risk isn't sophisticated tradecraft or exploitation of previously unknown vulnerabilities, Iranian government and affiliated actors have proven very adept at strategically exploiting widespread cyber hygiene gaps to create real-world disruption and psychological impact. U.S. critical infrastructure entities—including those in the water, energy, healthcare, and manufacturing sectors—should be on high alert."

Hartman continued, "U.S. government reporting indicates that Iran's state-sponsored cyber operators are primarily based in Iran; however, they routinely leverage infrastructure and hosting providers in third countries to conduct activity globally. That practice is common among nation-state actors and is designed to complicate attribution, increase operational resilience, and create friction for defenders. We've also seen Iran-aligned hacktivists and politically motivated actors operate across borders, often amplifying state objectives."

He added, "In terms of target expansion, Iran clearly has the capability to target private-sector entities, including financial institutions, through disruptive attacks, ransomware, or data-leak operations. The more consequential variable right now is intent: expanding operations against U.S. businesses, particularly those that are considered critical infrastructure, would represent a deliberate escalation with potentially significant consequences."

Risks for Americans overseas and at home

Americans in the Middle East—particularly those in the defense, aviation, and logistics sectors—face immediate operational risks. Retaliatory missile/drone activity is being paired with "sophisticated probing attacks" against mobile apps and communication APIs used by regional governments.

The "front line" is now considered to be in the domestic backyard. National security experts emphasize that identity is the most reliable path to attacker success on U.S. soil in 2026.


Americans should be wary of sophisticated social engineering aimed at corporate help desks to get MFA or passwords reset, a tactic Iran-aligned groups have perfected for gaining initial access. It is better known as the "help desk vulnerability."

There is a heightened risk of "nuisance" attacks on patient portals, banking apps, and transportation schedules to disrupt daily American life. Basic public services are at risk.

Given the current "elevated" threat level, CISA and the FBI strongly urge the following:

  • Aggressive MFA enforcement: Use phishing-resistant MFA (hardware keys) where possible; Iranian actors excel at bypassing SMS-based codes.

  • Credential vigilance: Monitor for "password spraying" and anomalous login activity, especially for remote access and VPN accounts.

  • Verify offline backups: With the threat of wiper malware (which deletes data entirely), ensuring immutable, offline backups is the only guarantee of operational recovery.
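The credential-vigilance item above is about a pattern rather than a single event: a password spray shows up as many distinct accounts failing from one source in a short window, with only one or two attempts per account, whereas a brute-force attack hammers one account many times. The Python below is an added example written for this article, not code from the article, CISA, or the FBI. Its log format (timestamp, service, source IP, username, result) and the sample lines are constructed and simplified; a real VPN or identity-provider log needs its own parser, but the detection logic is the same. A source that triggers the spray signature and then authenticates successfully is the first thing a defender wants surfaced, so the alert lists any account that succeeded from that source after the spray began.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from the article or any organisation it quotes.
The log format below is a constructed, simplified one.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): 203.0.113.5 tries one password
# across many accounts and gets into one; 198.51.100.7 is a single user
# mistyping their own password twice before logging in.
SAMPLE_LOG = """\
2026-03-02T03:10:01Z vpn 203.0.113.5 alice FAIL
2026-03-02T03:10:02Z vpn 203.0.113.5 bob FAIL
2026-03-02T03:10:03Z vpn 203.0.113.5 carol FAIL
2026-03-02T03:10:04Z vpn 203.0.113.5 dave FAIL
2026-03-02T03:10:05Z vpn 203.0.113.5 erin FAIL
2026-03-02T03:10:06Z vpn 203.0.113.5 frank FAIL
2026-03-02T03:10:07Z vpn 203.0.113.5 grace SUCCESS
2026-03-02T03:12:00Z vpn 198.51.100.7 heidi FAIL
2026-03-02T03:12:05Z vpn 198.51.100.7 heidi FAIL
2026-03-02T03:12:09Z vpn 198.51.100.7 heidi SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, service, src_ip, user, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "service": service,
        "src": src_ip,
        "user": user,
        "result": result,
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return one alert per source IP that matches the spray signature.

    Signature: within `window`, failures against at least `min_users`
    distinct accounts, with no single account failing more than
    `max_per_user` times (brute force against one account does not match).
    Each alert also lists accounts that authenticated successfully from
    that source after the spray window opened.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None  # (distinct_users, window_start) of the widest matching window
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best[0]:
                    best = (len(per_user), fails[start]["ts"])
        if best is None:
            continue
        distinct_users, window_start = best
        successes_after = sorted(
            {e["user"] for e in evs if e["result"] == "SUCCESS" and e["ts"] >= window_start}
        )
        alerts.append({
            "src": src,
            "distinct_users": distinct_users,
            "window_start": window_start,
            "successes_after": successes_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(
            f"SPRAY from {alert['src']}: {alert['distinct_users']} accounts "
            f"from {alert['window_start'].isoformat()}; "
            f"accounts that later succeeded: {alert['successes_after'] or 'none'}"
        )
```

Thresholds are deliberately parameters: five accounts in ten minutes is a reasonable starting point for a VPN gateway, but an identity provider serving thousands of users will want a larger `min_users`, and a slow spray spread over hours needs a wider `window`. The accounts in `successes_after` are the ones to treat as compromised until a forced credential reset and MFA re-enrollment have been done.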

"Cyberattacks are no longer isolated to the countries directly involved in geopolitical conflict. In the case of Iran, it's not just about their known cyber capabilities; it's about the broader network of proxy actors and aligned nations who may view recent U.S. actions as justification for retaliation," said Randolph Barr, CISO at Cequence Security, an API security and bot management provider. "This dramatically increases the likelihood that the U.S. and its allies will become targets of cyberwarfare, especially from adversaries seeking to exploit regional instability."

Barr added, "Iran has historically demonstrated a strong capability in cyber operations, often leveraging credential theft, social engineering, and access via federated identity systems. What makes their tactics especially dangerous is their tendency to abuse federated and third-party access, essentially exploiting trusted relationships and integrations to move laterally and persist undetected."

As of March 2, CISA is reportedly operating with limited staff due to a funding lapse, which experts warn may delay the distribution of timely threat intelligence to the private sector during this crisis.
