A soldier participates in a cybersecurity training exercise at Fort Johnson, Louisiana, U.S. Army photo
The Evolving Iranian Cyber Threat
The crisis in the Middle East has gripped global attention, but one front is overlooked: cyberspace. While Iranian state-operated hacking groups face reduced capacity, Tehran-allied hackers are carrying out a high number of low-to-medium sophistication attacks on critical infrastructure. Tehran is also bolstering its future cyber capabilities by increasing coordination between state-controlled groups, expanding their infrastructure, and adopting advanced tactics, techniques, and procedures (TTPs). Washington should address the immediate cyber threat by temporarily reallocating resources to train U.S. and Middle Eastern critical infrastructure providers on Iranian TTPs. Long term, Washington should reinvigorate public-private communication on cybersecurity, implement requirements on critical infrastructure cybersecurity reporting, and encourage interagency intelligence collaboration on Iranian cyber capabilities.
Iran has long inflicted damage on U.S. infrastructure and systems through cyberattacks. For example, in 2024, Iranian nationals conducted a ransomware attack on American cities, corporations, health care organizations, and other entities, leading to a loss of $19 million in Baltimore alone due to disruptions to city networks and essential services. Also in 2024, Iranian hackers breached the accounts of Trump Presidential campaign officials, attempting to steal and leak sensitive information.
Since 2023, many of Iran’s conventional deterrence tools have deteriorated: its allies Hezbollah and Hamas are weakened by war with Israel, the Iranian-backed Assad regime has fallen, and U.S.-Israeli bombing has decimated Tehran’s conventional and nuclear capabilities. As a result, Iran has relied on its cyber capabilities for asymmetrical power projection and deterrence. After the 12-Day War in 2025, cybersecurity firm SOCRadar reported a 700% increase in cyberactivity linked to Iran, driven by international hacker disruption, influence operations, and regional targeting by Tehran-operated groups.
Prior to the current war, cybersecurity firm Augur tracked two bursts in Iranian cyber infrastructure expansion, one in September 2025 and another in January 2026. These infrastructure expansions used diversified provider ecosystems, suggesting that Iran is looking to improve its operational security. However, internet blackouts and strikes against Iranian cybersecurity leaders have diminished the near-term threat from state-operated groups in Iran.
Despite this slowdown, Tehran-aligned hackers outside of Iran have conducted numerous low-to-medium sophistication attacks against critical infrastructure networks in the U.S. and allied countries. On March 2, cybersecurity provider Palo Alto Networks recorded around 60 individual cyber groups supporting Iran. These groups show increased centralized planning through the establishment of an “Electronic Operations Room”, and they use “brute force” style social-engineering and spear-phishing tactics to gain remote access to vulnerable targets, then disable networks or wipe or steal information. Specific TTPs include password spraying and multifactor authentication “push bombing” to compromise user accounts and obtain access to organizations. The Tehran-allied Handala group claimed responsibility for a cyberattack on U.S. medical company Stryker, wiping thousands of devices and causing disruptions in operations and shipping. Other hacker groups have targeted and disrupted transportation, healthcare, agricultural, and energy systems in Saudi Arabia, Jordan, and the UAE, among other countries.
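The two account-takeover TTPs named above, password spraying and MFA push bombing, each leave a distinctive shape in authentication logs: a spray is wide and shallow (one source, many accounts, one or two failures each), while push bombing is a burst of MFA prompts to a single user, often ending in an approval. The following detection sketch is an added example, not code from the article or from any of the organizations it mentions. It assumes a hypothetical JSON-per-line log format with `ts`, `event`, `result`, `user` and `src_ip` fields, uses constructed sample lines with documentation-range IP addresses, and picks illustrative thresholds that a real deployment would tune to its own baseline.

```python
"""Detection heuristics for password spraying and MFA push bombing.

Added example. The log format, field names and thresholds below are
assumptions chosen for illustration, not any vendor's real schema.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one JSON object per line (hypothetical format).
# 203.0.113.5 fails one or two guesses against six accounts in six minutes,
# then succeeds against carol and fires a burst of MFA pushes at her;
# 198.51.100.7 is a single user mistyping a password, which is not a spray.
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:00:05", "event": "login", "result": "fail", "user": "alice", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:00:11", "event": "login", "result": "fail", "user": "bob", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:00:19", "event": "login", "result": "fail", "user": "carol", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:00:27", "event": "login", "result": "fail", "user": "dave", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:00:33", "event": "login", "result": "fail", "user": "erin", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:00:41", "event": "login", "result": "fail", "user": "frank", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:06:02", "event": "login", "result": "fail", "user": "alice", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:06:09", "event": "login", "result": "success", "user": "carol", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:02:00", "event": "login", "result": "fail", "user": "alice", "src_ip": "198.51.100.7"}
{"ts": "2026-03-02T09:02:20", "event": "login", "result": "fail", "user": "alice", "src_ip": "198.51.100.7"}
{"ts": "2026-03-02T09:02:45", "event": "login", "result": "success", "user": "alice", "src_ip": "198.51.100.7"}
{"ts": "2026-03-02T09:02:50", "event": "mfa_push", "result": "approve", "user": "alice", "src_ip": "198.51.100.7"}
{"ts": "2026-03-02T09:06:10", "event": "mfa_push", "result": "deny", "user": "carol", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:06:40", "event": "mfa_push", "result": "timeout", "user": "carol", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:07:05", "event": "mfa_push", "result": "deny", "user": "carol", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:07:30", "event": "mfa_push", "result": "deny", "user": "carol", "src_ip": "203.0.113.5"}
{"ts": "2026-03-02T09:08:00", "event": "mfa_push", "result": "approve", "user": "carol", "src_ip": "203.0.113.5"}
"""


def parse_events(text):
    """Parse the JSON-per-line log into dicts with a datetime `ts` field."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Flag a source whose failed logins touch many distinct accounts with
    only a few attempts each inside `window`: wide and shallow, unlike a
    single user retrying one password. Thresholds are assumptions."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "fail":
            failures[e["src_ip"]].append(e)
    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user
                    and (best is None or len(per_user) > len(best["accounts"]))):
                best = {"ttp": "password_spray", "src_ip": src,
                        "accounts": sorted(per_user),
                        "first": evs[start]["ts"], "last": evs[end]["ts"]}
        if best:
            alerts.append(best)
    return alerts


def detect_push_bombing(events, window=timedelta(minutes=10), min_pushes=4):
    """Flag a user who receives `min_pushes` or more MFA pushes inside `window`.
    The largest burst is reported, and whether any push in it was approved,
    since an approval after repeated denials is the outcome to escalate."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e)
    alerts = []
    for user, evs in pushes.items():
        evs.sort(key=lambda e: e["ts"])
        best = []
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) > len(best):
                best = burst
        if len(best) >= min_pushes:
            alerts.append({"ttp": "mfa_push_bombing", "user": user,
                           "pushes": len(best),
                           "approved": any(e["result"] == "approve" for e in best),
                           "src_ips": sorted({e["src_ip"] for e in best})})
    return alerts


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for alert in detect_password_spray(parsed) + detect_push_bombing(parsed):
        print(alert)
```

On the constructed sample the spray detector reports 203.0.113.5 against six accounts and stays silent on 198.51.100.7, and the push detector reports a five-push burst to carol that ended in an approval. The two heuristics are deliberately separate so that a spray alert can be correlated with a later push-bombing alert on an account the spray touched, which is the sequence that precedes the kind of access the paragraph above describes.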
This is a concern, as communication channels between Washington and critical infrastructure providers are weak. In March 2025, DHS terminated the Critical Infrastructure Partnership Advisory Council (CIPAC), which facilitated confidential public-private deliberations on critical infrastructure security. Washington also delayed implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) proposed rule that would require cybersecurity reporting from critical infrastructure providers. The CIPAC replacement and CIRCIA implementation initiatives are slow-moving and face opposition from policymakers who wish to see states assume cybersecurity responsibilities. In addition, resignations of senior CISA officials in March 2025 raised concerns about the agency’s future vitality. In September 2025, several state-level cybersecurity officials voiced concerns about a lack of support from CISA regional offices, and an initiative to hire 300 new CISA employees still fails to cover the agency’s 1,000 vacancies.
To address these challenges, the U.S. should temporarily reallocate resources to engage with critical infrastructure providers in the United States and the Middle East. CISA and the State Department’s newly formed Bureau of Emerging Threats can host training sessions for domestic and international critical infrastructure providers that simulate these TTPs in preparation for Iranian attacks.
Long-term, Washington should reinstate CIPAC and move forward with CIRCIA so it can better understand cyber threats. CISA should also give updates to its 2024 report to Congress on its outreach programs so that policymakers can understand where gaps still exist. Finally, the intelligence community and the State Department’s Bureau of Emerging Threats should work with CISA to monitor and respond to Tehran’s coordination with external proxies and movement of cyber assets outside its borders.
If the United States does not mend its immediate and long-term cyber vulnerabilities, critical infrastructure at home and abroad will be more susceptible to Iranian cyberattacks. If it does, it will mitigate one of Tehran’s key capabilities, in turn minimizing Iran’s ability to destabilize international security now and in the future.