Wild pack without a leader: pro-Iranian hackers already active in wake of US-Israeli strikes


With the conflict in the Middle East entering a phase of total infrastructure and economic warfare, threat analysts are urging organizations across the US and its allies to beware of potential retaliatory cyberattacks. In fact, they’ve already begun.

As early as Sunday, Sophos issued an advisory warning that proxy groups or ideologically motivated actors aligned with Iran could target Israeli and US-affiliated military, commercial, or civilian organizations.

The firm said possible tactics could include website defacements, distributed denial-of-service attacks, ransomware, destructive “wiper” malware, hack-and-leak operations, and credential-based attacks such as phishing and password spraying.


This is indeed happening. According to threat intelligence platform Flashpoint, a broad coalition of pro-Russian and pro-Iranian actors has launched the “#OpIsrael” campaign, focusing on critical infrastructure and data exfiltration.

A series of cyber intrusions

NoName057(16) has allegedly partnered with Cyber Islamic Resistance (CIR) to conduct massive DDoS attacks against Israeli defense contractor Elbit Systems and municipal governments. Additionally, CIR has claimed a breach of an Israeli health insurance provider.


Earlier, pro-Iranian actors also claimed successful, highly disruptive intrusions into a major Jordanian grain silo company’s control systems.

These reportedly include alleged manipulation of temperature controls and weighing systems, moving beyond simple defacements and signaling a direct threat to food security.

FAD Team, also known as Iraq’s Resistance Hub, executed a global SQL injection campaign, leaking PII from a wide range of targets, including a virtual US Air Force group, Pennsbury Township (PA), and educational institutions in France, India, and Vietnam.

Fatimion Cyber Team has targeted Arab states perceived as US allies, disabling the Bahrain News Agency and launching DDoS attacks against Qatari oil firm Gasco and Qatar Radio.


FAD Team also claimed control over network monitoring dashboards for firewall devices in Mecca and Medina, Saudi Arabia.

American organizations exposed

Speaking with Euronews, Scott McKinnon, Palo Alto’s chief security officer for Europe, the Middle East, and Africa, also warned of a further surge in cyber “sidearms” deployed by nation-state actors, including, of course, Iran.

Organizations must implement maximum security protocols and prepare for hybrid physical-to-cyber attacks, Flashpoint said. American firms, particularly smaller businesses (SMBs), are especially exposed, VikingCloud points out.

“They are embedded inside enterprise supply chains but lack the resources to absorb even a modest hit. If targeted, the disruption can quickly cascade across vendors and customers,” said the cybersecurity company.


According to new data from VikingCloud’s 2026 SMB Threat Landscape Report, 84% of SMB owners still self-manage cybersecurity, and 28% admit the person managing their cybersecurity lacks sufficient training.

American or US-linked organizations should be treating the situation as a when, not an if, according to Binary Defense Director of Threat Intelligence JP Castellanos – especially those with direct connections to the US military.

More opportunistic than cutting-edge

James Turgal, a 22-year FBI vet and VP of global cyber risk and board relations at Optiv, told Cybernews that US cyber defenders should expect “opportunistic exploitation of US-facing weaknesses”: unpatched internet-facing systems, exposed VPNs, default passwords, and poorly secured edge devices.


According to Turgal, Iranian groups will likely attempt to hit high-impact critical infrastructure in healthcare, energy, water, and transportation industries. Any disruption of those creates immediate economic and public impact.


None of this is to say that these attacks are going to be successful because, surely, the US and Israel have been preparing.

Gary Barlet, a retired US Air Force Cyber Operations Officer and Public Sector CTO at Illumio, told Cybernews that there will be activity, but not necessarily a highly coordinated, top-tier campaign.

Iran-linked cyber activity has been far more opportunistic than cutting-edge and not particularly advanced, Barlet thinks, so the country’s large ecosystem of aligned hacktivist and proxy groups will operate “independently and simultaneously.”


“These proxies aren’t necessarily directly affected by the kinetic attacks, so they can operate on Iran’s behalf. Still, I’m not sure how much direction from Iran they’re getting right now,” Barlet told Cybernews.

“So it may be a little more freewheeling campaign. It could be dangerous because this is now a wild pack without a leader.”

Turgal additionally isn’t sure Iran could receive meaningful help from comrades in China or Russia. Assistance is more likely to be “enabling” than “jointly operated keyboard time,” he said.

“Russia-Iran cooperation exists, including cyber-related agreements and intelligence sharing, but credible analysis also notes limits, particularly reluctance to share top-tier offensive capabilities that could later be turned on the partner,” Turgal told Cybernews.
