Impacts from the Iran war on insurance and cybersecurity risks

Rescue forces operate at a building hit by an Iranian missile strike in Tel Aviv, Israel, on Sunday, March 1, 2026. President Donald Trump said Iran's supreme leader was killed in US-Israeli airstrikes, raising the stakes in a conflict that's spiraling across the oil-rich Middle East and disrupting traffic around the Hormuz shipping strait.
Kobi Wolf/Bloomberg

Editor's Note: This is part one of a two-part series examining how the Iranian conflict could affect cybersecurity risks for insurers and their clients.

The war in Iran is impacting a range of industries such as banking, insurance, transportation, telecommunications and public utilities, but one aspect that could affect all of these areas is cybersecurity.

An analysis by CyberCube, conducted through Portfolio Threat Actor Intelligence, which uses AI to identify the behavior of bad actors and the likely technology targets, found 12% of U.S. firms with revenues exceeding $1 billion across several industries had the greatest likelihood of being targeted by Iranian cyber threat actors. These included 28 U.S. health organizations and 13 U.S. energy and utilities companies.

The attacks can come from a variety of sources, ranging from retaliatory attacks from within the Iranian government to incidents launched by organized hacktivist groups. Kevin McDonald, chief operating officer and chief information security officer at Alvaka, cautions that the attacks initially are more likely to be destructive and disruptive than financially motivated. "Distributed denial of service attacks, attacks on operational technology in critical infrastructure, encryption (with no key ransom demands) or even mass deletion of data are all to be expected," he shares.

"There may also be cyber impacts from physical attacks on Western-supporting Gulf infrastructure such as communications links, data centers and power support for both. Amazon has already confirmed three facilities in the Middle East being struck, two in the UAE were hit directly and one in Bahrain was said to be damaged by a nearby strike. This also opens the phishing apparatus because stress, curiosity and fear cause people to be less discerning in what they open, believe and do."

How war amplifies cyber threats

Steve Durbin, chief executive of the Information Security Forum, finds, "Geopolitical conflict is a force multiplier for cyber threat activity. The chaos and distraction of armed conflict create windows of opportunity that both state-sponsored actors and opportunistic cybercriminals are very adept at exploiting. The Iran-US-Israel dynamic is particularly concerning because all three parties have sophisticated cyber capabilities, and when tensions escalate, those capabilities don't stay contained within the borders of the conflict."

Understanding how to assess the risks that can arise from such a conflict requires a broader context of the dangers involved. Michael Crean, senior vice president of managed services for SonicWall and a U.S. Army combat veteran, explains, "We assess that opportunistic threat actors will actively exploit the current conflict environment — either by impersonating Iranian-aligned groups or by leveraging the geopolitical situation as a thematic lure in targeted campaigns. Kinetic conflicts rarely stay kinetic, modern warfare is multi-domain by design — land, sea, air, space, and cyber are integrated operational theaters. When nation-states engage militarily, cyber operations almost always follow, precede, or accompany physical action."

"Periods of crisis also create distraction and urgency, which increases success rates for phishing, fraud, opportunistic ransomware, and disruption attempts," says Siobhan O'Brien, global head of cyber, COE, at MSIG USA. "Threat intel firms have specifically warned about heightened risk and spillover during the current Iran-linked escalation."

Cybersecurity bad actors

While threat actors are constantly operating, those with ties to nation-states typically get more active because cyber operations can be a low-cost way to gather intelligence, says Mary Ann Miller, vice president, evangelist and fraud executive advisor at Prove. "Threat actors like MuddyWater and Fox Kitten, which have been linked to Iranian cyber activity, are known for targeting government and private-sector organizations to gain access for espionage or future disruptive operations. During conflicts, we see that lines tend to blur among state actors, proxies, and criminal groups, and that makes it much harder to identify the source."

Judson Dressler, director of the Resilience Risk Operations Center (ROC), says that while there have been some retaliatory campaigns from the Iranian Advanced Persistent Threats, their near-term impact is limited. However, he predicts that, "Iranian-aligned groups outside of the country, from hacktivists to other nation-states, will likely strike vulnerable targets associated with the U.S., Israel, or our allies. These include the Handala Hack, Cyber Islamic Resistance, FAD, pro-Palestinian group Dark Storm and pro-Russian groups Cardinal and NoName057."

O'Brien says, "These attacks can look like a mix of state-linked espionage groups prioritizing intelligence collection, access, and positioning (persistence) inside networks, or like hacktivist or proxy activity that is more visible (DDoS, defacements, 'hack-and-leak') and sometimes less technically sophisticated, but still operationally disruptive."

Identifying possible cyber targets

While cyberattacks are a very real risk for all businesses, a war can make some entities become more likely targets of attacks.

"During conflicts, some industries become more vulnerable to cyberattacks, especially those crucial to national security, the economy, and public perception," details Michelle Chia, chief underwriting officer, Cyber, Design & Select Professional at AXA XL. "CISA, The Cybersecurity & Infrastructure Security Agency, which is part of the Department of Homeland Security, identified 16 Critical Infrastructure Sectors. Their view is that these industries are particularly vulnerable and an event impacting singular or multiple organizations 'would have a debilitating effect on security, national economic security, national public health, or safety.'"

McDonald believes the breadth of potential targets during the conflict is almost unlimited. "If it causes pain in the West, it's a bullseye. Military, defense, industrial, government and critical infrastructure are obvious targets, but when an adversary feels humiliated or backed into a corner in a very public way or feels their lives, religion and future are under attack, they tend to be less selective. AI automation has ended the need for selectivity since they can scale the chaos across the board without breaking a sweat. During relative peace, they might avoid schools, hospitals and the like, but once the wartime gloves go on, those limits come off."

Industries managing large amounts of data like those in the financial, banking, insurance, healthcare, energy and utility sectors often face a higher risk of being targeted.

"Certain industries are disproportionately vulnerable to cyberattacks due to the high value of their data, the critical nature of their operations, and, in many cases, the continued reliance on legacy infrastructure that is difficult to secure," advises Crean. "Iranian-linked threat groups have historically focused on industries that can produce strategic intelligence, disrupt economic stability, or create public pressure without requiring kinetic action. Manufacturing organizations often sit within complex global supply chains and support defense, energy, and critical infrastructure programs, making them valuable targets for espionage and operational disruption."

The chaos created by global events can make it easier for threat actors to launch attacks and penetrate systems that are not up to date or lack strong cyber defenses. Part two of this series will examine the threat actors' goals, how the war will affect the cyber insurance market and why conflicts can embolden hackers.
