The joint US–Israel military strikes against Iran on 28 February 2026 have significantly heightened geopolitical tensions, with a clear spillover into the cyber domain. Multiple intelligence sources indicate that Iranian state-linked and hacktivist groups have increased operational tempo, demonstrating intent to retaliate globally, primarily through disruptive cyber activity rather than direct military action.
The UK’s National Cyber Security Centre (NCSC) assesses that while there is no major direct cyber threat uplift to the UK, there is “almost certainly” a heightened indirect cyber threat, particularly for organisations with operations or supply chain links in the Middle East.
CyberOne continues to maintain an elevated monitoring posture within our MXDR service and stands ready to provide 24x7x365 NCSC Accredited Cyber Incident Response should clients require support.
What Has Happened?
- On 28 Feb 2026, coordinated US–Israel strikes targeted multiple sites in Iran as part of operations referred to as Operation Epic Fury / Roaring Lion.
- The strikes were accompanied by major cyber components, including the compromise of widely used Iranian apps, attacks on government websites and large-scale disruption of Iranian internet connectivity (reduced to ~4% of normal levels).
- In parallel, more than 150 hacktivist incidents were recorded regionally, with spillover risk to global critical infrastructure in sectors including energy, finance and IT services.
Current Cyber Threat Landscape
Iranian State-Linked Activity
- Iranian groups maintain capability despite domestic internet disruptions.
- Established APT clusters have historically targeted critical infrastructure, operational technology (OT)/industrial control systems (ICS), financial services and government networks, with an emphasis on disruptive operations (DDoS, wipers, pseudo-ransomware).
- Threat actors are expected to intensify operations following public Iranian declarations of “revenge.”
Hacktivist & Ideological Actors
- Pro-Iran hacktivist groups (e.g. Handala Hack Team, BaqiyatLock affiliates) have surged in activity, focusing on DDoS, defacement and hack-and-leak operations (HLOs). Many claims are exaggerated or unverified.
- Social-media-driven disinformation and psychological operations (PSYOPS) continue to be used to amplify fear and confusion.
Increased Global Spillover Risk
- NCSC and other Western agencies warn of heightened indirect risk, even for organisations without direct Middle East ties.
- Prior patterns show Iranian groups opportunistically targeting poorly secured edge devices, Virtual Private Network (VPN) appliances and internet-facing OT/ICS components.
NCSC Guidance Relevant to UK Organisations
According to the NCSC advisory:
- No significant direct change in threat, but the situation remains volatile.
- Indirect risks are elevated, especially for organisations with regional exposure or supply chain dependencies.
- Review cyber security posture and patch known vulnerabilities.
- Increase monitoring of external attack surfaces.
- Revisit incident response plans.
- Prepare for DDoS, phishing and ICS targeting scenarios.
Practical Recommendations
CyberOne expects that Iranian operators are likely to deploy a full spectrum of activity, from ransomware and DDoS to long-delayed data leaks and sophisticated social engineering.
Key recommended actions include:
Strengthen Basic Cyber Hygiene
- Prioritise patching overdue vulnerabilities, particularly edge infrastructure.
- Validate multi-factor authentication (MFA) enforcement across all accounts.
- Confirm no default credentials remain on perimeter devices.
Increase Visibility and Log Review
- Intensify log review for authentication anomalies, new remote-access paths and DDoS indicators.
- Ensure security analytics are not solely reliant on automation; manual threat hunting is strongly advised.
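The log-review points above can be turned into concrete, repeatable checks. The script below is an added example written for this advisory, not CyberOne tooling: it runs over a constructed, simplified authentication log (timestamp, account, source IP, result, service) and a constructed per-minute request-count series, and flags three of the patterns named above: a password spray (one source failing against many distinct accounts in a short window, and any later success from that source), successful VPN logins from a source absent from a known-good baseline (a new remote-access path), and request-rate spikes against a rolling median (a coarse DDoS indicator). The log format, baseline set and thresholds are assumptions; adapt the parser to your own SIEM export.

```python
"""Authentication-log and request-rate triage helper (added example, not CyberOne code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log: ISO timestamp, account, source IP, result, service.
SAMPLE_LOG = """\
2026-03-01T08:00:01Z alice 203.0.113.10 FAIL vpn
2026-03-01T08:00:04Z bob 203.0.113.10 FAIL vpn
2026-03-01T08:00:07Z carol 203.0.113.10 FAIL vpn
2026-03-01T08:00:09Z dave 203.0.113.10 FAIL vpn
2026-03-01T08:00:12Z erin 203.0.113.10 FAIL vpn
2026-03-01T08:00:15Z frank 203.0.113.10 FAIL vpn
2026-03-01T08:00:18Z grace 203.0.113.10 FAIL vpn
2026-03-01T08:00:21Z heidi 203.0.113.10 FAIL vpn
2026-03-01T08:00:24Z ivan 203.0.113.10 FAIL vpn
2026-03-01T08:00:27Z judy 203.0.113.10 FAIL vpn
2026-03-01T08:00:30Z judy 203.0.113.10 OK vpn
2026-03-01T08:05:00Z alice 198.51.100.7 OK vpn
2026-03-01T08:06:00Z alice 198.51.100.7 OK owa
2026-03-01T09:00:00Z bob 192.0.2.44 OK vpn
"""

# Constructed baseline of remote-access sources seen in the preceding weeks.
BASELINE_SOURCES = {"198.51.100.7", "198.51.100.8"}

# Constructed per-minute request counts for an internet-facing service.
REQUESTS_PER_MINUTE = [120, 118, 125, 121, 119, 122, 2400, 2600, 124]

SPRAY_WINDOW = timedelta(minutes=5)   # assumed tuning values
SPRAY_MIN_ACCOUNTS = 5


def parse(log_text):
    """Parse the simplified log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result, service = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "src": src, "result": result, "service": service})
    return events


def find_password_spray(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Return {source: max distinct accounts failed within one sliding window}."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
    hits = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = max(len(accounts), hits.get(src, 0))
    return hits


def spray_followed_by_success(events, sprays):
    """Successful logins from a spraying source: the cases to triage first."""
    return [(e["user"], e["src"], e["service"]) for e in events
            if e["src"] in sprays and e["result"] == "OK"]


def new_remote_access_paths(events, baseline=BASELINE_SOURCES):
    """Successful VPN logins from sources not in the known-good baseline."""
    seen = {(e["user"], e["src"]) for e in events
            if e["service"] == "vpn" and e["result"] == "OK" and e["src"] not in baseline}
    return sorted(seen)


def rate_spikes(counts, lookback=5, factor=5):
    """Indices of minutes whose count exceeds factor x the median of the previous lookback minutes."""
    spikes = []
    for i in range(lookback, len(counts)):
        if counts[i] > factor * median(counts[i - lookback:i]):
            spikes.append(i)
    return spikes


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    sprays = find_password_spray(evs)
    print("password spray sources:", sprays)
    print("spray then success:", spray_followed_by_success(evs, sprays))
    print("new remote-access paths:", new_remote_access_paths(evs))
    print("request-rate spike minutes:", rate_spikes(REQUESTS_PER_MINUTE))
```

On the constructed data the spray source is flagged after ten distinct accounts, the single success that follows it is surfaced separately because that is the event worth an analyst's time, and the two VPN logins from sources outside the baseline are listed for manual review. The thresholds are deliberately simple; the point is that each check is written down, repeatable, and reviewed by a person rather than left entirely to automated alerting.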
Harden OT/ICS Environments
- Review segmentation between IT and OT.
- Remove unnecessary internet exposure for any industrial control interfaces.
Strengthen Social Engineering Defences
- Increase vigilance for fake job offers, malicious attachments and impersonation, all of which are documented Iranian TTPs.
- Reinforce phishing-resilience training and safe-attachment handling processes.
Prepare for Hack-and-Leak Scenarios
- Ensure data loss prevention controls and backups are validated.
- Review exposure of sensitive data across cloud and SaaS platforms.
Rehearse Cyber Incident Response
Conduct a short-interval incident response tabletop or communication rehearsal focused on:
- Data wiper attack response
- OT/ICS disruption
- DDoS + intrusion masking scenarios
CyberOne MXDR: Our Commitment to You
CyberOne is actively adapting our detection and monitoring posture in line with the heightened geopolitical threat environment:
- 24x7x365 Heightened MXDR Vigilance: Our Security Operations Centre (SOC) is continuously monitoring indicators of Iranian-linked activity, including DDoS precursor patterns, spear-phishing campaigns and suspicious external network probing behaviours.
- NCSC Accredited Incident Response (IR): CyberOne’s Cyber Incident Response (CIR) team is available 24x7x365 to support investigations, containment and recovery should any customer experience suspicious activity or a confirmed incident.
- Proactive Threat Hunting: We are conducting ongoing hunts aligned to known Iranian TTPs, including credential stuffing, wiper precursors and exploitation of edge appliances.
Contact CyberOne to Strengthen Your Cybersecurity
Amid escalating geopolitical tensions involving Iran, organisations should review and patch external-facing systems, confirm incident response contacts are up to date, enable alerts for abnormal authentication activity, and reassess suppliers with Middle East reliance.
If you notice suspicious activity or have any concerns, contact the CyberOne team immediately — we are available 24x7x365 to support you.