I hadn’t even finished writing about Chinese state hackers quietly carpet-bombing 53 organisations globally when this landed on my desk like a grenade. Iran. Retaliatory cyber campaign. “No red lines.” Sixty-plus threat groups coordinating under a single umbrella. My coffee went cold the moment I read the words “Electronic Operations Room” and I have not recovered since.
Here’s where we are. The US and Israel executed coordinated military and cyber strikes against Iran — offensive cyber operations were baked directly into the campaign, according to reporting from Palo Alto Unit 42 and Defence Connect. Iran’s national internet connectivity reportedly cratered to roughly 4% of normal. IRNA, the IRGC’s Tasnim news agency, energy and aviation systems, and government digital services across Tehran, Isfahan, and Shiraz all went dark. And then Ayatollah Ali Khamenei was killed. And Iran announced there would be “no red lines” in its response. So. Yeah.
How does a country with a partially rubble-ified national internet punch back at adversaries with vastly superior conventional military capacity? You already know. Cyber. And lots of it.
What Is Actually Happening Right Now
Per CloudSEK, Industrial Cyber, and Defence Connect, Iran’s hacktivist and state-aligned groups have been spinning up at serious speed. On February 28, 2026, the “Electronic Operations Room” was formally established — a coordination body that bundles multiple pro-Iranian hacktivist collectives into a semi-unified offensive command structure. We’re talking APT Iran, Cyber Islamic Resistance, RipperSec, Cyb3rDrag0nzz, and Handala Hack, which is linked to Iran’s MOIS. Sixty-plus individual groups active. Pro-Russian clusters are reportedly piggy-backing on the chaos because of course they are.
Claimed operations as of March 2–3, 2026 already include sabotage of Jordan’s critical infrastructure by APT Iran, DDoS attacks against Israeli payment infrastructure, defacements across Western and Israeli sites, and compromise of a drone defense and detection system. Some of these claims are unverified. Some are not. The Canadian Centre for Cyber Security issued a formal bulletin on February 28 warning of “cyber attacks against critical infrastructure,” cyber-enabled information operations, and targeted online harassment of military personnel.
Explicitly flagged target categories from Palo Alto Unit 42 and ABHS include Gulf energy producers, pipeline operators, refineries, petrochemical plants, power generation and transmission infrastructure, Western utilities, financial systems, and healthcare. The tactics being observed or anticipated: pseudo-ransomware with wiper components, ICS and OT intrusions via IT network pivots, targeting of engineering workstations and HMIs that physically control industrial processes, credential-stuffing, brute-force attacks against internet-exposed devices, and DDoS at scale.
Why This Should Scare the Shit Out of You
Most coverage is treating this like a bilateral Israel-Iran cyber brawl. It isn’t. Iranian APT groups have historically gone after US water utilities, healthcare networks, energy sectors, and financial systems. CISA has been warning about this for years — Cotton Sandstorm, Charming Kitten, Peach Sandstorm. These groups don’t need explicit attribution orders to opportunistically hit Western infrastructure. They look for what’s exposed and they walk in.
And right now, with the conflict at this temperature, the opportunistic exploitation risk is through the roof. The “Electronic Operations Room” signals coordination — this is not a mob of script kiddies throwing rocks. It’s an organised effort with state backing, aimed at your sector’s weakest points.
Gulf energy is the obvious prize — hit the pipelines, jack the oil price, generate economic pain. But the secondary targets are where this gets genuinely ugly. These groups probe water systems. They probe hospital networks. They target maritime communications providers and satellite infrastructure — which I covered in my research on submarine cable and satellite surveillance infrastructure protection, and the threat model there is worse than most operators realise. One successful ICS intrusion with a wiper doesn’t just knock out a system — it kills people if the wrong thing stops working at the wrong time.
I wrote about why a Cyber 9/11 is structurally inevitable years ago. The argument hasn’t changed: the confluence of exposed critical infrastructure, motivated state-level adversaries, and civilian operators who cannot harden their environments creates conditions for catastrophic cascading failure. We are currently inside an active threat window that looks more like that scenario than anything I’ve seen since writing that paper.
Root Cause Analysis — aka the Usual Clusterfuck
Let’s be blunt about what makes this possible. Iranian APTs are not magic. Their preferred initial access techniques are brute-force attacks against internet-exposed devices, credential stuffing against weak or reused passwords, phishing, and exploitation of known unpatched vulnerabilities in VPNs, firewalls, and remote access tools. That’s the entire list. And per literally every threat report published in the past 18 months, enormous swaths of critical infrastructure OT environments still run internet-exposed devices with default credentials, no multi-factor authentication, and firmware that hasn’t been updated since the Obama administration.
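The two cheapest techniques on that list, brute force and credential stuffing, leave a distinctive trail in VPN and remote-access authentication logs, and you do not need a vendor platform to spot it. The following is an added example, not code from this post: a small Python analyser run over constructed sample log lines in a made-up gateway format (the field names, source addresses and thresholds are all assumptions for the illustration). It separates the two patterns by shape: brute force is many failures against one or two accounts from a single source, credential stuffing is many distinct usernames from a single source with roughly one attempt each, and a success that follows a run of failures is flagged on its own because that is the event that matters most.

```python
import re
from collections import defaultdict

# Hypothetical gateway log format, assumed for this example:
#   <timestamp> vpn-gw auth: user=<name> src=<ip> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 8       # failures from one source that we treat as brute force
STUFFING_MIN_USERS = 6   # distinct usernames from one source that look like a leaked list
SUCCESS_AFTER_FAILS = 3  # a success after this many failures from the same source is suspicious


def _build_sample_log():
    """Constructed sample data: one brute-force source, one stuffing source, one normal user."""
    lines = []
    t = 0

    def stamp():
        nonlocal t
        t += 1
        return f"2026-03-02T01:{t // 60:02d}:{t % 60:02d}Z"

    # 203.0.113.10 hammers the 'admin' account and eventually gets in
    for _ in range(12):
        lines.append(f"{stamp()} vpn-gw auth: user=admin src=203.0.113.10 result=FAIL")
    lines.append(f"{stamp()} vpn-gw auth: user=admin src=203.0.113.10 result=OK")
    # 198.51.100.7 tries ten different usernames once each: a leaked credential list
    for i in range(10):
        lines.append(f"{stamp()} vpn-gw auth: user=user{i:02d} src=198.51.100.7 result=FAIL")
    # 192.0.2.5 is a real user who mistyped a password once
    lines.append(f"{stamp()} vpn-gw auth: user=jsmith src=192.0.2.5 result=FAIL")
    lines.append(f"{stamp()} vpn-gw auth: user=jsmith src=192.0.2.5 result=OK")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse(log_text):
    """Return a list of dicts (ts, user, src, result); lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyse(events):
    """Aggregate per source address and classify the pattern, preserving event order."""
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for ev in events:
        s = per_src[ev["src"]]
        if ev["result"] == "FAIL":
            s["failures"] += 1
            s["users"].add(ev["user"])
        elif s["failures"] >= SUCCESS_AFTER_FAILS:
            s["success_after_failures"] = True

    findings = {}
    for src, s in per_src.items():
        n_users = len(s["users"])
        if n_users >= STUFFING_MIN_USERS and s["failures"] >= STUFFING_MIN_USERS:
            kind = "credential-stuffing"
        elif s["failures"] >= FAIL_THRESHOLD:
            kind = "brute-force"
        elif s["success_after_failures"]:
            kind = "success-after-failures"
        else:
            continue  # ordinary user behaviour, nothing to report
        findings[src] = {
            "kind": kind,
            "failures": s["failures"],
            "distinct_users": n_users,
            "success_after_failures": s["success_after_failures"],
        }
    return findings


if __name__ == "__main__":
    for src, f in analyse(parse(SAMPLE_LOG)).items():
        print(src, f)
```

The thresholds are deliberately low so the sample data trips them; on a real gateway tune them against a week of baseline traffic, and treat the success-after-failures flag as the one that pages someone, because that is the account you are now assuming is compromised.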
I covered CrowdStrike’s 2026 Threat Report a few weeks ago — 27-second breakout times, AI-accelerated adversary movement, and your average enterprise still arguing about whether patch Tuesday matters. That was about eCrime actors. State-sponsored groups are faster, better-resourced, and right now, highly motivated.
The ICS/OT problem is its own special hell. These environments were never designed for internet connectivity. They got internet connectivity anyway because someone decided remote monitoring was more convenient than security. The IT/OT air gap that was supposed to provide some protection? Swiss cheese for years. And now Iranian threat actors are explicitly targeting engineering workstations and HMIs — the things that control pressure valves, pumps, and turbines. If your organisation operates critical infrastructure and you’ve been treating “cyber” as an IT problem rather than an operational safety problem, this is your wake-up call.
What You Do Right Now
First: assess your exposure. As I’ve been saying since before some of your SOC analysts were in secondary school, publicly visible device IPs are an open invitation to anyone with a scanner. Shodan your own estate before Iranian threat actors do. Find your exposed management interfaces, VPNs, OT gateways, and jump servers and get them off the public internet immediately.
Second: MFA everything internet-accessible. Not because a framework says so. Because Iranian APTs love credential stuffing and MFA makes that attack category largely irrelevant.
Third: patch your perimeter devices. Specifically, if you have not read my post on the Cisco SD-WAN CVSS 10.0 zero-day that’s been open since 2023, read it today and then patch. Also patch Juniper PTX — I’m covering that separately because it deserves its own dedicated rant.
Fourth: if you operate OT/ICS environments, get your incident response plan out, dust it off, and run a tabletop exercise this week. Not next quarter. This week. Know what your manual fallback procedures are if SCADA goes offline. Assume breach.
Fifth: threat intelligence. CISA, the Canadian CCCS, Palo Alto Unit 42, and CrowdStrike are all publishing IOCs and TTPs specific to Iranian threat actors right now. Pull the feeds. Share them internally. Act on them.
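The first three steps above (find what is exposed, MFA it, patch it) collapse into a single triage question per asset: is it reachable from the internet, does it need a second factor, and when was it last patched. The following is an added example, not code from this post: a Python triage script over a constructed asset inventory. The inventory format, hostnames, service names, patch dates and the 180-day staleness cut-off are all assumptions; the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges used as stand-ins for public addresses, which is why the script tests against an explicit list of internal networks rather than the stdlib's `is_global` flag (which would reject those ranges). Exposed OT protocols come out at the top of the list, because that is the finding you act on before lunch.

```python
import ipaddress
from datetime import date

# Constructed inventory for the example; every value here is made up.
INVENTORY = [
    {"host": "plc-gw-01", "ip": "203.0.113.25", "service": "modbus", "port": 502,
     "mfa": False, "last_patched": date(2021, 5, 1)},
    {"host": "vpn-edge", "ip": "198.51.100.40", "service": "vpn", "port": 443,
     "mfa": False, "last_patched": date(2023, 9, 10)},
    {"host": "jump-01", "ip": "192.0.2.80", "service": "rdp", "port": 3389,
     "mfa": True, "last_patched": date(2026, 2, 20)},
    {"host": "hmi-03", "ip": "10.20.0.15", "service": "vnc", "port": 5900,
     "mfa": False, "last_patched": date(2019, 1, 1)},
    {"host": "intranet-web", "ip": "10.0.5.2", "service": "https", "port": 443,
     "mfa": True, "last_patched": date(2026, 2, 28)},
]

# Assumed classification lists; extend with whatever your estate actually runs.
OT_PROTOCOLS = {"modbus", "dnp3", "bacnet", "s7comm", "ethernet-ip"}
MGMT_SERVICES = {"ssh", "rdp", "vnc", "vpn", "https-mgmt", "telnet"}
STALE_DAYS = 180

# RFC 1918 plus loopback and link-local. Anything outside these is treated as
# internet-facing for the purpose of this triage (the documentation ranges in the
# inventory therefore count as public, which is the point of using them here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internet_facing(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def triage(inventory, today=date(2026, 3, 3)):
    """Return (severity, host, message) tuples, severity 1 = act first, sorted."""
    findings = []
    for asset in inventory:
        public = is_internet_facing(asset["ip"])
        svc = asset["service"]
        age_days = (today - asset["last_patched"]).days

        if public and svc in OT_PROTOCOLS:
            findings.append((1, asset["host"],
                             f"OT protocol {svc}/{asset['port']} reachable from the internet: remove exposure first"))
        elif public and svc in MGMT_SERVICES:
            findings.append((2, asset["host"],
                             f"management interface {svc}/{asset['port']} on a public address: restrict or take offline"))

        if public and not asset["mfa"]:
            findings.append((2, asset["host"], "internet-accessible service without MFA"))

        if age_days > STALE_DAYS:
            # Stale firmware on an internal-only box still matters, just less urgently.
            findings.append((2 if public else 3, asset["host"], f"not patched for {age_days} days"))

    findings.sort(key=lambda f: (f[0], f[1]))
    return findings


if __name__ == "__main__":
    for sev, host, msg in triage(INVENTORY):
        print(f"P{sev}  {host:<14} {msg}")
```

Feed it the output of your own scanner instead of the constructed list and the ordering is the work queue for the week; note that an asset with MFA and current patches but a public RDP port (jump-01 above) still lands at priority 2, because the point of the first step is to get that interface off the internet, not to make it slightly harder to log in to.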
The Part Nobody in the Vendor Community Will Say Out Loud
Most critical infrastructure operators are catastrophically underprepared for a sustained, motivated Iranian cyber campaign. Security investment has been uneven. OT environments are ancient. Staff are overworked. Budgets are political. And we’re now in a geopolitical situation where Iran has explicitly declared no red lines and is actively coordinating 60-plus threat groups against Western infrastructure.
I’ve written before about how China’s state hackers are systematically targeting global organisations at scale. Iranian threat actors work differently, but the lesson is the same — these aren’t random. They do their reconnaissance. They find the weak points. They walk in through doors you didn’t know were open.
“We were working on it” is not going to be an acceptable answer when the lights go out. Get your shit together. Now.
