Security chiefs have urged British organisations to urgently review their cyber defences as tensions in the Middle East risk spilling into the digital domain, with a former top FBI agent warning Tehran’s retaliation is likely to look like criminal ransomware and sabotage rather than overt state action.

Iran is expected to strike back in cyberspace, deploying ransomware, destructive malware and proxy hacker groups, according to Cynthia Kaiser, former Deputy FBI Director of Cyber and now head of research at cybersecurity firm Halcyon.

“Iran will likely respond in cyberspace. It will probably look like cybercrime and ransomware,” she said.

Kaiser revealed Halcyon’s intelligence and analyst teams are already seeing increased activity in the Middle East, alongside calls to action from the DDoS botnet HydraC2, hacktivist group Handala and ransomware group Sicarii.

Her warning comes as the UK’s National Cyber Security Centre, part of GCHQ, issued a fresh alert urging organisations to review their cybersecurity posture in light of rapidly evolving events in the region.

Jonathon Ellison, the NCSC’s director for national resilience, said: “In light of rapidly evolving events in the Middle East, it is critical that all UK organisations remain alert to the potential risk of cyber compromise, particularly those with assets or supply chains that are in areas of regional tensions.

“Today, the National Cyber Security Centre has published an alert outlining the current cyber threat to the UK and the practical steps organisations should take in response.”

The NCSC said there is “likely no current significant change in the direct cyber threat from Iran to the UK”, but warned that assessment could change quickly. It added there is “almost certainly a heightened risk of indirect cyber threat” for organisations with a presence or supply chains in the Middle East.

Iranian state and Iran-linked cyber actors “almost certainly currently maintain at least some capability to conduct cyber activity”, the agency said, urging businesses to prepare for possible DDoS attacks, phishing campaigns and targeting of industrial control systems.

Critical national infrastructure operators have been told to review guidance on preparing for severe cyber threats, while organisations more exposed to regional risk are being encouraged to adjust their security posture accordingly. The NCSC is also pushing firms to sign up to its early warning service for real-time alerts.

Kaiser said Iran’s cyber playbook is well established and increasingly blended with criminal tactics.

From disabling US financial websites between 2011 and 2013, to wiping data from the Las Vegas Sands casino in 2014, to defacing websites and issuing online threats after the death of Iranian military commander Qasem Soleimani, Tehran has repeatedly used cyber operations as retaliation.

In July 2022, Iranian state hackers launched a destructive attack on Albanian government networks, combining ransomware, extortion and data-wiping tactics while masquerading as a fictitious hacktivist group.

“In practice, Iran’s destructive cyber operations often emerge from a murky blend of state sponsorship, personal profiteering and outright criminal behaviour,” Kaiser said.

Hackers may monetise access gained through government-backed campaigns, blurring the lines between espionage and extortion. Tehran has historically tolerated or turned a blind eye to private cyber operations against targets in the US, Israel and allied nations, giving it deniability and options.

As Iran weighs its response to US and Israeli military action, Kaiser said it is likely to activate whichever actors it believes can deliver meaningful retaliatory impact.

Tehran has a long, aggressive history of using cyber operations for political retaliation.

Past targets have ranged from the US financial sector and the Las Vegas Sands Casino to a thwarted ransomware attempt on Boston Children’s Hospital.

Today, Iran’s destructive cyber operations emerge from a murky blend of state sponsorship, personal profiteering, and outright criminal behavior.

By turning a blind eye to private cybercriminals, the Iranian government maintains a deep roster of hackers it can activate for retaliatory strikes—allowing them to seamlessly merge espionage with extortion.