SOCRadar® Cyber Intelligence Inc. | Iran War Cyber Threat Outlook: Conflict Phases and What Comes Next
Apr 17, 2026

Iran War Cyber Threat Outlook: Conflict Phases and What Comes Next

Since the Iran War began on February 28, 2026, the conflict has moved through phases that most threat frameworks were not built to track. In cyberspace, SOCRadar tracked 1,357 prominent incidents in the first month, spanning 25+ countries, 15+ sectors, and 40+ distinct attack groups. That data does more than record what happened. It reveals a pattern: the cyber dimension of this conflict moves through distinct, recognizable phases, each with a different threat profile for organizations operating in targeted regions and sectors.

Cyber Threat Assessment of the Iran – Israel & US War

The numbers below are drawn from the first-month cyber assessment report and cover February 28 to March 31. Each incident is supported by at least one form of evidence; unverified claims and pure propaganda posts were excluded.

Attack Types

DDoS accounted for 82.9% of all activity across the full month, 1,125 of 1,357 incidents. Its dominance reflects its operational logic: minimal technical skill required, visible disruption guaranteed, and screenshot-based proof immediately amplifiable on Telegram. But the more significant story is what happened to the remaining 17.1%.

Top 10 attack types

Top Targeted Countries

Israel absorbed 516 incidents, 38% of all recorded activity, the largest share by a significant margin. The gap between Israel and the next closest target, Kuwait, at 133, reflects the asymmetry of the coalition’s focus throughout the month.

Top 10 target countries

Kuwait, Bahrain, Cyprus, and the UAE were not incidental targets. All hosted U.S. military installations, all were struck kinetically alongside Israel, and all were explicitly framed in threat actor communications as instruments of American regional power. The U.S. accounted for only 56 incidents by volume, but the confirmed operations against it were the highest-sophistication events of the month.

Top Targeted Sectors

Government and public administration absorbed 426 incidents, the highest of any sector, and the consistent primary target across all four weeks and all targeted countries. Defense and aerospace (116) and financial services (115) followed, with the latter carrying disproportionate risk.

Top 10 target industries

Most Active Threat Groups

313 Team finished the month as the single most active actor with 222 incidents, consistently evolving its targeting across all four weeks, from Gulf government portals in Week 1 to the single largest country sweep of the conflict on March 25. NoName057(16) contributed 192 incidents, operating a dual-agenda campaign that simultaneously advanced Iran-conflict objectives and Ukraine-related grievances. Keymous Plus (182 incidents) ran the broadest sustained geographic campaign of any pro-Iran/Palestine group, operating across six countries in a single week.

Top 10 threat actors/groups

The numbers above document what happened. What they do not show on their own is why the sequence matters or what it predicts. The cyber campaign did not simply accumulate incidents. It moved through distinct stages, each with a different character, a different set of actors in the foreground, and a different risk profile for organizations in the targeting frame.

Therefore, for security leaders, the strategic question is not only what happened in March; it is which phase comes next, what it will look like operationally, and whether their organization is positioned for it.

The Five Phases of Iran War: What Each Means for Security Leaders

What SOCRadar observed in the first month was a consistent kinetic-to-cyber correlation: major kinetic events drove cyber incident surges within 24–48 hours. The threat landscape wasn’t static; it was a campaign moving through phases, each building on the last, with a measurably different risk profile at each stage.

Phase 1: Kinetic Shock & Cyber Reflection

Operation Epic Fury established a new operational tempo for hybrid conflict. Within hours of the first strikes, the cyber front opened alongside the kinetic one. SOCRadar recorded 363 cyber incidents in the first seven days, with the first week’s peak of 88 on March 5.

One of the first visible hacktivist mobilizations was linked to the Cyber Islamic Resistance axis

The opening cyber operations against Iran ran in parallel with the kinetic strikes: government sites went dark, IRNA went offline, the IRGC-affiliated outlet Tasnim was hacked to display anti-Khamenei messages, and a prayer application was compromised to push political messaging to Iranian citizens. The operational logic was deliberate: suppress the regime’s ability to see, communicate, and respond before it could coordinate a counterattack.

On the other side, the first OT/industrial control system (ICS) intrusion claims appeared within 96 hours of the opening strikes. By Day 3, Iran-aligned threat actor coalitions had formally organized joint operational structures on Telegram. By Day 4, claims against food storage and water infrastructure had appeared in the dataset.

From strike to coordinated multi-actor cyber operation took under 24 hours. The assumption of a “warning period” between geopolitical escalation and cyber threat activation does not hold in a conflict of this kind.

Phase 2: Coalition Building & Geographic Expansion

Week 2 opened with a significant kinetic development: on March 8, Mojtaba Khamenei was elected Iran’s new Supreme Leader under heavy IRGC influence. Iran deployed naval mines in the Strait of Hormuz; U.S. Central Command destroyed 28 Iranian minelaying vessels in response.

The conflict’s cyber perimeter expanded in parallel.

Kuwait absorbed 133 cyber incidents across the month — second only to Israel’s 516 — not incidentally but because it hosts U.S. military installations and was framed explicitly in threat actor communications as an instrument of American regional power. The same logic applied to every Gulf state.

Cyprus (68) and Romania (58) followed, entering the dataset with a single incident in Week 2 and absorbing 53 incidents in Weeks 3 and 4 as NoName057(16) leveraged the same operations to hit NATO members while advancing Ukraine-related grievances: double-purpose hits.

DDoS group DieNet’s justification for targeting Cyprus

The defining event of Week 2 from a threat intelligence standpoint was the Stryker Corporation attack on March 12. Handala, a Ministry of Intelligence and Security (MOIS)-linked group, abused Microsoft Intune administrator access to remotely wipe more than 200,000 devices across Stryker’s operations in 79 countries. Over 5,000 workers were sent home from Stryker’s Ireland hub. Stryker filed an 8-K with the U.S. Securities and Exchange Commission confirming the incident.

Image from inside Stryker showing Handala branding displayed on affected login screens (WWMT)

The Stryker attack demonstrated that a state-linked actor could leverage compromised cloud device management infrastructure to achieve a destructive impact at a global scale, and that a U.S. medical technology company with no direct role in the conflict was a viable target.

Phase 3: Persistent Operations & Reconnaissance

Of everything SOCRadar observed, the transition into Phase 3 carries the most weight for security leaders. The shift is not visible in headline incident counts. It is visible in the composition.

Geolocation doxxing attacks, which recorded zero incidents in prior weeks, surged to 34 incidents in Week 3 and 25 in Week 4, totaling 63 across the month. Previously unknown actors, Golden Falcon and later Harvesting Time, appeared in Week 3 and produced the conflict’s new trend: systematic, geolocated targeting packages covering nuclear facilities, offshore gas platforms, military air bases, refineries, and individual-level location data across more than 10 countries.

First recorded geo doxxing of the conflict

Were they effective? Probably not, but they covered physical targets that Iran had not yet struck, and there was clearly a psychological pressure aspect.

The same period produced two additional structural developments. Jordan’s National Cybersecurity Center officially confirmed that it thwarted an Iranian APT attack on the Jordan Silos Company grain storage system.

MuddyWater was confirmed to have pre-planted backdoors, specifically the Dindoor and Fakeset Python-based implants, inside a U.S. bank, an airport, a defense-adjacent software company, and multiple NGOs before the first strike on February 28.

On the kinetic side, Week 3 saw Israel confirm the killing of Ali Larijani, the highest-ranking official eliminated since Khamenei, prompting Iran’s IRGC to claim over 100 missile strikes on Israeli targets in retaliation.

FBI seizure notice on handala-redwanted[.]to

The FBI seized Handala’s primary domain on March 19 under a U.S. District Court warrant citing foreign state actor facilitation; Handala migrated to a new domain within hours and continued operations uninterrupted. Later, Handala made global headlines when they announced they had successfully hacked the personal Gmail account of FBI Director Kash Patel.

Phase 4: Entrenchment or Escalation

  • Ongoing Phase

Phase 4 is a fork, not a linear continuation. Its character depends on conditions that remain genuinely uncertain: whether the ceasefire holds under the weight of unresolved kinetic triggers, whether Gulf state infrastructure becomes a direct target, and whether the reconnaissance activity of Phase 3 is activated into destructive operations.

Diagram of possible paths and outcomes

Path A – Managed Entrenchment

If the ceasefire holds without resolution, the conflict settles into sustained economic and cyber coercion as its primary mode. APT groups maintain persistence inside pre-positioned networks without activating destructive payloads. Espionage and credential harvesting continue at elevated rates. Periodic disruption operations (targeted DDoS, selective data leaks, influence campaigns) sustain pressure without crossing escalation thresholds.

For organizations, this scenario means a sustained elevated threat posture with no defined end date. The threat is real but bounded. The priority shifts from defense against mass disruption to detection of persistence already inside the network.

Path B – Active Escalation

If the ceasefire collapses through renewed kinetic strikes, Gulf infrastructure targeting, or a miscalculation in the Strait of Hormuz, the pre-positioned access of Phase 3 gets activated. The Dindoor and Fakeset implants already resident in U.S. and regional networks are one example; more serious state-level threats might also become operational. Wiper deployments scale beyond individual enterprise targets.

Phase 5: Resolution or Reorientation

  • Forward Projection · Horizon 6–12 Months

Resolution, a genuine, negotiated winding down of the Iran War, is analytically possible. Pakistan offered to host mediation talks in late March, and Trump’s pause on energy plant strikes on March 26 signaled at least conditional U.S. openness to de-escalation. But the structural conditions for a durable settlement, Iran’s nuclear enrichment, its ballistic missile program, and the status of its regional proxy network, remain unresolved at every credible negotiating table.

Therefore, the more probable near-term path is reorientation: a shift in the locus of operations rather than their cessation.

In cyberspace, Iranian APT groups do not stand down when the shooting pauses. The infrastructure built during the conflict — harvested credentials, pre-planted backdoors, geolocated target packages, mapped network topologies — remains active regardless of what happens diplomatically.

Immediate Actions for Security Leaders

DDoS resilience: Data established a direct correlation between major kinetic events and DDoS surge activity. With ceasefire conditions remaining fragile, that correlation is still live. Validate DDoS mitigation capacity on all public-facing portals and APIs, confirm upstream scrubbing coverage for government and financial sector services, and review rate-limiting thresholds adjusted for conflict-period volumes — not peacetime baselines. Establish runbooks for rapid traffic diversion before the next kinetic trigger, not after.

Cloud MDM environments: The Stryker attack vector might remain open. Review all Microsoft Intune administrator accounts for unauthorized access, enforce multi-factor authentication (MFA) on all cloud MDM platform admin accounts without exception, audit enrolled device lists for unexpected additions, and review bulk device action logs for any mass wipe or factory reset commands not initiated by authorized personnel.
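One way to operationalize the bulk device action review above, as an added example that is not SOCRadar's or Microsoft's code: the records are constructed and only loosely modelled on an Intune audit-event export (the field names `activityDateTime`, `activityType`, `actor` and the approved-admin list are assumptions to map onto your tenant's real export), and the logic flags both destructive actions by unapproved accounts and mass-wipe bursts regardless of who issued them.

```python
"""Flag suspicious bulk device actions in cloud MDM audit logs.
Added example, not SOCRadar's or Microsoft's code. Records are CONSTRUCTED and
only loosely modelled on an Intune audit export; field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_ADMINS = {"mdm-ops@corp.example"}  # assumed: accounts allowed to wipe
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete"}
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3  # destructive actions by one actor inside the window

SAMPLE_EVENTS = [  # constructed sample records
    {"activityDateTime": "2026-03-12T02:01:10Z", "activityType": "Wipe ManagedDevice",
     "actor": "mdm-ops@corp.example", "device": "LAP-0001"},
    {"activityDateTime": "2026-03-12T02:05:00Z", "activityType": "Wipe ManagedDevice",
     "actor": "helpdesk-temp@corp.example", "device": "LAP-0102"},
    {"activityDateTime": "2026-03-12T02:05:04Z", "activityType": "Wipe ManagedDevice",
     "actor": "helpdesk-temp@corp.example", "device": "LAP-0103"},
    {"activityDateTime": "2026-03-12T02:05:09Z", "activityType": "Wipe ManagedDevice",
     "actor": "helpdesk-temp@corp.example", "device": "LAP-0104"},
    {"activityDateTime": "2026-03-12T02:30:00Z", "activityType": "Sync ManagedDevice",
     "actor": "helpdesk-temp@corp.example", "device": "LAP-0105"},
]

def is_destructive(activity_type):
    # "Wipe ManagedDevice" -> verb "Wipe"; only the verb is compared
    return activity_type.split()[0] in DESTRUCTIVE_ACTIONS

def find_alerts(events):
    """Return (unauthorized, bursts).
    unauthorized: destructive actions by accounts outside APPROVED_ADMINS.
    bursts: {actor: peak count} where an actor issued >= BURST_THRESHOLD
    destructive actions inside BURST_WINDOW; approved accounts are included,
    because the mass-wipe pattern itself is the signal, whoever holds the role."""
    unauthorized, per_actor = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if not is_destructive(ev["activityType"]):
            continue  # Sync, Enroll and similar actions are not wipes
        if ev["actor"] not in APPROVED_ADMINS:
            unauthorized.append(ev)
        when = datetime.strptime(ev["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_actor[ev["actor"]].append(when)
    bursts = {}
    for actor, times in per_actor.items():  # times already in time order
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if count >= BURST_THRESHOLD:
                bursts[actor] = max(bursts.get(actor, 0), count)
    return unauthorized, bursts
```

On the constructed sample this returns three unauthorized wipes and a burst of three for the temporary helpdesk account; tune the threshold to the volume your own operations team legitimately issues.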

MuddyWater implant hunting: Hunt for Dindoor and Fakeset indicators across all endpoints. Review outbound GitHub and Google Drive connections from non-developer endpoints. Audit all installed RMM tools and remove Atera and ScreenConnect if not explicitly authorized. Check for unauthorized OAuth app grants in Microsoft 365 and Google Workspace.
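The egress and RMM checks above, as an added example that is not SOCRadar's code: the proxy log lines and process inventory are constructed, and the developer host list, the authorized RMM hosts and the agent image names (`AteraAgent.exe`, `ScreenConnect.ClientService.exe`) are assumptions to confirm against your asset data and vendor documentation.

```python
"""Hunt for the tradecraft the recommendation above names: GitHub / Google Drive
egress from non-developer endpoints and RMM agents running where not authorized.
Added example, not SOCRadar's code. Log lines and inventory are CONSTRUCTED; host
lists and process names are assumptions to replace with your own asset data."""
import csv
import io

DEVELOPER_HOSTS = {"DEV-ALICE", "DEV-BOB"}         # assumed asset tags
AUTHORIZED_RMM = {"screenconnect": {"IT-JUMP01"}}  # assumed: only the IT jump host
# Assumed agent image names; confirm against vendor documentation before use.
RMM_SIGNATURES = {"ateraagent.exe": "atera",
                  "screenconnect.clientservice.exe": "screenconnect"}
WATCHED_DOMAINS = ("github.com", "githubusercontent.com", "drive.google.com")

PROXY_LOG = """\
timestamp,host,dest_host,bytes_out
2026-03-15T09:00:01Z,DEV-ALICE,api.github.com,5120
2026-03-15T09:02:44Z,FIN-PC-07,raw.githubusercontent.com,310
2026-03-15T09:02:50Z,FIN-PC-07,drive.google.com,20480
2026-03-15T09:05:00Z,HR-PC-03,www.example.com,900
"""

INVENTORY = [  # constructed (host, running process image name)
    ("IT-JUMP01", "ScreenConnect.ClientService.exe"),
    ("FIN-PC-07", "AteraAgent.exe"),
    ("HR-PC-03", "outlook.exe"),
]

def domain_matches(dest):
    # exact match or a subdomain of a watched domain; look-alike suffixes do not match
    return any(dest == d or dest.endswith("." + d) for d in WATCHED_DOMAINS)

def suspicious_egress(log_text):
    """Non-developer hosts reaching GitHub or Drive: returns [(host, dest_host), ...]."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["host"] not in DEVELOPER_HOSTS and domain_matches(row["dest_host"]):
            hits.append((row["host"], row["dest_host"]))
    return hits

def unauthorized_rmm(inventory):
    """RMM agents on hosts outside that tool's authorized set: returns [(host, tool), ...]."""
    findings = []
    for host, image in inventory:
        tool = RMM_SIGNATURES.get(image.lower())
        if tool and host not in AUTHORIZED_RMM.get(tool, set()):
            findings.append((host, tool))
    return findings
```

Both hits land on the same constructed finance workstation, which is the kind of correlation worth escalating: a non-developer host with an unapproved remote-management agent and fresh GitHub and Drive egress.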

OT/ICS isolation: Immediately audit internet-facing programmable logic controllers (PLCs), human-machine interface (HMI) panels, and SCADA systems. Change all default vendor credentials. Validate that OT environments are not reachable from corporate networks through any unintended path.

IP camera audit: SOCRadar observed a surge in IP camera targeting by Iran-linked actors, elevating CCTV infrastructure to a potential kinetic intelligence vector. Isolate camera networks from enterprise IT, change all default credentials, and check firmware against CVE-2023-6895 and CVE-2025-34067.

Conclusion

The Iran War entered its second month in a ceasefire that is fragile by design. The underlying conditions, Iran’s strategic calculus, U.S.-Israeli objectives, Gulf state interests, and the proxy infrastructure supporting all three, remain unresolved.

The cyber campaign has not wound down; it has shifted into a quieter, more consequential phase.

Most of the incidents documented represent the observable surface of a broader campaign. Below that surface, APT groups already inside target networks before February 28 remain active.

Organizations that move on signals now will be ahead of the threat when the later phase arrives. Those waiting for the next headline will not be.