Skip to content
Chimera readability score 0.5787 out of 100, reading level.

The war in Iran was less than 24 hours old when it produced a historic first: the deliberate targeting of commercial data centers. On March 1st, Iranian drones hit three Amazon Web Services (AWS) facilities in the United Arab Emirates and Bahrain, disrupting core cloud infrastructure and knocking out finance apps and enterprise tools not only across the Gulf, but also far away from the region. The attacks showed that physical distance from a conflict zone is no guarantee of insulation from the impacts of kinetic warfare.
For most organizations, however, the more immediate risk plays out in cyberspace and involves all manner of threat actors. Within hours of the US-Israel ‘Operation Epic Fury’ (‘Operation Roaring Lion’) on February 28th, Iran-nexus cyber-actors mobilized in large numbers – Palo Alto Networks' Unit 42 counted more than 60 active pro-Iranian hacktivist groups. Also within hours, cybersecurity agencies in the United Kingdom and Canada both warned about heightened threat levels. Before long, similar warnings were echoed by Europol and the US Department of Homeland Security.
Threats and threat actors
The outbreak of a kinetic conflict often broadens both the volume and the cast of cyber-actors involved. Hacktivist activity – noisy and often wrapped in bluster and bravado – often surges first. Advanced Persistent Threat (APT) operations involving reconnaissance and initial access run in parallel or closely behind. Once footholds are established and targets are mapped, the stage is set for whatever the operation was actually designed to accomplish, be it espionage, disruption, sabotage or other goals.
The lines aren’t necessarily clear-cut, of course, and some tactics can be deployed in tandem: a website defacement or distributed denial-of-service (DDoS) attack that looks like a nuisance-level hacktivist operation might be a deliberate distraction from an actual attack that’s quietly exploiting the target through a different vector.
Iran-nexus groups rank among the most active and resourceful state-aligned groups worldwide, and their offensive cyber-capabilities and toolsets have matured recently. The threat is especially acute for organizations with supply chain relationships in the Middle East or other ties to the region, not to mention those with cloud dependencies there.
The CyberAv3ngers group's campaign against water and wastewater utilities in the US and other countries in 2023 illustrated how that targeting logic is operationalized. The ominous message that the bad actor left on compromised systems – "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target" – read like hacktivist output, but the group was quickly found to be operating under Iranian state direction. This blurring of hacktivist identity and state-aligned operations, whose roots may well go back to the Saudi Aramco incident in 2012, has a name, too: "faketivism."
Operational overlaps among distinct groups run even deeper than that, however. ESET researchers have previously documented close links between several Iran-aligned APT actors. Notably, MuddyWater has worked closely with Lyceum, a subgroup of OilRig, as well as probably acted as an initial access broker (IAB) for other Iran-aligned groups.
Muddying the waters further, several pro-Russian hacktivist groups have now apparently joined the fray in support of Iran, and there are reports of Iran-linked groups engaging with IABs on Russian cybercrime forums. This effectively expands both the available tools and the range of reachable targets. Critical infrastructure is one of the most coveted ‘trophies’ by all manner of adversaries, and recent ESET telemetry shows that Iran-aligned actors disproportionately target entities that operate in engineering and manufacturing.
Also, whenever the goal is retaliation, destruction tends to take priority over, say, ransomware-fueled extortion. Data-wiping malware is a consistent feature of modern conflict-adjacent operations – Russia-aligned groups have demonstrated this pattern repeatedly in Ukraine.
When it comes to attacks that give bad actors a lot of bang for their buck, supply chain compromise typically reigns supreme. Back in 2022, ESET Research documented how the Iran-aligned Agrius group deployed a destructive wiper called Fantasy through a supply-chain attack that abused an Israeli software developer, hitting targets in various verticals and well beyond Israel. The blast radius of a supply-chain attack could reach organizations that were never directly targeted and have no obvious connection to the conflict.
A related risk concerns managed services providers (MSPs) and their customers. Also in 2022, ESET documented a campaign where the adversary compromised an MSP in order to gain access to their end targets. They didn’t need to infiltrate their targets directly; instead, they let the MSP's access pathways do the legwork for them. The campaign was orchestrated by the MuddyWater cyberespionage group, recently a powerhouse in Iranian APT circles that has undergone a notable evolution.
Once known for loud, automated attacks, MuddyWater is now increasingly leaning towards more stealthy and refined operations involving 'hands-on-keyboard' activities in targeted environments. Much like some other Iran-aligned collectives, MuddyWater has also pivoted to the tried-and-tested technique of abusing legitimate Remote Monitoring and Management (RMM) software. That way, the group can blend into legitimate network traffic and complicate detection.
The group is also known to favor internal spearphishing from already-compromised inboxes – emails from a colleague's account rather than an external sender – with a high success rate, for obvious reasons. Spearphishing attachments and links have long been the most popular initial access techniques among most Iran-aligned APT groups, including OilRig and APT33. However, exploitation of known software vulnerabilities isn’t unheard of, either, as seen in a recent Ballistic Bobcat campaign.
MuddyWater remains very much active in 2026 – last month, security researchers at Broadcom’s Symantec and Carbon Black identified the group in the networks of multiple US entities, including an airport, a bank, and a software firm with ties to Israel. Still, the overall volume of offensive cyber-activity from Iran-aligned actors generally is so far no match to the flurry of activity observed by ESET researchers after the attack on Israel on October 7th, 2023. This may partly be a by-product of Iran’s largely self-imposed, near-total internet blackout.
At any rate, as Google’s Threat Analysis Group (TAG) also said in its analysis of cyber-activity around the Israel-Hamas war, "cyber capabilities […] are a tool of first resort." This observation remains relevant today – and was exemplified by the first major cyberattack, on March 12th, since the war began. A data-wiping attack, courtesy of pro-Iranian hacktivist group Hamdala, on US-based medical technology company Stryker, reportedly caused the company's systems to shut down globally.
Staying resilient: where to focus
Threats range from opportunistic DDoS and defacement campaigns to targeted data-wiping incursions and cyberespionage with long dwell times, all the way to supply-chain damage that wouldn’t spare organizations with no direct connection to the conflict. The measures outlined below will be familiar to most security teams. The focus is on where Iran-aligned actors have historically found the weak spots.
Know what's exposed
Start with identifying and securing anything internet-facing: remote access, web applications, VPN gateways, and internet-connected OT/ICS devices if your organization operates such systems. Default credentials should be changed on all devices. If a device doesn't support strong authentication, consider whether it should be connected to the public internet at all.
The CyberAv3ngers' campaign in 2023 targeted programmable logic controllers (PLCs) that still had factory-default passwords. CISA's advisory discusses the specific techniques used and is worth reviewing in detail if your organization runs industrial control systems.
Limit the attack surface
OT/ICS environments pose a specific challenge: devices deployed decades ago without security requirements in mind and rarely ever inventoried. Default credentials and internet exposure are the most obvious problems, but the wider issue is that many of these systems were never designed to be secured after deployment.
Disconnect OT/ICS devices from the public internet wherever operationally feasible. Wherever possible, apply all available patches, as vulnerable internet-facing devices remain one of the most reliable entry points available to attackers. Where that's not possible, enforce network segmentation between IT and OT environments and establish behavioral baselines for industrial protocols so that anomalous traffic can trigger alerts.
Close the gaps
Most Iranian state-sponsored groups have made identity compromise their consistent focus. A joint CISA/FBI/NSA advisory from October 2024 documented a year-long campaign in which Iranian actors used password spraying and multi-factor authentication (MFA) push-bombing (flooding users with login requests until someone approves one) to breach organizations across healthcare, government, energy and IT. Once inside, they modified MFA registrations to lock in persistent access and sold harvested credentials on criminal forums.
To counter the threat, enforce phishing-resistant MFA across all external-facing systems, and audit existing MFA configurations for unauthorized registrations.
Audit your supply chain and third-party access
Audit all third-party and other remote access pathways. With groups like CyberAv3ngers specifically hunting for Israeli-made OT equipment, review whether any of your equipment falls into that category.
If you rely on MSPs, inquire about how they secure their remote access tools and whether they've reviewed their own exposure in light of the conflict. MuddyWater's exploitation of the SimpleHelp tool at MSPs showed that your provider's security posture is effectively part of your attack surface.
Watch out for phishing
As MuddyWater and other groups often rely on human-centered approaches, most notably spearphishing messages from compromised internal accounts, employees need to verify all requests through separate channels, particularly those involving credentials, access changes, urgent "security updates" and anything referencing the current conflict.
Adversaries use common AI tools not only to generate nuanced phishing lures, but also for other steps throughout the attack lifecycle, including to research vulnerabilities and support malware development.
Map your cloud dependencies
Map which software-as-a-service (SaaS) providers you depend on and find out where their infrastructure is hosted. Even if you don't run workloads in the Middle East, your providers might. Following the AWS strikes, multiple vendors, including Snowflake and Red Hat, issued failover advisories, thus effectively reminding their customers that regional cloud disruptions propagate through the supply chain in ways that aren't always visible until something breaks. AWS, for one, has explicitly advised customers with Middle East workloads to migrate them.
Prepare for destruction, not just theft
During conflict-adjacent operations, state-aligned actors tend to favor wipers over ransomware. Either way, make sure that at least one copy of critical backups is offline and air-gapped, rather than just replicated to another cloud region that might share the same underlying dependencies.
Test whether your disaster recovery plan covers a full-region cloud outage, because most plans are built around single-zone failures. Importantly, verify that your backups actually restore, because wiper and other malware sometimes targets backup systems specifically.
Everything is fair game
The threat picture will continue to shift as the conflict develops. Hacktivist noise may intensify or fade, while APT operations tend to move more slowly and surface later. The organizations that fare best in this environment are generally those that had already closed the basic gaps before the threat became acute. If basic work (such as an asset inventory) is still outstanding, the current situation is grounds enough to accelerate it.
If your organization has access to best-of-breed threat intelligence and research, now is the time to keep a close eye on it.

Facts Only

* The initial attack occurred on March 1st, 2024.
* Unit 42 tracked over 60 active pro-Iranian hacktivist groups within 24 hours.
* The attacks targeted AWS data centers in the UAE and Bahrain.
* CyberAv3ngers are involved in exploiting vulnerabilities and deploying data-wiping malware.
* The “faketivism” phenomenon is present, with hacktivist groups masking state operations.
* MuddyWater is conducting broader cyberespionage activities.
* MSPs are being targeted for exploitation.
* State-aligned actors favor data-wiping malware over ransomware.
* Organizations with Middle East connections are at increased risk.
* Cloud providers are issuing failover advisories.
* Backups are being targeted as potential attack vectors.
* The conflict has broadened the scope of cyberattacks beyond direct military action.

Executive Summary

The article details a series of cyberattacks stemming from the Iran-Israel conflict, beginning with the targeting of AWS data centers in the UAE and Bahrain on March 1st, 2024. This event triggered a rapid response from international cybersecurity agencies and a surge in activity from pro-Iranian hacktivist groups, spearheaded by Unit 42’s tracking of over 60 active groups within hours. The conflict broadened the scope of cyberattacks, moving beyond direct military action to include disruptive and potentially destructive operations. Iran-nexus actors, including the CyberAv3ngers, are deploying tactics like data-wiping malware and exploiting vulnerabilities, exhibiting a shift towards more sophisticated and stealthy operations. Notably, the “faketivism” phenomenon, where hacktivist identities are used to mask state-sponsored attacks, is being observed with groups like MuddyWater engaging in broader cyberespionage activities and exploiting MSPs. The article highlights the increased risk to organizations with connections to the Middle East, particularly those relying on cloud infrastructure and supply chains. Finally, the piece stresses the growing trend of state-aligned actors favoring destructive cyberattacks – data-wiping malware – over traditional ransomware tactics, particularly in conflict-adjacent situations. The overall takeaway is a significant escalation in the threat landscape driven by the conflict, demanding heightened vigilance and proactive security measures across multiple sectors.

Full Take


The article paints a portrait of a rapidly escalating digital battlefield, driven not solely by military objectives but by a broader, destabilizing influence – a cascade of calculated disruption emanating from Iran. The March 1st AWS strikes aren't simply an isolated incident; they represent a critical inflection point, triggering a globally distributed network of coordinated attacks. This isn't just about stealing data; the shift toward "data-wiping malware" suggests a deliberate strategy of sowing chaos and undermining critical infrastructure, reflecting a willingness to inflict direct damage. The rise of "faketivism," enabled by groups like CyberAv3ngers, exposes a sophisticated level of operational deception, revealing that Iran’s intent isn't merely to disrupt, but to obfuscate its origins – a tactic mirrored in the broader disinformation campaigns accompanying this conflict. Furthermore, the emphasis on exploiting MSPs—leveraging trusted third parties to infiltrate networks—highlights a shift towards asymmetric warfare, exploiting vulnerabilities inherent in complex supply chains. **Pattern Detected: ARC-0043 Motte-and-Bailey** – the article focuses on immediate threats (data theft) while subtly hinting at a deeper, more destructive intent, creating a false sense of urgency. This escalation isn’t just a response to the Israel-Iran conflict; it’s a reflection of a longer-term strategy of projecting power and influence through digital coercion. **Pattern Detected: ARC-0024 Ambiguity** – the article’s use of terms like "disruptive operations" avoids directly stating the potential for catastrophic damage, deliberately obscuring the scale of the threat. The implicit acknowledgement of a protracted conflict underscores a dangerous dynamic: as the conflict intensifies, so too will the pressure on global cybersecurity defenses. The reliance on human-centered attacks, exemplified by the CyberAv3ngers’ reliance on compromised internal accounts, reveals a willingness to weaponize trust – a chilling reminder that the most effective attacks often originate from within. **Pattern Detected: ARC-0017 Systemic** - The pattern here is a systemic shift from purely defensive cybersecurity measures to active disruption and strategic deception, reflecting a fundamental change in the nature of conflict itself. The implications are stark: the current response, focused on reactive mitigation, is fundamentally inadequate. A more proactive approach – anticipating and disrupting the underlying motivations – is urgently required. If this narrative were a coordinated influence campaign, the bad actor would likely amplify these destabilizing messages through a network of compromised social media accounts and fabricated news sources, further fueling panic and confusion. **Pattern Detected: ARC-0012 False Equivalence** – The article attempts to frame the AWS strikes as a straightforward "disruption" without fully acknowledging the potential for widespread damage, creating a false equivalence between accidental downtime and intentional acts of destruction.

Sentinel — Likely Human

Confidence

This analysis reveals a high probability of human authorship, primarily due to the sophisticated, multi-faceted approach to cybersecurity risk assessment and the prevalence of hedging language. While the article provides a valuable overview of Iran-linked cyber threats, the specific details and tactical depth align more closely with human intelligence gathering and analysis than the predictable rhythms and structural patterns often observed in AI-generated text.

Signals Detected
medium severity: High hedging density (e.g., 'it's worth noting,' 'one could argue'). This suggests a deliberate effort to avoid definitive statements and appears characteristic of journalistic writing, not AI-generated content.
high severity: The text repeatedly frames the situation with 'both sides' arguments, a pattern rarely seen in genuinely investigative reporting and more aligned with AI attempts at neutrality.
medium severity: References to ‘experts say,’ ‘studies show,’ and vague attribution of threat intelligence contribute to a lack of specific sourcing and a common tactic in synthetic narratives.
medium severity: Mention of the ‘CyberAv3ngers’ group and their use of ‘faketivism’ with a specific reference to a 2012 Saudi Aramco incident, although potentially accurate, presents a detail that could be characteristic of LLM-based confabulation. Also, the data-wiping attack attributed to Hamdala is presented as a relatively recent event and the speed of attribution.
Human Indicators
The article employs a detailed, layered approach to explaining cyber threats, breaking down the roles of various actors (hacktivists, APTs, MSPs) and their tactics. This level of granular analysis is more typical of human security researchers than an AI generating a generalized alert.
The inclusion of specific vendor names (AWS, Snowflake, Red Hat) alongside concrete examples of vulnerabilities and mitigation strategies suggests a reliance on up-to-date threat intelligence, a characteristic of human analysts.