Iran: cybersecurity implications. What to watch out for

Less than 24 hours after the start of the war in Iran, a historically unprecedented event occurred: an attack on commercial data centers. On March 1, Iranian drones hit three Amazon Web Services (AWS) facilities in the United Arab Emirates and Bahrain, disrupting critical cloud infrastructure and disabling financial applications and business tools, not only across the Gulf but also far beyond it. These attacks have shown that physical distance from a conflict zone is no guarantee of protection from the impact, says Tomáš Foltýn of the global cybersecurity firm ESET.

For most organizations, however, the most immediate risk unfolds in cyberspace rather than on the battlefield, and it involves a wide range of threat actors. Within hours of the US-Israeli “Operation Epic Fury” (“Operation Roaring Lion”) on February 28, Iranian groups mobilized en masse. Palo Alto Networks' Unit 42 recorded more than 60 active pro-Iranian hacktivist groups. At the same time, cybersecurity agencies in the United Kingdom and Canada issued warnings of increased threat levels.


Shortly afterwards, similar warnings were issued by Europol and the US Department of Homeland Security.

Threats and threat actors

The outbreak of an armed conflict tends to broaden both the scope and the spectrum of the cyberattack groups involved. Hacktivist activity, noisy and often accompanied by excessive rhetoric, usually manifests itself first. Advanced persistent threat (APT) operations, which include reconnaissance and initial access phases, are carried out in parallel or immediately afterwards. Once positions are established and targets mapped, the stage is set for achieving the intended objectives, whether espionage, sabotage or other forms of attack.

Of course, the boundaries between these activities are not always clear. Some tactics may unfold simultaneously: for example, a website defacement or distributed denial of service (DDoS) attack, which at first glance looks like simple hacktivism, may serve as a deliberate distraction, covering a targeted and silent attack by a different actor.

Iran-linked groups are among the most active and resourceful in the world, and their cyberattack capabilities and tools have matured significantly in recent years. The threat is particularly acute for organizations with supply chain relationships in the Middle East or other ties to the region, as well as those dependent on cloud infrastructure hosted there.

The CyberAv3ngers campaign against water and sanitation companies in the US and other countries in 2023 clearly demonstrated this targeting strategy. The threatening message the attackers left on the compromised systems—“You have been hacked, down with Israel. Any equipment ‘made in Israel’ is a legitimate target for CyberAv3ngers”—at first looked like a hacktivist operation. However, it was soon revealed that the group was operating under the direction of the Iranian state. This blurring of the line between activist identity and state-aligned operations, which may have its roots in the 2012 Saudi Aramco incident, has a specific name: “faketivism”.

At the same time, the operational overlaps between distinct groups run even deeper. ESET researchers have documented close ties between various Iran-linked APT groups. For example, MuddyWater has worked closely with Lyceum, a subgroup of OilRig, and there are indications that it has also acted as an Initial Access Broker (IAB) for other Iranian groups.

To further complicate the picture, several pro-Russian hacktivist groups now appear to have sided with Iran, and there are also reports of Iranian groups collaborating with IABs on Russian cybercrime forums. This dynamic expands both the available arsenal and the range of potential targets. Critical infrastructure is one of the most valuable “trophies” for all kinds of threat actors, and recent data from ESET shows that Iran-linked groups are attacking organizations in the engineering and manufacturing sectors.

Industries targeted by Iran-linked APT groups from April to September 2025 (source: ESET APT Activity Report, 2nd quarter 2025 – 3rd quarter 2025)

Furthermore, when the goal is retaliation, destruction tends to take precedence over, for example, ransomware extortion. Data-deleting malware is a constant feature of modern operations linked to armed conflict. Groups related to Russia have repeatedly demonstrated this pattern in Ukraine.

When it comes to attacks that offer malicious actors high cost-effectiveness, supply chain breaches typically dominate. In 2022, ESET Research documented how the Iran-linked Agrius group developed a destructive data-wiping tool called Fantasy. It was distributed through a supply chain attack that compromised an Israeli software developer, and it hit targets in various industries far beyond Israel’s borders. The reach of such an attack can extend to organizations that were never directly targeted and have no obvious connection to the conflict.

A related risk concerns managed service providers (MSPs) and their customers. In 2022, ESET recorded a campaign in which the adversary compromised an MSP in order to gain access to its end targets. It did not need to penetrate them directly; instead, it leveraged the MSP’s existing access routes to achieve its purpose. The campaign was orchestrated by the MuddyWater cyberespionage group, which is now a powerful force in Iranian APT circles and is showing remarkable growth.

The MuddyWater group, once known for its massive, automated attacks, is now increasingly turning to more discreet and sophisticated operations. These include hands-on-keyboard activity in targeted environments, suggesting an increased level of technical maturity. Like other Iran-linked groups, MuddyWater has turned to the tried-and-true technique of abusing legitimate remote monitoring and management (RMM) software. In this way, the group can blend into legitimate network traffic, making it harder to detect.

The group is also known for its preference for internal spearphishing, leveraging already compromised inboxes. Specifically, emails are sent from colleagues' accounts instead of external senders, which significantly increases the success rate of the attacks. The attachments and links. Spearphishing has long been one of the most popular initial access techniques among most Iran-linked APT groups, including OilRig and APT33. However, exploiting known software vulnerabilities is not uncommon either, as demonstrated in a recent campaign by Ballistic Bobcat.

MuddyWater remains highly active in 2026. Last month, security researchers at Symantec and Carbon Black (Broadcom) detected the group on the networks of several US organizations, including an airport, a bank and a software company with ties to Israel. However, the overall volume of cyberattacks by Iran-linked actors cannot, so far, compare to the intense activity ESET researchers recorded after the attack on Israel on October 7, 2023. This may be due in part to the near-total restriction of internet access imposed by Iran.

In any case, as Google's Threat Analysis Group (TAG) pointed out in its analysis of cyber activity surrounding the Israel-Hamas conflict, “cyber capabilities […] are a tool of first necessity.” This observation remains relevant today, as demonstrated by the first major cyberattack since the start of the war. On March 12, a data-wiping attack attributed to the pro-Iranian hacktivist group Handala hit the American medical technology company Stryker. The attack reportedly caused a global outage of the company's systems.

Desktop background installed by the CyberToufan group's wiper malware, which attacked 50 organizations in Israel in January 2025 (source: ESET APT Activity Report, 4th quarter 2024 – 1st quarter 2025)

Maintaining resilience: where to focus

Threats range from opportunistic DDoS and reputational damage campaigns to targeted data-wiping attacks and cyberespionage operations. They also include supply chain attacks, which can affect even organizations not directly involved in a conflict. The measures described below are already familiar to most security teams. However, special emphasis is placed on areas where Iran-linked actors have historically identified and exploited weaknesses.

Inventorying and protecting exposed systems

Start by identifying and protecting every element exposed to the internet: remote access services, web applications, VPN gateways, as well as OT/ICS devices connected to the public network, if your organization uses such systems.

Default credentials should be changed on all devices without exception. If a device does not support strong authentication mechanisms, it should be evaluated whether it is appropriate to keep it connected to the internet.

The CyberAv3ngers campaign in 2023 targeted programmable logic controllers (PLCs) that still had factory-set passwords. The CISA advisory details the techniques used and is worth careful consideration, especially by organizations managing industrial control systems.

Limiting the attack surface

OT/ICS environments (operational technology and industrial control systems) pose a particular challenge, as they involve devices that were developed decades ago without regard to modern security requirements and that often have not even been properly inventoried. Default credentials and internet exposure are the most obvious problems. However, the broader issue is that many of these systems were never designed to be effectively protected after they were installed.

Where operationally feasible, OT/ICS devices should be disconnected from the internet. At the same time, it is critical to apply all available patches, as vulnerable and internet-exposed devices remain one of the entry points for attackers.

Where disconnection is not possible, strict segmentation between IT and OT environments should be implemented. In addition, it is important to define baselines for industrial protocol traffic so that any abnormal activity can be detected in a timely manner and alarms can be triggered.

Close the gaps

Most Iranian-backed groups have consistently made identity compromise the focus of their attacks. A joint CISA/FBI/NSA advisory in October 2024 documented a year-long campaign in which Iranian actors used password spraying and MFA push-bombing (flooding users with sign-in approval requests until someone approves one) to breach organizations in the healthcare, government, energy and IT sectors.

Once they gained access, they modified MFA settings to maintain persistent access to the systems and then sold the stolen credentials on criminal platforms.

To address this threat, it is recommended to implement phishing-resistant multi-factor authentication (MFA) on all internet-facing systems and to audit existing MFA configurations in order to identify and remove unauthorized registrations.
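As an added example (not from the article and not ESET or CISA tooling), the following Python runs two detections for the identity attacks this section describes over a constructed authentication log: a password spray (one source IP failing against many distinct accounts within a short window) and an MFA push-bombing pattern (a burst of denied MFA prompts for one user followed by an approval). The log format, IP addresses, user names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not real data): "<ISO timestamp> <source IP> <user> <event>"
SAMPLE_LOG = """\
2024-10-01T08:00:01Z 203.0.113.7 alice LOGIN_FAIL
2024-10-01T08:00:03Z 203.0.113.7 bob LOGIN_FAIL
2024-10-01T08:00:05Z 203.0.113.7 carol LOGIN_FAIL
2024-10-01T08:00:07Z 203.0.113.7 dave LOGIN_FAIL
2024-10-01T08:00:09Z 203.0.113.7 erin LOGIN_FAIL
2024-10-01T08:02:00Z 198.51.100.2 alice LOGIN_FAIL
2024-10-01T09:10:00Z 203.0.113.7 bob MFA_DENY
2024-10-01T09:10:20Z 203.0.113.7 bob MFA_DENY
2024-10-01T09:10:40Z 203.0.113.7 bob MFA_DENY
2024-10-01T09:11:30Z 203.0.113.7 bob MFA_APPROVE
2024-10-01T09:30:00Z 198.51.100.2 alice MFA_DENY
2024-10-01T09:30:40Z 198.51.100.2 alice MFA_APPROVE
"""

def parse_log(text):
    """Return (timestamp, ip, user, event) tuples sorted by time."""
    rows = [line.split() for line in text.splitlines()]
    return sorted((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, ev)
                  for ts, ip, user, ev in rows)

def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """IPs whose LOGIN_FAILs hit >= min_users distinct accounts inside one window."""
    fails = defaultdict(list)
    for ts, ip, user, event in events:
        if event == "LOGIN_FAIL":
            fails[ip].append((ts, user))
    flagged = set()
    for ip, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # drop attempts older than the window
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged.add(ip)  # few passwords against many accounts: the spray signature
                break
    return flagged

def detect_push_bombing(events, min_denials=3, window=timedelta(minutes=5)):
    """(user, time) pairs where an MFA_APPROVE follows >= min_denials MFA_DENYs in the window."""
    denials, hits = defaultdict(list), []
    for ts, _ip, user, event in events:
        if event == "MFA_DENY":
            denials[user].append(ts)
        elif event == "MFA_APPROVE":
            if sum(1 for t in denials[user] if ts - t <= window) >= min_denials:
                hits.append((user, ts))  # user finally approved after a burst of denials
            denials[user].clear()  # an approval ends the burst either way
    return hits
```

A single user failing from one address (alice above) is not flagged by either detector; only the many-accounts-one-source and many-denials-then-approve shapes are.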

Supply chain and third-party access control

Thoroughly review all third-party access routes, as well as any form of remote access to your systems. With groups like CyberAv3ngers specifically targeting Israeli-made OT equipment, it is critical to check whether any of your equipment falls into this category.

If you work with managed service providers (MSPs), ask for clear information about how they protect their remote access tools. At the same time, ask whether they have reassessed their own risk exposure in light of the current conflict. MuddyWater's abuse of the SimpleHelp tool against MSPs highlighted that your providers' security posture is effectively an extension of your own attack surface.

Beware of phishing

Since MuddyWater and other groups often rely on human-centric attacks, mainly through spearphishing messages sent from compromised internal accounts, employees should verify every request through an independent channel, especially requests concerning credentials, access changes, urgent “security updates” and anything related to the current conflict.

Attackers are now widely leveraging mainstream artificial intelligence tools not only to create persuasive phishing messages, but also for other stages of the attack lifecycle, such as vulnerability identification and malware development support.

Map your cloud dependencies

Map which software-as-a-service (SaaS) providers your organization depends on and find out where their infrastructure is hosted. Even if you have no business relationship with the Middle East, your providers may.

Following the recent incidents affecting AWS, many vendors, including Snowflake and Red Hat, issued outage-response guidance, reminding their customers that regional cloud disruptions can propagate throughout the supply chain in ways that are not always visible until a problem occurs.

AWS, for example, explicitly recommended that customers with services hosted on servers in the Middle East consider moving them to other regions.

Prepare for destruction, not just theft

During operations related to geopolitical conflicts, state-aligned actors tend to prefer wiper attacks over ransomware.

In this context, ensure that at least one copy of your critical data is offline and air-gapped. Avoid relying solely on backups in other cloud regions, as they may share the same underlying dependencies.

Additionally, check if the Disaster Recovery Plan covers region-wide outage scenarios, as most plans only focus on single availability zone failures. Finally, it is critical to verify that backups can actually be restored. Wiper attacks and other malware often specifically target backup systems.

Everything is allowed.

The threat landscape will continue to change as the conflict progresses. Hacktivist activity may increase or decrease, while APT operations tend to move more slowly and become visible at a later stage.

The organizations that respond best to such conditions are those that have already addressed key security gaps before the threat arises. If critical functions, such as asset inventory, remain outstanding, the current situation is a strong incentive to complete them immediately.

Finally, if your organization has access to reliable sources of threat intelligence and research, now is the right time to follow them closely.

What does this mean for Greek businesses?

Cyber threats know no borders, and businesses in EU countries such as Greece are no exception, as they can be targeted because of partnerships or geopolitical connections, or simply as "collateral targets" in broader attacks.

For this reason, timely preparation and adaptation to new conditions are crucial for protecting businesses against an increasingly unstable digital reality.

"Today, the ability of Greek businesses to protect their systems and chains is not just a matter of security; it is a matter of competitiveness and survival in the global market," says Christos Mylonas, Senior Territory Sales Manager at ESET Greece. He recommends that Greek businesses operating in critical sectors such as logistics, shipping, energy, tourism and industry, where connectivity with international supply chains and infrastructure makes them particularly vulnerable to cyber threats, focus on the following:

  • Strengthen monitoring and threat detection (SOC, SIEM)

  • Vet their partners and suppliers to reduce third-party risk

  • Train their staff in phishing and social engineering

  • Create and test incident response plans

  • Perform regular backups and check their recovery to ensure business continuity

Even if an attack does not directly target Greece, Greek businesses may be affected through cloud services, partners or international networks. In this environment, readiness is not an option; it is a business necessity.
