Heightened Cyber Risk Following February 2026 U.S./Israel–Iran Escalation

On February 28, 2026, the United States, in coordination with Israel, launched a large-scale military campaign against Iran known as Operation Epic Fury, marking a significant escalation in direct hostilities. The operation involved coordinated air, missile, naval, and cyber strikes targeting Iranian military and nuclear facilities across the country. Iran retaliated with ballistic missile and drone strikes targeting Israeli territory and U.S. military installations across the region, including in Bahrain, Qatar, Kuwait, Jordan, and the United Arab Emirates.

Organizations in North America, the Middle East, the Schengen Area, and the Indo-Pacific, especially those in sectors historically targeted by Iranian threat groups such as energy, defense, transportation, healthcare, and government, should maintain heightened vigilance. Critical infrastructure providers (energy, utilities, telecommunications) and government- or defense-adjacent commercial organizations are particularly at risk, with collateral effects possible across other industries due to interconnected systems and shared third-party dependencies.

Organizations should also anticipate potential disruptions to internet services and increased risk of supply chain attacks, as past Iranian-linked cyber activity has occasionally been indiscriminate, affecting networks in countries not directly involved in the conflict, including U.S. water and wastewater systems, industrial control systems, and international corporate networks.

Historical context 

Historically, Iran has launched broad cyber operations in response to military interventions, sanctions, and various geopolitical pressures. These attacks have typically included:

• Destructive wiper malware campaigns.
• Distributed Denial of Service (DDoS) attacks.
• Targeted intrusions, particularly within energy and utility sector networks.
• Collaboration with ransomware affiliate actors.

In late 2023, Iranian IRGC-linked cyber actors operating under the alias “CyberAv3ngers” targeted Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) and human-machine interfaces (HMIs). These devices, widely used across critical infrastructure sectors such as water, energy, and manufacturing, were compromised through exploitation of default credentials and publicly exposed systems. The attackers defaced affected systems with political messages and altered device configurations to disrupt operations and complicate recovery efforts.

Previous threat activities tied to Iran have cast a wide net, and have affected countries throughout Europe, Asia, and North America. Historically, this has included Canada, the UK, France, Germany, the Netherlands, India, Kuwait, Pakistan, Qatar, Saudi Arabia, Turkey, United Arab Emirates, China, and South Korea. While some of these operations began as an immediate reaction to Stuxnet in the early 2010s, they later evolved into long-term efforts focusing on intelligence collection, credential harvesting, and infiltration of supply chains, with lasting impact across multiple geographies.

How Arctic Wolf is Responding to Iran-Affiliated Cyber Threats

Arctic Wolf has implemented increased monitoring of organizations in sectors previously affected by Iran-affiliated threat activity. Additionally, Arctic Wolf is actively monitoring for new developments in the threat landscape around Iran-affiliated threats, and will alert Managed Detection and Response (MDR) customers if and when relevant malicious activities are observed.

Recommendations

Reduce Exposure of ICS/SCADA Devices

Due to geopolitical interest that Iran-affiliated threat actors have historically shown towards ICS/SCADA devices, access to such devices should be minimized as much as possible. Following a 2023 cyber attack by the IRGC-linked group CyberAv3ngers, CISA issued a list of guidelines to protect PLCs.

• Internet exposure of ICS/SCADA devices and other critical infrastructure components should be limited wherever possible.
• Additionally, robust network segmentation should be implemented where possible to limit the impact of potential compromises and isolate threat actors from being able to move laterally to operationally sensitive networks.
• Efforts should be made to ensure that default passwords on ICS/SCADA devices are changed to avoid unauthorized access.
• Finally, critical vulnerabilities in SCADA devices such as CVE-2025-1960 in Schneider Electric EcoStruxure WebHMI should be patched as soon as possible, as highlighted by CISA.

Patch Critical Vulnerabilities Leveraged by Iran-affiliated Threat Actors

The following vulnerabilities have been previously exploited in Iran-affiliated threat campaigns. This has included targeting of VPN gateways and firewalls in various products, including appliances from Pulse Secure, Fortinet, Palo Alto Networks, F5, and Citrix.

Wherever possible, previously targeted software listed here should be prioritized for patching:

Block Telegram and Unused Remote Monitoring and Management Tools if Possible

In several Iran-affiliated threat campaigns, Telegram has been used as a means of conducting data exfiltration. Additionally, legitimate RMM tools such as Atera, Tactical, SimpleHelp, AnyDesk, ScreenConnect, and RemoteUtilities have been used by Iranian threat actors to evade detection.

If you are not using these tools in your environment, consider blocking them altogether to prevent malicious use.  

Adopt Additional Security Best Practices

• Enforce strong, unique passwords across all systems and enable multi-factor authentication (MFA) for all accounts.
• Perform continuous security audits and monitoring to proactively identify and respond to suspicious activities and potential threats.
• Deliver ongoing cybersecurity awareness training to employees, empowering them to recognize and mitigate cyber risks effectively.