What the 2026 Iran Conflict Means for UK Cyber Risk
- Mar 24
- 3 min read
Geopolitical Context
On 28th February 2026, the United States and Israel launched Operation Epic Fury (US) / Operation Roaring Lion (Israel), a military campaign against Iranian military infrastructure and missile capability, during which Iran's Supreme Leader Ayatollah Ali Khamenei was killed. The campaign was launched in response to growing concerns about Iran's nuclear weapons capabilities. It rapidly broadened regional and international risk dynamics, raising the probability of retaliatory kinetic and cyber attacks.
Although targeting has mainly focused on countries within the Middle East (pictured below), there have also been attacks against EU member states such as Cyprus.

Early Warning to the UK
On 2 March 2026, the UK's NCSC issued a public advisory urging UK organisations to review their cyber posture in response to the evolving conflict. The NCSC stated that there was likely no significant change in the direct cyber threat from Iran to the UK, but emphasised a heightened indirect threat, especially for organisations with offices, suppliers or supply-chain links in the Middle East. The advisory states that UK defenders should prepare for DDoS, phishing and credential theft, as well as potential attacker interest in ICS environments. Subsequent analysis of the breakdown of attack types shows the NCSC's assessment to be accurate, with DDoS constituting the greatest volume of attacks recorded against victims (pictured below).

Expected Iranian Attack Activity
The NCSC stated that organisations should prepare for hacktivist attacks. In the days after this announcement, we saw a surge of hacktivist activity against Israel, the Gulf States and the US, including support from Russian-associated groups such as NoName057(16).

Destructive Attacks
Iranian threat groups such as Handala, Cyber Islamic Resistance and MuddyWater have a demonstrated history of data destruction attacks (T1485). Compared with ransomware, data destruction is cheaper to execute and requires less attacker infrastructure: there are no encryption keys to manage and no payment or negotiation channels to run. It is an effective choice when the objective is maximum operational disruption rather than financial gain.
First Attacks Observed
In late February 2026, MuddyWater was observed conducting coordinated intrusions against a US bank, an airport, NGOs, and a defence/aerospace software supplier with operations in Israel. They were observed using newly built backdoors to establish persistence and Rclone to stealthily exfiltrate data to cloud buckets (T1567.002).
UK Supply Chain Attack – Stryker
On 11th March 2026, the Iranian threat group Handala compromised Stryker's Microsoft Intune environment and used it to carry out a destructive data-wiping operation that reportedly remotely wiped 200,000 devices. No malware or ransomware was observed: the attackers abused legitimate device-management functionality with administrative access, so endpoint detection alone would not have stopped it. The incident highlights the need for strict access controls on cloud administrative control planes as well as at the network perimeter. Handala also defaced the organisation's Microsoft login portals with their own logo. Stryker is a key supplier to the NHS and private healthcare organisations, providing medical equipment, including clinical implants.
Cross-Sector ISAC Advisory
A joint advisory published in mid-March 2026 by members of the National Council of ISACs, spanning 10 sectors, warned that the conflict heightens the risk to critical national infrastructure (CNI) globally and emphasised preparedness for increased Iranian-aligned cyber activity. The latest reporting of observed attacks bears this out: attacks are heavily focused on CNI, including the government, finance and transportation sectors (pictured below). The advisory also encourages organisations to bolster their DDoS defences and remain vigilant for news or signs of compromise within their supply chains.

Recommendations
DDoS Readiness
Validate DDoS runbooks, upstream provider contacts, and failover paths; test rate-limiting and WAF rules tuned for volumetric and application-layer attacks.
Phishing and Identity Hardening
Increase user reporting and triage capacity; deploy stricter conditional access policies for high-risk geographies and unusual login patterns; enforce phishing-resistant MFA for every privileged role, with no exceptions.
Patch and External Attack Surface Management
Prioritise patching and configuration hardening of internet-facing systems; monitor for scanning and exploitation attempts consistent with pre-positioning behaviour.
Control-plane Protection (Entra/Intune/MDM)
Reduce standing privilege; implement just-in-time elevation; require step-up authentication or approval workflows for destructive admin actions (device wipe/reset, credential or token changes, creation of new Global Administrators). Ensure Intune audit log sources are enabled and forwarded to a SIEM so that bulk or out-of-hours device actions can be alerted on.
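As an added example (not part of the original article or any vendor tooling), the following Python script shows the kind of detection that forwarding Intune audit logs to a SIEM makes possible: it parses audit records, isolates successful destructive device actions, and alerts on a burst of wipes by one identity or on any wipe by an identity outside an approved operator list. The record field names (TimeGenerated, OperationName, Identity, Properties.TargetDisplayNames) are modelled on the Intune audit log export to Log Analytics but are assumptions here, and the log lines are constructed for illustration.

```python
"""Detect bulk or unapproved Intune remote-wipe activity in audit log records.

Added example, not from the original article. Field names are modelled on the
Intune audit log export to Log Analytics but are assumptions here; the sample
records below are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that destroy or de-enrol a device. An attacker holding Intune
# admin rights needs no malware to run these, which is why the audit trail is
# the detection surface.
DESTRUCTIVE_OPS = {"wipe manageddevice", "retire manageddevice", "delete manageddevice"}

# Constructed sample: one routine wipe by the helpdesk in the morning, then a
# burst of wipes from an admin account late in the evening.
SAMPLE_LOG = """\
{"TimeGenerated":"2026-03-11T08:02:10Z","OperationName":"wipe ManagedDevice","Identity":"helpdesk@example.com","ResultType":"Success","Properties":{"TargetDisplayNames":["LAPTOP-1041"]}}
{"TimeGenerated":"2026-03-11T09:15:00Z","OperationName":"patch DeviceConfiguration","Identity":"admin@example.com","ResultType":"Success","Properties":{"TargetDisplayNames":["Baseline-Win11"]}}
{"TimeGenerated":"2026-03-11T21:40:01Z","OperationName":"wipe ManagedDevice","Identity":"admin@example.com","ResultType":"Success","Properties":{"TargetDisplayNames":["LAPTOP-2001"]}}
{"TimeGenerated":"2026-03-11T21:40:03Z","OperationName":"wipe ManagedDevice","Identity":"admin@example.com","ResultType":"Success","Properties":{"TargetDisplayNames":["LAPTOP-2002"]}}
{"TimeGenerated":"2026-03-11T21:40:04Z","OperationName":"wipe ManagedDevice","Identity":"admin@example.com","ResultType":"Success","Properties":{"TargetDisplayNames":["LAPTOP-2003"]}}
{"TimeGenerated":"2026-03-11T21:40:06Z","OperationName":"retire ManagedDevice","Identity":"admin@example.com","ResultType":"Success","Properties":{"TargetDisplayNames":["LAPTOP-2004"]}}
{"TimeGenerated":"2026-03-11T21:40:09Z","OperationName":"wipe ManagedDevice","Identity":"admin@example.com","ResultType":"Success","Properties":{"TargetDisplayNames":["LAPTOP-2005"]}}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def destructive_events(records):
    """Keep only successful destructive device operations."""
    return [r for r in records
            if r["OperationName"].lower() in DESTRUCTIVE_OPS
            and r.get("ResultType") == "Success"]


def detect_bulk_wipes(records, threshold=3, window=timedelta(minutes=10)):
    """Sliding window per identity: alert when `threshold` or more destructive
    operations fall within `window`. Returns {identity: sorted device names}."""
    by_identity = defaultdict(list)
    for r in destructive_events(records):
        by_identity[r["Identity"]].append(r)   # already time-ordered

    alerts = {}
    for identity, events in by_identity.items():
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end]["_ts"] - events[start]["_ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                devices = [d for e in events[start:end + 1]
                           for d in e["Properties"].get("TargetDisplayNames", [])]
                alerts[identity] = sorted(set(alerts.get(identity, [])) | set(devices))
    return alerts


def detect_unapproved_wipes(records, approved_identities):
    """Any destructive operation by an identity outside the approved set.
    With a JIT/approval workflow in place this set should be very small."""
    approved = {a.lower() for a in approved_identities}
    return [(r["Identity"], r["OperationName"], r["Properties"].get("TargetDisplayNames", []))
            for r in destructive_events(records)
            if r["Identity"].lower() not in approved]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("bulk wipe alerts:", detect_bulk_wipes(recs))
    print("unapproved wipes:", detect_unapproved_wipes(recs, {"helpdesk@example.com"}))
```

On a live feed the same two checks would run as scheduled SIEM queries; the threshold and window should be tuned to normal helpdesk wipe volume, and the allow-list check is only as useful as the approval workflow that keeps the approved operator set small.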
OT/ICS Vigilance
Increase visibility into OT environments, monitor for abnormal PLC/ICS interactions, and validate segmentation and incident response procedures for operational outages.
Supply Chain Monitoring
Identify any critical Middle East dependencies (vendors, logistics, data centres, subcontractors); ensure supplier incident-notification paths are up to date and testable.
Sources
1. National Cyber Security Centre (NCSC) (2026) NCSC advises UK organisations to take action following conflict in the Middle East. Available at: https://www.ncsc.gov.uk/news/ncsc-advises-uk-organisations-take-action-following-conflict-in-middle-east (Accessed: 17th March 2026).
2. SOCRadar (2026) Iran–Israel/US Cyber War 2026: Iranian hackers, APT groups & cyber attacks. Available at: https://socradar.io/iran-israel-cyber-conflict-dashboard/ (Accessed: 19th March 2026).
3. Security.com (2026) Seedworm: Iranian APT on networks of U.S. bank, airport, software company. Available at: https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us (Accessed: 6th March 2026).
4. HPR News (2026) Post referencing Iran‑linked cyber activity [X post]. Available at: https://x.com/HPRNEW/status/2031723940360355898 (Accessed: 18th March 2026). Note: the original post by the threat actor account has since been deleted; the reference is retained for contextual and evidential purposes.
5. Gate 15 (2026) Joint advisory: Middle East conflict and critical infrastructure. Available at: https://gate15.global/joint-advisory-middle-east-conflict-and-critical-infrastructure/ (Accessed: 17th March 2026).