
In the wake of Israel’s large-scale military operation, Operation Rising Lion, which targeted Iranian nuclear and military infrastructure on June 13, 2025, the Israeli cyber threat landscape has escalated significantly.
The preemptive action, aiming to dismantle Iran’s nuclear weaponisation capabilities, resulted in the deaths of key Iranian military figures and damage to critical infrastructure. These military strikes are expected to trigger retaliatory cyber operations by Iranian state actors and hacktivist groups aligned with the state.
Background
Cyber hostilities between Israel and Iran date back at least to 2010, with the discovery of the Stuxnet worm, widely regarded as the first cyber weapon to cause physical destruction. Stuxnet specifically targeted Siemens-made programmable logic controllers that operated uranium-enrichment centrifuges in Iran. By altering the centrifuge rotation speeds, the malware caused equipment failures that significantly disrupted Iran’s nuclear program.
In the aftermath of Stuxnet, Iran invested heavily in developing its cyber capabilities and initiated a series of retaliatory cyber operations. Over the following decade, Iranian-affiliated actors increasingly targeted infrastructure in the West and the Gulf regions. Notably, the Iranian Cyber Army was linked to a wave of distributed denial-of-service attacks on US financial institutions.
Since 2020, the focus of Iranian cyber operations has shifted more explicitly toward Israel. Threat groups such as APT35 (Charming Kitten), MuddyWater, and CyberAv3ngers have launched campaigns against Israeli critical infrastructure, including water utilities, healthcare facilities, and industrial control systems. These campaigns have also included breaches of surveillance systems and reconnaissance activities targeting public transportation networks.
“We expect Iranian cyber threat actors to rededicate themselves to attacks against Israeli targets in light of the recent military actions, though it’s too early at this time to measure any changes,” said Google Threat Intelligence Group Chief Analyst John Hultquist. “Iranian cyber activity in Israel is already persistent and aggressive, and has been for several years.”
“Iranian cyber activity has not been as extensive outside of the Middle East but could shift in light of the military actions,” he added. “Targets in the United States could be reprioritized for action by Iran’s cyber threat capability. Iranian cyber espionage activity already targets the US government, military, and political set, but new activity may threaten privately owned critical infrastructure, or even private individuals.”
While Israel has not formally acknowledged conducting offensive cyber operations, several high-impact incidents, such as disruptions to Iran’s fuel distribution systems, railways, and industrial sites, have been widely attributed to Israeli state-linked actors by foreign intelligence services and cybersecurity experts.
Cyber warfare as strategic outlet amid military setbacks
Iran is currently more likely than ever to retaliate through cyberattacks due to its significantly reduced ability to respond through conventional military means. Recent Israeli operations have severely degraded Iran’s military infrastructure and leadership. The targeted strike allegedly eliminated around 20 senior commanders, including key figures from the Iranian Air Force and nuclear program.
The attacks, involving precision airstrikes and Mossad-led sabotage operations, have destroyed missile bases, fuel depots, and strategic assets critical to Iran’s defence capabilities. As a result, while Iran may be motivated to respond, it lacks the functional military capacity to do so immediately and effectively, making cyber operations a more accessible and viable alternative.
Additionally, the impact on Iran’s nuclear program and leadership structure has damaged the image of the Ayatollah regime, both domestically and internationally. In a system where the perception of strength and control is critical, such losses can be interpreted as signs of vulnerability. This perception not only weakens public confidence but could also embolden opposition groups or even spark internal unrest, as seen in past periods of regime instability.
To reassert power and deter further challenges, the regime may turn to asymmetric tools such as cyberattacks, espionage, and the activation of allied hacker groups to strike Israeli interests, both as retaliation and as a demonstration of continued capability and resolve.
Multi-vector threats
Iranian state-sponsored cyber actors, most notably APT34 (OilRig) and APT39 (Remix Kitten), continue to engage in targeted cyber operations aimed at espionage, infrastructure disruption, and surveillance. Their activities have historically extended across the Middle East and beyond, with a clear focus on regional adversaries.
Recent intelligence suggests a likely intensification of Iranian cyber efforts, with operational priorities expected to include:
- Compromising Israeli government and defence networks;
- Stealing sensitive state and military information; and
- Utilising phishing, social engineering, and zero-day exploits.
These intrusions are often masked through legitimate-looking communications or facilitated via compromised third-party vendors and service providers.
In line with previous escalatory patterns, Iran may also engage in disruptive attacks intended to degrade or interrupt essential services. These could include denial-of-service campaigns, ransomware deployments, or the use of destructive wiper malware.
Furthermore, Iranian cyber operations are likely to be complemented by coordinated information warfare. Drawing from earlier campaigns, Iran is expected to activate AI-driven botnets and inauthentic social media personas to disseminate disinformation, erode public trust in Israeli leadership, and amplify divisive or destabilising narratives.
These influence operations may be conducted in cooperation with ideologically aligned, religiously motivated groups throughout the region. Platforms such as Telegram, X (formerly Twitter), and TikTok are anticipated to serve as primary channels for this coordinated propaganda and mobilisation effort.
“Iran has the ability to carry out cyber espionage and disruptive cyberattack as well as information operations like hack and leak campaigns,” said Hultquist. “Many of these activities have met with limited success. For instance, though Iran has carried out some serious disruptive cyberattacks, many have failed, and actors have repeatedly made false and exaggerated claims to bolster their impact. The goal of many of these operations is psychological rather than practical, and it is important not to overestimate their impact.”
Surge in pro-Iranian threat actor activity
Shortly after news of the military operation became public, an increase in activity by Iran-aligned threat actors was observed on their public and private Telegram channels. The Cyber Bulletin channel received a message from an actor going by the name #OpIsrael about attacks targeting the Israeli public address system (Tzofar), which notifies civilians of potential missile attacks.
Recommended preventive actions
- Enhance monitoring: Increase vigilance across all networks and endpoints and monitor for indicators of compromise linked to known Iranian APTs;
- Harden systems: Ensure all internet-facing systems are patched and all services are protected by MFA;
- Employee awareness: Remind employees of potential phishing scenarios;
- Incident response readiness: Ensure IR teams are on high alert and that playbooks are up to date and include responses for nation-state-level threats; and
- Public communication: Prepare counter-disinformation strategies and coordinate with trusted media outlets to mitigate the impact of fake news before it spreads or harms the reputation of the organisation.
The cyber domain is a primary theatre in the Israel-Iran conflict. Organisations across Israel must be aware and brace for a wave of sophisticated and ideologically driven cyberattacks. Proactive defence, intelligence sharing and public resilience will be critical in the days ahead.