Escalating tensions between the United States, Israel and Iran are raising fresh concerns about cyber retaliation against Western businesses.
Yet cyber security experts warn that the most immediate threat may not come directly from Iran’s own cyber units, but from allied groups, hacktivists and proxy actors exploiting geopolitical tensions.
According to Matthieu Chan Tsin, SVP, resilience services at Cowbell, the cyber insurance provider, a combination of internal disruptions inside Iran and recent military developments may be reshaping where cyber threats originate.
“From a natural point of view, most escalation of cyber threats would come from actors on the ground in Iran, many of whom are tied to the Islamic Revolutionary Guard Corps,” Chan Tsin told Insurance Business. “But recent events suggest that direct cyber operations from inside Iran may actually be limited right now.”
Iran has historically been a prominent cyber actor, with campaigns targeting infrastructure, financial institutions and government agencies in the United States and its allies. US authorities have previously warned that Iranian hackers have conducted disruptive attacks, including distributed denial-of-service (DDoS) campaigns and destructive malware operations against Western organizations.
However, Chan Tsin said three developments may be constraining Iran’s cyber capabilities in the near term.
First, he believes Iranian cyber units had already redirected some resources internally to manage domestic unrest. Protests against the Iranian government over the past two years have forced authorities to focus surveillance and cyber operations inward rather than abroad.
Second, in an X post on March 4, Israel claimed it struck a Tehran compound that included “cyber warfare headquarters” and an intelligence directorate facility. While the extent of the damage remains unclear, Chan Tsin hypothesized this attack may have disrupted parts of Iran’s cyber command infrastructure.
Finally, internet connectivity within Iran has reportedly declined sharply since late February. Data from internet monitoring groups shows connectivity falling to roughly 1% of normal levels during a near-total blackout, though the cause (whether government restrictions or external cyber activity) remains uncertain.
Taken together, those factors suggest that any escalation in cyber activity linked to Iran could originate elsewhere. “What is more likely is that attacks would come from proxy forces or allied countries aligned with the Iranian regime,” Chan Tsin said.
Online chatter linked to Iranian-aligned hackers has already increased since late February, with hacktivist groups and advanced persistent threat (APT) actors posting warnings and claiming cyber operations against US and Israeli targets.
However, analysts caution that many of these claims are unverified. “Iranian-linked groups have historically overestimated their successes or claimed attacks they did not actually conduct,” Chan Tsin noted.
Iranian cyber actors are capable of a range of attacks, including DDoS campaigns, ransomware, credential theft and destructive “wiper” malware designed to erase systems.
Critical infrastructure operators, including utilities, government agencies and healthcare companies, are considered among the most vulnerable targets. Historically, Iran has used cyber attacks as a form of retaliation tied to geopolitical disputes.
“At this point we are still very much in the fog of war,” Chan Tsin said. “Until digital forensics investigations are completed, we cannot say whether Iranian actors were involved.”
Cyber insurers and incident response teams are monitoring developments closely, though Chan Tsin said it is still too early to detect a meaningful shift in cyber insurance claims.
Even if attacks were underway, attribution would take time. “Digital forensics investigations can take weeks,” he pointed out. “So even if we eventually saw claims linked to Iranian activity, we would not necessarily know that today.”
Nevertheless, Chan Tsin said policyholders have come forward with questions about geopolitical cyber risks. Iran has long been viewed as one of the most aggressive state-linked cyber actors, alongside Russia, China and North Korea.
But if attacks occur, they may rely on relatively simple tactics rather than highly sophisticated espionage campaigns.
“Iranian actors often go after poorly secured networks or internet-connected devices,” Chan Tsin said. “Their success often comes not from the sophistication of the attack but from open doors left by the victims.”
Given that likelihood, companies should focus on basic cyber security controls rather than assuming complex nation-state intrusions.
Chan Tsin highlighted three immediate steps businesses should prioritize. First, organizations should rapidly patch vulnerabilities and update network edge devices such as routers, firewalls and remote access systems.
Second, operational technology and industrial control systems should not be directly exposed to the public internet. Systems that manage physical infrastructure should be isolated behind firewalls or segmented networks whenever possible.
Finally, companies should strengthen identity security. Iranian actors have frequently used phishing campaigns, stolen credentials and password reuse to gain access to corporate systems. “Using strong, unique passwords, limiting access privileges and monitoring employee identities online can go a long way,” Chan Tsin said. Multi-factor authentication (MFA) remains one of the most effective safeguards.
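The three controls above (patched edge devices, OT kept off the public internet, and identity hygiene with MFA) can be turned into a repeatable self-check. The script below is an added illustration written for this article, not code from Cowbell or Insurance Business; the inventory format, the hostnames, the addresses (taken from the RFC 5737 documentation ranges) and the 30-day patch window are all constructed assumptions, and the "password_hash" field is an opaque token used only to detect reuse across accounts.

```python
"""Baseline-controls audit over a constructed asset and identity inventory.

Checks the three controls discussed above: stale network edge devices,
OT/ICS assets reachable from the public internet, and accounts without MFA
or with reused passwords. Inventory format and every value are constructed
for this example (hypothetical hostnames and documentation-range addresses).
"""
from collections import Counter
from datetime import date, timedelta
import ipaddress

# Constructed inventory: not real devices.
ASSETS = [
    {"name": "fw-edge-1", "role": "edge", "ip": "203.0.113.10", "last_patch": "2025-09-01"},
    {"name": "vpn-gw-1", "role": "edge", "ip": "203.0.113.11", "last_patch": "2026-02-20"},
    {"name": "plc-pump-3", "role": "ot", "ip": "198.51.100.7", "last_patch": "2024-01-15"},
    {"name": "hmi-plant-a", "role": "ot", "ip": "10.20.0.5", "last_patch": "2025-06-30"},
]

# Constructed identity records; password_hash is an opaque token, not a real hash.
ACCOUNTS = [
    {"user": "alice", "mfa": True, "password_hash": "h1", "privileged": True},
    {"user": "bob", "mfa": False, "password_hash": "h2", "privileged": False},
    {"user": "svc-backup", "mfa": False, "password_hash": "h1", "privileged": True},
]

# Assumed policy: an internet-facing device must have been patched within 30 days.
EDGE_PATCH_MAX_AGE = timedelta(days=30)

# RFC 1918 ranges; anything outside them is treated as internet-reachable.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def stale_edge_devices(assets, today, max_age=EDGE_PATCH_MAX_AGE):
    """Edge devices (routers, firewalls, remote access) whose last patch is older than max_age."""
    stale = []
    for a in assets:
        if a["role"] != "edge":
            continue
        if today - date.fromisoformat(a["last_patch"]) > max_age:
            stale.append(a["name"])
    return stale


def exposed_ot_assets(assets):
    """OT/ICS assets whose address is not in a private range, i.e. directly reachable."""
    exposed = []
    for a in assets:
        if a["role"] != "ot":
            continue
        addr = ipaddress.ip_address(a["ip"])
        if not any(addr in net for net in PRIVATE_NETS):
            exposed.append(a["name"])
    return exposed


def weak_identities(accounts):
    """Accounts lacking MFA, plus accounts sharing a password token with another account."""
    hash_counts = Counter(acc["password_hash"] for acc in accounts)
    no_mfa = [acc["user"] for acc in accounts if not acc["mfa"]]
    reused = [acc["user"] for acc in accounts if hash_counts[acc["password_hash"]] > 1]
    return {"no_mfa": no_mfa, "password_reuse": reused}


def audit(assets, accounts, today):
    """Run all three checks and return (severity, message) findings, most urgent first."""
    findings = []
    for name in exposed_ot_assets(assets):
        findings.append(("critical", f"OT asset {name} reachable from the public internet"))
    for name in stale_edge_devices(assets, today):
        findings.append(("high", f"edge device {name} unpatched for over {EDGE_PATCH_MAX_AGE.days} days"))
    ident = weak_identities(accounts)
    privileged = {acc["user"] for acc in accounts if acc["privileged"]}
    for user in ident["no_mfa"]:
        sev = "high" if user in privileged else "medium"
        findings.append((sev, f"account {user} has no MFA"))
    for user in ident["password_reuse"]:
        findings.append(("high", f"account {user} shares a password with another account"))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: order[f[0]])  # stable sort keeps check order within a level
    return findings


if __name__ == "__main__":
    for sev, msg in audit(ASSETS, ACCOUNTS, date(2026, 3, 6)):
        print(f"[{sev}] {msg}")
```

Run as-is, the audit flags the internet-reachable PLC first, then the firewall that has missed its patch window, the privileged service account without MFA and the two accounts sharing a password; the address check deliberately uses an explicit RFC 1918 list rather than `is_global`, because the documentation ranges used here are classified as non-global by the standard library and would otherwise be missed.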
For now, businesses and insurers alike must remain cautious. “At this stage, everything is still developing,” Chan Tsin said. “The best mindset for organizations is to assume attacks may happen and prepare accordingly.”