March 27, 2026
Why do geopolitical tensions lead to higher risk of cyber-attacks?
We asked five questions to Mathieu Cousin, Cyber Risk Consulting & Threat Intelligence Strategist at AXA XL.
War today plays out on the ground, in the air – and in cyberspace. On the back of the ongoing conflict in the Middle East, we’re seeing increased cyber activity linked to events in the region. There’s no sign of secret weapons or unprecedented new techniques. For risk managers and cyber insurers, that means familiar threats in a more volatile context, and a strong need to get the basics right.
What has changed - and what has not - since the start of the war in Iran and the blockade of the Strait of Hormuz?
When geopolitical tensions rise, cyber activity follows. In this conflict, Iranian state-aligned and affiliated groups are using cyber operations as another way to respond.
What is important is perspective.
As highlighted by Google’s Threat Intelligence Group, we should not expect an entirely new class of attacks, but more frequent use of techniques we have seen over the past few years.
They are seeing:
- DDoS attacks and website defacements,
- Hacking and hack-and-leak operations,
- Social engineering and phishing campaigns,
- Malware, ransomware and, in some cases, destructive wiper tools.
The threat is real, but it is not unknown. Controls designed for these known techniques are still highly relevant - especially as attempts increase and targeting patterns shift.
Who is behind this recent surge of hostile activity?
Iran can call on a broad ecosystem of cyber actors.
- Hacking groups and sympathetic collectives
As of 6 March, more than 70 groups and collectives had publicly signalled support for Iran. They are primarily known for data leaks, defacements and disruptive DDoS attacks, often targeting websites, apps, APIs and other public-facing assets of organizations perceived to support the U.S. and Israel. So far, the most reported impact has been disruption and nuisance, not large-scale destruction.
- Iranian Advanced Persistent Threat (APT) groups
Groups such as APT33, APT42 and MuddyWater have a track record of more sophisticated campaigns. They combine spear phishing, social engineering, malware, ransomware, data exfiltration, and wipers. Recent research has found evidence of Iranian actors embedded in some U.S. corporate networks. At the same time, many new campaigns would still need to be built largely from the ground up, and bombardment and connectivity issues inside Iran are limiting some activity for now.
Do you observe a strategy that links cyber-attacks and physical damage?
One of the most striking developments is the link between ground operations and digital resilience.
Iranian drones have hit several AWS data centers in the region, causing disruption to digital operations for organizations relying on those facilities, though contingencies are likely to have been put in place in advance to maintain operations. More broadly, digital infrastructure - from data centers to telecoms - is now clearly a potential target for military combat.
That has two key implications. Regional disruption can quickly become a global business continuity issue. Meanwhile, disaster recovery and resilience plans are no longer theoretical – they’re being tested in real time.
For cyber insurance, this is exactly where coverage and services converge: outage-driven business interruption, cloud and technology dependencies, and the strength of an organization’s incident response and continuity planning.
Who is most exposed in the region according to you?
Historically, Iran-aligned actors have focused on U.S. and Israeli interests, including critical infrastructure, energy, defense, telecommunications and financial services in the region and beyond. Today, we see three broad groups of potential targets:
- U.S. and Israeli organizations
Especially those in critical infrastructure and key sectors, or with strong strategic or supply chain links to the parties directly involved. These organizations should maintain heightened monitoring and resilience measures against large-scale DDoS, ransomware, and potentially destructive malware.
- Local and global organizations in the wider region
Companies in countries seen as historic U.S. supporters – including Kuwait, Qatar, Bahrain and Saudi Arabia – face elevated risk, including opportunistic attacks. Large tech providers such as Google, Microsoft, Oracle and Amazon operate facilities in the region and are exposed to disruption, with potential knock-on effects for their clients.
- Organizations elsewhere seen as supporting enemies
Iran-backed actors targeted European organizations during the 2015 nuclear negotiations, and the Albanian government in 2022. Similar patterns could emerge whenever countries or organizations are perceived to act against Iranian interests.
Direct political involvement isn’t the only driver of risk. Perception, sector, partnerships and geography all matter - and are key factors in exposure assessment.
What should businesses do now to mitigate these risks?
Most organizations don’t need entirely new security stacks. They need to make sure existing controls are active, effective, and well tested.
In this environment, we recommend that businesses:
- Maintain strong situational awareness through internal teams and trusted threat intelligence sources,
- Keep security operations centers on heightened alert for phishing, social engineering, credential harvesting and DDoS attempts,
- Verify that core controls are working - including MFA, EDR/MDR solutions and email filtering,
- Keep asset inventories current and apply security patches promptly,
- Ensure incident response and crisis management plans are up to date, rehearsed and ready to activate,
- Raise awareness among employees, especially support and frontline teams, with focused guidance on conflict-themed phishing and impersonation attempts.
These measures do not just reduce the likelihood and impact of a loss. They also demonstrate good cyber hygiene, which is increasingly important for securing and maintaining cyber insurance on sustainable terms.
We are likely to see continued cyber activity linked to the conflict, including opportunistic attacks and potential spillovers to organizations far from the front line.
We are not facing a new category of unstoppable cyber weapons. We are facing more frequent use of well understood techniques by determined threat actors in a tense geopolitical environment.
The key is to stay vigilant, not alarmed.