Iran’s cyberwar has begun
Summary
Iran-linked actors have escalated cyber operations following recent US and Israeli missile strikes. Security firms report a surge in spying, targeted probing of APIs and mobile apps, distributed denial-of-service (DDoS) activity, and staged malware deployments aimed at Israel and Gulf states. Analysts warn that attacks on US-linked organisations are likely to follow.
Researchers attribute activity to groups tied to the IRGC — notably Cotton Sandstorm (aka Haywire Kitten) — using tools such as the WezRat infostealer and, in some cases, WhiteLock-style ransomware. Operations mix reconnaissance, influence campaigns and disruptive intrusions; some claims circulating on social media are likely disinformation. Experts advise heightened vigilance, patching and supply-chain monitoring.
Key Points
- Immediate increase in cyber probing and espionage linked to presumed Iranian actors since early February, intensifying after recent strikes.
- Targets so far are Israel and Gulf countries, but analysts warn US-linked organisations should expect attacks soon.
- Cotton Sandstorm / Haywire Kitten and affiliated fronts have used WezRat infostealer and staged ransomware operations (e.g. WhiteLock).
- Activity includes API/mobile-app probes, spearphishing, DDoS, malware staging, and influence/disinformation campaigns.
- Some groups claim access to industrial control systems across the region; claims may be exaggerated and used for psychological effect.
- High-risk organisations include defence contractors, government suppliers, and companies using Israeli-made OT/industrial equipment.
- Defence advice: patch critical systems, review supply chains, reinforce security awareness, and treat social-media claims cautiously.
Context and relevance
This escalation ties cyber operations directly to kinetic strikes and reflects a known IRGC playbook: pre-positioning malware, heavy reconnaissance, followed by disruptive attacks and disinformation to amplify impact. The behaviour mirrors past Iran-linked campaigns against infrastructure and is significant for any organisation with US or Israeli links, or those operating critical systems in the region.
Why should I read this?
Quick and blunt: if you look after security, patching, or supplier risk, you need to know this now. We’ve read the detail so you don’t have to — the upshot is simple: expect more noise and probes, treat social-media claims with scepticism, and tighten the basics (patching, MFA, supply-chain checks).
Author style: Punchy — this is urgent for infosec teams and anyone connected to high-value or Israel/US-linked infrastructure; worth prioritising the recommended mitigations.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/03/02/cyber_warfighters_iran/
