Five days into US and Israel's war with Iran, the worst predictions for cyber-retaliation have yet to materialize. But Iran has built one of the world's most active cyber operations, which means this is likely a temporary reprieve, experts warn.

At the weekend, both the UK National Cyber Security Centre (NCSC) and the Canadian Centre for Cyber Security (CCCS) issued general warnings of the threat posed by Iranian cyber campaigns. The US Cybersecurity and Infrastructure Security Agency (CISA), meanwhile, has yet to update its last warning, from October.

"There is almost certainly a heightened risk of indirect cyber threat for those organizations and entities who have a presence, or supply chains, in the Middle East," said the NCSC, stating the obvious.

Canada's CCCS was at least willing to set out some of the possibilities: "Iran will very likely use its cyber program to respond to the joint US and Israel combat operations against Iran," it said. The agency urged organizations to look beyond the background noise of opportunistic DDoS attacks and other low-level cyber-activity for more sinister threats such as ransomware and destructive wiper attacks.

The general nature of the warnings underlines the problem of alert fatigue: If attacks are an ever-present threat, what should organizations pay attention to? Does the arrival of kinetic war change this, or simply alter its timescale?

APTs and wiper malware

Security companies are rarely shy about advertising Iranian threats. Despite this, the consensus is that Iranian cyber-retaliation has so far been surprisingly mild. This might simply be a period of adjustment caused by disruption to Iran's energy and Internet infrastructure, they caution.
To date, active groups divide into three overlapping categories: those primarily targeting Middle-Eastern infrastructure, those oriented towards targets in the West (which includes specialized advanced persistent threat (APT) groups), and smaller proxies based outside of Iran whose targeting is unpredictable.

On March 2, Palo Alto's Unit 42 said, "State-aligned cyber units may be acting in operational isolation, which could result in deviations from previously established patterns. Additionally, Iranian command and control degradation may also lead to tactical autonomy for cells outside of Iran."

DDoS represents the biggest immediate threat. So far, this has not come to pass on any scale, with Cloudflare CEO Matthew Prince posting on X on Sunday that Iranian-linked DDoS attacks were actually down. This was despite CrowdStrike reports that the Hydro Kitten group had issued DDoS threats against the US banking sector, which led to short-term disruption.

Security company Radware detected 149 DDoS attacks that appeared to be connected to Iran between February 28 and March 2, the majority targeting government entities in the Middle East. All but a tiny percentage were driven by just three hacktivist groups, Keymous+, DieNet, and Conquerors Electronic Army, the company said.

Destructive 'wiper' attacks are a more pressing worry. The precedent for this is the infamous Iranian Shamoon malware of 2012, which wiped 30,000 workstations at oil company Saudi Aramco. While attempted follow-up attacks have also targeted the energy sector, the danger is that in a time of war any target will do, in the US or elsewhere. Security vendor Anomali warned, "Iran's wiper arsenal includes 15+ families (ZeroCleare, Meteor, Dustman, DEADWOOD, Apostle, BFG Agonizer, MultiLayer, PartialWasher)."

The biggest concerns are high-profile APT groups associated with the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS), which have a proven track record of attacks.
This includes APT35/APT42 (Charming Kitten, Phosphorus) and APT33 (Elfin Team). Curiously, one of the most active Iranian APTs, APT34 (OilRig), appears to have gone silent, having not been detected for a week. "This likely indicates covert pre-positioning, not inactivity," said Anomali.

Security company Tenable has published a useful summary of the most important Iranian threat groups, which discusses the tools, techniques and procedures of each.

Targeting and response

According to Adrian Cheek, a senior cybercrime researcher at Canadian threat intelligence company Flare, the most at-risk sectors are critical infrastructure, including the defense and government supply chain, financial services, energy, and healthcare.

"Water, energy, and healthcare sectors are currently the most exposed. These sectors combine high targeting priority with weak baseline security, particularly in operational technology environments. Financial services face high targeting priorities but generally have stronger defenses," said Cheek.

Iranian groups will first look for known weaknesses in operational technology and industrial control systems. "Every US multinational with Gulf region operations should brief regional personnel on heightened physical and cyber threats. Implement phishing-resistant MFA (FIDO2/WebAuthn) where possible. Remove unmanaged Remote Monitoring and Management (RMM) tools," he said.

Organizations should also urgently monitor for wiper malware, ensure endpoint systems are primed to detect Shamoon variants, and patch VPN and other edge devices, another favored Iranian target, Cheek said.

A big unknown is the effect AI might have on this type of conflict, suggested Dean Valentine, CEO of application security company ZeroPath. "The advent of frontier models with strong cybersecurity capabilities lowers the floor for participation in destructive cyberattacks. Before this year there were only a few countries that were heavily active in cyberspace.
Now any country or criminal organization can get a team of 5 to 10 not-particularly-skilled engineers together and do major damage," he said.

While Iran's offensive cyber-capability had been greatly reduced by US and Israeli attacks, AI was quietly putting potent disruption into the hands of more geographically distributed groups, he warned. "All of this means that in the near future poor countries like Iran are probably going to be much more capable of lashing out, by taking down large fractions of our internet infrastructure."

This article first appeared on CSO.