Beyond wipers: Iran-backed cyber attacks and the threat to businesses

What’s the real risk to business in the US and UK during this critical situation?


Over the last few years, the threat from Iran-based cyberattacks has been quietly growing. The country was not previously seen as the most capable nation state, compared to its fellow CRINK adversaries, but when Israel and the US hit Iran with airstrikes at the end of February, along with cyber operations, the threat began to escalate.

At the start of March, the UK National Cyber Security Centre (NCSC) issued a warning that there “is almost certainly a heightened risk of indirect cyber threat” for organizations that have a presence or supply chains in the Middle East.

Then in mid-March, a suspected Iran-linked cyberattack disrupted global systems at medical technology giant Stryker.

US-based security firm DigiCert has tracked 5,800 cyberattacks mounted by 50 different groups tied to Iran. So what’s the real threat to business in the US and UK during the current critical situation?

The current threat

From a tactical point of view, Iran’s plan is to “leverage global economic pain through any means”, according to Ian Thornton-Trump, CISO at Inversion6.

This includes cyber attacks to allow the regime to stay in power, he explains. “Iran aims to survive and extract concessions by weaponizing vulnerabilities in energy supply chains and chokepoints, with cyber operations as cost‑effective force multipliers.”

Adding to complexity, it isn’t always clear who is perpetrating attacks. Using proxies and cyber fronts helps Iran “maintain legal and attributional fog”, complicating retaliation and “keeping the country below thresholds that would unify great‑power opposition”, according to Thornton-Trump.

Handala – the group that claimed it had attacked Stryker in retaliation for US strikes – is widely regarded as a front for Iran's Ministry of Intelligence. In the March attack, the hacking collective claimed to have wiped more than 200,000 devices and forced Stryker to shut down offices in dozens of countries. This attack is relevant to businesses, experts say.

“We need to be alert to how it weaponised Microsoft Intune, the same legitimate device management tool in widespread use in UK business, to trigger mass remote wipes,” says Rob Anderson, head of reactive consulting services at Reliance Cyber.

Covert attacks

Wipers are a long-time tactic of Iran, and will continue to pose issues. But another thing to be aware of is how the nationwide internet outage since 28 February is impacting the cyber environment in Iran, according to the US Center for Strategic and International Studies.

The current blackout could “function as a defensive cyber tool for the regime to reduce the effectiveness of additional cyber intrusions and information operations from outside the country”, it said. At the same time, connectivity loss complicates attribution of future cyber incidents, obscuring whether disruptions originate from state-imposed controls or external cyberattacks.

Meanwhile, there is another immediate cyber threat from “the activation of long-standing access within Western networks”, according to Ruth Wandhofer, head of European markets at Blackwired.

For businesses across the globe, the real threat is “a long tail of proxy actors, diaspora hacktivists and pre-planted access that was quietly embedded in Western networks long before the first missile flew”, agrees Anderson. “These cells don't need Tehran online to act. Despite the blackout, approximately 60 hacktivist groups, including pro-Russian collectives, activated outside Iran within days of the strikes.”

For years, Iranian-aligned actors have “quietly implanted malware, compromised credentials and maintained persistent footholds in sectors such as healthcare, logistics, aviation and energy”, Wandhofer says.

At the same time, Iran-linked hackers are still using traditional techniques such as wiper malware, phishing, credential theft and remote access tools. “But they are now deployed in coordinated campaigns – as seen in the Stryker attack,” says Wandhofer.

Iran could also ramp up its use of distributed denial of service (DDoS) attacks, which are not necessarily sophisticated, but can be disruptive.

Travis DeForge, director of cyber security at Abacus, describes how Iran-linked adversaries could hit public sector and critical services with DDoS. “Not only is it extremely disruptive, they also get a big pay-off in propaganda value.”

Business targets for Iran-backed hackers

Any public sector or critical infrastructure organization is a target for Iran, as is any company with a presence in the Middle East, according to DeForge. “That can extend to obvious supply chain links,” he adds.

Energy, healthcare, defense supply chains and financial services top the list. US defense contractors, government vendors and businesses with Israeli ties face “the sharpest direct exposure”, says Anderson. “But critical infrastructure such as hospitals, ports, water plants and railways are squarely in scope too.”

Iran amplifies kinetic pressure by “probing for cascading failure in digitally-interconnected energy and trade systems”, says Thornton-Trump. “These include port operations and shipping lanes to refineries and grids, accelerating market panic and political pressure on its adversaries.”

OilRig and other Iran‑linked groups show a persistent focus on energy, finance, telecoms and supply‑chain infiltration techniques, according to Thornton-Trump. He says threat intelligence overviews show evolution towards “identity‑centric cloud intrusions, wipers, and psychological ops aligned to crises”.

Businesses in both the UK and the US are at risk from Iranian cyber attacks. However, the US is “the primary target by some distance”, says Anderson. “It carries the vast majority of identified asset exposure, with healthcare and government the most affected sectors.”

The UK's risk is more indirect, but shouldn't be dismissed. “With Iranian actors going after cloud identity infrastructure, the supply chain risk travels fast and doesn't respect geography,” Anderson warns.

Protecting your business

The risk of attack is growing, but most firms can boost resilience by ensuring foundational security hygiene. “The to-do list isn't glamorous, but it is urgent,” according to Anderson. “Patch systems, keep firewalls current, enforce multi-factor authentication (MFA) and remove stale accounts. Scrutinise who holds privileged access to device management platforms such as Intune.”

With supply chains likely to be hit, the security of partner organizations must also be re-examined, with greater due diligence applied to third-party risk and access controls, according to DeForge.

As with any threat, businesses should “treat cyber conflict as a board-level operational risk”, says Wandhofer. Immediate priorities include “reducing reliance on legacy systems, improving patch management and addressing known vulnerabilities that attackers frequently exploit”, she says.

CISOs in energy, maritime, finance, and water should “assume targeted system probing during kinetic peaks,” says Thornton-Trump. He recommends MFA on remote access, removing publicly-exposed operational technology and eradicating default credentials, as well as ensuring segmentation and “immutable backups”.

Firms should have an incident response plan in place and expect identity‑centric intrusions from Iran-linked attackers such as APT 33 and 34, Thornton-Trump warns. “Harden cloud and identity and access management and monitor for wiper precursors and proxy‑linked information ops designed to induce panic.”
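One concrete way to act on the advice above (scrutinising who can issue wipes through a device-management platform, and monitoring for wiper precursors) is to alert when a single account issues an unusual burst of destructive MDM actions. The following is an added example written for this article, not code from any vendor or from the experts quoted; the audit-event fields, the account names and the action vocabulary (“wipe”, “retire”) are constructed assumptions, not Intune's real export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that destroy data on the endpoint; an unusual burst of these from one
# account is the "wiper precursor" pattern worth alerting on. (Assumed vocabulary.)
DESTRUCTIVE_ACTIONS = {"wipe", "retire"}

def _event(time, actor, action, device):
    # Constructed, simplified audit-event shape; real MDM exports use other field names.
    return {"time": time, "actor": actor, "action": action, "device": device}

# Constructed sample log: a help-desk account doing two routine wipes 35 minutes
# apart, and a privileged account issuing 12 wipes plus a retire inside one minute.
SAMPLE_EVENTS = (
    [_event(f"2026-03-15T01:{m:02d}:00Z", "helpdesk@example.test", "wipe", f"LT-{m:03d}")
     for m in (5, 40)]
    + [_event(f"2026-03-15T02:10:{s:02d}Z", "svc-mdm-admin@example.test", "wipe", f"WS-{s:03d}")
       for s in range(0, 60, 5)]
    + [_event("2026-03-15T02:11:00Z", "svc-mdm-admin@example.test", "retire", "WS-999")]
)

def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_wipe_bursts(events, threshold=5, window_minutes=10):
    """Return {actor: peak_count} for every actor that issued at least `threshold`
    destructive actions inside any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    times_by_actor = defaultdict(list)
    for ev in events:
        if ev["action"].lower() in DESTRUCTIVE_ACTIONS:
            times_by_actor[ev["actor"]].append(_parse_time(ev["time"]))

    alerts = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink the window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts

if __name__ == "__main__":
    for actor, count in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {count} destructive MDM actions within 10 minutes")
```

Tune `threshold` and `window_minutes` to your own baseline of legitimate wipes (device refresh cycles, offboarding), and feed the alert into the same review that checks which accounts hold the privilege at all.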

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.