
Iran and the Expanding Cyber Front: What Government Leaders Need to Know



This OpEd was originally published in S.C. Media.

March 2026

Author: Michael R. Centrella, ICIT Fellow and Head of Public Policy, SecurityScorecard


When conflict escalates in the Middle East, the battlefield is never limited to geography. It extends into energy grids, government networks, transportation systems, and financial infrastructure.

The current war involving Iran is no exception. While missiles and airstrikes dominate headlines, the parallel cyber dimension may prove equally consequential, particularly for regional governments, critical infrastructure operators, and U.S. state and local agencies connected through global supply chains.


Cyber is no longer just a supporting capability. It is an active part of the battlefield.


The strategic backdrop: Why Iran's history matters

Iran has long had a layered security model designed to preserve internal control while projecting asymmetric power abroad. The Islamic Revolutionary Guard Corps (IRGC) evolved into not just a military organization, but an intelligence, economic, and cyber force multiplier.


A defining moment came in 2010 with the Stuxnet operation that targeted Iran's Natanz nuclear facility. The malware in the attack sabotaged centrifuges, disrupting Iran's nuclear program.


The attack demonstrated that offensive cyber operations could create physical consequences. For Iran, it reinforced a lesson: Cyber capabilities provide deniable, scalable retaliation without immediate conventional escalation.


Since then, Iran has invested heavily in building offensive cyber capacity both directly and through aligned proxy actors.


SecurityScorecard's STRIKE Threat Intelligence Team revealed that during the 12-day war in 2025, Iranian state actors, proxies, and hacktivists ideologically aligned with Iran orchestrated cyberattacks against perceived adversaries, complete with reconnaissance, recruitment, defacement, data theft, data dumps, phishing, and malware delivery.


Iran's cyber capabilities: Asymmetric by design

Iran does not need to match larger powers technically across every domain. Its strategy is focused, opportunistic, and disruptive.


Iran-linked actors are widely associated with:

  • Credential harvesting and password spraying at scale

  • Exploitation of internet-facing infrastructure (VPNs, email gateways, remote management tools)

  • Distributed denial-of-service (DDoS) campaigns for signaling and disruption

  • Data theft paired with timed leaks and influence amplification

  • Selective use of destructive malware or "wipers"


Their model blends state operators, contractors, and proxy or "patriotic" hacking groups. This creates volume, plausible deniability, and rapid surge capacity.


For instance, according to the STRIKE research, Iranian proxies and Iranian-aligned groups proactively targeted those sympathetic to Israel during the 12-day war in 2025. The research revealed that the Iranian hacking group known as Imperial Kitten had developed planning or tasking cycles that operate in sync with conflict flashpoints.


In periods of heightened geopolitical tension, DDoS and ransomware-style disruptions tend to increase because they create visible disruption without crossing strategic red lines.


Iran is not alone in blending cyber-operations with kinetic, physical military operations. For example, Russian government-linked hackers have frequently launched hacking operations in concert with or as a prelude to physical conflict.


In 2026, cyber-operations act as a transmission mechanism between geopolitical conflict and everyday life, converting strategic competition into tangible disruption across critical infrastructure, commerce, healthcare, and public trust.


Where the cyber spillover lands

When regional war escalates, the cyber effects rarely stay contained. They can cause a cascade of unexpected problems for both civilians and military personnel.


Energy and Gulf infrastructure

Energy facilities, refineries, shipping terminals, and pipeline logistics are high-value symbolic and economic targets. Even limited disruptions can generate market volatility and public anxiety. For instance, U.S. officials have previously linked Iran to the 2012 Shamoon cyberattack on Saudi Aramco, which delayed oil production.


Government agencies and public services

State and municipal networks are frequently softer targets than national defense systems. Citizen portals, law enforcement networks, health systems, and emergency management platforms all become attractive avenues for disruption.


State and local agencies cannot assume that distance equals insulation. State and local agencies don't get to opt out of geopolitics. In 2023, during the Israel-Hamas war, an Iran-aligned group, the Cyber Av3ngers, claimed responsibility for targeting an Israeli electric contractor. When tensions in the region escalate, ransomware crews, hacktivists, and state operators all look for the easiest door into adversaries' systems, often through third parties.


Transportation and aviation

Airports, maritime logistics systems, and cross-border freight platforms offer leverage. Disruption to reservation systems, port operations, or customs processing can have cascading economic consequences.


Third-party and supply-chain exposure

Perhaps the most significant risk vector is indirect. It is leveraged through third parties, managed service providers, SaaS platforms, identity systems, file-sharing software, and remote IT tools that connect multiple agencies and critical infrastructure entities.


A single compromised vendor can ripple across dozens of organizations simultaneously. In wartime conditions, attackers pursue the path of least resistance.


The leadership challenge: Operating in the "fog of cyber"

During geopolitical escalation, leaders face three immediate questions:

  1. What is our most exposed piece of infrastructure today?

  2. Which third parties increase systemic risk?

  3. What risk can we reduce within the next 72 hours?


This is where clarity becomes decisive. The question isn't whether the cyber front will expand. It's whether organizations can shrink their attack surfaces faster than adversaries can exploit them.


Cyber spillover risk: Why governments must prepare beyond the physical battlefield

Any conflict with Iran will be analyzed through military and diplomatic lenses. But the cyber domain is already part and parcel of modern warfare. In any escalation, cyber operations can have a broad spillover impact, touching governments, utilities, transportation systems, and citizens far beyond the immediate conflict zone.


The battlefields of 2026 do not stop with physical territory. Resilience will depend on how quickly organizations can see risk, prioritize action, and shrink their attack surfaces before adversaries move.


Michael R. Centrella is an ICIT Fellow and a nationally recognized security executive and former senior federal law enforcement leader with more than 26 years of experience protecting national leaders, critical infrastructure, and financial systems from complex cyber and transnational threats. He most recently served as Assistant Director of the U.S. Secret Service’s Office of Field Operations, leading the agency’s largest operational directorate with more than 3,000 personnel across 162 global offices.


Following his federal service, Mr. Centrella joined SecurityScorecard as Head of Public Policy, where he works at the intersection of cybersecurity, government affairs, and business strategy to strengthen public-private partnerships and enhance resilience across government and critical infrastructure ecosystems.


About ICIT

The Institute for Critical Infrastructure Technology (ICIT) is a nonprofit, nonpartisan, 501(c)3 think tank with the mission of modernizing, securing, and making resilient critical infrastructure that provides for people’s foundational needs. ICIT takes no institutional positions on policy matters. Rather than advocate, ICIT is dedicated to being a resource for the organizations and communities that share our mission. By applying a people-centric lens to critical infrastructure research and decision making, our work ensures that modernization and security investments have a lasting, positive impact on society. Learn more at www.icitech.org.


