NCSC: No increase in cyber threat from Iran, but be prepared
While cyber threat levels remain stable following the outbreak of war in the Middle East at the weekend, at-risk organisations in the UK should take steps now to ward off potential reprisals from Iran-linked threat actors.
In the wake of a major series of new US and Israel-led attacks on Iran and subsequent retaliatory strikes on Gulf states including Bahrain, Kuwait and the UAE, the UK’s National Cyber Security Centre (NCSC) has reassured British organisations that there is likely no significant change in the direct cyber threat posed by Iranian actors.
But it added that, despite the attacks, Iranian state threat actors likely retain some ability to conduct cyber attacks and that, more widely, there is a risk of collateral impacts – such as distributed denial of service (DDoS) attacks – originating from hacktivist groups sympathetic to Iran.
And, as the spreading conflict threatens to draw in the UK, the GCHQ-backed cyber agency said this assessment was subject to change at short notice, and that there was almost certainly a heightened risk of indirect cyber threat for any UK organisations with a presence in the Middle East.
“In light of rapidly evolving events in the Middle East, it is critical that all UK organisations remain alert to the potential risk of cyber compromise, particularly those with assets or supply chains that are in areas of regional tensions,” said NCSC director for national resilience, Jonathon Ellison.
“Today, the National Cyber Security Centre has published an alert outlining the current cyber threat to the UK and the practical steps organisations should take in response.
“This includes engaging with our guidance to reduce the likelihood of falling victim to an attack where the cyber risk is heightened, and how critical national infrastructure organisations can prepare for and respond to severe cyber threats.
“Organisations are strongly encouraged to act now, following the recommended actions to prioritise and strengthen their cyber security posture,” said Ellison.
Global conflict
Although no European states have taken part in the initial strikes, Dennis Calderone, principal and chief technology officer (CTO) at Suzu Labs, said that European organisations still needed to pay attention.
“Iran's cyber operations don't stop at US borders, and the proxy groups operating on Iran's behalf are even less predictable in their targeting,” said Calderone. “When the motivation is retaliation and the conventional military is gone, cyber operators cast a wide net.
“Since it appears that conventional military options are looking increasingly to be off the table, cyber is what Iran has left,” he added.
“And even with their own internet down, pre-positioned implants and operators based outside Iran can still execute. If you're in energy, water, financial services, or defense, assume you're a target. Start hunting for anomalous access in your environment now. Don't wait for something to break.”
James Turgal, vice president of global cyber risk and board relations at Optiv, said that over the next 30 days or so, there will likely be a surge of cyber activity linked to Iran, including website defacements, DDoS attacks, doxxing and leaks, and disruptive intrusions designed to create symbolic impact and public fear. This will likely include influence operations.
Threat actors will likely opportunistically exploit vulnerabilities in unpatched, internet-facing systems, and take advantage of other cyber weaknesses, such as exposed VPNs, and badly-secured operational technology (OT) or industrial control systems (ICS).
Within 72 hours, at-risk organisations should move to lock down internet-facing exposures, verify that those systems are patched and up to date, remove or limit unnecessary remote admin surfaces, rotate any exposed credentials, and validate that multifactor authentication is enforced on all remote access, said Turgal. CNI operators should also review their OT and ICS segmentation and monitoring.
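The first two items on that 72-hour list – knowing what is reachable from the internet and removing remote-admin and OT protocol exposure – are an inventory-and-probe exercise. The Python script below is an added example, not from the NCSC alert or from any of the people quoted: it probes hosts for a table of ports that should rarely be reachable from the internet, and orders findings so OT/ICS protocols come before remote-admin services, matching the segmentation review Turgal recommends for CNI operators. The port table, the category labels and the loopback demo run are assumptions constructed for illustration; probe only hosts you are authorised to test.

```python
"""Audit internet-facing hosts for exposed remote-admin and OT/ICS services.

Added example, not from the NCSC alert or the article. The service table,
the category labels and the loopback demo are constructed for illustration.
Only probe hosts you are authorised to test.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports that should rarely be reachable from the internet. Categories are an
# assumption: "ot" ranks above "admin" so the ICS segmentation review comes first.
RISKY_PORTS = {
    22: ("ssh", "admin"),
    23: ("telnet", "admin"),
    445: ("smb", "admin"),
    3389: ("rdp", "admin"),
    5900: ("vnc", "admin"),
    5985: ("winrm", "admin"),
    5986: ("winrm-https", "admin"),
    102: ("siemens-s7comm", "ot"),
    502: ("modbus-tcp", "ot"),
    20000: ("dnp3", "ot"),
    44818: ("ethernet-ip", "ot"),
    47808: ("bacnet", "ot"),
}
_ORDER = {"ot": 0, "admin": 1, "other": 2}


def port_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def classify(open_ports):
    """Map open ports to findings: OT protocols first, then remote admin,
    then anything not in the table. Pure function, so it can also be run over
    an existing inventory (nmap or Shodan export) without probing anything."""
    findings = []
    for port in set(open_ports):
        service, category = RISKY_PORTS.get(port, ("unknown", "other"))
        findings.append({"port": port, "service": service, "category": category})
    return sorted(findings, key=lambda f: (_ORDER[f["category"]], f["port"]))


def audit_host(host, ports=None, timeout=1.0, workers=16):
    """Probe host on the given ports (default: every port in RISKY_PORTS)
    concurrently and return the classified findings."""
    ports = list(RISKY_PORTS) if ports is None else list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, port_open(host, p, timeout)), ports)
    return classify(p for p, is_open in results if is_open)


def audit(hosts, **kwargs):
    """Audit several hosts; returns {host: findings}, dropping clean hosts."""
    report = {}
    for host in hosts:
        findings = audit_host(host, **kwargs)
        if findings:
            report[host] = findings
    return report


def loopback_demo():
    """Offline, self-contained run: open one listener on 127.0.0.1 and probe
    it alongside an ephemeral port known to be closed. Returns
    (open_port, closed_port, findings) so behaviour can be checked without
    touching the network. Constructed demo, not a real audit."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    probe = socket.socket()        # grab a second ephemeral port, then
    probe.bind(("127.0.0.1", 0))   # release it so it is closed when probed
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        findings = audit_host("127.0.0.1", ports=[open_port, closed_port])
    finally:
        srv.close()
    return open_port, closed_port, findings


if __name__ == "__main__":
    print(loopback_demo())
    # Real use, authorised hosts only, e.g.: print(audit(["vpn.example.com"]))
```

`classify()` is deliberately separated from the probing so the same ranking can be applied to an existing external-attack-surface export, and so the ordering can be checked without any network access; `audit_host()` only adds the concurrent TCP connect on top of it.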
More widely, security leaders should take steps to protect user identities against potential intrusion, and ensure their infrastructure is hardened against DDoS attacks.
Blended threat
Halcyon’s Cynthia Kaiser, who was previously deputy assistant director of the FBI’s cyber division, said she was already seeing increased activity in the Middle East, and calls to action from hacktivists, DDoS botnet operators, and ransomware gangs.
“Iran has a long track record of using cyber operations to retaliate against perceived political slights…. Tehran’s cyber playbook has been aggressive and evolving,” she said.
“Increasingly, ransomware is incorporated into these escalating operations. Last year, an Iranian national pleaded guilty to ransomware attacks that crippled Baltimore and other US municipalities, causing tens of millions in damages. Since at least 2017, Iranian operators have targeted US critical infrastructure … with ransomware campaigns that blur the line between criminal extortion and state-sponsored sabotage.”
In practice, Kaiser explained, Iranian cyber ops blend state sponsorship, personal profiteering, and outright criminal behaviour. For example, she said, financially-motivated hackers may attempt to monetise access gained through government-funded campaigns.
Like Moscow, she added, Tehran turns a blind – or at least indifferent – eye to criminal cyber ops against shared enemies such as the US, Israel and their regional allies.
“Having access to cyber criminals gives the government options. As Iran considers its response to US and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact,” said Kaiser.