By Arthur Kay
Security Correspondent
Tensions in the Middle East have spilled into the digital realm as Iranian hacking groups unleash a new wave of cyberattacks against Israel and the United States. Following recent physical missile strikes, security experts warn that state-sponsored actors are shifting tactics from espionage to destructive digital strikes. This surge puts critical infrastructure and government agencies on high alert for potential disruptions.
Digital Probing Precedes Major Attacks
Cyber warfare often begins in silence long before any alarms go off. Security researchers have observed a sharp increase in advanced probing activities originating from Iran. These digital scans are testing the locks on mobile apps and government communication channels.
A recent analysis by mobile security firm Approov indicates that hackers began targeting Application Programming Interfaces, or APIs, earlier this month. APIs act as bridges between different software programs. If a hacker compromises an API, they can access sensitive data flowing between mobile apps and servers.
“Iranian groups seemed to be placing malware on systems before open military action began,” said JP Castellanos, the threat intelligence director at Binary Defense.
This tactic is known as pre-positioning. Attackers quietly install tools inside a network and wait. They do not attack immediately. Instead, they maintain access so they can launch disruptive strikes the moment a conflict escalates.
Cotton Sandstorm and Deceptive Tactics
One specific group has drawn significant attention from intelligence analysts during this conflict. Known as Cotton Sandstorm, or sometimes Haywire Kitten, this hacking team has deep ties to Iran’s Islamic Revolutionary Guard Corps.
Their methods are deceptive and highly technical. Researchers at Check Point have tracked the group using a specific tool called WezRat. This software functions as a digital spy. It steals files and records keystrokes without the user knowing.
Common Tactics Used by Cotton Sandstorm:
- Spearphishing: Sending emails that look like urgent software updates to trick employees.
- Fake Ransomware: Encrypting data to look like a criminal financial demand when the goal is actually destruction.
- Social Engineering: Creating fake personas on social media to gather intelligence from targets.
While some groups rely on sophisticated code, others rely on fear. Analysts have noted a rise in “hack-and-leak” operations. In these scenarios, hackers claim they have breached a secure system and leak documents to cause panic. Sometimes, the claims are exaggerated to create psychological pressure on the public.
US Infrastructure Faces Heightened Risk
Most confirmed attacks in this recent wave have hit targets in Israel and the Persian Gulf. However, American organizations remain a primary target for Iranian cyber operators. The United States often shares intelligence and infrastructure with allies in the region.
Federal agencies have previously warned that Iranian actors target Operational Technology, or OT, systems. These are the computers that control physical machinery in water plants, energy grids, and factories.
Sectors Under Highest Alert:
- Water and Wastewater Systems: Facilities often use older technology with default passwords.
- Energy Providers: Power grids remain a top priority for state-level disruptors.
- Defense Contractors: Companies in the supply chain for military equipment.
In previous incidents, hackers defaced screens at water facilities to show anti-Israel messages. While those attacks caused limited physical damage, they proved that adversaries could access the controls of vital life-safety systems.
Preparing for a Long Cyber Conflict
Experts agree that this is not a temporary spike in activity. It appears to be part of a long-term strategy involving espionage, psychological warfare, and sabotage. The line between physical war and cyber war continues to blur.
Disinformation campaigns are expected to grow alongside technical attacks. Bots on platforms like X (formerly Twitter) and Instagram may spread false reports of infrastructure damage. The aim is to confuse the public and sow doubt about government capabilities.
Security firms urge all organizations to take immediate defensive steps.
- Patch Systems: Update all software immediately to close known loopholes.
- Verify Access: Remove old user accounts that are no longer needed.
- Train Staff: Teach employees to spot phishing emails that pretend to be system updates.
The digital front of this conflict is active and invisible. Organizations in the US must treat these threats as an immediate reality rather than a theoretical risk.