Escalating tensions between the United States, Israel, and Iran are prompting renewed attention to cyber risk among Western organizations. Cybersecurity specialists note that geopolitical developments often coincide with increased cyber activity targeting infrastructure, financial institutions, and government agencies.
However, analysts caution that the most immediate cyber threats may not originate directly from Iranian government units. Instead, allied groups, hacktivists, and proxy actors could attempt to exploit geopolitical tensions.
Matthieu Chan Tsin, SVP of resilience services at cyber insurance provider Cowbell, said several developments may be influencing where cyber threats originate.
“From a natural point of view, most escalation of cyber threats would come from actors on the ground in Iran, many of whom are tied to the Islamic Revolutionary Guard Corps,” Chan Tsin told Insurance Business. “But recent events suggest that direct cyber operations from inside Iran may actually be limited right now.”
Potential Constraints on Iran’s Cyber Operations
Iran has historically been considered a significant cyber actor. Past campaigns have targeted infrastructure, financial institutions, and government agencies in the United States and its allies. US authorities have previously warned that Iranian hackers conducted disruptive cyber incidents, including distributed denial-of-service attacks and destructive malware operations.
However, Chan Tsin pointed to three developments that may be limiting Iran’s cyber capabilities in the near term.
First, Iranian cyber units may have redirected resources toward domestic activity. Protests against the Iranian government over the past two years have required authorities to focus surveillance and cyber operations internally rather than internationally.
Second, Israel reported on March 4 in a post on X that it struck a compound in Tehran that included a cyber warfare headquarters and an intelligence directorate facility. The extent of the reported damage remains unclear. However, Chan Tsin suggested that the strike could have disrupted parts of Iran’s cyber command infrastructure.
Third, internet connectivity inside Iran has reportedly declined sharply since late February. Data from internet monitoring organizations showed connectivity dropping to about 1 percent of normal levels during a near-total blackout. Analysts have not determined the cause, which could involve government restrictions or external cyber activity.
Taken together, these developments suggest that any cyber escalation associated with Iran could originate outside the country. According to Chan Tsin, attacks are more likely to come from proxy forces or allied groups aligned with the Iranian regime.
Increased Cyber Activity Claims Remain Uncertain
Since late February, online discussions connected to Iranian-aligned hackers have increased. Hacktivist groups and advanced persistent threat actors have posted warnings and claimed cyber operations against US and Israeli targets.
Nevertheless, analysts say many of these claims remain unverified.
“Iranian-linked groups have historically overestimated their successes or claimed attacks they did not actually conduct,” Chan Tsin said.
Iranian cyber actors are known to deploy several attack methods. These include distributed denial-of-service campaigns, ransomware attacks, credential theft, and destructive “wiper” malware designed to erase systems.
Certain sectors may face elevated exposure. Critical infrastructure operators, such as utilities, government agencies, and healthcare organizations, have historically been viewed as potential targets during geopolitical disputes.
“At this point we are still very much in the fog of war,” Chan Tsin said. “Until digital forensics investigations are completed, we cannot say whether Iranian actors were involved.”
Insurers Monitoring Developments
Cyber insurers and incident response providers are closely tracking developments. However, Chan Tsin said it is too early to determine whether geopolitical tensions are affecting cyber insurance claims.
Attribution in cyber incidents can take time. Digital forensics investigations often require weeks to determine the source of an attack.
“Digital forensics investigations can take weeks,” Chan Tsin said. “So even if we eventually saw claims linked to Iranian activity, we would not necessarily know that today.”
Even so, policyholders have raised questions about geopolitical cyber risks. Iran is often considered one of the more aggressive state-linked cyber actors, alongside Russia, China, and North Korea.
Chan Tsin noted that many attacks attributed to Iranian actors rely on basic vulnerabilities rather than highly complex techniques.
“Iranian actors often go after poorly secured networks or internet-connected devices,” he said. “Their success often comes not from the sophistication of the attack but from open doors left by the victims.”
Cybersecurity Controls Remain a Priority
Given that pattern, organizations may benefit from strengthening core cybersecurity practices.
Chan Tsin highlighted three immediate actions companies should consider. First, organizations should quickly patch known vulnerabilities and update network edge devices such as routers, firewalls, and remote access systems.
Second, operational technology and industrial control systems should not be directly connected to the public internet. Systems responsible for physical infrastructure should remain isolated behind firewalls or segmented networks whenever possible.
Third, companies should strengthen identity security practices. Iranian actors have frequently used phishing campaigns, stolen credentials, and password reuse to access corporate systems.
Measures such as strong and unique passwords, restricted access privileges, and monitoring employee identities online can help reduce risk. Multi-factor authentication also remains a widely used safeguard.
For now, cybersecurity specialists emphasize that developments remain fluid.
“At this stage, everything is still developing,” Chan Tsin said. “The best mindset for organizations is to assume attacks may happen and prepare accordingly.”
