“As Iran considers its options, the likelihood increases that proxy groups and hacktivists may take action, including cyberattacks, against Israeli and U.S.-affiliated military, commercial, or civilian targets,” said Rafe Pilling, the director of threat intelligence with cybersecurity firm Sophos.
The attacks could include the amplification of old data breaches presented as new, unsophisticated attempts to compromise internet-exposed industrial systems, and potentially direct offensive cyber operations, Pilling said.
Activity in the Middle East has increased, said Cynthia Kaiser, a former top FBI cyber official and current senior vice president at anti-ransomware firm Halcyon. Kaiser said the firm has also seen calls to action from known pro-Iranian cyber personas who in the past have carried out hack-and-leak operations, ransomware attacks and distributed denial-of-service attacks (DDoS), which flood internet services rendering them inaccessible.
The current cyber activity may precede more aggressive operations, said Adam Meyers, senior vice president of counter adversary operations with CrowdStrike.
"CrowdStrike is already seeing activity consistent with Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating DDoS attacks," he said.
Cybersecurity firm Anomali said in an analysis shared with Reuters on Saturday that state-backed Iranian hacking groups were already carrying out "wiper" attacks that erase data on Israeli targets ahead of the strikes.
Although Iran is often mentioned by U.S. cyber officials alongside Russia and China as a threat to American networks, Tehran's previous responses to attacks on its soil have been muted.
In June, after the U.S. struck Iranian nuclear targets, there was little sign of the disruptive cyberattacks often invoked during discussions of Iran’s digital capabilities beyond a short-lived interruption of services in Tirana, Albania's capital, according to media reports.