After the United States and Israel began a bombing campaign on Iran, leading to the decapitation of its political and military leaders, the Middle East has erupted into waves of kinetic warfare. But what should we expect about cyber?

Iran has a formidable offensive cybersecurity capability and is considered one of the four most aggressive nations with respect to a willingness to direct cyberattacks against their adversaries. They have invested over the years to develop a mature set of capabilities and leverage external groups as proxies.

So far, we have seen drones damage three Amazon cloud facilities in the United Arab Emirates and Bahrain, and cyber-attacks from Iran-aligned hacking groups.

I expect more attacks to come in the near future. When the initial bombing occurred, two things happened that disrupted Iran’s cyber-attack coordination. First, the bombs disrupted communications networks. Second, their Supreme Leader and many of the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS) leaders were eliminated.

Military and cyber forces were effectively on-their-own, and began to act independently in their retaliatory attacks. Although some denial of service, data leaks, misinformation, and defacement attacks have occurred, large-scale campaigns have not materialized yet.

It has taken some time to reconstitute leadership roles and coordination efforts, but we are now heading into the likely timeframe that focused orders will be given to the cyber forces.

I expect many attacks to occur in the next few days. Hacking crews will leverage the tools they have available and exploit the vulnerabilities they have at hand in a rushed manner. They will be pressured to act quickly to inflict as much damage as possible.

The focus of these attacks will not be pursuing intelligence gathering, data breaches, ransomware, or extortion. Their goal will be simple, do as much damage as possible. Compromise systems, delete, corrupt, and burn down anything they can. This will be a destructive campaign targeting the Western nations and any Arab nations they perceive as allies.

The prioritized targets will be national critical infrastructures, such as electrical grids, transportation, communications, government and military networks, finance, water, and healthcare. Most of these sectors are run by private corporations. These targets will deliver the most impact to citizens, their economy, and health.

Secondary objectives will simply be targets of opportunity. The digital carpet-bombing tactic hopes to affect large numbers of organizations and people to amplify the overall fear, suffering, and political backlash.

Thirdly, there will be misinformation campaigns, but those will likely be delayed in favor of damaging attacks. They will not emerge and gain momentum until kinetic attacks begin to wane.

Right now is the time for critical infrastructure organizations to prepare, take extra steps to harden their environments, and reinforce their response capabilities.

In the next week or two, I expect Iran to deploy everything it can from a cyber perspective. Unless they get really lucky, most attacks on large Western nations will not make a material difference. They may cause limited disruption and damage, but they likely lack the highly complex and mature destructive self-propagating worms that it would take to bring down multiple critical infrastructure sectors simultaneously. Smaller nations may not fare as well and might require international recovery assistance.

It is important for cybersecurity leaders to keep a keen eye on how attacks develop, update their risk assessments, and communicate their recommendations to executive leadership in a timely manner.

As the military conflict in the Middle East moves into its next phase, we should expect cyber-attacks to intensify.

Iran, known for its advanced offensive capabilities, is poised to hit back with digital assaults aimed at causing maximum disruption.

Right now, Iran’s cyber leadership are reconstituting after the initial decapitation attack and will be coordinating assets to focus on destruction rather than espionage, extortion, or data theft. Small nations might be especially vulnerable.

Organizations in the West and Arab nations must harden their defenses now. Preparedness is a strategic advantage.

*** This is a Security Bloggers Network syndicated blog from Information Security Strategy authored by Matthew Rosenquist. Read the original post at: https://infosecstrategy.blogspot.com/2026/03/what-to-expect-from-irans-digital.html