Cyber Fallout After the Strikes: Signal, Noise, and What Comes Next
2026-03-04 17:00:00 Author: feeds.fortinet.com

The recent U.S.-Israeli kinetic strikes on Iranian targets and the retaliatory strikes on perceived supporters of the attacks have raised immediate concerns about cyber retaliation. Customers are asking a straightforward question: Is a coordinated Iranian cyber response underway or likely?

As of this writing, there is limited evidence of large-scale, coordinated Iranian cyber operations directly tied to the strikes. That does not mean the cyber domain is quiet or will remain that way for long.

What FortiGuard Labs is seeing currently is a surge in regional cyber activity—loosely affiliated hacktivism, recycled claims, defacements, broadcast disruptions, and opportunistic intrusion attempts—all unfolding in the shadow of kinetic conflict.

In previous conflicts, we observed that attacks quickly expanded beyond the traditional kinetic battlefield: actors went after organizations with even the most tenuous link to the adversaries, hitting not only military systems but also civilian, corporate, and cross-border networks, thereby amplifying risk worldwide.

What We Know So Far

Over the past 24 to 48 hours, observations included:

  • Defacement and compromise of Iranian applications and media properties, including the widely used BadeSaba calendar app
  • Broadcast and media intrusions distributing psychological messaging
  • Internet connectivity disruptions inside Iran
  • Increased Telegram-based claims of cyberattacks targeting Israel, Jordan, Afghanistan, and other regional entities
  • Heightened chatter suggesting potential targeting of financial services and critical infrastructure

Most of these events fall into three categories: psychological operations, hacktivist signaling, and opportunistic exploitation of geopolitical noise.

It is important to note that there is currently no confirmed evidence of destructive Iranian wiper campaigns or large-scale retaliatory infrastructure cyberattacks tied directly to the strikes. That may change. Historically, Iranian cyber responses to geopolitical events have not always been immediate, but they can be disruptive.

In prior escalations, Iranian-linked operators have demonstrated patience. Access is often staged in advance, and activation may occur days or weeks after the triggering event, when attention has shifted and defensive posture has relaxed. Organizations that interpret the absence of immediate retaliation as a reduced risk may find themselves unprepared if activity later emerges.

The More Pressing Trend: Exploiting the Noise

One pattern deserves close attention more immediately. Periods of geopolitical escalation create a high-noise environment that threat actors, including those not directly tied to the conflict, frequently exploit for their own gain: phishing campaigns themed around breaking news, and fake, malware-laden advisories or spoofed security updates, all masked by the unfolding chaos.

Several of the observed Telegram claims circulating over the past 24 hours appear loosely affiliated with pro-Russia or regional hacktivist groups that have historically operated outside clear Iranian state coordination. In these darknet communications, some claim cyberattacks against Jordanian, Israeli, or Afghan government entities, but many lack technical validation.

Conflict environments provide cover for malicious activity. Attribution becomes more difficult, distinguishing credible indicators from recycled claims requires more effort, and false-flag operations are easier to stage. As a result, operational risk increases for defenders even when a coordinated, strategic retaliation has not yet materialized.

Tradecraft to Watch

Based on previously reported Iranian campaigns and broader regional threat behavior, organizations should prepare for tactics that have historically proven effective, including:

  • Wiper malware targeting government or energy sectors
  • Distributed denial-of-service campaigns against financial institutions
  • Credential harvesting themed around conflict-related updates
  • Spoofed mobile app updates or fake software installers
  • Defacements of websites intended to drive media amplification

The BadeSaba calendar app compromise illustrates an important point. Large-scale abuse of push notifications implies backend access. That type of access is rarely achieved in a single day. It suggests preparatory compromise or pre-positioning, as we warned about in our CISO predictions for 2026. Even if attribution remains unclear, the technique reflects modern tradecraft: gain access early, then wait for the optimal time to execute.

Why We May Not See Early Warning Signals

This conflict does not resemble a conventional financially motivated cyber campaign. When kinetic operations are involved, operational coordination, if it exists, is unlikely to occur over open channels. Instead, planning activity may shift to restricted or covert communications and occur long before activation. Defenders should not rely on visible ramp-up indicators in public forums as confirmation of risk levels.

Importantly, the absence of public planning signals does not equate to the absence of preparation.

What Organizations Should Do Now

Previous experience can help guide how to prepare for any future cyber retaliation. If broad retaliation develops later, then based on previously observed tactics, techniques, and procedures (TTPs), it is likely to rely on known techniques rather than novel zero-days. Many geopolitical cyber campaigns succeed because of delayed patching, reused credentials, lack of multifactor authentication (MFA), exposed services, and weak access controls. Those factors mean that what looks like a distant conflict to many can quickly land malicious cyber activity on an organization's doorstep. There are key steps that should be taken to protect your organization.

Geopolitical situational awareness: Understand who’s targeting whom, with what tools, and why. Stay on top of what is happening through your industry’s Information Sharing and Analysis Center (ISAC) or by subscribing to the Dark Web Intelligence Service from FortiRecon Adversary Centric Intelligence (ACI).

Prioritize cybersecurity training: With proper training, your staff can better protect your organization and become the first line of defense against cyberthreats. Create a cyber-aware workforce with low-cost or no-cost training, such as Fortinet’s NSE training, which is available free of charge. You can also augment training with real-life phishing simulations to assess and improve your organization’s readiness.

Enable MFA on VPN, remote access, and SaaS applications: Even if a username or password is compromised, whether accidentally or intentionally, that user’s account remains protected because actors cannot obtain the second factor, such as a token or biometric, that is also required to gain access.

Set up automated patching and updating: Despite years of guidance advocating timely patching practices, a lack of best practice cyber hygiene processes remains one of the top threats to network security and integrity. Regularly patching vulnerabilities is a fundamental measure to prevent exploitation by cybercriminals. It is imperative to keep all software, operating systems, and applications up to date with the latest security patches. Start by establishing a patch-management process to streamline updates and ensure timely implementation. Look to leverage AI and other systems to automate tedious patching tasks.

Many legacy systems cannot be patched because they continuously run critical processes, but they can still be shielded from vulnerabilities using compensating controls, such as targeted IPS signatures, to protect them from exploits. With the Fortinet OT Security Platform, for example, you can perform such virtual patching using its integrated management system.

Use strong password security: Use password management tools and MFA to ensure passwords meet essential guidelines. These forms of security hardening will prevent compromised passwords from leading to compromised systems. Services that monitor online forums on the dark web that sell stolen credentials can also serve as an early warning to help ensure passwords are updated before they are exploited. Additionally, ensure that IoT devices, such as cameras, are patched and that default passwords are changed.

Understand and reduce your attack surface: The first step to reducing your attack surface is to understand what you’ve got. Start by performing system audits to find out what applications, hardware, and IoT devices are in your internal environment, and do not forget to look outside your organization. It’s always helpful to get an outsider’s point of view on your network to assist with auditing your systems, identifying what’s there, and determining who has access to what. For example, a continuous threat exposure management (CTEM) service can provide an outside-the-network view of the risks posed to your organization.

Build defense in depth: Assume compromise will happen at some point and build security resilience and rapid detection capability at every level.

  • Segment your network to ensure that the impact of a breach is limited in scope, aiding in the rapid recovery of your network while maintaining business resiliency.
  • Threat actors can often remain undetected in a network for months. Network detection and response in FortiNDR, deception techniques provided by FortiDeceptor, and rich analytics from FortiAnalyzer can speed up and simplify the detection and remediation of threats. These and similar solutions can reduce the mean time to detection from many days to a few minutes.
  • Log all activity to a centralized SIEM solution and build an automated detection capability.
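The page's warning that access is often staged in advance and activated weeks later, together with the advice to build automated detection on top of centralized logs, suggests one concrete hunt: successful remote-access logins from a user/source pair that went silent for a long time and then came back. This is an added example, not Fortinet's code; it assumes a simplified constructed log format (timestamp, user, source IP, result) and a 30-day dormancy threshold that a real deployment would tune.

```python
from datetime import datetime, timedelta

# Constructed VPN/remote-access log lines for illustration (not from the page):
# "<ISO timestamp> <user> <source IP> <result>"
SAMPLE_LOG = """\
2026-01-10T02:14:00 alice 203.0.113.7 success
2026-01-11T09:00:00 alice 198.51.100.20 success
2026-02-02T09:05:00 alice 198.51.100.20 success
2026-03-03T23:41:00 alice 203.0.113.7 success
2026-03-03T23:50:00 bob 192.0.2.44 success
2026-03-04T08:00:00 bob 192.0.2.44 success
"""

DORMANT_DAYS = 30  # assumption: a pair silent this long and then reused merits review


def parse_log(text):
    """Parse the constructed format into sorted (timestamp, user, ip) successes."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        if result == "success":
            events.append((datetime.fromisoformat(ts), user, ip))
    return sorted(events)


def dormant_reactivations(text, dormant_days=DORMANT_DAYS):
    """Return (user, ip, first_seen, reactivated_at) for every successful login
    from a (user, ip) pair whose previous success was at least dormant_days earlier.
    The first login establishes the foothold; the late return is the activation."""
    first_seen, last_seen, findings = {}, {}, []
    for ts, user, ip in parse_log(text):
        key = (user, ip)
        if key in last_seen and ts - last_seen[key] >= timedelta(days=dormant_days):
            findings.append((user, ip, first_seen[key].isoformat(), ts.isoformat()))
        first_seen.setdefault(key, ts)
        last_seen[key] = ts
    return findings


if __name__ == "__main__":
    for user, ip, first, again in dormant_reactivations(SAMPLE_LOG):
        print(f"review: {user} from {ip} first seen {first}, back after dormancy at {again}")
```

Run over real SIEM exports, the same logic should key on whatever identifies the access path (user plus certificate, device, or ASN) rather than a bare IP, and should be paired with a baseline so that normal long-absence users (leave, contractors) do not flood the queue.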

Back up your data: Implement a robust data backup and recovery strategy to ensure data integrity and security. Regularly back up critical data and ensure that backups are stored in secure, isolated and off-network environments. Just as important is to test the recovery of your data to ensure that, in the event of a ransomware attack or data loss, your organization can quickly recover essential information.

Develop and test an incident response plan: Create a comprehensive incident response plan and related playbooks that outline the steps to take in the event of a cybersecurity incident. However, a plan sitting in a drawer is of little value. You also need to regularly test and update your plans to ensure their effectiveness. This includes conducting simulated exercises, such as tabletop drills, to enable your key stakeholders to practice and refine their responses to various types of cyberthreats.

Build trust and partnerships: CISOs and IT teams must recognize that cybersecurity is a shared responsibility, and no single organization has all the answers. One of the most critical components of a strong security posture is building global partnerships and actively sharing threat intelligence. This includes engaging with trusted vendors and participating in sector-specific ISACs.

Report incidents promptly: Timely reporting is essential. Organizations should immediately notify their designated Computer Emergency Response Team (CERT) and local law enforcement in the event of a cyber incident. In the United States, this includes federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

The Bottom Line

Our observations show there is currently no confirmed large-scale Iranian cyber retaliation tied directly to the recent strikes. However, FortiGuard Labs has observed an increase in regional cyber activity and a measurable rise in opportunistic behavior. In conflicts like this, the first wave is often noise. If a second wave comes, it may be quieter, more coordinated, and more targeted, so it is critical to be prepared should that happen.

Organizations that use this initial window to strengthen cyber hygiene, enforce strong authentication and MFA, and reduce exposure will be better positioned regardless of how events unfold. FortiGuard Labs will continue monitoring developments and provide updates as intelligence is collected and validated.

NOTE: The situation in the Middle East remains fluid. Reporting, attribution, and operational details can change quickly as new intelligence is gathered and validated. FortiGuard Labs will continue to monitor developments and provide updates as conditions evolve, including for activity on Iran-based threat actors through the FortiGuard Labs Threat Actor Encyclopedia.


Source: https://feeds.fortinet.com/~/949515869/0/fortinet/blog/threat-research~Cyber-Fallout-After-the-Strikes-Signal-Noise-and-What-Comes-Next