Pro-Iranian Hacktivists Join Nation-State Groups in Targeting U.S., Israel, Others
2026-03-09 17:03:59 Author: securityboulevard.com

Almost immediately after bombs dropped by the United States and Israel began falling on Tehran and other sites in Iran on Feb. 28, attention turned to the threat of Iran-backed cyberattacks here and elsewhere in the Middle East.

Over the past decade, Iranian nation-state actors became increasingly adept at infiltrating critical infrastructure – think of the threat group CyberAv3ngers’ compromise of the Aliquippa, Pennsylvania, municipal water system in 2023 – and at running influence campaigns, impersonation scams, and espionage campaigns.

The day after the military attacks started, Check Point researchers rolled out a list of many of the known nation-state bad actors, ranging from Cotton Sandstorm and MuddyWater to Educated Manticore, Handala and Agrius, all of which represent significant threats to the United States, Israel, and other countries in the region.

However, the war also kicked off a rapid expansion of the number of pro-Iranian hacktivist groups, which may not be officially linked to the Iranian regime but – armed with AI and a keen understanding of the more than 40,000 internet-exposed control systems in the United States – nonetheless pose real dangers, according to researchers with CloudSEK.

Within hours after the attacks by the United States and Israel began, more than 60 such hacktivist groups became active on the Telegram messaging app, none of which need training, expertise about industrial control systems, or backing by Iran, the researchers wrote in one of two reports released late last week.

10-Plus Years in the Making

CloudSEK outlined the growth of the cyber struggle between Iran and the United States and Israel, going back to 2012 when the Shamoon wiper cratered 30,000 Saudi Aramco endpoints and showed Iran’s ability and willingness to run attacks against adversaries’ critical infrastructure. Such attacks historically have needed nation-state resources and industrial control system (ICS) expertise, they wrote.

Iran’s cyber capabilities have continued to evolve through this year, they added.

“What changed is the scale, speed, and accessibility of the threat,” the researchers wrote. “The trajectory is clear: what began as nation-state-level ICS capability in 2012 has become, by 2026, something any motivated actor can attempt with free tools and an internet connection. The technical barrier has collapsed. The threat pool has expanded. And the U.S. attack surface has never been larger.”

Those 60-plus hacktivist groups are joining nation-state actors in targeting the United States, they wrote, adding that “the current conflict has produced the largest single-event activation of Iranian-aligned cyber actors ever documented.”

Both the Iranian proxy groups and the hacktivists are operating on ideological grounds rather than through state direction since central command for the Islamic Revolutionary Guard Corps (IRGC) – which directs nation-state actors – has been disrupted.

AI Comes into Play

The hacktivists “are less disciplined than state-directed groups, potentially more reckless, and have no political constraint on civilian impact,” CloudSEK researchers wrote. “They are also the actors most likely to reach for AI assistance to compensate for the technical depth they lack.”

AI has given them significant capabilities that they didn’t have even three years ago. The key barriers to bad actors attacking critical infrastructure were understanding the protocols, how devices behaved, how to communicate with a programmable logic controller (PLC), and other such factors; that knowledge, they wrote, took years to build and kept ICS attacks limited to nation-state and well-financed criminal groups.

AI took down the barrier.

“It breaks it by making the knowledge barrier irrelevant for the most accessible and damaging attack vector: internet-exposed ICS devices with default or absent credentials,” they wrote. “To exploit these, you do not need to understand how a PLC works. You need to know it exists, where it is, and what password to type.”
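The vector the researchers describe above, ICS devices reachable from the internet, is something a defender can check for in their own firewall logs before anyone else finds it. The following is an added example written for this article, not code from CloudSEK, Check Point or the article's author; it assumes a constructed key=value firewall log format, an OT network that lives in RFC 1918 address space, and the standard default ports of the listed ICS protocols:

```python
"""Audit firewall logs for inbound connections from outside the organization to
well-known ICS/OT protocol ports. Added example for this article, not code from
CloudSEK, Check Point or the article itself. Assumptions: a constructed
key=value log format (action=, proto=, src=, dst=, dport=) and an OT network
that lives in RFC 1918 address space."""
import ipaddress
import re
from collections import Counter

# Standard default ports for common ICS/OT protocols (IANA or vendor assigned).
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}

# "Internal" is defined explicitly rather than via ipaddress.is_private,
# because Python's is_private also treats the RFC 5737 documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, and the
# constructed sample below uses those ranges to stand in for internet hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def is_external(addr: str) -> bool:
    """True if addr is outside every internal range (i.e. an internet source)."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def find_exposed_ics(lines):
    """Return allowed inbound connections from external sources to ICS ports.

    A 'deny' to an ICS port is a blocked probe, not an exposure, so it is
    skipped; an 'allow' from an external source means the device is reachable
    from the internet and should be investigated."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"].lower() != "allow":
            continue
        if rec["dport"] not in ICS_PORTS or not is_external(rec["src"]):
            continue
        findings.append({
            "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
            "proto": rec["proto"], "protocol": ICS_PORTS[rec["dport"]],
        })
    return findings


def summarize(findings):
    """Count exposures per ICS protocol."""
    return dict(Counter(f["protocol"] for f in findings))


# Constructed sample log: 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for internet hosts, 192.168.10.0/24 is the OT segment.
SAMPLE_LOG = [
    "2026-03-01T02:14:07Z fw1 action=allow proto=tcp src=203.0.113.45 dst=192.168.10.20 dport=502",
    "2026-03-01T02:14:09Z fw1 action=allow proto=tcp src=10.0.5.7 dst=192.168.10.20 dport=502",
    "2026-03-01T02:15:31Z fw1 action=deny proto=tcp src=198.51.100.9 dst=192.168.10.21 dport=102",
    "2026-03-01T02:16:02Z fw1 action=allow proto=tcp src=203.0.113.45 dst=192.168.10.30 dport=443",
    "2026-03-01T02:17:44Z fw1 action=allow proto=udp src=198.51.100.77 dst=192.168.10.40 dport=47808",
    "2026-03-01T02:18:00Z fw1 malformed entry",
]

if __name__ == "__main__":
    found = find_exposed_ics(SAMPLE_LOG)
    for f in found:
        print(f"EXPOSED {f['protocol']:<14} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
    print(summarize(found))
```

On the sample log, only the Modbus and BACnet connections are reported: the internal Modbus session, the denied S7 probe and the external HTTPS connection are all filtered out. Any hit from a real log is a device that should be moved behind a VPN or jump host and checked for default or absent credentials, since that is exactly the condition the researchers say no longer requires ICS expertise to find.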

DoD, Anthropic, and OpenAI

The conflict between the Defense Department and AI vendor Anthropic – and OpenAI’s subsequent deal with the DoD – also is a factor in the growing Iranian cyber threat. The number of people uninstalling the ChatGPT mobile app after OpenAI’s deal was made reportedly jumped 295% day-over-day on February 28, and one-star reviews grew 775% the same day.

This public debate over the DoD contract matters because in 2024, OpenAI reported that CyberAv3ngers accounts used ChatGPT for ICS reconnaissance, looking for industrial protocols and ports, default credentials, steps for scanning networks, and ways to obfuscate bash scripts for post-compromise use.

“The value of AI in this context is speed and accessibility,” the researchers wrote. “A session that surfaces the right Shodan query, confirms a default credential, and explains a protocol in one conversation removes weeks of background research. For a hacktivist group activated in response to a breaking geopolitical event with a specific retaliatory mandate, that compression is operationally significant.”

With the help of AI, tactics used by CyberAv3ngers can now be easily replicated by hacktivists, they wrote.

Nation-State Actors at Work

The dozens of hacktivist groups looking to enter the fray are joining an increasingly active array of nation-state groups. For example, Check Point reported that Iranian groups had infiltrated IP cameras in such Middle East countries as Israel, Bahrain, Qatar, and Kuwait, most likely to assess damage and targets.

Also, Symantec and Carbon Black reported activity on the networks of U.S. companies attributed to the Iranian group Seedworm – also known as MuddyWater, Temp Zagros, and Static Kitten – that began in early February and has continued since the air strikes.

Flashpoint has been putting out daily updates on both the kinetic war and the cyber battle, recently noting, among other things, that threat groups from other countries are entering the arena, with the Russian actor NoName057 using the DDoSia Project distributed denial-of-service (DDoS) toolkit in coordination with Iranian counterparts to target Israeli defense, telecom, and infrastructure systems.

Source: https://securityboulevard.com/2026/03/pro-iranian-hacktivists-join-nation-state-groups-in-targeting-u-s-israel-others/