Hike in US-directed cyberattacks following Iran bombings

Iran-based cyberattacks on the US are increasing.

Image: — © AFP

Following the February 28, 2026 U.S.-Israel strikes on Iran, there has been an immediate and significant surge in Iranian-aligned cyber activity targeting U.S. critical infrastructure, with AI now acting as a direct force multiplier for threat actors.

According to the FBI: “Threats from the Iranian regime and its terrorist partners can reach across the globe. The FBI is committed to identifying and disrupting all Iranian intelligence and military operations that threaten American citizens or our nation’s security and critical infrastructure.”

Two CloudSEK research reports look into the cyber dimension of the Iran-US conflict, including developments since the February 28 strikes. Vulnerability is especially high for U.S. utilities after a prolonged period of structural under-investment: water utilities and industrial operators run OT environments with security budgets far below commercial standards.

The scale of this threat is not measured in the sophistication of individual attacks. It is measured in the number of actors, the breadth of the attack surface, and the history of real disruption that has already occurred.

In terms of the threat area, it is estimated that more than 40,000 US industrial control systems are currently reachable on the public internet, many with default or no credentials, representing an immediately exploitable attack surface.

Extent of rogue actors

The first trend of note is that over 60 Iranian-aligned hacktivist groups activated on Telegram within hours of the February 28 strikes, the largest single-event mobilisation of this ecosystem ever recorded. Furthermore, an Electronic Operations Room was formed on Telegram to coordinate attacks, operating on ideological initiative rather than central state direction, which makes activity harder to predict and constrain.

Ease of attack


The ease of attack is also clear. The reports demonstrate that an actor with no prior ICS knowledge can move from intent to a working list of accessible U.S. industrial targets in under five minutes using AI tools and passive reconnaissance. No scanning, no exploitation, no specialist knowledge required.


The same AI platforms now embedded in U.S. defence operations are accessible to threat actors for offensive reconnaissance, creating a dual-use dynamic that significantly widens the threat.

Attack methods

The expected attack methods to be directed towards the U.S. include:

  • Using Distributed Denial of Service (DDoS) against hosting providers.
  • Deploying ransomware before wiping an organization’s data and/or using destructionware, or destructive malware, that renders system recovery impossible.
  • Leveraging long-term access for espionage and data exfiltration for destructive attacks and/or to locate dissidents for further targeting.

Despite the threat level being high, Iran’s available Internet connectivity has dropped to between 1% and 4%. This is due to the extent of targeted missile strikes, and it could hinder the ability of state-aligned threat actors to coordinate and execute sophisticated cyberattacks, at least in the near term.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
