The Iran Conflict’s Cyber Front Is Escalating - And the Most Dangerous Phase Is Still Ahead

Anomali Threat Research

Published on

March 10, 2026

Table of Contents

Iranian state hackers are inside U.S. airports and banks. IRGC operators are on industrial control systems. And for the first time in history, a nation-state has physically destroyed cloud data centers with drones. Here’s what CISOs need to know — and do — right now. Two weeks into Operation Epic Fury / Roaring Lion, the U.S.–Israel–Iran conflict has produced a cyber threat environment unlike anything we’ve seen before. Not because of the volume of attacks — the 149+ hacktivist DDoS campaigns across 16 countries are noisy but largely superficial. The real danger is quieter: Iranian state-sponsored APT groups have confirmed footholds inside U.S. critical infrastructure, an IRGC unit is actively exploiting industrial control systems, and Iran has established an entirely new category of warfare by physically destroying commercial cloud data centers with drone strikes. Meanwhile, CISA — the U.S. government’s primary cyber defense coordinator — is operating under partial shutdown with its acting director reassigned. Organizations cannot rely on federal support at the level they’re accustomed to. This post breaks down the five developments from the past week that every CISO needs to understand, the threat actors driving them, and the specific actions your teams should take in the next 24 hours, 7 days, and 30 days. <h2>What Changed This Week</h2> <table> <thead> <tr> <th> Date </th> <th> Development </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb </td> <td> Operation Epic Fury / Roaring Lion begins — U.S. and Israeli strikes on Iran, including IRGC sites </td> <td> Supreme Leader Khamenei killed; regime-survival dynamic triggers disproportionate retaliation posture </td> </tr> <tr> <td> 2 Mar </td> <td> Microsoft publishes research on OAuth redirection abuse being weaponized </td> <td> Early indicator of cloud identity attack vector maturation </td> </tr> <tr> <td> 3 Mar </td> <td> SecurityWeek reports Iranian state-sponsored attacks “staying low” while hacktivism surges </td> <td> Confirms bifurcation: noisy hacktivism masking quiet APT operations </td> </tr> <tr> <td> 4 Mar </td> <td> CISA acting director reassigned; agency under partial shutdown (CNBC) </td> <td> U.S. federal cyber defense posture degraded at worst possible moment </td> </tr> <tr> <td> 5–8 Mar </td> <td> Iranian drone strikes destroy AWS data centers in UAE/Bahrain — 2 of 3 ME-CENTRAL-1 availability zones go offline </td> <td> First kinetic attack on cloud infrastructure in history; Iran claims strikes were “deliberate and strategic” </td> </tr> <tr> <td> 6 Mar </td> <td> MuddyWater confirmed inside U.S. airport, bank, software company, and NGO using new Dindoor backdoor </td> <td> First confirmed Iranian APT breach of named U.S. critical infrastructure sectors during the conflict </td> </tr> <tr> <td> 6 Mar </td> <td> CISA adds CVE-2021-22681 (Rockwell Automation PLCs, CVSS 9.8) and CVE-2017-7921 (Hikvision cameras, CVSS 9.8) to KEV </td> <td> Both linked to active Iranian exploitation — ICS access and battlefield surveillance </td> </tr> <tr> <td> 6–9 Mar </td> <td> Cisco SD-WAN CVE-2026-20127 (CVSS 10.0) escalates to mass exploitation — described as “hacker free-for-all” </td> <td> Edge device exploitation commoditized; multiple threat actors including potential Iranian opportunistic use </td> </tr> <tr> <td> 9 Mar </td> <td> ThreatStream updates MuddyWater, APT42, Handala, HYDRO KITTEN actor profiles with new IOCs </td> <td> Intelligence community tracking active Iranian operational tempo </td> </tr> </tbody> </table> <h2>Threat Analysis: Five Converging Attack Tracks</h2> <h3>1. MuddyWater’s Dindoor Backdoor — Inside U.S. Critical Infrastructure</h3> Actor: MuddyWater (aliases: Mango Sandstorm, Seedworm, Static Kitten, TA450, MERCURY, COBALT ULSTER, TEMP.Zagros) Affiliation: Ministry of Intelligence and Security (MOIS), Iran Malware: Dindoor (new backdoor, successor to POWERSTATS) MuddyWater — one of Iran’s most prolific cyber espionage groups — has breached the networks of a U.S. airport, a bank, a software company, and an NGO using a previously undocumented backdoor called Dindoor. Reported independently by The Hacker News and Cybernews on 6 March, this represents the first publicly confirmed Iranian APT compromise of named U.S. critical infrastructure sectors since the conflict began. Dindoor follows the lineage of MuddyWater’s POWERSTATS toolkit — expect PowerShell-based command-and-control, spearphishing attachments as the initial access vector, and lateral movement via valid credentials. Known IOC:5.160.228.186 (ASN 42337, Respina Networks, Tehran) — tagged as Rampant Kitten / APT / phishing infrastructure. Severity: very high. Why this matters: MuddyWater doesn’t typically conduct destructive operations — they establish persistent access. The concern is that this access could be handed off to destructive units (like HYDRO KITTEN) or activated for data destruction if the conflict escalates further. <h3>2. HYDRO KITTEN on Industrial Control Systems — The ICS Threat Is Real and Active</h3> Actor: HYDRO KITTEN (aliases: Cyber Av3ngers, BAUXITE, SoldiersOfSolomon, Mr. Soll) Affiliation: IRGC Cyber Electronic Command (IRGC-CEC), Shahid Kaveh sub-unit Malware: IOCONTROL (custom ICS backdoor), Crucio (ransomware), unnamed C++/Golang wipers CVE Exploited: CVE-2021-22681 (CVSS 9.8) — Rockwell Automation RSLogix 5000 / Studio 5000 Logix Designer authentication bypass HYDRO KITTEN — the IRGC unit responsible for the 2024 Unitronics PLC attacks against U.S. water systems — is confirmed to have exploited CVE-2021-22681 to bypass authentication on Rockwell Automation Allen Bradley PLCs. CISA added this CVE to the Known Exploited Vulnerabilities catalog on 6 March with a patch deadline of 26 March 2026. This group targets ICS and IoT devices across energy, water, fuel management, healthcare, government, and defense sectors in the U.S. and Israel. Their toolkit includes IOCONTROL — a custom backdoor purpose-built for operational technology environments — and Crucio ransomware. CrowdStrike’s profile confirms they also maintain C++ and Golang wipers shared with IMPERIAL KITTEN. HYDRO KITTEN’s CVE exploitation portfolio is extensive: CVE-2024-8069, CVE-2024-10914, CVE-2024-1086, CVE-2024-50379, CVE-2024-49112, CVE-2024-53704, CVE-2024-0012, CVE-2024-45519, CVE-2025-2129, CVE-2024-8068, CVE-2024-41713, CVE-2024-9474, CVE-2024-49138, CVE-2024-55591, CVE-2024-6387, CVE-2025-0282, CVE-2024-47575, and more. Why this matters: PLC access is a precursor to destructive ICS attacks. Gaining authentication bypass on Rockwell controllers is the step that comes before deploying IOCONTROL or wipers to manipulate physical processes. This is a leading indicator, not a lagging one. <h3>3. Drone Strikes on AWS Data Centers — A New Category of Warfare</h3> Between 5–8 March, Iranian military forces conducted drone strikes against three AWS data centers in the ME-CENTRAL-1 region (UAE and Bahrain), taking two of three availability zones offline. Iran’s state news agency claimed the strikes were “deliberate and strategic.” Multiple independent sources — Tom’s Hardware, Cybernews, AOL/Business Insider, Detroit News, Daily Caller — confirmed the attacks. This is believed to be the first kinetic attack on commercial cloud data centers in history. Why this matters for every CISO: If your organization has workloads, backups, or disaster recovery in any Middle East cloud region — AWS, Azure, or GCP — your business continuity plans now need to account for physical destruction of cloud availability zones, not just cyber disruption. The assumption that cloud regions are safe from kinetic attack has been invalidated. Iran has signaled intent to continue; the AWS Israel region (IL-CENTRAL-1) and planned Saudi region are likely next targets. <h3>4. Cisco SD-WAN CVE-2026-20127 — From Zero-Day to Free-for-All</h3> CVE-2026-20127 (CVSS 10.0) — an authentication bypass in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) — has escalated from targeted zero-day exploitation (ongoing since 2023) to mass exploitation by multiple threat actors. HealthcareInfoSecurity described it as a “hacker free-for-all” on 9 March. Cisco confirmed two additional SD-WAN vulnerabilities under active attack on 6 March. This is a CVSS 10.0 — unauthenticated, remote, full compromise of network management infrastructure. If you run Cisco Catalyst SD-WAN and haven’t patched, assume compromise. <h3>5. Hikvision Cameras and Iranian Battlefield Surveillance</h3> CVE-2017-7921 (CVSS 9.8) — an improper authentication vulnerability in Hikvision DS-2CD series IP cameras — was added to CISA’s KEV on 6 March. This isn’t a new vulnerability (it dates to 2017), but its addition to KEV now is directly linked to Iranian exploitation of IP cameras for battle damage assessment (BDA) and surveillance. Compromised cameras in facilities near conflict zones — or in organizations of intelligence interest — provide real-time visual intelligence to Iranian operators. <h2>Predictive Analysis: What Comes Next</h2> Based on the convergence of confirmed Iranian APT access, ICS exploitation, kinetic precedent, and the absence of diplomatic off-ramps, we assess the following probabilities for the next 7–14 days: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Destructive wiper deployment against U.S. or allied targets (BiBiWiper, ZeroShred, GoneXML, or new variant) </td> <td> 35–45% </td> <td> MuddyWater has network access; HYDRO KITTEN has ICS access and wiper capability. Regime-survival pressure incentivizes escalation. The absence of wipers after 12 days of conflict is itself notable — either restraint, degraded capability, or pre-positioning not yet activated. </td> </tr> <tr> <td> Additional kinetic strikes on cloud/tech infrastructure </td> <td> 50–60% </td> <td> Precedent established and claimed as deliberate strategy. AWS IL-CENTRAL-1 (Israel) and planned Saudi regions are logical next targets. </td> </tr> <tr> <td> IOCONTROL deployment against U.S. water, energy, or fuel systems </td> <td> 25–35% </td> <td> HYDRO KITTEN’s Rockwell PLC exploitation is a confirmed precursor. IOCONTROL was used against Unitronics PLCs in 2024; Rockwell PLCs are a higher-value target set. </td> </tr> <tr> <td> Cisco SD-WAN exploitation by Iranian actors for initial access </td> <td> ~30% </td> <td> CVE-2026-20127 is now commoditized. Iranian groups may opportunistically leverage it to access networks they couldn’t otherwise reach. </td> </tr> <tr> <td> Escalation of hacktivist DDoS to data destruction </td> <td> 15–20% </td> <td> Hacktivist groups like Handala (UNC5203) and Cyber Toufan have historically exaggerated claims, but the conflict environment could push them toward more destructive action. </td> </tr> <tr> <td> CISA operational recovery to pre-conflict levels </td> <td> LOW </td> <td> Partial shutdown + leadership vacuum = degraded federal coordination for the foreseeable future. </td> </tr> </tbody> </table> The critical watch item: The absence of confirmed wiper attacks against Western targets after 12 days of active conflict. If BANISHED KITTEN (Cotton Sandstorm) wipers — BiBiWiper, ZeroShred, or GoneXML — appear in the wild targeting Western infrastructure, it signals a major escalation threshold has been crossed. <h2>SOC Operational Guidance</h2> <h3>Hunting Hypotheses</h3> <table> <thead> <tr> <th> # </th> <th> Hypothesis </th> <th> ATT&CK Techniques </th> <th> Data Sources </th> </tr> </thead> <tbody> <tr> <td> H1 </td> <td> MuddyWater Dindoor C2 is active in our environment via PowerShell-based beaconing to Iranian infrastructure </td> <td> T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), T1071.001 (Web Protocols), T1105 (Ingress Tool Transfer) </td> <td> EDR telemetry, proxy logs, DNS logs, PowerShell script block logging </td> </tr> <tr> <td> H2 </td> <td> HYDRO KITTEN has exploited Rockwell PLC authentication bypass in our ICS/OT environment </td> <td> T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1565.001 (Stored Data Manipulation) </td> <td> ICS network monitoring, PLC audit logs, NETCONF session logs, OT anomaly detection </td> </tr> <tr> <td> H3 </td> <td> Cisco SD-WAN management interfaces are exposed and have been compromised via CVE-2026-20127 </td> <td> T1190 (Exploit Public-Facing Application), T1078.001 (Default Accounts), T1021 (Remote Services), T1565.002 (Transmitted Data Manipulation) </td> <td> SD-WAN controller logs, NETCONF audit trails, network configuration change logs </td> </tr> <tr> <td> H4 </td> <td> Hikvision IP cameras on our network have been compromised for surveillance/BDA </td> <td> T1190 (Exploit Public-Facing Application) </td> <td> Asset inventory, camera firmware version audit, network traffic from camera subnets to Iranian IP ranges </td> </tr> </tbody> </table> <h3>Prioritized IOCs for Immediate Action</h3> <table> <thead> <tr> <th> IOC </th> <th> Type </th> <th> Context </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 5.160.228.186 </td> <td> IPv4 </td> <td> MuddyWater / Rampant Kitten C2 infrastructure (ASN 42337, Respina Networks, Tehran). Confidence: high. </td> <td> Block at perimeter firewall and proxy. Alert on any historical connections. </td> </tr> <tr> <td> 62.60.130.247 </td> <td> IPv4 </td> <td> Iran-geolocated APT infrastructure (ThreatStream tag: manufacturing targeting). Note: also tagged APT29 — likely shared infrastructure or misattribution; treat as Iranian-nexus in this context. </td> <td> Block and investigate any connections. </td> </tr> <tr> <td> Dindoor malware family </td> <td> Behavioral </td> <td> PowerShell-based backdoor, successor to POWERSTATS. No hashes publicly available yet. </td> <td> Hunt for anomalous PowerShell execution patterns: encoded commands, web-based C2 callbacks, persistence via scheduled tasks. </td> </tr> <tr> <td> IOCONTROL (aka QueueCat, OrpraCab) </td> <td> Behavioral </td> <td> Custom ICS/OT backdoor targeting PLCs and IoT devices. </td> <td> Hunt in OT networks for unauthorized PLC communications, anomalous Modbus/NETCONF traffic, unexpected firmware changes. </td> </tr> <tr> <td> CVE-2021-22681 </td> <td> Vulnerability </td> <td> Rockwell Automation RSLogix 5000 v16–20, Studio 5000 v21+. CVSS 9.8. In KEV. </td> <td> Patch by 26 March (CISA deadline). Isolate unpatched PLCs immediately. </td> </tr> <tr> <td> CVE-2026-20127 </td> <td> Vulnerability </td> <td> Cisco Catalyst SD-WAN Controller/Manager. CVSS 10.0. In KEV. </td> <td> Patch immediately. If unable, isolate management interfaces from all network access. </td> </tr> <tr> <td> CVE-2026-22719 </td> <td> Vulnerability </td> <td> VMware Aria Operations. CVSS 8.1. In KEV. Apply VMSA-2026-0001. </td> <td> Patch within 7 days. </td> </tr> <tr> <td> CVE-2017-7921 </td> <td> Vulnerability </td> <td> Hikvision DS-2CD series IP cameras. CVSS 9.8. In KEV. </td> <td> Audit all Hikvision camera firmware. Segment camera networks. </td> </tr> </tbody> </table> <h3>Detection Priorities</h3> <ol> <li>PowerShell script block logging — Enable on all endpoints if not already active. Hunt for Base64-encoded commands, Invoke-WebRequest / Invoke-RestMethod to unusual destinations, and scheduled task creation via PowerShell.</li> <li>DNS and proxy logs — Alert on connections to Iranian ASNs (particularly ASN 42337 — Respina Networks, ASN 44244 — Irancell, ASN 16322 — Pars Online). Monitor for DNS over HTTPS (DoH) to non-standard resolvers.</li> <li>ICS/OT network monitoring — Baseline normal PLC communication patterns. Alert on unauthorized NETCONF sessions, PLC programming changes outside maintenance windows, and any traffic to/from PLCs that doesn’t match known engineering workstations.</li> <li>SD-WAN controller audit — Review all configuration changes in the past 90 days. Look for unauthorized admin accounts, modified routing policies, or new NETCONF sessions.</li> <li>Cloud region dependency mapping — Inventory all workloads, backups, and DR configurations in AWS ME-CENTRAL-1, ME-SOUTH-1, and IL-CENTRAL-1. Identify single points of failure.</li> </ol> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> MuddyWater has confirmed access to at least one U.S. bank. Financial institutions should: <ul> <li>Immediately hunt for Dindoor indicators (PowerShell C2, connections to 5.160.228.186)</li> <li>Review SWIFT and core banking system access logs for anomalous authentication</li> <li>Engage FS-ISAC for shared indicators from the confirmed bank compromise</li> <li>Stress-test DDoS mitigation — 149 hacktivist attacks across 16 countries means financial services are a primary target for disruptive (if not destructive) action</li> <li>Validate that cloud-hosted trading and payment systems have no dependency on Middle East AWS regions</li> </ul> <h3>Energy</h3> HYDRO KITTEN’s exploitation of Rockwell Automation PLCs directly threatens energy sector ICS environments. Energy operators should: <ul> <li>Emergency patch CVE-2021-22681 on all Rockwell Allen Bradley PLCs or isolate them from network access</li> <li>Hunt for IOCONTROL indicators in OT networks — this malware was designed for fuel management and energy systems</li> <li>Review Unitronics PLC deployments (HYDRO KITTEN’s 2024 target set) for signs of persistent access</li> <li>Engage E-ISAC and coordinate with sector peers on HYDRO KITTEN TTPs</li> <li>Ensure OT networks are fully segmented from IT networks — MuddyWater IT access could be a bridge to OT</li> </ul> <h3>Healthcare</h3> The Cisco SD-WAN “free-for-all” (CVE-2026-20127) poses acute risk to healthcare networks that rely on SD-WAN for multi-site connectivity. Healthcare organizations should: <ul> <li>Patch Cisco SD-WAN immediately — healthcare was specifically called out by HealthcareInfoSecurity as at risk</li> <li>Audit VMware Aria Operations deployments (CVE-2026-22719) — common in healthcare virtualization environments</li> <li>Review medical device network segmentation — compromised SD-WAN infrastructure could provide lateral access to clinical networks</li> <li>Ensure ransomware playbooks are current — HYDRO KITTEN’s Crucio ransomware and wiper toolkit could target healthcare for maximum psychological impact</li> </ul> <h3>Government (Federal, State, Local)</h3> A ThreatStream intelligence report (10 March) specifically warned U.S. state and local governments of Iran-related cyber intrusions. Government entities should: <ul> <li>Engage MS-ISAC immediately for shared indicators and defensive guidance</li> <li>Assume reduced CISA support capacity due to the agency’s partial shutdown and leadership disruption</li> <li>Hunt for MuddyWater indicators across government networks — an NGO was among the confirmed victims, and government entities are MuddyWater’s primary historical target</li> <li>Audit Hikvision IP cameras in government facilities — CVE-2017-7921 enables Iranian surveillance/BDA collection</li> <li>Review .gov domain and email security posture against spearphishing (MuddyWater’s primary initial access vector)</li> </ul> <h3>Aviation & Logistics</h3> A U.S. airport is among MuddyWater’s confirmed victims. Aviation and logistics organizations should: <ul> <li>Immediately initiate threat hunts for Dindoor and MuddyWater TTPs across airport IT and OT systems</li> <li>Review access controls for operational technology (baggage handling, HVAC, access control systems) that may be reachable from compromised IT networks</li> <li>Audit GPS-dependent systems — GPS spoofing has been reported in the conflict theater and could affect navigation and logistics tracking</li> <li>Coordinate with TSA and sector-specific ISACs on indicators from the confirmed airport compromise</li> <li>Review cloud dependencies for flight operations, booking, and cargo management systems — the AWS data center precedent affects any cloud-dependent aviation system</li> </ul> <h2>Prioritized Defense Recommendations      </h2> <h3>🔴 Immediate (Next 24–48 Hours)</h3> <table> <thead> <tr> <th> # </th> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> Patch Rockwell Automation PLCs against CVE-2021-22681 (CVSS 9.8). IRGC-CEC operators are actively exploiting this. If patching is impossible, isolate PLCs from all network access. CISA KEV deadline: 26 March. </td> <td> ICS/OT Security, Plant Operations </td> </tr> <tr> <td> 2 </td> <td> Patch Cisco Catalyst SD-WAN against CVE-2026-20127 (CVSS 10.0). Mass exploitation confirmed. If patching is impossible, isolate SD-WAN management interfaces from the internet immediately. </td> <td> Network Engineering </td> </tr> <tr> <td> 3 </td> <td> Block 5.160.228.186 at all perimeter controls (firewall, proxy, DNS sinkhole). Hunt for any historical connections in the past 90 days. This is confirmed MuddyWater infrastructure. </td> <td> SOC, Network Security </td> </tr> <tr> <td> 4 </td> <td> Initiate threat hunt for MuddyWater Dindoor — focus on PowerShell-based C2, anomalous scheduled tasks, and connections to Iranian IP ranges. </td> <td> Threat Hunting, SOC </td> </tr> <tr> <td> 5 </td> <td> Audit all Hikvision IP cameras for CVE-2017-7921. Update firmware or segment camera networks from corporate infrastructure. </td> <td> Physical Security, IT Asset Management </td> </tr> </tbody> </table> <h3>🟡 7-Day Actions</h3> <table> <thead> <tr> <th> # </th> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> 6 </td> <td> Patch VMware Aria Operations against CVE-2026-22719 (CVSS 8.1). Apply VMSA-2026-0001. </td> <td> Virtualization / Cloud Ops </td> </tr> <tr> <td> 7 </td> <td> Map all cloud workloads in Middle East regions (AWS ME-CENTRAL-1, ME-SOUTH-1, IL-CENTRAL-1; Azure UAE/Qatar; GCP ME). Develop contingency plans for physical destruction of these regions. </td> <td> Cloud Architecture, Business Continuity </td> </tr> <tr> <td> 8 </td> <td> Conduct targeted threat hunt for HYDRO KITTEN TTPs across ICS/OT networks: unauthorized NETCONF sessions, anomalous PLC programming changes, indicators of IOCONTROL or Crucio ransomware. </td> <td> ICS/OT Security, Threat Hunting </td> </tr> <tr> <td> 9 </td> <td> Engage your sector ISAC (FS-ISAC, E-ISAC, MS-ISAC, H-ISAC, A-ISAC) for shared indicators from confirmed compromises. Do not wait for CISA — the agency is operating at reduced capacity. </td> <td> CTI, External Affairs </td> </tr> <tr> <td> 10 </td> <td> Brief executive leadership and the board on the conflict’s cyber dimension. Key message: this is not a theoretical risk — Iranian state actors have confirmed access to U.S. critical infrastructure, and the probability of destructive action is rising. </td> <td> CISO, Executive Team </td> </tr> </tbody> </table> <h3>🟢 30-Day Actions</h3> <table> <thead> <tr> <th> # </th> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> 11 </td> <td> Establish monitoring for OAuth redirection abuse in Azure AD, Google Workspace, and Okta environments. Microsoft confirmed this technique is being weaponized. </td> <td> Identity & Access Management, Cloud Security </td> </tr> <tr> <td> 12 </td> <td> Audit DIB contractor access and GitHub-facing development workflows. An active Iranian campaign uses fake resume lures on GitHub targeting aerospace and defense. </td> <td> Supply Chain Security, DevSecOps </td> </tr> <tr> <td> 13 </td> <td> Review and update incident response playbooks for wiper/destructive attacks. Ensure offline backups are current and tested. The probability of wiper deployment is 35–45% over the next two weeks. </td> <td> IR Team, Business Continuity </td> </tr> <tr> <td> 14 </td> <td> Stress-test disaster recovery for a scenario where a primary cloud region is physically destroyed. The AWS drone strike precedent means DR plans that assume cloud availability need revision. </td> <td> Cloud Architecture, DR/BC </td> </tr> <tr> <td> 15 </td> <td> Increase self-reliance posture. With CISA operating at reduced capacity, organizations should strengthen direct relationships with sector ISACs, commercial threat intelligence providers, and peer organizations for indicator sharing and coordinated defense. </td> <td> CISO, CTI </td> </tr> </tbody> </table> <h2>The Bottom Line</h2> The Iran conflict’s cyber dimension is operating on three tracks simultaneously: <ol> <li>High-volume, low-impact hacktivism — 149 DDoS attacks across 16 countries. Noisy, headline-grabbing, but largely superficial. This is the distraction.</li> <li>Low-volume, high-impact state APT operations — MuddyWater inside U.S. critical infrastructure. HYDRO KITTEN on industrial control systems. Quiet, methodical, and building toward something. This is the real threat.</li> <li>Kinetic-to-digital hybrid warfare — Drone strikes on cloud data centers. No prior analogue. No existing playbook. This is the new frontier.</li> </ol> The most dangerous period lies ahead. After 12 days of conflict with no diplomatic off-ramp in sight, the conditions for destructive cyber operations — wipers, ICS manipulation, coordinated infrastructure disruption — are accumulating. The absence of confirmed wiper attacks so far is not reassurance; it may be the calm before escalation. Do not wait for a federal advisory that may come late — or not at all. Patch the critical vulnerabilities listed above. Hunt for the actors named in this post. Brief your leadership. Test your disaster recovery. And assume that the threat actors already inside U.S. networks are waiting for the order to act. The time to prepare was last week. The next best time is now.

FEATURED RESOURCES

March 10, 2026

Anomali Cyber Watch