What security teams need to know about Iran’s cyber threat right now
ID: 1eb5e9e3-d162-53ac-8e1f-085b4c7aac32
STIX ID: report--1eb5e9e3-d162-53ac-8e1f-085b4c7aac32
Feed Name: Expel Blog
Following coordinated U.S. and Israeli strikes on February 28, 2026, Expel intelligence warns of heightened Iranian cyber activity focused on demonstrating impact against critical infrastructure, financial systems, and industrial controllers; expected techniques include ransomware, DDoS as a diversion for deeper intrusions, long-held data exfiltration and aggressive social engineering via fake job offers and attachments. The report emphasizes that Iran leverages proxy/hacktivist groups for plausible deniability, has shifted infrastructure patterns (notably increased use of Asian hosts), and urges organizations to prioritize security fundamentals—patching, log review, legacy system assessment, email-attachment caution, and coordinated threat hunting—while monitoring international intelligence feeds.
