It has been nearly three weeks since the Pentagon launched its Operation Epic Fury. Although the military capabilities of Iran have been seriously diminished, there is little reason to believe Tehran’s cyber operations have been impacted. Moreover, there have been reports that Iran has intensified its cyber operations.
Earlier this month, Iranian-linked actors conducted a significant wiper attack against U.S. medical firm Stryker, marking one of the first major destructive cyberattacks during the conflict.
Then there are concerns that, beyond what Iran is doing, other cyber actors may be exploiting the situation to launch attacks unrelated to the Islamic Republic.
Cybersecurity researchers at Akamai reported a sharp rise in malicious online activity following the outbreak of the conflict involving Iran, with observed malicious traffic up 245% since late February. The surge spans credential-harvesting attempts, automated reconnaissance, and probing of enterprise infrastructure, as attackers capitalize on geopolitical instability.
Cybersecurity Experts Warn of Persistent Threat Activity and Increased Exposure Risk
“The surge in activity following geopolitical tensions is consistent with what we typically see in these environments. Early-stage signals like reconnaissance, credential harvesting, and infrastructure probing tend to increase significantly as attackers look for initial access opportunities,” warned Sunil Gottumukkala, CEO at cybersecurity provider Averlon.
Gottumukkala told ClearanceJobs in an email that enterprises should assume this activity will persist and therefore turn their focus to preparedness. That means cybersecurity teams must stay on top of attack surface and exposure management to reduce exploitable vulnerabilities and ensure known weaknesses cannot be used to gain initial access.
“It also means strengthening identity security and monitoring for credential misuse, since many of these campaigns rely on stolen credentials,” added Gottumukkala. “The organizations that fare best are the ones that treat this activity as a precursor to more targeted attacks and invest in visibility into their exposure and rapid remediation of high-risk issues.”
Attack Vectors: Financial Sector, Credential Theft, and Reconnaissance Lead the Surge
According to the researchers, the financial sector has been the most heavily impacted, accounting for approximately 40% of observed malicious traffic, followed by e-commerce, gaming, and technology companies.
Among the findings:
- Automated reconnaissance traffic – up 65%
- Credential harvesting attempts – up 45%
- Infrastructure scanning for exposed services – up 52%
- Botnet-driven discovery traffic – up 70%
- DDoS reconnaissance – up 38%
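Gottumukkala's advice to monitor for credential misuse, together with the reconnaissance and credential-harvesting figures above, translates into concrete hunts over ordinary authentication and web-access logs. The block below is an added illustration, not code from Akamai, Averlon or the article: it parses a small set of constructed log records (a hypothetical key=value format, with source addresses drawn from documentation IP ranges) and flags three patterns that this kind of surge produces, namely password spraying (one source failing against many accounts), the successful login that follows a spray (the stolen or guessed credential that actually worked), and a single source probing many common admin paths. The thresholds are assumptions to be tuned per environment.

```python
"""Credential-misuse and reconnaissance hunts over constructed log samples.

Added example, not the article's or any vendor's tooling. Log format,
IP addresses and thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). One source, 198.51.100.7,
# sprays five accounts in ten seconds, then succeeds against "frank" and
# later probes common admin paths; the other sources behave normally.
AUTH_LOG = """\
2026-03-18T09:00:01Z auth src=198.51.100.7 user=alice result=fail
2026-03-18T09:00:03Z auth src=198.51.100.7 user=bob result=fail
2026-03-18T09:00:05Z auth src=198.51.100.7 user=carol result=fail
2026-03-18T09:00:07Z auth src=198.51.100.7 user=dave result=fail
2026-03-18T09:00:09Z auth src=198.51.100.7 user=erin result=fail
2026-03-18T09:00:11Z auth src=198.51.100.7 user=frank result=success
2026-03-18T09:05:00Z auth src=203.0.113.9 user=alice result=fail
2026-03-18T09:06:00Z auth src=203.0.113.9 user=alice result=success
2026-03-18T09:10:00Z auth src=192.0.2.44 user=grace result=success
"""

WEB_LOG = """\
2026-03-18T09:20:00Z web src=198.51.100.7 path=/.env status=404
2026-03-18T09:20:01Z web src=198.51.100.7 path=/.git/config status=404
2026-03-18T09:20:02Z web src=198.51.100.7 path=/wp-login.php status=404
2026-03-18T09:20:03Z web src=198.51.100.7 path=/phpmyadmin status=404
2026-03-18T09:20:04Z web src=198.51.100.7 path=/actuator/health status=404
2026-03-18T09:20:05Z web src=198.51.100.7 path=/admin status=401
2026-03-18T09:20:06Z web src=198.51.100.7 path=/server-status status=403
2026-03-18T09:20:07Z web src=198.51.100.7 path=/api/v1/users status=401
2026-03-18T09:21:00Z web src=203.0.113.9 path=/login status=200
2026-03-18T09:21:30Z web src=192.0.2.44 path=/robots.txt status=404
"""

PROBE_STATUSES = {"401", "403", "404"}  # responses a blind path scan tends to get


def parse(text):
    """Parse 'timestamp kind k=v k=v ...' lines into dicts with an aware datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, *pairs = line.split()
        rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "kind": kind}
        rec.update(p.split("=", 1) for p in pairs)
        events.append(rec)
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted usernames} for sources that failed logins against
    at least `min_users` distinct accounts inside any `window`-long span."""
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e["result"] == "fail":
            fails[e["src"]].append((e["ts"], e["user"]))
    hits = {}
    for src, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # slide the window start over each failure
            users = {u for t, u in items[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def detect_success_after_spray(events, spray):
    """Successful logins from a spraying source: the credential that worked."""
    return sorted(
        (e["src"], e["user"])
        for e in events
        if e["kind"] == "auth" and e["result"] == "success" and e["src"] in spray
    )


def detect_recon(events, min_paths=6):
    """Return {src: sorted paths} for sources that hit at least `min_paths`
    distinct paths and got only probe-style (401/403/404) responses."""
    probes = defaultdict(set)
    for e in events:
        if e["kind"] == "web" and e["status"] in PROBE_STATUSES:
            probes[e["src"]].add(e["path"])
    return {src: sorted(p) for src, p in probes.items() if len(p) >= min_paths}


def run_hunts(auth_text=AUTH_LOG, web_text=WEB_LOG):
    """Run all three hunts and return the findings as one dict."""
    auth, web = parse(auth_text), parse(web_text)
    spray = detect_password_spray(auth)
    return {
        "password_spray": spray,
        "success_after_spray": detect_success_after_spray(auth, spray),
        "recon": detect_recon(web),
    }


if __name__ == "__main__":
    for name, finding in run_hunts().items():
        print(f"{name}: {finding}")
```

The spray detector keys on distinct accounts per source rather than failures per account, which is what separates low-and-slow spraying from a single user mistyping a password (203.0.113.9 above fails once and then succeeds, and is not flagged). The success that follows a spray is the finding worth escalating first, since it identifies the account to reset and the session to revoke.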
Global Threat Actors Exploit Conflict Beyond Iran’s Cyber Operations
The recent research also warned that hacktivists have been observed routing through proxy services in countries such as Russia and China, which have served as the source of billions of connection attempts built for abuse. With U.S. attention fixed on Iran, attacks may also come from elsewhere.
“The 245% number is real, but the breakdown underneath it matters more than the headline. Only 14% of the malicious traffic Akamai observed originated from Iranian IPs,” explained Michael Bell, founder and CEO at Suzu Labs.
Bell noted that Russia is now accounting for 35% of the attacks and China for 28%, and said this suggests it isn’t just Iranian retaliation.
“Russia and China are taking a ‘never let a good crisis go to waste’ approach, using the conflict as operational cover to ramp up scanning, credential harvesting, and infrastructure mapping while defenders are focused on the named adversary,” Bell told ClearanceJobs.
Wiper Attacks vs. Silent Intrusions: The “Loud vs. Quiet” Cyber Strategy
Moreover, it may be what we are not seeing that should concern us.
Jacob Warner, director of IT at cybersecurity provider Xcape, Inc., also noted that this recent surge in Iranian cyber activity following Operation Epic Fury highlights a sophisticated “loud vs. quiet” strategic pivot.
“High-profile ‘wiper’ attacks, where large amounts of data are deleted, on entities like Stryker dominate headlines and cause immediate operational paralysis. Meanwhile, state-sponsored actors are simultaneously executing quiet, long-term espionage campaigns,” Warner continued.
He told ClearanceJobs that, for security professionals, the greatest danger may lie in how “loud” attacks serve as a massive smoke screen, diverting incident response resources from deep-seated persistence in critical infrastructure.
“Defenders must look past the immediate carnage of defacements and wipers to hunt for ‘living off the land’ techniques and compromised administrative tools like UEM (Unified Endpoint Management) and MDM (Mobile Device Management) platforms,” warned Warner. “Prioritizing identity security and behavioral analytics is the only way to catch the quiet intruder while the sirens are blaring. In modern conflict, the wiper attack is just a loud invitation to a heist that has been running for months.”
Reconnaissance Surge Signals Larger Cyberattacks May Be Imminent
The attack mix may indicate that larger attacks are yet to come.
“Botnet discovery traffic up 70% and automated reconnaissance up 65% means most of what Akamai is measuring is the setup phase, not the main event,” said Bell. “The actual attacks that follow this reconnaissance, using the access and mapping being built right now, will be worse than the current numbers suggest.”
Key Takeaways
- Cyberattack activity has surged 245% since the start of Operation Epic Fury
- Iran’s cyber operations remain active and may be intensifying despite military setbacks
- Only 14% of malicious traffic is linked to Iran, with Russia (35%) and China (28%) playing major roles
- The financial sector is the most targeted, with credential harvesting and reconnaissance leading attack methods
- Wiper attacks may act as high-visibility distractions, masking deeper long-term intrusions
- Increased reconnaissance and botnet activity indicate a preparation phase for more severe cyberattacks
- Organizations should prioritize identity security, exposure management, and rapid vulnerability remediation