Google threat analyst warns Iran may launch wave of cyberattacks

Cybersecurity researchers say there are already early indications of increased activity

Iran is expected to retaliate against recent US and Israeli air strikes with cyberattacks targeting organisations across the Middle East and beyond, a senior cyber-intelligence expert from Google has warned.

John Hultquist, chief analyst at Google's Threat Intelligence Group (GTIG), said Tehran would "absolutely" respond through cyber operations, potentially affecting countries that host US military bases or have ties to Washington and its allies.

He made the remarks during an event in London organised by the defence think tank Royal United Services Institute (RUSI).

While the discussion was originally intended to examine the threat of Russian cyber disruption in Europe, the rapidly escalating conflict in the Middle East shifted much of the focus to Iran and its cyber capabilities.

Iran has long been regarded by Western security agencies as a significant cyber power, with a record of espionage campaigns and disruptive hacking operations against foreign governments and businesses.

Hultquist said the tactics used by Iranian hackers were unlikely to change significantly. Instead, he warned that the number and variety of targets could expand.

"You're not going to see some secret weapon; it won't be very different from what we've seen going on for the last few years," he said.

"What changes is the targeting. Previously, we were talking about the targeting of a small state with an incredibly mature security capability - Israel. Now we're talking about a host of other targets who may not have the same maturity."

Countries such as Qatar, Jordan, Bahrain, the United Arab Emirates and Kuwait – all members of the Gulf Cooperation Council and home to US military bases – could face aggressive cyber operations, he added.

Blurred lines between hackers and the state

Iranian cyber activity often operates in a grey area between government-backed hackers and independent cybercriminal groups.

Hultquist said Iran has historically used a network of proxy actors and hacktivist collectives to conduct operations while maintaining plausible deniability.

"They're really good at playing in this foggy space," he said.

Some groups claiming to be independent activists may in fact act as fronts for the Islamic Revolutionary Guard Corps (IRGC), he suggested.

He also warned that cyber incidents appearing to be financially motivated ransomware attacks may actually be state-backed operations designed to cause disruption.

Following the escalation of tensions in the region, the UK's National Cyber Security Centre (NCSC) has urged organisations to review their cyber defences.

In a recent alert, the agency warned that companies with operations, assets or supply chains in the Middle East could face an increased risk of cyber threats.

Jonathon Ellison, the NCSC's director for national resilience, said it was "critical that all UK organisations remain alert to the potential risk of cyber compromise".

While the agency said the direct threat from Iran to the UK had not significantly changed, it cautioned that the situation could evolve quickly.

Rising cyber activity

Cybersecurity researchers say there are already early indications of increased activity.

Analysts at Palo Alto Networks' threat research unit, Unit 42, reported that several Iran-aligned hacking groups have claimed responsibility for disruptive operations targeting Israel.

"As activity is likely to continue to intensify throughout the duration of these events, it's important to remain vigilant to potential attacks," the company said.

"Hacktivists and state-supported threat actors have been opportunistic, leading to potentially unexpected sources being targeted," it added.