The Iran conflict is serving as an AI testbed for the next era of cyber conflict. Most organizations are watching the tactics and impact unfold with cybersecurity defenses that are simply not prepared for this level of sophistication.
Meanwhile, technology leaders are seeing AI as both their biggest opportunity and a major new attack vector. Despite this recognition of AI as both notable ally and foe, only one in five CIOs feels highly effective at defending against AI-enabled adversaries.
Vice President of Security Research at LevelBlue.
Concurrently, state-backed groups on all sides are already using AI-enhanced tooling to run highly targeted phishing attacks, moving quickly through networks and hitting critical IT infrastructure.
Put simply, the AI-powered cyber arms race has moved beyond the theoretical and well into a live-testing phase, in a real conflict zone.
Cyber as the first mover
Cyber operations are now an intrinsic part of warfare. US commanders have called cyber and space units the “first movers”, used to blind Iranian systems, cut communications, and shape the battlefield before and during airstrikes.
According to LevelBlue’s analysis, large DDoS attacks, deep intrusions into energy and telecoms networks, and manipulation of mobile apps drove Iran’s internet connectivity down to about 4% of normal during the first waves of strikes. It’s clear that cyber can no longer be thought of as a passive defense tactic.
The same dynamics can now be seen mirrored in Iran’s response. Iranian APTs (Advanced Persistent Threats) like MuddyWater, Charming Kitten, OilRig and Elfin have shifted from quiet pre-positioning to more aggressive cyberattack campaigns, using AI-assisted tooling like GhostFetch and RustyWater.
These AI tools automate scouting, create convincing phishing lures and spread quickly through networks. Business leaders are learning in real time that in a crisis, cyber strikes hit first to blind, confuse decisions and set the scene for future attacks.
If their organization is unable to detect and respond to said strikes at machine-speed, they are already two steps behind.
The reality of AI-accelerated attacks
The ongoing Iran conflict offers a concrete preview of how AI and cyber tactics will interact in future conflicts. War has moved off the battleground onto computer screens and lines of code.
On the offensive side, AI helps sift open-source intelligence, satellite images and telemetry to spot targets faster. This is in line with what US officials have hinted at when talking about “finding and fixing” Iranian military assets.
On the defensive and retaliatory side, Iranian hackers and proxies use AI for scale. This includes hyper-personalized phishing against policymakers and NGOs, automated credential theft and password spraying, in addition to wiper malware hitting factories and hospitals to maximize chaos.
Such attacks are blurring the lines between “activists” and states. Groups using hacktivist-style names, like Handala, are carrying out destructive data-wiping and data-leaking operations that in reality look and feel like government-backed campaigns. However, whether it’s a lone hacker or a nation-state, the impact on a business is the same.
What IT leaders need to know
As the cyberthreat landscape increases in complexity and sophistication amidst ongoing geopolitical conflict, CIOs, CTOs and business leaders in general need to take actionable steps to get prepared:
Firstly, every business leader should assume that AI-driven tradecraft will be used against their organization, whether or not that business is a direct party to a geopolitical dispute. Threat intelligence reports show spillover activity across sectors and regions as Iranian and allied groups probe for soft spots in energy, finance, healthcare and aviation networks beyond the conflict zone.
US medical-device company Stryker has already fallen victim to a state-backed cyberattack. Across the pond, the UK’s National Cyber Security Centre has also urged firms to strengthen their defenses amid the conflict. Therefore, the traditional “we’re not a likely target” thinking is rendered moot and dangerously outdated.
Secondly, investment in AI should be deliberate rather than reactive, to match attackers’ use of AI. Most leaders are now investing in AI for threat detection and faster response, while embedding cyber resilience across the business. The Iran conflict is actively demonstrating why this priority shift cannot wait.
Adversaries are using AI to sift through organizations' complex digital footprints, spotting tiny weaknesses or patterns that can be exploited, which lets them gain access to systems much faster than before.
On the defensive side, AI is already enriching analyst context. AI is being used to combine signals across domains, certificates, telemetry and intelligence sources to surface suspicious activity faster and with greater confidence.
However, clear governance is a must for the wider industry as AI investments only pay off if someone is clearly in charge of them. In practice, this looks like boards actually understanding AI’s trade-offs, having a defined risk appetite and clear cyber metrics that are tied directly to up-time, reputation and regulatory risk rather than just a dashboard of automated alerts.
Third, the cyber-hygiene basics that AI will amplify need to be fixed and maintained. The Iran crisis has exposed how much damage can be done by exploiting long-standing weaknesses like unpatched remote access, flat networks and factory-set passwords on critical control equipment that were never changed.
With more than half of CIOs seeing software supply-chain security and third-party distribution as high risk, 70% of them are investing in enhanced controls there. Enhanced controls in this context mean tightened due diligence on vendors and M&A targets.
They also mean demanding transparency into code provenance and build-pipelines, in addition to using AI-assisted monitoring to spot anomalies in partner behavior before an incident cascades into an organization's environment.
Finally, if a nation-scale disruption is to be expected (as it should be), it should be rehearsed for. Iran’s near-total connectivity blackout, combined with attacks on critical infrastructure communications, demonstrates the failure of “business-as-usual” assumptions. CIOs are increasingly planning to work with incident-response specialists and threat intelligence providers.
However, many still lack mature, tested continuity plans that assume prolonged outages, disinformation and simultaneous incidents across multiple suppliers. In an AI-driven crisis, businesses that have practiced decision-making under pressure, with partial data and automated attacks, will fare better than those still relying on a static playbook.
Final thoughts
Most organizations around the globe are watching the events in Iran unfold with defenses designed for a slower, less sophisticated threat environment. CIOs and IT leaders are learning in real time that when an attack occurs, there will not be a safe, quiet moment to prepare for it.
If adversaries are using AI to move faster, hide better and hit harder, businesses need to be equipped with governed AI capabilities, hardened basics and rehearsed crisis plans of their own.
Anything less amounts to hoping that the tactics being perfected over an active war zone will never be turned on your own business, which is simply not a strategy.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/pro/perspectives-how-to-submit