Escalating US - Iran Cyber Tensions

Written by Bola Ogbara | Jun 27, 2025 2:03:45 PM

The US’s strikes on Iranian nuclear sites have spurred concerns about retaliation in the cybersphere, and whether or not the US is prepared to counter it. 

The Israel-Palestine war, which followed the October 7, 2023 attack by Hamas on Israel, arose out of a decades-long history between the two countries that has also involved other countries in the region. As of late, Iran has dominated the headlines for its increased engagement in the war, retaliating against Israeli attacks on its military and nuclear sites on June 13, 2025. It’s worth noting that Iran and Israel had previous exchanges in 2024, but these attacks may not have suggested an intent to escalate the conflict. Iran’s current involvement in the war has spurred more intervention from the US, amid concerns surrounding possible nuclear weapons in the country. Now the US, in addition to the military and financial aid it gives to Israel, has decided to directly intervene by bombing three nuclear sites in Iran on June 21, 2025.

 

The move, seen by some as a declaration of war, has caused worry about what retaliation the US can expect from Iran - like a fresh wave of cyberattacks. This anxiety isn’t unfounded; cyberattacks are easier to launch than physical attacks, and Iran’s cyber capabilities have been used to undermine US trust in elections, going so far as to infiltrate presidential campaigns. The country was even listed as a national cyber threat (alongside North Korea, China and Russia) in the Office of the Director of National Intelligence’s (ODNI's) 2025 Annual Threat Assessment.

 

After Iran first responded to the US’s attack by firing missiles at a US military base in Qatar, Adam Meyers, the senior vice president at CrowdStrike, described the anticipation of cyberattacks: “Iran’s kinetic retaliation is already in motion and the digital dimension to that may not be far behind. This cyber element is what lets them extend their reach and there’s an air of deniability to it.”

 

The Department of Homeland Security (DHS) released a National Terrorism Advisory System Bulletin about the Iran conflict on June 22, 2025. The notice specifically lists the potential for cyber espionage as one of the first threat areas: “Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US.” The public advisory also shares the Cybersecurity and Infrastructure Security Agency’s (CISA’s) cybersecurity best practices, and directs Americans to report suspicious activity (as part of the Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI)) to local law enforcement or the Federal Bureau of Investigation (FBI). The notice is set to expire in three months, on September 22, 2025.  

 

Brian Boetig, a former FBI official who worked as the director of the National Cyber Investigative Joint Task Force in DC, called for increased vigilance and preparedness as a result of the US bombings. Boetig warned that Iran likely had “cyber sleeper cells” on servers in Western organizations, poised to attack: “They could be hospitals, universities, government systems that are holding Iranian malware. And you could inadvertently be the landlord to a sleeper cell on your network because you failed to keep it patched and up to date, and you have security flaws. It’s just something that’s sitting there quietly, and ready to launch at a moment’s notice when needed, and we’re now in that time period, when that may be needed.”

 

Already, Iranian groups have increased their cyber activity in response to the US’s recent actions. Trump’s social media platform, Truth Social, experienced a Distributed Denial-of-Service (DDoS) attack that crashed the site soon after he announced the airstrikes. The attack was claimed by the “313 Team”, a hacktivist group that is aligned with Iran. Other hacktivist groups, like Mr Hamza, Cyber Jihad, Mysterious Team and Keymous+, have targeted US banks and financial services, as well as military organizations and companies. Mysterious Team and Cyber Jihad specifically have shared plans to increase their efforts, and more groups are expected to join the fray.

 

This is in addition to the Iranian state-sponsored actors tracked by Palo Alto researchers in Unit 42. By their count, 120 hacktivist groups (from Israel, Iran, and even Russia) are now active because of current events, which will likely spark an increase in their preferred attack methods - DDoS, destructive malware, website defacements and data exfiltration - globally.  Unit 42 also reported that state-sponsored Iranian activity is expected to “project and amplify political messaging (often using destructive and psychological tactics)” and that such campaigns “might target their victim’s supply-chains, critical infrastructure, vendors or providers.” 

 

It remains to be seen if America is ready for the anticipated barrage of cyberattacks. Arnie Bellini, a tech entrepreneur, discussed America’s vulnerability after the strikes in an interview with ABC News: “We just showed the world: You don’t want to mess with us kinetically. But we are wide open digitally. We are like Swiss cheese.”

 

This position may be worsened by the ongoing federal cuts that have significantly reduced CISA’s workforce and budget. Similarly, the National Security Agency (NSA) lost important leadership guiding the Pentagon’s Cyber Command after Trump fired their director. Exacerbating this unpreparedness, FBI agents (including some specializing in national security) have reported being pulled away from their responsibilities to “spend significant amounts of time helping DHS officers track down undocumented immigrants - not traditionally an FBI priority.” 

 

While the US’s national cybersecurity posture appears a bit unsteady, there are still some protective steps that organizations can take. Unit 42 recommends reviewing the DHS bulletin, teaching employees about phishing and social engineering tactics, continuously checking for suspicious activity, confirming that internet-facing infrastructure is updated, and strengthening responses to threat signals. In the meantime, businesses can prepare for a potential attack by enhancing continuity plans for assets sensitive to cyberattacks and readying themselves to respond to data breach claims.

 

It’s important to emphasize that this is a rapidly developing situation that will require more monitoring before any permanent decisions are reached. This week, Trump took credit for arranging a cease-fire between Iran and Israel, and the arrangement seems to be holding, despite a shaky start. Recent reports suggest the US strikes may not have been as damaging as previously claimed, which could mean more American involvement in the future. Just the same, strengthening national cybersecurity would be a worthwhile protective measure no matter how the situation plays out.