15 July 2025, Geneva
The Iran–Israel cyber conflict has escalated into a defining case study of modern hybrid warfare. Following kinetic exchanges earlier this summer, both nations have increasingly turned to cyber operations as primary instruments of statecraft. This briefing examines the evolving landscape of offensive and defensive cyber actions, outlines the ratio of sophisticated attacks versus disruptive hacktivist activity, and assesses the broader strategic implications over the coming weeks. It provides actionable insights for leaders seeking to understand and prepare for this rapidly developing situation.
A fragile ceasefire is holding, but cyber operations between Iran and Israel are surging. Since the truce, approximately 450 cyberattacks have been recorded against Israeli entities. These have primarily been the work of pro-Iran hacktivists carrying out DDoS attacks, defacements, espionage, and camera hijacks to monitor missile strikes.
Israeli cyber units (like Predatory Sparrow) have retaliated with surgical cyber strikes on Iranian banks and infrastructure; disruptions to Bank Sepah and a crypto exchange were reported.
Hacktivist Proxies & State-Backed Teams
Over 120 hacktivist groups (e.g., Handala Hack, Cyber Av3ngers) are active in online campaigns supporting Iran.
Emergent AI-augmented phishing and deepfakes are being used for disinformation and targeted influence.
Destructive & Opportunistic Operations
Iran-linked actors continue data wiper incidents and targeted DDoS attacks against Israeli infrastructure.
U.S. agencies (e.g., CISA, FBI, NSA) warn of spillover threats to U.S. critical infrastructure such as utilities, transport, and defense contractors, especially those with ties to Israel.
Strategic Espionage & Monitoring
Hijacked Israeli CCTV and cameras are being leveraged to assess military strike effects in real time.
Targeted espionage and communications interception persist on both sides to anticipate next moves.
Recent analyses reveal the following attack distribution in the ongoing confrontation:
DDoS Attacks - 81%
Data Breaches & Leaks - 7%
Phishing/Initial Access - 4%
Website Defacements - 3%
Wiper/Malware Incidents - 2%
Approximately 13% of attacks show signs of sophistication, while 87% of attacks are unsophisticated (high-volume DDoS floods and defacements).
This breakdown indicates most activity is disruptive noise, but interestingly, the sophisticated minority has caused disproportionate damage to critical systems.
1–2 Weeks:
Surge in low- to mid-intensity DDoS, web defacements, and AI-driven phishing campaigns targeting Israeli & U.S. assets.
2–4 Weeks:
Possible coordinated wiper/ransomware strikes on financial and infrastructure targets in Iran, Israel, and U.S./EU spillover. Espionage intensifies.
4+ Weeks:
Expanded disinformation and deepfake narratives targeting diaspora and global audiences; potential OT/ICS previews aimed at utilities and transport linked to Israel.
Normalization of the cyber domain in warfare: Ransomware and destructive malware are now conventional tools alongside espionage and influence. Compromised internet-connected cameras are used to assess kinetic strike effectiveness.
Proxy escalation risk: A collection of hacktivist groups enables Iran to strike broadly with strategic ambiguity.
Global collateral: Allied firms, diaspora communities, and geopolitical domains (like the UK, Australia, EU) are increasingly under cyber threat.
Strategic messaging: Use of cameras for strike verification and AI-driven misinformation campaigns show a hybrid cyber-psychology operation in play.
Boost DDoS defenses, deploy edge protection, and activate cloud-based scrubbing.
Increase phishing awareness and deepfake detection drills.
Harden OT/ICS assets and isolate backups; implement advanced network segmentation.
Collaborate with sector ISACs to share threat intel on linked TTPs.
Enhance AI-infused narrative monitoring to detect and counter influence campaigns.
Develop crisis escalation roadmaps and threshold frameworks to trigger alerts with international partners.
Prepare executive-level briefing templates for cyber escalation clusters affecting Israel and allied nations.
The Iran-Israel confrontation has entered a rapid escalation cycle, driven by hacktivist proxies, AI-enabled influence operations, and the use of cameras as strategic sensors. The next four weeks are likely to see intensified cyber offensives across multiple domains, with growing risk for allied nations. Proactive defense, sector-wide coordination, and multi-modal threat intelligence are key to mitigating the impact on likely targets.
Prepared by:
ISRS Strategic Advisory & Risk Analysis Unit
Geneva, Switzerland
About ISRS
The Institute for Strategic Risk and Security (ISRS) is an independent, non-profit NGO focusing on global risk and security.
Copyright (c) 2025, Institute for Strategic Risk and Security