
State-Backed Cyberattacks: What the Iran Conflict Reveals

Kyanite Blue Labs, Threat Intelligence·31 March 2026

Why Geopolitical Cyber Conflict Is a Business Security Problem

Most organisations outside the Middle East read headlines about Iranian hackers targeting Israeli hospitals and file them under 'not our problem.' That is a mistake. The tools, techniques, and infrastructure developed during state-level cyber conflicts do not stay contained to the battlefield. They migrate. They get sold, leaked, and repurposed by criminal groups operating in every region, including the UK and Australasia. Iran-linked hacking groups — including those attributed to the Islamic Revolutionary Guard Corps (IRGC) — have been observed running high-volume, low-sophistication attacks against healthcare systems, water utilities, and communications infrastructure during the ongoing conflict. According to reporting by SecurityWeek, these groups are increasingly using AI to scale their operations, automating reconnaissance, phishing content generation, and vulnerability scanning in ways that were previously resource-intensive. The pattern matters. When state actors prove a method works at scale, that method enters the wider threat ecosystem within months.

What Are Iran-Linked Threat Actors Actually Doing?

Iranian cyber operations in the current conflict have taken two distinct forms.

The first is opportunistic, high-volume disruption: defacing websites, knocking services offline, and flooding systems with traffic. These attacks are designed for psychological and reputational impact rather than deep infiltration. They are cheap to execute and difficult to prevent entirely.

The second form is more dangerous: targeted spyware deployment against specific individuals and organisations. Groups linked to Iranian state intelligence have been observed planting mobile spyware on devices belonging to journalists, activists, and healthcare workers operating in or adjacent to conflict zones. That spyware gives operators persistent access to communications, location data, and credentials.

AI is accelerating both approaches. Internet-wide port scanners have been able to sweep the entire IPv4 address space in under an hour for more than a decade; what is new is using models to triage those results, pick targets, and match exposed services to working exploits with far less operator time. Generative AI produces phishing emails in fluent local languages, stripping away the grammatical errors that previously helped recipients identify suspicious messages. The barrier to running a convincing, wide-net campaign has dropped considerably.

  • High-volume disruption: website defacement, DDoS, and service interruption at scale
  • Targeted spyware: persistent access to communications, credentials, and location data
  • AI-assisted reconnaissance: automated vulnerability scanning across large IP ranges
  • AI-generated phishing: grammatically accurate lures in multiple languages
  • Credential harvesting: fake login portals mimicking legitimate healthcare and government services
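As an added illustration (not code from the original article or from any vendor named on this page), the following Python script shows the defender's side of the reconnaissance bullet above. It reads firewall log lines in an assumed `timestamp src dst dport action` format, built here from constructed sample data using RFC 5737 documentation addresses, and flags any source that touches more than a threshold of distinct host:port pairs inside a sliding time window. The window and threshold are assumptions; tune them to your own traffic.

```python
"""Flag automated reconnaissance in firewall logs (added example, not the article's code).

A scanner touches many distinct host:port pairs from one source in a short
window, whatever tool drives it. The log format, window and threshold below
are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp src dst dport action" format,
# using RFC 5737 documentation addresses. 203.0.113.7 sweeps ten targets in
# four seconds; 192.0.2.44 is an ordinary client talking to one web server.
SAMPLE_LOG = """\
2026-03-30T02:14:01Z 203.0.113.7 198.51.100.10 22 DENY
2026-03-30T02:14:01Z 203.0.113.7 198.51.100.10 443 ALLOW
2026-03-30T02:14:02Z 203.0.113.7 198.51.100.11 3389 DENY
2026-03-30T02:14:02Z 203.0.113.7 198.51.100.12 8080 DENY
2026-03-30T02:14:03Z 203.0.113.7 198.51.100.13 445 DENY
2026-03-30T02:14:03Z 203.0.113.7 198.51.100.14 22 DENY
2026-03-30T02:14:04Z 203.0.113.7 198.51.100.15 1433 DENY
2026-03-30T02:14:04Z 203.0.113.7 198.51.100.16 5900 DENY
2026-03-30T02:14:05Z 203.0.113.7 198.51.100.17 8443 DENY
2026-03-30T02:14:05Z 203.0.113.7 198.51.100.18 21 DENY
2026-03-30T09:00:00Z 192.0.2.44 198.51.100.10 443 ALLOW
2026-03-30T09:00:05Z 192.0.2.44 198.51.100.10 443 ALLOW
2026-03-30T09:01:00Z 192.0.2.44 198.51.100.10 443 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), action


def detect_scanners(log_text, window=timedelta(seconds=60), threshold=8):
    """Return {src: peak number of distinct (dst, port) targets seen inside
    any window} for every source whose peak reaches the threshold."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        by_src[src].append((ts, (dst, dport)))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # slide the window over this source's events in time order
        peak = start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            distinct = len({target for _, target in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peak in detect_scanners(SAMPLE_LOG).items():
        print(f"probable scanner {src}: {peak} distinct targets inside 60s")
```

The rule keys on breadth, not on blocked versus allowed traffic: a scanner that finds a handful of open ports still shows the same fan-out signature, and the denied hits are the cheapest early warning that someone is enumerating you.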

Why Hospitals Keep Getting Hit

Healthcare has become a preferred target in cyber warfare, and the reasons are operational rather than symbolic.

Hospitals run legacy systems. Many NHS trusts and their counterparts in New Zealand and Australia operate infrastructure that has not been patched in years, partly because taking clinical systems offline for maintenance carries patient safety risk. That trade-off produces a standing exposure that attackers exploit directly.

Beyond legacy infrastructure, healthcare data is extraordinarily valuable. Patient records contain identity information, financial data, and sensitive personal details that fetch high prices on dark web markets; threat intelligence firms that track dark web pricing report that a single electronic health record sells for many times the price of a stolen payment card.

The 2024 ransomware attack on Change Healthcare in the United States, attributed to an ALPHV/BlackCat affiliate, disrupted prescriptions and billing for weeks across thousands of providers and demonstrated the cascading real-world consequences when healthcare IT fails. That incident was criminal rather than state-sponsored, but Iranian groups have shown they are willing to cause equivalent disruption in active conflict zones. The difference between a geopolitical motive and a criminal one matters little to a hospital that cannot access patient records.

For UK NHS trusts and the Health New Zealand (Te Whatu Ora) districts that replaced the former DHBs in 2022, the lesson is that conflict-zone targeting patterns set precedents. Tools and methods proven effective against Israeli hospitals in 2024 and 2025 will appear in criminal toolkits used against British and Australasian healthcare within a predictable window.

How AI Is Changing the Scale of These Attacks

State-sponsored groups have always had resources. What AI changes is the ratio of output to resource. A team of ten operators can now run campaigns that previously required fifty, because the time-consuming manual elements (writing convincing lures, identifying exploitable targets, customising malware for specific environments) can be partially or fully automated.

For defenders, this creates a specific problem: volume. Security operations centres are already under pressure. When the number of alerts, phishing attempts, and scanning events multiplies by an order of magnitude, human analysts cannot keep pace using traditional triage methods. Fatigue and false-positive noise increase, and real threats get missed.

This is precisely where AI-assisted attack surface management becomes operationally relevant rather than aspirational. Platforms like Hadrian continuously map and test an organisation's external-facing assets, identifying exposures before attackers find them. When threat actors run automated scans across millions of targets, knowing your own attack surface in real time is the minimum viable defence. Organisations that conduct an annual penetration test and consider that sufficient are running a once-a-year map against a daily threat.

The other dimension is data exfiltration. Iranian threat actors conducting spyware operations are not just disrupting systems; they are stealing data continuously and quietly. Signature-based endpoint detection catches known malware but can miss the slow, low-volume exfiltration that advanced persistent threats prefer. Anti data exfiltration technology, such as that provided by BlackFog, monitors data movement at the device level and blocks unauthorised transfers regardless of whether the underlying tool is classified as malware. That distinction matters when dealing with novel or state-developed tooling that has not yet entered threat signature databases.
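The once-a-year versus continuous point is easiest to see on data. The following Python example is added here and is not Hadrian's or the article's code. It assumes external scan results exported as a dictionary of hostname to {port: service}, constructs two such snapshots (a quarterly one and today's), and diffs them so that a newly exposed service surfaces as a finding ranked by how attractive it is to an attacker. The `HIGH_RISK` service list, the hostnames and the severity scheme are illustrative assumptions.

```python
"""Diff two external attack-surface snapshots (added example, not the article's code).

Snapshot format is an assumed {host: {port: service}} mapping; a real feed would
come from your own external scanner or an EASM export. Anything that was not
exposed last time and is exposed now is exactly what an attacker's daily scan
will find first.
"""

# Services an automated scanner would prioritise if it found them exposed
# (illustrative list, not a standard).
HIGH_RISK = {"rdp", "smb", "telnet", "ftp", "vpn-admin", "admin-portal"}

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}

# Constructed snapshots: last quarter's scan versus today's.
SNAPSHOT_Q1 = {
    "www.example.org": {443: "https", 80: "http"},
    "vpn.example.org": {443: "https"},
}
SNAPSHOT_TODAY = {
    "www.example.org": {443: "https", 80: "http"},
    "vpn.example.org": {443: "https", 8443: "vpn-admin"},   # management UI now public
    "staging.example.org": {3389: "rdp", 443: "https"},     # host nobody told security about
}


def diff_snapshots(old, new):
    """Return (severity, host, port, note) findings for exposures that changed
    between two snapshots, most severe first."""
    findings = []
    for host, ports in new.items():
        for port, service in ports.items():
            previous = old.get(host, {}).get(port)
            if previous is None:
                severity = "high" if service in HIGH_RISK else "medium"
                findings.append((severity, host, port, f"new exposure: {service}"))
            elif previous != service:
                findings.append(("medium", host, port,
                                 f"service changed: {previous} -> {service}"))
    for host, ports in old.items():
        for port in ports:
            if port not in new.get(host, {}):
                findings.append(("info", host, port, "no longer exposed"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for severity, host, port, note in diff_snapshots(SNAPSHOT_Q1, SNAPSHOT_TODAY):
        print(f"[{severity:6}] {host}:{port} {note}")
```

Run against the constructed data this reports the public RDP on the staging host and the VPN management interface as high findings before anything else. The value is not in the diff itself but in how often it runs: the same three findings exist whether the scan is quarterly or daily, and the quarterly cadence simply hands the attacker up to three months of exclusive knowledge.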

What UK and New Zealand Organisations Should Take From This

The direct risk to a UK accounting firm or a New Zealand logistics company from an IRGC-linked hacking group is low. The indirect risk is not. There are three pathways through which conflict-driven cyber techniques reach commercial organisations in the UK and Australasia.

First, criminal adoption. Techniques proven effective in state operations get packaged into ransomware-as-a-service toolkits and sold. The LockBit and BlackCat ransomware ecosystems demonstrated how quickly sophisticated methods become commoditised.

Second, supply chain exposure. If your suppliers, partners, or cloud providers operate infrastructure that handles traffic from conflict-adjacent regions, or if they run software developed or hosted by companies targeted in these campaigns, you carry inherited risk. Third-party supply chain risk management is not theoretical; it is the vector through which many organisations discover they were involved in an incident they never directly experienced. Panorays exists specifically to map and monitor that inherited exposure.

Third, collateral impact. NotPetya, widely described as the most costly cyberattack on record, was a Russian military intelligence operation aimed at Ukraine: the wiper was pushed through a poisoned update to the M.E.Doc accounting software used by businesses operating there, then spread laterally through the networks of multinationals with Ukrainian offices, destroying systems at Maersk, Merck, and Mondelez. Total damages exceeded $10 billion (USD), according to White House estimates from 2018. The affected organisations were not the intended targets. They were collateral casualties of a conflict they had no part in.

For UK businesses managing endpoint, email, and cloud security through a platform like Coro, or for Australasian enterprises relying on ESET for enterprise endpoint protection, the practical question is whether their current stack would detect and contain a novel tool developed for conflict-zone deployment. That question deserves a direct answer, not an assumption.

The Security Controls That Close the Exposure Gap

No security stack eliminates risk from a determined, state-resourced attacker. That is an honest starting point. What security controls do is raise the cost of attack, reduce dwell time, and limit the blast radius when something gets through. Against high-volume, AI-assisted campaigns, those properties matter enormously.

Continuous external attack surface visibility addresses the reconnaissance phase. If a threat actor's automated scanner finds an exposed admin portal or an unpatched VPN appliance before your team does, the initiative has already shifted. Hadrian's continuous assessment model means that newly exposed assets are identified and flagged in real time, not at the next scheduled audit.

At the endpoint level, behavioural detection that does not rely solely on known-malware signatures is the relevant capability against state-developed tooling. Sophos XDR and MDR provide 24/7 detection and response across endpoints, networks, and cloud environments, with human analysts reviewing high-confidence alerts. That human layer is what catches the edge cases automated detection misses.

For the data exfiltration component, the spyware-style slow drain of sensitive information, BlackFog's anti data exfiltration technology operates independently of signature databases and monitors actual data movement behaviour. If a device starts sending data to an unusual destination at unusual hours, the transfer is flagged and blocked before the exfiltration completes.

Finally, supply chain monitoring through Panorays provides visibility into the third-party risk surface that most organisations cannot see directly. In an environment where state actors target suppliers to reach primary targets, that visibility is not optional; it is core risk management.
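Both this section and the earlier one on data exfiltration describe the same behavioural idea: judge a transfer by which host is sending how much to which destination and when, not by whether the tool doing it is a known malware family. The following Python example is added here to make that concrete; it is not BlackFog's or any vendor's code. It assumes per-host egress flow records of the form (host, ISO timestamp, destination, bytes out), builds a destination baseline from a constructed known-good period, and then flags a destination that is new for that host, is used mostly outside working hours, and has accumulated more than a threshold of bytes across several days even though every individual transfer is small. The working-hours boundaries and the thresholds are assumptions.

```python
"""Behavioural slow-exfiltration detection over egress flows (added example, not the article's code).

Records are assumed tuples of (host, ISO-8601 timestamp, destination, bytes_out).
A baseline period teaches the rule which destinations each host normally talks
to; in the candidate period, a new destination that is contacted mostly off
hours and has drained more than a threshold in total is raised, regardless of
how small each transfer was.
"""
from collections import defaultdict
from datetime import datetime

# Constructed known-good week: a ward workstation talking to the EHR and mail.
BASELINE_FLOWS = [
    ("ward-pc-07", "2026-03-02T10:15:00", "ehr.example.org", 120_000),
    ("ward-pc-07", "2026-03-02T14:40:00", "ehr.example.org", 95_000),
    ("ward-pc-07", "2026-03-03T09:05:00", "mail.example.org", 30_000),
    ("ward-pc-07", "2026-03-04T11:20:00", "ehr.example.org", 110_000),
]

# Constructed later period: normal EHR traffic, one benign new CDN hit, and a
# ~40 KB upload to an unknown address at about 02:00 every night.
CANDIDATE_FLOWS = [
    ("ward-pc-07", "2026-03-10T10:02:00", "ehr.example.org", 118_000),
    ("ward-pc-07", "2026-03-10T02:11:00", "203.0.113.50", 40_000),
    ("ward-pc-07", "2026-03-11T02:13:00", "203.0.113.50", 42_000),
    ("ward-pc-07", "2026-03-12T02:09:00", "203.0.113.50", 39_000),
    ("ward-pc-07", "2026-03-13T02:15:00", "203.0.113.50", 41_000),
    ("ward-pc-07", "2026-03-12T15:30:00", "cdn.example.net", 5_000),
]


def off_hours(ts, start=7, end=19):
    """True when ts falls outside the assumed 07:00-19:00 working day."""
    return not (start <= ts.hour < end)


def build_baseline(flows):
    """Map each host to the set of destinations it was seen sending to."""
    seen = defaultdict(set)
    for host, _, dst, _ in flows:
        seen[host].add(dst)
    return seen


def detect_slow_exfil(baseline, flows, min_total=100_000, min_offhours_ratio=0.5):
    """Return one alert per (host, new destination) whose accumulated bytes
    reach min_total with at least min_offhours_ratio of transfers off hours."""
    agg = defaultdict(lambda: {"bytes": 0, "n": 0, "off": 0, "days": set()})
    for host, ts_str, dst, nbytes in flows:
        if dst in baseline.get(host, set()):
            continue  # known destination for this host; out of scope for this rule
        ts = datetime.fromisoformat(ts_str)
        a = agg[(host, dst)]
        a["bytes"] += nbytes
        a["n"] += 1
        a["off"] += off_hours(ts)
        a["days"].add(ts.date())

    alerts = []
    for (host, dst), a in agg.items():
        ratio = a["off"] / a["n"]
        if a["bytes"] >= min_total and ratio >= min_offhours_ratio:
            alerts.append({"host": host, "dst": dst, "bytes": a["bytes"],
                           "days": len(a["days"]), "off_hours_ratio": ratio})
    return alerts


if __name__ == "__main__":
    for alert in detect_slow_exfil(build_baseline(BASELINE_FLOWS), CANDIDATE_FLOWS):
        print(f"{alert['host']} -> {alert['dst']}: {alert['bytes']} bytes over "
              f"{alert['days']} days, {alert['off_hours_ratio']:.0%} off hours")
```

Two caveats a practitioner will want. This is detection only; blocking "before the exfiltration completes" needs an enforcement point on the host or the egress gateway that can act on the verdict. And the baseline must come from a period you trust: if it is built after the implant is already beaconing, the rule learns that the nightly drain is normal and stays silent.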

The Broader Pattern Worth Watching

The Iran conflict is one example of a broader shift in how geopolitical disputes are conducted. Ukraine, Gaza, Taiwan Strait tensions, and South China Sea disputes all have active cyber dimensions. The groups involved share tools, sell access, and operate in ecosystems that overlap with criminal networks. What this means for security planning is that threat modelling can no longer treat geopolitical risk as separate from organisational risk. The two are connected, and the connection is tightening as AI lowers the cost of running high-volume operations. Organisations that treat cybersecurity as a compliance checkbox rather than a live operational discipline will continue to be surprised by incidents that were, in hindsight, predictable. Those that maintain continuous visibility into their attack surface, monitor their third-party exposure, and run detection that does not depend entirely on known signatures will be better positioned to absorb the techniques that migrate from conflict zones into mainstream criminal campaigns. If you want to understand where your organisation's current exposure sits against these threat patterns, the Kyanite Blue team can run an assessment. The conversation starts with your attack surface.

Frequently Asked Questions

Are UK businesses at risk from Iranian state-sponsored cyberattacks?

The direct targeting risk for most UK businesses is low, but indirect risk is real. Techniques developed by Iranian threat groups enter criminal ransomware toolkits within months. Supply chain exposure and collateral damage from broad campaigns — similar to how NotPetya hit global firms despite targeting Ukraine — are the primary pathways for UK organisations.

How is AI being used in state-sponsored cyberattacks?

State-linked threat actors are using AI to automate vulnerability scanning across millions of targets, generate convincing phishing content in multiple languages, and customise malware deployment. This reduces the operational cost of running large campaigns and allows smaller teams to produce attack volumes that previously required significant human resources.

Why do hospitals get targeted in cyber warfare?

Hospitals run legacy systems that are difficult to patch without clinical risk, making them reliably exploitable. Healthcare records contain high-value identity and financial data. Disrupting hospital systems creates immediate, visible real-world impact — both for criminal ransomware operators seeking leverage and for state actors pursuing psychological or political objectives.

Tags: state-sponsored cyber attacks, Iran threat actors, hospital cyber attacks, AI-assisted hacking, critical infrastructure security

Want to discuss this with our team?

Book a free 20-minute call with David or Max.