
Iran Cyber Threat Intelligence Assessment 2026
CYBER THREAT INTELLIGENCE
This cyber threat intelligence assessment examines the evolving cyber security risks linked to escalating geopolitical tensions between Iran, Israel and the United States in the Persian Gulf.
Understand the cyber threat landscape as the US-Israel-Iran conflict evolves. LRQA's specialist threat intelligence team has produced an urgent assessment of Iranian cyber actor capability, intent, and activity - giving your organisation the situational awareness needed to act now.
What’s inside
- Expert profiles of Iranian APT groups: OilRig (APT34), MuddyWater, Void Manticore, Scarred Manticore, Peach Sandstorm (APT33), Lemon Sandstorm, Pink Sandstorm and Prince of Persia, including behaviours, targets and tooling
- Immediate impact assessment: how the internet blackout and kinetic strikes have affected Iranian cyber actor capability, opportunity and intent
- Reported activity since the conflict began: DDoS claims, a SCADA compromise in Jordan, SMS phishing spoofing Israel's national alert service, and hacktivist sock puppet activity
- Strait of Hormuz cyber risk: threats to shipping, energy infrastructure and global supply chains, including the precedent set by the 2025 Lab Dookhtegan attack
- Kinetic impact on cloud infrastructure: AWS data centre strikes, widespread UAE banking disruption and what physical attacks mean for digital resilience
- Future threat projections: regime change scenarios, targeting shifts and the long-term cyber risk outlook for organisations with Gulf exposure

What organisations need to know
The joint US-Israel military operation launched on 28 February 2026 has created one of the most rapidly evolving cyber threat environments in recent history. Iran cyber threat intelligence has never been more critical for organisations operating in or with exposure to the Middle East, energy, finance, and critical infrastructure sectors.
Iran has spent two decades building one of the most sophisticated state-aligned cyber ecosystems in the world. Groups including OilRig (APT34), MuddyWater, and Peach Sandstorm (APT33) operate with advanced tooling and well-established infrastructure. That capability does not disappear with a change of government or a period of internet disruption. As this assessment shows, actors such as Void Manticore have already adapted - using Starlink IP addresses to sustain operations during the January 2026 connectivity blackout.
Who is most at risk?
Iranian cyber actors have historically prioritised energy, defence, finance, telecommunications, and government sectors across the US, Israel, Gulf Cooperation Council states, and Europe. The current conflict has intensified this targeting, with additional focus on critical infrastructure and industrial control systems. Organisations with any supply chain exposure to the Gulf region, and those operating cloud infrastructure in the Middle East, should treat this as an elevated threat period.
Threat ready where it matters most
Trusted by organisations worldwide to identify, manage and respond to cyber risk at scale.