SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

NCC Group warns Iran cyber threats spread worldwide

Tue, 24th Mar 2026

NCC Group has warned that cyber activity linked to the Iran conflict has intensified and spread beyond the Middle East. Organisations with ties to Israel or the US remain at heightened risk.

The cyber security firm said hacktivist operations had increased in volume, geographic reach and actor diversity, while Iranian state-linked groups continued to function despite domestic internet restrictions. Distributed denial-of-service attacks, website defacements and data leak claims still dominated, although data leak incidents made up a larger share of reported activity during the latest review period.

The assessment suggests the conflict is increasingly being fought online as well as through military action. NCC Group described the digital space as a parallel battleground, with influence operations expanding and AI-generated content making information harder to verify.

Iran's cyber posture appears to have been weakened but not disabled, according to the report. Iran's near-total internet blackout was likely largely self-imposed to control information flows, while core backbone connectivity remained in place.

This suggests Iranian operators may still be able to conduct or scale operations using access already established in overseas networks, along with infrastructure and front organisations outside Iran. The report said these workarounds, including proxy actors and offshore systems, had become more important as domestic connectivity tightened.

Iranian groups linked to the Ministry of Intelligence and Security (MOIS) were highlighted as still retaining effective cyber strength. Among them, APT34, also known as OilRig, was described as one of the best-documented Iranian actors, with a history of targeting government, energy, telecommunications, financial and chemical organisations, mainly in the Middle East but also in Europe, North America and parts of Asia.

APT34's campaigns typically focused on long-term access and intelligence gathering rather than immediate disruption. The group was said to favour stealth and persistence, using a mix of open-source tools and custom malware.

Proxy activity

The report also examined the role of proxy and hacktivist groups that can give Tehran plausible deniability. It said Handala Hack, which it linked to the MOIS, had maintained one of the highest tempos among Iran-aligned actors during the conflict period.

The group has been associated with attacks on Israeli and Gulf targets and was also linked by the report to the cyber incident at medtech company Stryker. NCC Group described the attack on Stryker as the most notable incident since the conflict began, although attribution claims have not been fully corroborated by the company involved.

The researchers said Iranian operators were also likely to benefit from intrusions that predated the current phase of the conflict. Existing footholds inside foreign organisations would require only limited communication with operators inside Iran, making them less dependent on domestic internet access.

The report cited MuddyWater as an example of a group that had reportedly already compromised organisations in the US and Canada before the latest strikes. It added that APT34 had shown signs of operational silence that could indicate covert pre-positioning rather than inactivity.

Global reach

Hacktivist activity has not been confined to Israel and neighbouring states. Western-aligned countries and organisations have also been targeted, including entities in Australia, Romania and Cyprus.

Some of these incidents appeared intended to send a political message rather than cause lasting operational damage. The firm said claims by hacktivist groups often form part of wider information campaigns and may exaggerate technical impact.

The report also pointed to warnings circulated online against US technology companies operating in Gulf states, naming large American firms. NCC Group said this appeared designed to generate fear and disrupt business activity rather than signal a credible immediate threat.

Beyond state-linked and ideological activity, opportunistic cybercrime has risen sharply during the conflict, according to NCC Group. It cited wider reporting showing a jump in malicious traffic, including credential harvesting, automated scanning and botnet reconnaissance, particularly against financial services, eCommerce, gaming and technology organisations.

For companies trying to assess their exposure, risk remained broadly tied to geography, commercial links and perceived political alignment, NCC Group said. Organisations operating in Israel, or maintaining commercial or government relationships with Israel or the US, were seen as the most exposed.

"Iranian state and Iran-linked cyber actors almost certainly currently maintain at least some capability to conduct cyber activity," the UK's NCSC said.