Operators of critical US infrastructure have raised their alert level amid warnings of possible Iran-backed cyber retaliation following the Feb. 28 strikes on Iran, according to Axios.
The concern is less about splashy data leaks and more about disruptions, with experts expecting an uptick in denial-of-service attacks that can knock services offline, while still warning that higher-impact intrusions remain possible against energy, water, transportation and telecommunications systems.
Axios said the risk could be compounded by a Department of Homeland Security funding crisis and shutdown that has cut staffing at the Cybersecurity and Infrastructure Security Agency to about 38%, raising fears adversaries could exploit the gap.
The warning reflects a pattern of past Iran-linked activity, including operations by actors tied to the Iranian government and others of unclear affiliation that have targeted sensitive US systems such as water and gas, even outside periods of open war.
Axios cited US cybersecurity firm CrowdStrike as saying Iran-aligned groups and self-described hacktivists have stepped up activity against targets in the Middle East, the US and parts of Asia since the strikes. The report said Hydro Kitten, a group aligned with Iran’s Islamic Revolutionary Guard Corps, has signaled plans to target the financial sector.
Retired Gen. Paul Nakasone, the former head of the National Security Agency and US Cyber Command, described Iran’s cyber capabilities as a “very potent, hostile power” that requires sustained vigilance, Axios reported.
Precautions
The report said US cybersecurity firm SentinelOne sent a memo to clients and partners on the day the war erupted, warning that cyber activity by groups believed to be indirectly linked to Iran, described as “state-adjacent,” is likely to escalate soon. It said the potential focus includes the US, Israel and their allies, particularly sensitive sectors such as government, critical infrastructure, defense, financial services, universities and media.
At the same time, the memo cautioned against overstating Iran’s technical capabilities or those of pro-Iran groups, saying it had not observed major malicious activity directly tied to recent developments and had no indications SentinelOne or its clients were being specifically targeted because of those events. It suggested much of the noise that accompanies wars can precede, or even occur without, clear technical evidence.
SentinelOne said any Iranian cyber response could follow several tracks.
First, it said Iran-linked actors, including those targeting US and Israeli institutions, could go after government, defense and diplomatic networks with spear-phishing and data theft to gain access to email and work platforms, prioritizing intelligence collection to shape political and military decisions over immediately crippling systems.
Second, it warned of disruptive and destructive attacks, from denial-of-service campaigns and takedowns of public-facing sites to a growing risk of “wiper” malware designed to erase data and knock systems offline, leaving recovery costly and, without solid backups, potentially impossible.
Third, SentinelOne flagged information operations aimed at sowing confusion and mistrust, including amplifying or fabricating claims about battlefield losses, leaking stolen documents after manipulating them, or declaring major breaches without evidence to embarrass an adversary and inflame public debate.
Fourth, it said attackers could stage infrastructure “proof-of-access” incidents, slipping into exposed control interfaces or poorly protected services tied to water, energy, transportation or suppliers, then publishing screenshots or messages to signal reach even if they do not cause immediate major damage.
Separately, the British security software and hardware company Sophos warned that periods of direct military escalation in the region often raise concerns about cyber activity led by actors aligned with the Iranian state or ideologically driven groups.
But the company said that despite a surge in hacktivist noise on channels such as Telegram and X after the Feb. 28 strikes, especially from pro-Iran figures and groups such as Handala Hack and APTIran, the activity observed through March 2 largely centered on DDoS disruptions, website defacements and unverified breach claims targeting Israeli infrastructure.
Sophos added that many purported achievements posted on social media remain unverified, and that groups both new and long-established, such as Cyber Toufan, tend to rely on basic tactics and sweeping claims. It urged a strict distinction between claims and confirmed intrusions, while raising readiness against service disruption, password attacks, hack-and-leak campaigns, and ransomware.
Against that backdrop, federal and local law enforcement agencies across the US have raised their alert level for a potential Iranian response after US and Israeli strikes inside Iran, ABC7 Chicago reported.
The station quoted Jake Braun, a former Department of Homeland Security adviser and head of the Cybersecurity Policy Initiative at the University of Chicago, as expecting any potential wave to include patterns “Iran has used before,” such as targeting the banking sector and systems linked to oil supply chains and parts of critical infrastructure like water, along with election-related disinformation. He warned weak points often lie in legacy or unpatched systems.
Texas Gov. Greg Abbott announced that the state raised its digital readiness level in anticipation of any potential Iranian response to the US strikes, saying the security plan includes boosting cybersecurity capabilities among Texas agencies alongside other protective steps.