Why the Iran cyberattack everyone warned about hasn’t really happened yet
When the U.S. began “major combat operations” against Iran in late February, the warnings about an online counterattack from Iran and groups tied to the nation came from every corner. But more than six weeks later, there have been no known significant intrusions.
The hackers have been busy in other regions. Groups linked to the Iranian regime have hit Jordanian gas firms, as well as businesses in the United Arab Emirates and Qatar, as part of its Great Epic cyber offensive. But the incursions in the U.S. have seemed fairly minor in comparison.
Iran-linked hackers, for instance, struck medical equipment maker Stryker, which saw a global outage across its system. FBI director Kash Patel saw his personal (but not agency) email compromised. And the Iran-linked Handala group claimed last month to have published the personal data of dozens of Lockheed Martin employees stationed in the Middle East.
None of that is trivial. Still, it falls short of what authorities warned about. The attacks identified so far have been opportunistic, exploiting the kind of vulnerabilities many hacker groups target, rather than approaching the scale of the digital Pearl Harbor some feared.
“Much of the activity from the involved hacktivist groups has been high volume but low impact,” says Marijus Briedis, CTO at NordVPN. “Reported DDoS [distributed denial-of-service] attacks, website defacements, and data dumps generate headlines but don’t fundamentally damage critical systems.”
Hiding beneath the surface?
It is also possible, of course, that significant cyberattacks have occurred and simply haven’t been reported yet. There is often a lag with breaches, and some companies never disclose them publicly. It is just as plausible, says Matt Hull, vice president of cyber intelligence and response at the information assurance firm NCC Group, that some attacks have not been detected at all.
“Early-stage cyber activity tends to prioritize disinformation generation, intelligence collection, access development, and operations that directly support military objectives,” Hull says. “The absence of widely reported incidents should not be interpreted as a lack of activity, but rather as an indication that much of it is occurring below the threshold of public detection.”
It’s further possible that tales of the extent of Iran’s cyberwarfare program were overstated. That’s a theory floated by Georgia Tech professor and cybersecurity specialist Jon R. Lindsay in a recent New York Times op-ed.
“Even if its digital spies are working quietly, Iran’s cyberwarfare thus far does not inspire confidence that it is good at this, in the open or behind the scenes,” Lindsay wrote. “A more likely possibility is that Iran’s capacity for cyberwarfare is overrated, degraded, or both.”
Heavy losses
The U.S. and Israeli attacks on Iran could be a significant factor in the lack of a cyber response so far. At least two Iranians accused of running cyber operations against Western entities were reportedly killed in the strikes. Israel, meanwhile, says its bombs hit the cyberwarfare headquarters of the Iranian Islamic Revolutionary Guards Corps (IRGC), which has been linked to several major cyber operations against the U.S., including hacking and leaking information from Donald Trump’s 2024 presidential campaign. (Majid Khademi, the intelligence chief of the IRGC, was also reportedly killed last week.)
Further complicating matters is the fact that Iran has been under an almost total internet blackout since late February. There are, however, an estimated 50,000 Starlink terminals in the country, according to Holistic Resilience, a nonprofit that helps citizens bypass internet censorship. As a result, some of the current hacking efforts against the U.S. may be routed through U.S.-built technology.
“Iran’s own infrastructure might have been degraded, with near-total internet blackouts and reported strikes on its cyberwarfare headquarters in Tehran,” says NordVPN’s Briedis. “Sophisticated cyberattacks require months of reconnaissance and custom tooling, and much of that preparatory work may have been disrupted by the conflict itself.”
Sergey Shykevich, threat intelligence group manager at Check Point Research, agrees that the attacks on the country’s internet may have impacted cyberattacks so far. “We don’t think that Iran now has the capabilities for wide disruption activity in the U.S., but they utilize different opportunities when they see a weak security posture of organizations and the targeting aligns with their geopolitical strategy,” he says.
Don’t poke the bear
It’s equally possible, notes Jake Mullins, a recent graduate of Brigham Young University and member of its National Security Student Association, that Iran is deliberately avoiding a major cyberattack on U.S. soil for now, given the potential to swing public opinion in favor of the war against Iran.
“The shattered Iranian leadership knows their only hope is for internal American pressure to stop this war once Americans feel real economic pain,” Mullins wrote in a BYU blog. “The Iranians know that if anything resembling a terrorist attack happens on American soil, the U.S. military will have a blank check to flatten Tehran, and Iran will lose its ability to negotiate.”
Regardless of the lack of headline-making attacks, officials are warning American businesses and agencies to remain on alert. Last week, for example, the federal Cybersecurity and Infrastructure Security Agency said Iran-linked hackers were targeting critical industries such as the U.S. energy and water sectors, though there were no reports of major successes. Authorities also warned organizations across critical infrastructure sectors to apply cybersecurity mitigations to their operations and process control devices.