A Shadow Cyber War with Iran Targets Oil, Cloud, and Critical Infrastructure

By any measure, the past few days have marked a dramatic military escalation across the Middle East. But according to multiple cybersecurity leaders, the digital phase of this conflict was already well underway long before the first drone crossed a border.


Security researchers describe a coordinated surge in API probing, industrial control system targeting, and disruptive infrastructure attacks that suggest a hybrid campaign blending kinetic strikes with cyber operations designed to destabilize economies and public confidence.


API Probing as a Prelude to Conflict


Ted Miracco, CEO of Approov, says the early warning signs were visible in application traffic.


“A silent prelude to attacks has been conducted via API probing. While much of the public focus is on the military strikes, the digital battlefield has been simmering for weeks. In the fortnight leading up to this weekend’s events, Approov observed a significant surge in highly sophisticated probing attacks against APIs and mobile applications that provide critical communication links for regional governments. These sophisticated maneuvers were specifically designed to evade initial defenses. We have analytical indications that the presumed Iranian actors were scouting and gauging regional infrastructure vulnerabilities.


Fortunately, by deploying over-the-air (OTA) software updates to the apps and new policies to the cloud, we were able to harden these apps before the probes could turn into full-scale service interruptions or data breaches.”


API reconnaissance often escapes public scrutiny because it does not immediately disrupt service. Instead, probes quietly map authentication flows, enumerate endpoints and API versions, scrape metadata, and test where rate limits kick in. In a geopolitical crisis, that reconnaissance can become the blueprint for rapid disruption.
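The reconnaissance pattern described above leaves a recognisable footprint in ordinary access logs. The following is an added example, not code from Approov or from the original article, of scoring each source address for the three behaviours mentioned: auth-flow and schema discovery, endpoint enumeration that produces a high 401/403/404 ratio, and repeated 429 responses from rate-limit testing. The log lines are constructed, the discovery path list and the score weights are assumptions to be tuned per API, and the nginx-style combined log format is assumed.

```python
"""Flag API reconnaissance in access logs: auth/schema discovery, endpoint
enumeration, and rate-limit testing, scored per source address.
Added example; sample log lines are constructed, not real traffic."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (nginx "combined" format). 203.0.113.10 is a
# normal mobile client; 198.51.100.7 behaves like a scout.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2026:02:14:01 +0000] "GET /api/v1/users/1 HTTP/1.1" 200 512 "-" "MobileApp/4.2 (Android)"
203.0.113.10 - - [01/Mar/2026:02:14:02 +0000] "GET /api/v1/users/2 HTTP/1.1" 200 498 "-" "MobileApp/4.2 (Android)"
198.51.100.7 - - [01/Mar/2026:02:14:03 +0000] "GET /api/v1/users/1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2026:02:14:03 +0000] "GET /api/v2/users/1 HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2026:02:14:04 +0000] "GET /api/internal/admin HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2026:02:14:04 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 1203 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2026:02:14:05 +0000] "POST /oauth/token HTTP/1.1" 400 88 "-" "curl/8.4.0"
198.51.100.7 - - [01/Mar/2026:02:14:05 +0000] "GET /swagger.json HTTP/1.1" 404 0 "-" "MobileApp/4.2 (Android)"
198.51.100.7 - - [01/Mar/2026:02:14:06 +0000] "GET /api/v1/alerts HTTP/1.1" 429 0 "-" "curl/8.4.0"
198.51.100.7 - - [01/Mar/2026:02:14:06 +0000] "GET /api/v1/alerts HTTP/1.1" 429 0 "-" "curl/8.4.0"
198.51.100.7 - - [01/Mar/2026:02:14:07 +0000] "GET /api/v1/alerts HTTP/1.1" 429 0 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed list: paths that reveal auth flows or API structure. A genuine
# client rarely touches more than one of these in a session.
DISCOVERY_PATHS = ("/.well-known/", "/oauth/", "/swagger", "/openapi",
                   "/api-docs", "/graphql", "/internal/")


@dataclass
class SourceStats:
    requests: int = 0
    paths: set = field(default_factory=set)
    agents: set = field(default_factory=set)
    errors: int = 0          # 401/403/404: unauthenticated or enumerating
    rate_limited: int = 0    # 429: actively testing the limit
    discovery_hits: int = 0  # requests to DISCOVERY_PATHS


def parse_line(line):
    """Parse one combined-format line; return None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def aggregate(log_text):
    """Accumulate per-source statistics over the whole log text."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the pipeline
        s = stats[rec["ip"]]
        s.requests += 1
        s.paths.add(rec["path"])
        s.agents.add(rec["ua"])
        if rec["status"] in (401, 403, 404):
            s.errors += 1
        if rec["status"] == 429:
            s.rate_limited += 1
        if any(p in rec["path"] for p in DISCOVERY_PATHS):
            s.discovery_hits += 1
    return stats


def score(s):
    """Heuristic recon score; the weights are illustrative assumptions."""
    total, reasons = 0, []
    if s.requests and s.errors / s.requests >= 0.4:
        total += 3; reasons.append("high 401/403/404 ratio")
    if s.rate_limited >= 3:
        total += 2; reasons.append("repeated 429s (rate-limit testing)")
    if s.discovery_hits >= 2:
        total += 3; reasons.append("auth/schema discovery endpoints")
    if len(s.agents) >= 3:
        total += 1; reasons.append("rotating user agents")
    if len(s.paths) >= 6:
        total += 1; reasons.append("broad path enumeration")
    return total, reasons


def find_probers(log_text, threshold=5):
    """Return {ip: (score, reasons)} for sources at or above the threshold."""
    result = {}
    for ip, s in aggregate(log_text).items():
        sc, why = score(s)
        if sc >= threshold:
            result[ip] = (sc, why)
    return result


if __name__ == "__main__":
    for ip, (sc, why) in find_probers(SAMPLE_LOG).items():
        print(f"{ip}: score={sc} ({', '.join(why)})")
```

On the constructed sample the mobile client scores 0 and the scout scores 10. Run against real logs, the interesting output is not the flagged addresses themselves but the set of paths they touched, which is the map the attacker built and the list of interfaces worth hardening first.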


Miracco warns that destructive cyber phases may still be ahead.


“Groups like the CyberAv3ngers have already proven that our water and power systems are vulnerable through the hardware and mobile interfaces that control them. Depending on who is in power, we could expect a 'scorched earth' approach next. Currently, Iran's domestic cyber infrastructure is in a defensive crouch following the massive digital blackout.


As they regain control, they will likely move from probing or persistence to destruction. This means moving beyond standard DDoS attacks to wiper malware and API-based disruptions that could cripple the mobile apps global users rely on for everything from banking to emergency alerts. The sophistication we saw in the Gulf suggests they are capable of striking once they recover their footing. It will only matter who gives the orders, as whatever penetrations they could pull off were completed before the first strike occurred.”


Oil, Cloud, and Grain Under Fire


Flashpoint analysts report that the conflict expanded between March 1 and 2 into direct strikes on economic infrastructure. Iranian Shahed-136 drones reportedly hit Saudi Aramco’s Ras Tanura facility, one of the world’s largest oil processing and export hubs. In the UAE, Amazon Web Services confirmed that a regional data center experienced temporary disruption after physical impacts caused sparks and fire.


At the same time, pro-Iranian hacktivist groups claimed successful intrusions into industrial control systems tied to a Jordanian grain silo operator, alleging manipulation of temperature and weighing systems. While those claims remain under investigation, they signal a troubling shift toward food supply targeting.


Jacob Warner, Director of IT at Xcape, Inc., says this pattern fits Tehran’s historical playbook.


“During open conflict, Iran has historically favored asymmetric cyber tactics. These tactics are deniable, disruptive, and psychologically impactful rather than those that are overtly destructive. U.S. critical infrastructure - especially water utilities, energy operators, healthcare systems, telecommunications, the media, and regional government networks - could experience increased attacks.”


He expects DDoS campaigns, ransomware, spear phishing, and intrusion attempts aimed at undermining public trust.


“Groups like CyberAv3ngers have previously targeted poorly secured industrial control systems (ICS). This indicates a continued interest in operational technology (OT) environments with low cybersecurity maturity. We might also observe website defacements, data leaks, or influence operations intended to heighten domestic political and social tensions.”


Warner also points to Tehran’s history of throttling domestic internet access during unrest, arguing that the current blackout is likely deliberate containment rather than external sabotage.


For private sector operators, he advises immediate defensive action.


“For private sector organizations, resilience should be the priority: patch vulnerable systems, enforce multi-factor authentication, segment operational technology (OT) from information technology (IT) networks, and practice incident response playbooks. Lastly, users everywhere need to be reminded to be aware of unsolicited emails so that they can avoid compromising their organizations through susceptibility to phishing.”


The Silence of APT34


Some analysts are more concerned about what is not happening.


Denis Calderone, Principal and CTO at Suzu Labs, notes that Iran’s advanced persistent threat group APT34 has gone unusually quiet.


“Recent trends have most analysts keeping focus on DDoS and ransomware right now, and those are real concerns. But what's been concerning us more is the stuff we can't see. Iran's most capable espionage group, APT34, has gone completely quiet during the most significant crisis in their country's modern history. We worry that it might just mean they're getting ready.”


He believes cyber operations may represent Tehran’s most viable lever if conventional options narrow.


“Since it appears that conventional military options are looking increasingly to be off the table, cyber is what Iran has left. And even with their own internet down, pre-positioned implants and operators based outside Iran can still execute. If you're in energy, water, financial services, or defense, assume you're a target. Start hunting for anomalous access in your environment now. Don't wait for something to break.”
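A concrete starting point for the hunt Calderone describes, added here as an example and not code from Suzu Labs or the article: build a per-account baseline of source networks from older successful logins, then flag newer events that come from a first-seen network, that reach an OT-facing host outside a maintenance window, or that use a service account interactively. The events, the OT host list, the maintenance hours, the baseline cutoff date and the "svc-" naming convention are all constructed assumptions; the point is the comparison against a baseline, not the specific values.

```python
"""Hunt for anomalous access in authentication logs.
Added example; sample events, host list and thresholds are constructed."""
import json
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed JSON-lines auth events, not from any real environment.
SAMPLE_EVENTS = """\
{"ts": "2026-02-20T09:12:00Z", "user": "jsmith", "src": "10.20.1.15", "host": "corp-fs01", "type": "interactive", "result": "success"}
{"ts": "2026-02-21T10:40:00Z", "user": "jsmith", "src": "10.20.1.15", "host": "corp-fs01", "type": "interactive", "result": "success"}
{"ts": "2026-02-22T08:05:00Z", "user": "ot-admin", "src": "10.50.0.8", "host": "ot-jump01", "type": "interactive", "result": "success"}
{"ts": "2026-02-23T11:30:00Z", "user": "svc-backup", "src": "10.20.9.4", "host": "corp-fs01", "type": "service", "result": "success"}
{"ts": "2026-03-01T03:17:00Z", "user": "ot-admin", "src": "203.0.113.77", "host": "ot-jump01", "type": "interactive", "result": "success"}
{"ts": "2026-03-01T03:19:00Z", "user": "svc-backup", "src": "10.20.9.4", "host": "ot-jump01", "type": "interactive", "result": "success"}
{"ts": "2026-03-01T09:00:00Z", "user": "jsmith", "src": "10.20.1.15", "host": "corp-fs01", "type": "interactive", "result": "success"}
"""

OT_HOSTS = {"ot-jump01", "plc-hmi02"}      # assumed: hosts that bridge into the OT segment
MAINTENANCE_HOURS = range(6, 20)           # assumed: 06:00-19:59 UTC is normal working time
BASELINE_CUTOFF = datetime(2026, 2, 28, tzinfo=timezone.utc)  # assumed baseline window end


def network_of(ip_str):
    """Collapse a source IP to its /24 (or /64) so DHCP churn inside one office does not alarm."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def build_baseline(events, cutoff):
    """Map each user to the source networks seen in successful logins before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            seen[e["user"]].add(network_of(e["src"]))
    return seen


def hunt(text, cutoff=BASELINE_CUTOFF):
    """Return (timestamp, user, host, reasons) for post-cutoff successes that deviate from baseline."""
    events = parse_events(text)
    baseline = build_baseline(events, cutoff)
    findings = []
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue
        net = network_of(e["src"])
        reasons = []
        if net not in baseline.get(e["user"], set()):
            reasons.append(f"first-seen source network {net}")
        if e["host"] in OT_HOSTS and e["ts"].hour not in MAINTENANCE_HOURS:
            reasons.append("off-hours access to OT-facing host")
        if e["user"].startswith("svc-") and e["type"] == "interactive":
            reasons.append("service account used interactively")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["host"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, host, why in hunt(SAMPLE_EVENTS):
        print(f"{ts} {user}@{host}: {'; '.join(why)}")
```

On the constructed data, the ot-admin login from an unfamiliar network at 03:17 and the interactive use of svc-backup on the OT jump host are flagged, while the routine corporate logins are not. The baseline-then-compare shape is what matters: a pre-positioned implant reuses credentials that look valid, so the signal is in where, when and how they are used, not in whether authentication succeeded.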


Calderone also warns European organizations not to assume geographic insulation.


“European organizations need to pay attention here too. Iran's cyber operations don't stop at US borders, and the proxy groups operating on Iran's behalf are even less predictable in their targeting. When the motivation is retaliation and the conventional military is gone, cyber operators cast a wide net.”


His most urgent concern is wiper malware against energy and financial firms.


“The immediate concern for European critical infrastructure is wiper malware. We're already seeing reports of wiper deployments against Western financial and energy firms from Iranian proxy groups, and although many of these have been traditionally against Israeli targets, there's no reason to suggest that targeting won't expand with recent developments. If you're in energy or critical infrastructure, treat this as a heightened threat period. Review your incident response plans, make sure your backups are isolated and tested, and pay close attention to any unusual activity in your OT environments. This is not a drill.”


Blackouts and Retaliation


Hom Bahmanyar, Global Enablement Officer at Ridge Security, frames the cyber response as strategic asymmetry.


“There is a significant possibility that Iran’s Islamic regime would respond to US and Israeli military strikes with large-scale cyberattacks, particularly given its inability to match the conventional military capabilities of the US and Israel. Cyber operations may be viewed by the regime as a more attainable and potentially effective means of retaliation compared to military confrontation.”


He also suggests that the nationwide connectivity drop reported by NetBlocks may be intentional internal control.


“Based on the regime’s past practice of imposing internet shutdowns to restrict the flow of information during internal crises or domestic unrest, such as the January crackdown on protesters, the current nationwide internet blackout and reduction in connectivity to 4% as reported by NetBlocks is likely a deliberate government response to make it more difficult for pro-democracy forces to communicate with the outside world, rather than the direct result of Israel’s cyberattacks on their infrastructure.”


A Hybrid War Without Borders


The broader strategic picture is one of convergence. Missile strikes now target oil refineries and cloud infrastructure. Drone attacks have reportedly reached RAF Akrotiri in Cyprus. Hezbollah’s missile launches from Lebanon have opened a second front. European powers including the UK, France, and Germany have signaled willingness to intervene militarily.

In parallel, cyber actors linked to groups such as CyberAv3ngers, HANDALA, and the Cyber Islamic Resistance Axis are claiming intrusions into industrial systems, logistics operators, and Gulf government networks.


The conflict has expanded from battlefield exchanges to economic warfare. Oil facilities, data centers, and grain storage systems are now in scope. APIs that power banking apps, emergency alerts, and digital government services are being scanned and stress tested.


The emerging pattern suggests that modern conflict no longer separates kinetic and digital domains. Infrastructure is both a physical and software-defined target. And as several experts warn, the quiet reconnaissance phase may prove more consequential than the loudest missile strike.


For global CISOs and infrastructure operators, the message is consistent: assume pre-positioning has already occurred, harden external interfaces, isolate operational technology, and prepare for destructive scenarios rather than temporary disruption.


The hybrid war is already live. The question now is how far it spreads.
