Cyber as the second front line: what Iranian cyber operations mean for CISOs

Since the start of the joint U.S.–Israeli operation earlier this year, the conflict has extended beyond the physical battlefield into cyberspace. Recent analysis shows that Iranian cyber activity is accelerating in both pace and scale, creating tangible risks for organisations far beyond the immediate region.

30 March 2026 | 2 minutes read

A blended threat landscape

Research from Palo Alto Networks’ Unit 42 points to a clear shift. There has been a surge in Iran-linked cyber operations following geopolitical escalation in early 2026. The techniques themselves are largely familiar, but the way they are deployed is not. Attacks are faster, more coordinated, and executed at greater scale, marking a change that CISOs cannot afford to overlook.

What stands out is the diversity of actors involved. State-sponsored groups, hacktivist collectives, and cybercriminals are operating in parallel and at times appear loosely aligned. This overlap blurs traditional lines of attribution and complicates both detection and response.

At the same time, intent is converging. Espionage, disruption, and influence are increasingly combined within single campaigns. Cyber activity is no longer a series of isolated incidents. It has become an integrated instrument of geopolitical strategy.

Familiar tactics, new intensity

At a technical level, many of the observed attacks rely on familiar techniques. Unit 42 reports widespread use of phishing, exploitation of known vulnerabilities, DDoS campaigns, and data leak operations. What has changed is the way these techniques are combined, scaled, and operationalised.

For example, multiple groups carried out coordinated DDoS and website defacement campaigns against government and infrastructure targets, often amplifying their impact through online channels. Phishing and social engineering remain key entry points, used to gain access and support broader operations.

The report also shows how attackers are operating with greater coordination and tempo. Campaigns are launched in parallel by different groups, increasing pressure on targets and complicating response efforts.

At the more disruptive end of the spectrum, there are indications of activity aimed at operational impact, including claims of destructive or wiper-style attacks. While not yet the dominant pattern, this suggests a potential shift beyond espionage and data theft toward disruption.

Why this matters for CISOs

Although the primary targets of Iran-linked operations are tied to regional conflicts, the impact is not contained. European organisations face indirect exposure through supply chains, geopolitical alignment, and the interconnected nature of critical infrastructure. Sectors such as energy, logistics, ports, and public services are particularly vulnerable, especially in highly digitalised economies like the Netherlands, where disruption in one domain can quickly cascade into others.

For CISOs, this creates a dual challenge: separating credible threats from the noise generated by numerous hacktivist claims, while responding to attacks that move faster and come with less clear attribution. In this context, traditional security models focused mainly on prevention are no longer sufficient.

The priorities are clear: reduce exposure by patching known vulnerabilities faster, strengthen defences against phishing and identity-based attacks, improve visibility across endpoints, networks, and cloud environments, and integrate geopolitical developments into risk assessments and scenario planning. Above all, organisations need to improve detection and response speed, which is increasingly the determining factor in limiting impact.

The broader shift is undeniable. Geopolitical conflict now translates directly into cyber risk, requiring CISOs to expand their scope beyond technology and factor global developments into their security strategy.