Security Advisory: Heightened Cyber Risk Related to Iran Conflict + Cloud Service Disruption Planning
What’s happening
As geopolitical tensions around Iran continue to escalate, multiple threat intelligence and government sources are warning organizations to prepare for retaliatory cyber activity, including disruptive attacks and data theft.
At the same time, recent reporting indicates physical attacks against cloud infrastructure in the Middle East have caused Amazon Web Services (AWS) outages and service disruption, underscoring the need for resilience planning even when your organization is not the direct target.
Separately, recent coverage continues to highlight staffing and budget strain across the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which can affect the broader response environment during periods of increased threat activity.
What we expect to see
Iran-aligned actors and associated hacktivist groups commonly lean on “loud” disruption tactics during conflict spikes, including:
- Distributed denial-of-service (DDoS) attacks against public-facing sites and customer portals
- Website defacement and opportunistic exploitation of exposed systems
- Credential theft, phishing, and targeted intrusion attempts for data theft or “leak operations”
- Destructive activity such as wiper malware in higher-risk scenarios
What to do now
Focus on fast, high-impact hardening steps that reduce your exposure to disruption and ransomware.
Protect public-facing systems first
- Confirm you have DDoS protection enabled for web properties (CDN, WAF, rate limiting).
- Review WAF rules and block obvious abuse patterns (bots, excessive requests, known bad geographies if appropriate).
- Ensure your external attack surface is accurate (domains, subdomains, VPN portals, remote access, SaaS admin pages).
- Confirm RDP, SSH, and admin portals are not directly exposed to the public internet.
- Validate that cloud storage buckets are not publicly accessible.
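One way to put the last check above into practice, as an added example rather than anything from this advisory or from AWS: the script below decides whether a bucket is effectively public by looking at the three things that matter together, the bucket policy, the ACL grants, and the account or bucket Public Access Block. It runs offline on constructed inputs shaped like the JSON that `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return; the bucket names, policy Sids and the `vpc-0example` VPC id are placeholders. Deny statements and conditional Allow statements are left for human review rather than being evaluated.

```python
"""Added example (not ISI or AWS code): flag storage buckets that are effectively public."""
import json

# S3 group grantees that make an ACL grant public (AllUsers = anonymous, AuthenticatedUsers = any AWS account).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (the wildcard may also sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_public_statements(policy):
    """Sids of Allow statements granted to any principal with no Condition.
    Statements with a Condition (aws:SourceVpc, aws:SourceIp, ...) need a human
    look and are not reported here; Deny statements are ignored entirely."""
    sids = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def acl_public_grants(acl):
    """Permissions handed to the public grantee groups via the bucket ACL."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


def public_access_block_complete(pab):
    """All four Public Access Block settings on: public ACLs and policies are then ignored."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in
               ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


def assess_bucket(name, policy, acl, pab):
    """Return a finding for one bucket. A complete Public Access Block masks both
    a public policy and public ACL grants, so the bucket is reported as not public
    but the underlying misconfiguration is still listed for cleanup."""
    sids = policy_public_statements(policy)
    grants = acl_public_grants(acl)
    blocked = public_access_block_complete(pab)
    return {
        "bucket": name,
        "policy_sids": sids,
        "acl_permissions": grants,
        "block_complete": blocked,
        "public": (not blocked) and bool(sids or grants),
    }


# Constructed sample inputs (placeholders, not real buckets).
_PUBLIC_READ = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::placeholder/*"}]}
_ALL_USERS_READ = {"Grants": [{"Grantee": {"Type": "Group",
                                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                               "Permission": "READ"}]}
_PAB_ON = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
SAMPLE_BUCKETS = [
    # public-read policy and no Public Access Block: exposed
    {"name": "marketing-assets", "policy": _PUBLIC_READ, "acl": {"Grants": []}, "pab": {}},
    # same policy plus a public ACL grant, but Public Access Block is fully on: masked
    {"name": "nightly-backups", "policy": _PUBLIC_READ, "acl": _ALL_USERS_READ, "pab": _PAB_ON},
    # wildcard principal restricted by an aws:SourceVpc condition: left for review, not flagged
    {"name": "vpc-only-data",
     "policy": {"Statement": [{"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::placeholder/*",
                               "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}}]},
     "acl": {"Grants": []}, "pab": {}},
]


def run_audit(buckets=SAMPLE_BUCKETS):
    return [assess_bucket(b["name"], b["policy"], b["acl"], b["pab"]) for b in buckets]


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

In a real run you would feed `assess_bucket` the live API responses for every bucket in the account and treat any `public: True` result as a same-day fix; `block_complete: False` with non-empty findings on a bucket you believed was private is worth the same urgency.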
Reduce account takeover risk
- Enforce multifactor authentication (MFA) everywhere, especially for email, virtual private network (VPN), privileged accounts, and cloud admin.
- Rotate credentials for any accounts that are shared, stale, or over-privileged.
- Verify conditional access policies are working as intended (new device sign-ins, impossible travel, high-risk logins).
- Audit dormant global admin and privileged roles.
- Alert on new inbox rules, especially those moving messages to RSS or archive folders.
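Two of the checks in this list (impossible-travel sign-ins and inbox rules that hide mail) can be scripted against exported logs. The block below is an added example written for this advisory, not ISI's tooling or a Microsoft API: the audit records are a constructed simplification of the shape of Exchange Online inbox-rule events (Operation, UserId, and a Parameters list), the sign-in rows carry a pre-resolved city and coordinates, and the users, cities and timestamps are made up. It goes slightly beyond the text by also flagging rules that delete or forward mail, since those serve the same purpose as moving it to RSS or archive folders.

```python
"""Added example (not ISI code): account-takeover detections over exported logs."""
import math
import re
from datetime import datetime

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders attackers use to park mail the victim will not read. Assumption: these names
# cover the common cases; localised folder names would need adding.
SUSPICIOUS_FOLDER = re.compile(r"rss|archive|deleted|junk", re.IGNORECASE)


def _params(event):
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def flag_inbox_rules(events):
    """Return one finding per new or modified inbox rule that hides, deletes or forwards mail."""
    findings = []
    for ev in events:
        if ev.get("Operation") not in RULE_OPERATIONS:
            continue
        p = _params(ev)
        reasons = []
        folder = p.get("MoveToFolder", "")
        if SUSPICIOUS_FOLDER.search(folder):
            reasons.append(f"moves mail to '{folder}'")
        if str(p.get("DeleteMessage", "")).lower() == "true":
            reasons.append("deletes matching mail")
        for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            if p.get(key):
                reasons.append(f"{key}={p[key]}")
        if reasons:
            findings.append({"user": ev.get("UserId"), "rule": p.get("Name"), "reasons": reasons})
    return findings


def _haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def flag_impossible_travel(signins, max_kmh=900.0, min_km=100.0):
    """Flag consecutive sign-ins by the same user that imply travel faster than max_kmh.
    min_km ignores small geolocation jitter; max_kmh is roughly airliner speed."""
    by_user = {}
    for s in signins:
        by_user.setdefault(s["user"], []).append(s)
    findings = []
    for user, rows in by_user.items():
        rows.sort(key=lambda s: s["time"])
        for prev, cur in zip(rows, rows[1:]):
            hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = _haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"], "kmh": round(speed)})
    return findings


# Constructed sample data (fictional users, example.com domain).
SAMPLE_AUDIT_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Clean up"}, {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Team mail"}, {"Name": "MoveToFolder", "Value": "Projects"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "Quiet"}, {"Name": "SubjectContainsWords", "Value": "password"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "dave@example.com", "Parameters": []},
]
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2024-06-01T09:00:00+00:00", "city": "New York", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "time": "2024-06-01T09:45:00+00:00", "city": "Frankfurt", "lat": 50.11, "lon": 8.68},
    {"user": "bob", "time": "2024-06-01T09:00:00+00:00", "city": "Chicago", "lat": 41.88, "lon": -87.63},
    {"user": "bob", "time": "2024-06-01T13:00:00+00:00", "city": "Denver", "lat": 39.74, "lon": -104.99},
]

if __name__ == "__main__":
    for f in flag_inbox_rules(SAMPLE_AUDIT_EVENTS) + flag_impossible_travel(SAMPLE_SIGNINS):
        print(f)
```

Both detections are deliberately coarse so they can run as a scheduled job over yesterday's export; a hit is a trigger to pull the full sign-in and mailbox audit history for that user, not a verdict on its own.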
Prepare for ransomware and destructive events
- Validate backups are recent, immutable where possible, and tested for restoration.
- Confirm endpoint detection and response (EDR) is healthy across servers and endpoints.
- Tighten admin paths: limit local admin, segment critical servers, restrict remote management ports.
Cloud resilience and continuity
Given recent AWS disruption reporting in the region, confirm your continuity posture even if you do not operate there.
- Verify disaster recovery assumptions: “single region” is a risk decision, not a default.
- Confirm your recovery point objective (RPO) and recovery time objective (RTO) match contract and business expectations.
- Ensure critical applications have a documented failover plan, and run a tabletop if you have not in the last 90 days.
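The backup and continuity items in the two lists above reduce to a handful of measurable questions per application: is the newest restore point within the RPO, is it locked against deletion, has a restore been exercised recently, is there a second region, and is failover written down. The script below is an added example, not an ISI or AWS tool: it scores a constructed application inventory against those questions with a fixed clock so the result is reproducible. Field names, the 90-day restore-test window (taken from the tabletop cadence above) and the sample applications are assumptions; RTO is left out because it can only be measured by actually running the failover drill.

```python
"""Added example (not ISI code): score a backup/DR inventory against RPO and resilience checks."""
from datetime import datetime, timezone

# Fixed "now" so the checks below are reproducible; use datetime.now(timezone.utc) in production.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed inventory (placeholder application names and region ids).
APPS = [
    {"name": "customer-portal", "rpo_hours": 4, "regions": ["us-east-1", "us-west-2"],
     "last_backup": "2024-06-01T10:00:00+00:00", "immutable_until": "2024-07-01T00:00:00+00:00",
     "last_restore_test": "2024-04-20T00:00:00+00:00", "failover_plan": True},
    {"name": "billing-db", "rpo_hours": 1, "regions": ["us-east-1"],
     "last_backup": "2024-06-01T06:00:00+00:00", "immutable_until": None,
     "last_restore_test": "2024-01-15T00:00:00+00:00", "failover_plan": False},
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def assess_app(app, now=NOW, restore_test_max_days=90):
    """Return a list of plain-language findings for one application (empty list = passes)."""
    findings = []

    age_hours = (now - _ts(app["last_backup"])).total_seconds() / 3600
    if age_hours > app["rpo_hours"]:
        findings.append(f"last backup {age_hours:.1f}h old, RPO is {app['rpo_hours']}h")

    # Immutable means a retention lock that still holds (e.g. object-lock retain-until in the future).
    lock = _ts(app.get("immutable_until"))
    if lock is None or lock <= now:
        findings.append("backups are not immutable (no retention lock in force)")

    tested = _ts(app.get("last_restore_test"))
    days = (now - tested).days if tested else None
    if days is None or days > restore_test_max_days:
        findings.append(f"last restore test {days if days is not None else 'never'}d ago, limit {restore_test_max_days}d")

    if len(app.get("regions", [])) < 2:
        findings.append("single-region deployment (accepted risk only if documented)")

    if not app.get("failover_plan"):
        findings.append("no documented failover plan")

    return findings


def run_checks(apps=APPS, now=NOW):
    return {app["name"]: assess_app(app, now) for app in apps}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it against the real inventory before the tabletop so the exercise starts from the applications that fail, rather than from the ones already known to be healthy.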
Operational readiness
- Reconfirm your incident response escalation path and after-hours contact process.
- Increase monitoring attention on authentication anomalies, admin actions, and web traffic spikes.
- Remind users to report suspicious login prompts and unexpected MFA requests immediately.
If you suspect suspicious activity
Treat these as urgent and escalate quickly:
- Unusual traffic spikes, public website instability, repeated login prompts, or suspicious account activity (notify ISI immediately)
- Unusual administrator logins, new mailbox rules, or unexpected OAuth app grants
- Ransom notes, endpoint “wiper” behavior, mass file renames, or backup deletion attempts
Immediate actions
- Isolate affected endpoints and servers from the network.
- Preserve logs and evidence (do not wipe systems before collecting what you can).
- Reset credentials for impacted accounts and invalidate active sessions.
- Notify your internal incident response lead and engage external support as needed.
What ISI Can Do to Help
If you open a support ticket (support@dodsecurity.com) or call the helpdesk at (202) 792-3042, we can triage and respond per our incident response process.
We will contain and investigate right away, which may include endpoint or account isolation, telemetry review, identity and session checks, and other remediation actions aligned to our incident response playbooks.
We will also run a targeted hunt for relevant indicators of compromise across your environment and remediate as needed to confirm scope and reduce the risk of persistence or lateral movement.
Stay safe, stay secure.
-ISI Cybersecurity Team