Iran’s Supreme Leader Is Dead. The Cyber War Is Just Beginning.

This Is Not Just a Political Event. It’s a Cybersecurity Flashpoint.

Iran’s Supreme Leader Ayatollah Ali Khamenei was killed today in a joint U.S.-Israeli military strike on Tehran. The 86-year-old leader who ruled Iran for 36 years is dead. The Iranian government has declared 40 days of mourning.

But while the news focuses on missiles and airstrikes, cybersecurity experts are sounding a different alarm: Iran’s digital army is now the regime’s primary weapon of retaliation — and American infrastructure is in the crosshairs.

This isn’t speculation. It’s already happening.

Why Cyber Is Now Iran’s Only Option

According to a threat intelligence report from cybersecurity firm Anomali, today’s military operation ‘has destroyed Iran’s conventional military options, making cyber operations the regime’s sole remaining instrument of asymmetric retaliation.’

Iran-linked cyber units were reportedly ‘activated and retooling before the kinetic trigger’ — meaning they were preparing for this moment before the first bombs fell.

Here’s the reality: Iran can’t win a conventional war against the U.S. and Israel. Their air defenses have been decimated. Their military leadership has been killed — including the IRGC commander, the Defense Minister, and multiple senior intelligence officials. Israel even launched what’s being called the largest cyberattack in history alongside the airstrikes, dropping Iran’s internet connectivity to just 4% of normal traffic.

But cyber warfare doesn’t require aircraft carriers or air superiority. It requires computers, skilled operators, and targets. Iran has all three.

Iran’s Cyber Capabilities: What We’re Facing

Under Khamenei’s leadership, Iran developed one of the most sophisticated state-sponsored cyber programs in the world. Here’s what they built:

The IRGC Cyber-Electronic Command (IRGC-CEC): The Islamic Revolutionary Guard Corps runs Iran’s primary offensive cyber operations, directly under the Supreme Leader’s control. They operate advanced persistent threat (APT) groups including APT33 and APT35.

Ministry of Intelligence (MOIS): Iran’s civilian intelligence agency runs additional cyber units including APT34 (OilRig) and MuddyWater — groups that have targeted critical infrastructure worldwide.

Hacktivist Proxies: Iran has deliberately cultivated ‘hacktivist’ groups that provide plausible deniability. Groups like CyberAv3ngers claimed to be independent activists but were later revealed to be IRGC operations. This allows Iran to attack without official attribution.

Proven Infrastructure Targeting: Iranian hackers have already successfully compromised U.S. water treatment facilities, energy systems, and healthcare networks. Between November 2023 and January 2024, IRGC-affiliated hackers compromised programmable logic controllers (PLCs) at dozens of U.S. facilities across water, energy, food manufacturing, and healthcare sectors.

As one cybersecurity expert put it: ‘Iran possesses some of the most creative and dangerous cyber operators in the world, and with the current escalation, their incentive for restraint is significantly reduced.’

What Could Happen Next

Experts are warning of multiple potential attack vectors in the coming days and weeks:

Critical Infrastructure Attacks

‘They don’t need to win a naval battle in the Gulf to hurt the U.S.,’ said Tatyana Bolton, a cybersecurity policy expert. ‘They can simply hold our power grids, water systems, and hospitals hostage from halfway around the world to force our hand at the negotiating table.’

Specific targets could include:

  • Power grids and energy infrastructure
  • Water and wastewater treatment facilities
  • Healthcare systems and hospitals
  • Banking and financial systems
  • Transportation networks

Industrial Control System (ICS) Exploitation

Former CISA official Brian Harrell warned of ‘a surge in state-sponsored hacking activity, specifically targeting operational technology and critical infrastructure through the exploitation of internet-facing industrial control systems and vulnerable programmable logic controller hardware.’

Many industrial systems — the computers that control physical processes like water treatment, power generation, and manufacturing — are connected to the internet with inadequate security. Default passwords. Unpatched software. No network segmentation. These are the soft targets Iran will exploit.

Ransomware and Destructive Malware

Iran has deployed destructive malware in the past, including the infamous Shamoon wiper that destroyed 30,000 computers at Saudi Aramco. Expect ransomware attacks against businesses and government agencies, potentially with no intention of actually providing decryption keys.

Disinformation and Psychological Operations

‘By combining disruptive attacks with psychological operations, Iran will seek to erode public trust in government institutions and project domestic strength during periods of heightened conflict,’ Harrell noted.

This means hack-and-leak operations, social media manipulation, and coordinated campaigns to spread fear and uncertainty.

Website Defacements and DDoS Attacks

The most visible (if least damaging) attacks will likely be website defacements and distributed denial-of-service (DDoS) attacks designed to knock systems offline. These are propaganda tools — visible demonstrations of capability meant to demoralize and intimidate.

The Timing Couldn’t Be Worse

Here’s what makes this particularly dangerous: the U.S. Cybersecurity and Infrastructure Security Agency (CISA) — the federal agency responsible for tracking threats and alerting the public — is currently operating with sharply reduced staffing due to funding issues at the Department of Homeland Security.

‘This is a bad time for Washington’s cyber agency to be operating with limited staff,’ said Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. This ‘limits the ability of the federal government to provide timely cyber threat information to the private sector.’

In other words: the watchtower is understaffed just as the enemy approaches the gates.

What This Means for You

If you run a business, manage IT systems, or simply use connected technology, the next few weeks demand heightened vigilance. Modern warfare doesn’t stop at missiles — it moves to malware. And geography provides no protection.

Here’s what you should do right now:

Immediate Actions

  • Increase monitoring. Watch for unusual network activity, failed login attempts, and unexpected system behavior. If you have security logging, actually look at it.
  • Patch everything. Update all systems, especially internet-facing devices. Iranian hackers consistently exploit known vulnerabilities that have available patches.
  • Check for default passwords. Any device with a default or weak password is a target. This includes routers, IoT devices, cameras, and industrial equipment.
  • Prepare for phishing campaigns. Expect a surge in phishing emails exploiting the news cycle. Train your team to be skeptical of unexpected emails, especially those creating urgency.
  • Backup critical data offline. If ransomware hits, your only recovery option may be restoring from backup. Make sure those backups exist and aren’t connected to your network.
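One way to act on the first item above ("actually look at" your security logging) is a small script that scans auth logs for brute-force patterns. The following is an added example for this post, not code from Pendergrass Consulting or any vendor; the log lines are constructed in sshd/syslog format, and the 60-second window, the five-failure threshold and the year used for parsing are assumptions you would tune to your environment. It flags a source that crosses the failure threshold, and separately flags a successful login from a source that had just been bursting, which is the case that deserves immediate attention.

```python
"""Added example (not from the original post): flag brute-force login bursts
in sshd-style auth log lines. Thresholds and the sample log are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/sshd format (not real events).
SAMPLE_LOG = """\
Mar  1 08:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  1 08:00:02 gw sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  1 08:00:03 gw sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  1 08:00:04 gw sshd[2104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  1 08:00:05 gw sshd[2105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  1 08:00:09 gw sshd[2106]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Mar  1 08:15:00 gw sshd[2200]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Mar  1 08:15:30 gw sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

WINDOW = timedelta(seconds=60)   # assumed: sliding window for counting failures
THRESHOLD = 5                    # assumed: failures per window that count as a burst
YEAR = 2026                      # syslog lines carry no year; assumed for parsing


def parse_line(line):
    """Return (timestamp, result, user, ip) or None if the line is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a list of alert dicts: one when a source IP reaches `threshold`
    failures within `window`, and one when such a burst is followed by a
    successful login from the same IP."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    burst_ips = set()             # sources already flagged as bursting
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            # Drop failures that have aged out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append({"type": "burst", "ip": ip, "failures": len(q), "at": ts})
        elif result == "Accepted" and ip in burst_ips:
            # A success right after a burst is the signal that matters most.
            alerts.append({"type": "success_after_burst", "ip": ip, "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run it against a real `/var/log/auth.log` by reading the file into `detect_bruteforce`; the single failed login from `alice` followed by a key-based success is deliberately left unflagged, since one typo is normal and alerting on it would only train people to ignore the output.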

If You Manage Industrial or Operational Technology

  • Disconnect unnecessary internet connections. Control systems should not be directly accessible from the public internet.
  • Segment your networks. IT systems and OT systems should be separated so a breach in one doesn’t automatically compromise the other.
  • Review remote access. If vendors or staff can access systems remotely, ensure those connections are secured and monitored.
  • Watch for geopolitical-themed malware. Attackers often use current events as lures. Be suspicious of any files or links related to the Iran situation.

For Everyone

  • Be skeptical of sensational news. Disinformation campaigns will exploit confusion. Verify information through multiple reliable sources.
  • Watch your personal accounts. Nation-state actors sometimes target individuals to gain access to organizations. Use strong, unique passwords and enable multi-factor authentication everywhere.
  • Report suspicious activity. If you see something unusual, report it. CISA can be reached at report@cisa.gov or 888-282-0870.

The Battlefield Is Now in Code

When power shifts at the top, digital retaliation follows fast.

Iran’s conventional military has been devastated. Their leadership has been killed. Their options for physical retaliation are limited. But their cyber capabilities remain intact — thousands of trained operators with the skills, tools, and motivation to strike back.

The front line isn’t just in the Middle East anymore. It’s in every network, every connected device, every industrial control system in America.

The question isn’t whether Iran will attempt cyber retaliation. It’s where, when, and whether we’ll be ready.

Stay vigilant. Stay patched. Stay prepared.

Need Help Securing Your Business?

At Pendergrass Consulting, we help businesses assess their cybersecurity posture and implement practical protections against exactly these kinds of threats. If you’re concerned about your exposure — or just want someone to review your security setup — we’re here to help.

Pendergrass Consulting provides cybersecurity, IT support, and technology consulting services throughout the Triangle area, including Raleigh, Durham, Chapel Hill, Cary, Apex, and the surrounding communities.