Escalating geopolitical tensions in the Middle East are increasingly translating into heightened cyber activity. According to analysis by Palo Alto Networks, since the beginning of 2024 there has been a rapid increase in the number of attacks carried out by hacktivist groups and state-affiliated entities, particularly those linked to Iran. The conflict is not limited to military action – information systems, supply chains and social media have become an equally important arena.
The phenomena observed are part of a long-term trend in which cyber attacks are used not only as tools of espionage, but also to destabilise key sectors – from critical infrastructure to the financial sector. In the new technological reality, the importance of so-called ‘influence operations’, disinformation campaigns and wiper attacks, targeting an adversary’s strategic objectives, is growing.
“Cybercriminals can be extremely creative. Our analysts recently discovered that an organised group had created and then used a fake website to impersonate a German modelling agency and effectively conduct so-called cyber intelligence. We recently observed how the Agent Serpens group used GenAI to create a malicious PDF file impersonating a document from the US research organisation RAND. This file was used together with malware. Such campaigns are aimed at destabilising the state, as well as shaping the public perception of various important issues by means of, among other things, disinformation campaigns,” emphasises Wojciech Gołębiowski, vice president and managing director of Palo Alto Networks in Central and Eastern Europe.
Along with Russia, China and North Korea, Iran is among the major cyber players whose activity is systematically monitored by Unit 42, Palo Alto Networks’ threat analysis team. Experts note that Tehran is developing both offensive and disinformation digital capabilities, often supported by generative AI. This makes it possible to prepare more convincing social engineering campaigns – for example, using crafted PDF documents or fake sites impersonating trusted institutions.
Cyberspace knows no borders. The attacks identified in recent months were global in scope – from Israeli universities and technology companies to European public institutions. The activity of around 120 hacktivist groups indicates that the world is entering a phase of digital instability, the consequences of which will be difficult to predict. For those covered by the EU’s DORA and NIS 2 regulations, this implies a need to redefine the approach to cyber risk management.
The threat is not limited to Iran. The past has shown that some states – such as Russia – are able to take over the infrastructure of other actors by conducting false flag operations. At the same time, organised cybercrime groups operating for profit are taking advantage of the atmosphere of uncertainty to intensify phishing and ransomware campaigns.
The growing use of disinformation as a tool of social influence is also worrying. Combined with destructive attacks, this can lead to a weakening of citizens’ trust in public institutions, especially in democratic states. Increased activity at the intersection of politics, security and technology poses new challenges for both government and the private sector.
The conflict in the Middle East may be the catalyst for a new phase of global cyber-conflicts. Increasingly, it is no longer about spectacular attacks, but about continuous, low-level pressure – difficult to detect but effective in eroding security and stability. It is a situation where digital resilience is becoming not an option, but a condition for survival.