
March 4, 2026

Cyber spillover risks amid the February 2026 Middle East escalation


At a glance: Escalating conflict following coordinated U.S. and Israeli strikes on Iranian military and nuclear sites has raised concerns about potential cyber spillover. Canadian and UK cybersecurity agencies warn that Iran is likely to use cyber capabilities in response, though no large-scale attacks have been confirmed. Researchers have observed a rise in opportunistic hacktivist activity and unverified claims of DDoS attacks, defacements, and data leaks targeting Iran’s adversaries. Organizations are advised to remain vigilant and reinforce core security controls.

The conflict in the Middle East entered a new phase on February 28, 2026, when Israel and the United States conducted coordinated strikes on Iranian military and nuclear sites. The escalation triggered a hybrid response across physical and cyber domains.

National cybersecurity agencies in the UK and Canada issued precautionary guidance. The Canadian Centre for Cyber Security assessed that Iran would very likely use its cyber program in response to the strikes, increasing risk for Western organizations aligned with the United States and Israel. The United Kingdom’s National Cyber Security Centre warned of a credible spillover risk, noting no confirmed surge in direct attacks but emphasizing that the situation is volatile and could shift quickly.

Both advisories highlighted that geopolitical escalation may increase the likelihood of opportunistic or retaliatory cyber activity, particularly for organizations with regional exposure or critical infrastructure roles.

Beginning February 28, researchers observed a wave of hacktivist claims in open channels, including alleged DDoS attempts, website defacements, and data leaks. Unit 42 and other intelligence sources also reported a spike in hacktivist activity originating outside Iran and targeting Iran’s adversaries. These operations appear opportunistic, their success remains unconfirmed, and none of the claims to date have been verified as high-impact or coordinated.

The conflict’s physical dimension has also affected some technology infrastructure. Drone strikes damaged Amazon Web Services data centers in the Middle East, causing service disruption and demonstrating how kinetic attacks can result in digital instability.

Threat assessment

The escalation has renewed concerns about cyber spillover, but there is still no indication of large-scale, coordinated, or high-impact Iranian cyber activity. The situation remains fluid, and our teams continue to monitor it across trusted intelligence channels.

Field Effect’s previous reporting characterized Iranian state-sponsored cyber activity as steady, opportunistic, and adaptive, exemplified by groups such as MuddyWater, which pair continually evolving malware with rapid exploitation of newly disclosed vulnerabilities. Iran’s operators are generally less advanced than their Chinese or Russian counterparts, but they have been effective at exploiting exposed systems and under-secured environments and at targeting users with convincing social engineering. As the political situation inside Iran becomes more unstable, this posture may shift, and changes in regime dynamics could influence both the scale and the direction of future cyber operations.

Iran extends its reach through a proxy ecosystem of state-aligned and ideologically motivated groups collectively known as the Axis of Resistance. This network includes state partners such as Russia, China, and Syria, as well as factions within Iraq, alongside non-state groups including Hezbollah, the Houthis, Hamas, Palestinian Islamic Jihad, and elements of Iraq’s Popular Mobilization Forces. During periods of escalation, these aligned actors, and hacktivists sympathetic to them, often amplify cyber activity even when Iran’s own operational capacity is constrained.

Organizations with personnel, infrastructure, or supply-chain dependencies in the Middle East face the highest exposure. Sectors such as energy, finance, telecommunications, and critical infrastructure may experience indirect effects from opportunistic hacktivist activity or regional service disruption. Remote access systems, unmanaged identities, and internet-facing services remain common entry points for opportunistic actors.

Bottom line

Across Field Effect’s investigations, strengthening identity pathways, securing edge infrastructure, and maintaining disciplined patching practices consistently deliver the most immediate and measurable reductions in risk. While the threat level has increased, the overall risk for Field Effect MDR users who follow ARO guidance remains moderate due to layered protection, continuous monitoring, and rapid response capabilities.

Field Effect’s mission is to ensure clients remain secure, informed, and resilient regardless of external events. Our detection logic is continuously updated, and our teams conduct real-time monitoring, indicator sharing, and threat analysis across trusted networks. We encourage business leaders to stay informed but not alarmed. Field Effect continues to monitor developments closely and provide intelligence to support strategic decision-making and business continuity.

To navigate this period of uncertainty, organizations can reduce their exposure by reinforcing core controls and limiting the opportunities an opportunistic actor has to gain a foothold.

Organizations benefit from:

  • Strengthening identity pathways and enforcing strong authentication
  • Securing edge infrastructure and remote access tools
  • Monitoring for anomalous logins and privilege escalation
  • Reviewing dependencies on Middle East cloud regions
  • Applying patches promptly and rotating exposed credentials
  • Expanding detection coverage across endpoints, networks, and cloud environments

These measures directly address the weaknesses most often exploited by Iranian state-aligned and proxy groups.
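As an added illustration of the third item above (monitoring for anomalous logins and privilege escalation), the following script is not Field Effect's code and not part of the original post. It runs three simple rules over a constructed batch of identity-provider audit events: a password-spray source (one IP failing against many accounts in a short window), a successful login from a country not in that user's baseline or from a spray source, and a privileged role grant shortly after such a login. The event schema, thresholds, role names and sample records are all assumptions chosen for the example; map them to your own IdP or SIEM fields.

```python
"""Added example: login-anomaly and privilege-escalation triage over IdP audit events.

Not Field Effect's code. Field names, thresholds, role names and the sample
events are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable assumptions for the example.
SPRAY_WINDOW = timedelta(minutes=15)      # window in which failures are correlated
SPRAY_MIN_USERS = 5                       # distinct accounts failed from one IP -> spray
ESCALATION_WINDOW = timedelta(hours=1)    # role grant this soon after a flagged login -> alert
PRIVILEGED_ROLES = {"GlobalAdmin", "DomainAdmin", "Owner"}

# Constructed sample events (documentation IP ranges, fictitious users).
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T08:00:00", "user": "alice", "event": "login_success", "ip": "203.0.113.10", "country": "CA"},
    {"ts": "2026-03-01T17:30:00", "user": "carol", "event": "login_success", "ip": "203.0.113.22", "country": "CA"},
    {"ts": "2026-03-02T09:00:00", "user": "alice", "event": "login_success", "ip": "192.0.2.44", "country": "DE"},
] + [
    # six accounts failing from one address within six minutes: a password spray
    {"ts": f"2026-03-02T02:{10 + i:02d}:00", "user": u, "event": "login_failure", "ip": "198.51.100.7", "country": "NL"}
    for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])
] + [
    {"ts": "2026-03-02T02:21:00", "user": "carol", "event": "login_success", "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2026-03-02T02:25:00", "user": "carol", "event": "role_granted", "ip": "198.51.100.7", "country": "NL", "role": "GlobalAdmin"},
    # alice's role grant is two hours after her new-country login: outside ESCALATION_WINDOW
    {"ts": "2026-03-02T11:00:00", "user": "alice", "event": "role_granted", "ip": "192.0.2.44", "country": "DE", "role": "GlobalAdmin"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_spray_sources(events):
    """Return {ip: first_failure_ts} for source IPs that failed against
    SPRAY_MIN_USERS or more distinct accounts inside SPRAY_WINDOW."""
    failures = defaultdict(list)  # ip -> [(ts, user)]
    for e in events:
        if e["event"] == "login_failure":
            failures[e["ip"]].append((_ts(e), e["user"]))
    spray = {}
    for ip, items in failures.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - t0 <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                spray[ip] = t0
                break
    return spray


def triage(events):
    """Replay events in time order and return a list of alert dicts."""
    events = sorted(events, key=_ts)
    spray_ips = detect_spray_sources(events)
    seen_countries = defaultdict(set)   # per-user geo baseline built from earlier successes
    suspect_logins = {}                 # user -> timestamp of most recent flagged login
    alerts = []
    for e in events:
        t, user, ip = _ts(e), e["user"], e["ip"]
        if e["event"] == "login_success":
            reasons = []
            if ip in spray_ips and t >= spray_ips[ip]:
                reasons.append("success from password-spray source")
            if seen_countries[user] and e["country"] not in seen_countries[user]:
                reasons.append(f"first login from {e['country']} (baseline {sorted(seen_countries[user])})")
            seen_countries[user].add(e["country"])
            if reasons:
                suspect_logins[user] = t
                alerts.append({"rule": "ANOMALOUS_LOGIN", "user": user, "ip": ip,
                               "ts": e["ts"], "detail": "; ".join(reasons)})
        elif e["event"] == "role_granted" and e.get("role") in PRIVILEGED_ROLES:
            last = suspect_logins.get(user)
            if last is not None and t - last <= ESCALATION_WINDOW:
                alerts.append({"rule": "PRIV_ESC_AFTER_ANOMALOUS_LOGIN", "user": user, "ip": ip,
                               "ts": e["ts"], "detail": f"{e['role']} granted {t - last} after flagged login"})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['rule']:32} {a['user']:8} {a['ip']:15} {a['detail']}")
```

Run as-is, the sample produces three alerts: carol's login from the spray source in a country outside her baseline, the GlobalAdmin grant four minutes later, and alice's first login from a new country. Alice's later role grant falls outside the one-hour window and is deliberately not raised, which is the kind of threshold a team should tune against its own baseline rather than inherit from an example.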
