Iran Has One Card Left—It’s Pointed at Your Network
In light of today’s attack by the U.S. and Israel on Iran, it is prudent to ask: What can Iran do? Strip away everything Iran had a year ago and ask yourself what’s left.

Their nuclear program? Set back years, maybe a decade. Their air defenses? Dismantled across two conflicts. Hezbollah? Degraded to the point of near irrelevance as a military force. Their ballistic missile arsenal is burning through inventory faster than they can replace it. Their economy is in freefall. Their population is in the streets.

Iran is not a superpower on the ropes. Iran is a cornered regime with one meaningful asymmetric capability still largely intact.

Cyberspace.

And we taught them how to use it.

We Built This Problem

Let’s not pretend this threat appeared out of nowhere. Before Stuxnet, Iran’s cyber capabilities were modest. Mostly defacement, some basic intrusion, nothing that kept serious people awake. Then in 2010, the U.S. and Israel deployed the most sophisticated cyberweapon ever used in conflict, buried it inside Iran’s nuclear facilities, and destroyed nearly a thousand centrifuges without firing a shot.

Iran studied every line of it.

Within two years, they stood up the Supreme Council of Cyberspace. They recruited, they funded, they built. By 2012 they were hitting U.S. financial institutions in Operation Ababil. Forty-six banks, coordinated DDoS, real disruption. That same year they wiped 35,000 workstations at Saudi Aramco with Shamoon. They took what we showed them and weaponized it against us.

We cracked the door open. They walked through it and built a house on the other side.

Today that house has three layers. State-sponsored APT groups like OilRig, APT33 and the IRGC Cyber-Electronic Command running long-duration intrusion campaigns. A network of proxy hacktivist groups providing deniability and reach. And criminal ransomware operators collaborating with IRGC affiliates, monetizing access while the state achieves its objectives. It is not one threat. It is an ecosystem, and it has been running at scale for years.

The Hacktivist Cover Story Is a Lie We Keep Believing

What frustrates me every time we go through one of these cycles is how predictable it is.

The group everyone called ideologically motivated hacktivists, CyberAv3ngers, turned out to be IRGC operators running a state campaign. The Treasury Department confirmed it within weeks of their most visible operations. They wore a hacktivist jersey the whole time. We debated attribution while they were already in the next target.

During the twelve-day Israel-Iran war last June, researchers tracked over 178 hacktivist and proxy groups mobilizing simultaneously across Telegram. Attack timing synchronized. Target lists shared. Tooling passed between groups. That is not organic activism. That is a commanded operation wearing a costume.

Iran figured out something important a long time ago. In cyberspace, the costume works. Attribution takes time. Damage does not wait. By the time the intelligence community confirms who did what, the operational window has closed and they are already somewhere else.

We keep falling for it because we want clean lines between state actors and non-state actors. Iran deliberately erases those lines. Until we stop being surprised by that, we are going to keep being behind.

Nobody Is Actually Ready and We All Know It

We have had years of warnings. Joint advisories from CISA, NSA, FBI and DC3. Congressional testimony. Sector-specific alerts. After the Gaza conflict began in 2023, IRGC-affiliated actors compromised Israeli-made programmable logic controllers at water facilities across the United States. Not sophisticated targets. Vulnerable ones. Default credentials. Unpatched systems. Internet-facing OT with no business being internet-facing.

In June 2025, the same joint advisory apparatus told us Defense Industrial Base companies with Israeli ties were at elevated risk. Critical infrastructure operators needed to act immediately. The water sector, the energy sector, healthcare, all named.

Today, with a full military conflict underway, the baseline security posture of American critical infrastructure has not fundamentally changed. We patch slowly. We defer OT security upgrades because they are expensive and disruptive. Facilities are still running default manufacturer passwords on industrial control systems. We know this. The government knows this. Iran knows this.

Add to that our current government shutdown and CISA on skeleton crews. Maybe not a great time to launch an attack against a cyber-savvy adversary?

Iran does not need zero-days. They need Shodan and patience. We have made it that easy.

Cyber Is the Weapon, but Do Not Stop There

A desperate regime does not stay in its lane.

Iran’s pattern is to escalate asymmetrically when conventional options run out. Cyber is their primary remaining instrument of power projection. But history shows that instrument does not stay digital when the pressure gets high enough.

The FBI has disrupted Iranian-linked assassination plots on U.S. soil. The RCMP foiled Iranian-directed attacks in Canada. European intelligence services have tracked Iranian operatives planning physical attacks against dissidents, journalists and Jewish community targets across the continent. This is not ancient history. This is the last two years.

When a regime is really losing, not just being pressured but genuinely losing, the calculus changes. Cyber operations offer deniability and precision. Cyberterrorism, attacks on physical infrastructure that cause real-world harm, bridges the gap between keyboard and kinetic. Actual terrorism, physical attacks directed or inspired by a desperate state, is the next rung on that ladder.

We are watching a regime absorb strikes on its capital, its nuclear program and its military infrastructure for the second time in eight months, while its population protests and its economy collapses. Desperate regimes do desperate things.

The security community needs to be thinking beyond network perimeters right now. Physical security at critical infrastructure facilities. Threat awareness for executives and public figures connected to Israeli or U.S. defense interests. Coordination between cyber and physical security teams that rarely talk to each other. The threat does not respect the organizational chart.

What This Moment Actually Requires

For too long we have treated Iranian cyber operations as an annoyance. Disruptive, occasionally serious, but manageable. Something that happens to other organizations, or that generates an incident response engagement but not an existential moment.

That thinking is wrong, and today it became dangerously wrong.

Iran is not a nuisance actor. Iran is a regime that has lost most of its conventional leverage, been publicly humiliated on the military stage, is internally unstable, and has one meaningful instrument of power projection left. They are going to use it. All of it. With less restraint than before, because restraint requires believing you have something left to lose.

Cyber. Cyberterrorism. And if the pressure keeps building, terrorism, with a keyboard as the opening act.

The Shimmy Take

We showed Iran how to play this game with Stuxnet. We left critical infrastructure exposed for years after every warning. We kept letting them hide behind a hacktivist costume. And now we can’t act surprised that perhaps their last weapon standing is the cyber and cyberterrorist card.

Iran did not end up here by accident. Neither did we.

The question is not whether they are coming. The question is whether we have finally decided to take it seriously, before the next alert, the next advisory, the next compromised water plant, or something far worse.

Because when a cornered regime runs out of options, it does not stand down.

It swings.
