Australian companies may be physically far from the fighting in Iran, but security experts say they should assume they are exposed to a shadow cyber war that began long before the first bombs fell – and could continue long after the conflict subsides.

The compromise of Iran’s popular BadeSaba app – which Israel hacked as the bombs started falling, pushing messages that urged Iran’s military to turn against its regime – showcased the early role of cyberattacks, whose reach was moderated by the internet blackout imposed by the Iranian government.

“Cyberspace is a key domain where the Iranian regime’s response will unfold,” a Center for Strategic and International Studies (CSIS) analysis said.

“Cyber is a distinct domain of conflict,” it said, that “is playing a more central role in shaping modern battlefield dynamics – with Iranian and allied hackers working to disrupt communications, damage information and operational systems, and damage AI systems supporting military action.”

Iranian hackers have been spotted hacking cameras for reconnaissance, launching distributed denial of service (DDoS) attacks, staging infostealer and other malware to target Israel and other regional neighbours, and probing regional infrastructure for vulnerabilities to compromise.

Just one day into the new conflict, Check Point noted, Iranian hacking group Cotton Sandstorm reactivated Altoufan Team, a dormant splinter faction that targets Bahrain.

“This reflects the reactive nature of the actor’s campaigns and a high probability of their further involvement in intrusions across the Middle East,” it said, noting that while Israel is the primary target “there is nothing that prevents them from expanding this activity to other countries.”

Some 60 hacktivist groups ramped up operations within the first three days of bombing, security firm CyberKnow noted in a roll-call of reactivated Iranian hacking groups including Cyber4vengers, Golden Falcon, Hand of Justice, FYNIX, Lulzsec Black, and pro-Russian group NoName057(16).

And while the BaqiyatLock ransomware-as-a-service group offered free access to groups targeting Israel, Sophos advised that many reactivated groups “are primarily engaging in unsophisticated tactics, broad and embellished claims, and amplifying retaliatory messaging.”

Many groups “exaggerate operational impact or recycle previously leaked data to amplify effects,” it said, advising “heightened vigilance for DDoS activity, credential attacks, hack-and-leak campaigns, and opportunistic ransomware operations framed as ideological retaliation.”

When political conflict becomes cyber action

The conflict may seem remote from Australia, but those same groups can target other countries on a whim – with security specialists warning Australian companies to beware of inadvertent or intentional spillover as the conflict spreads and intensifies.

“What we are watching now is hybrid warfare at scale,” said Arctic Wolf vice president of threat intelligence research Ismael Valenzuela, noting “coordinated kinetic operations, pre-emptive cyber activity, and influence campaigns that blur the line between battlefield and home front.”

“Organisations worldwide must assume that their operational technology, data centres, AI integration layers, and information ecosystems are part of this contested terrain, whether they see themselves as ‘targets’ or not.”

Australia could be high on the list: last year the government expelled Iranian diplomats after blaming the Islamic Revolutionary Guard Corps (IRGC) – also known for its aggressive hacking capabilities – for two arson attacks against Jewish community targets in Australia.

Cybersecurity firm CyberCX warned about the “elevated” risks of cyberattacks against Australian government, defence, financial services, media, energy and water utilities sector targets, which it said “face a heightened threat from Iranian espionage and disruptive cyber operations.”

The “blurring of lines” between nation-state, cybercriminal and insider threats often saw cyberattacks obfuscated, with “nation-state threat actors’ use of proxies and relationships with non-state groups [making] it harder for organisations to detect and respond to threats.”

Iranian hackers will absolutely launch “aggressive” cyberattacks as retribution, Google Threat Intelligence Group chief analyst John Hultquist said at a recent London thinktank event, adding that the attacks “won’t be very different from what we’ve seen going on for the last few years.”

“You’re not going to see some secret weapon,” he said, “but what changes is the targeting” because Iran’s previous attacks were directed at Israel and its mature cyber defences – but retaliation against less-secure targets will produce “a very different attack surface”.

AI likely to come into the crosshairs

The field is likely to get even more crowded as the current conflict grinds on: last year, CyberKnow identified at least 119 pro-Israel, pro-Iran, and anti-Iran groups in play – noting that “Iran is more polarising” than many other issues.

With the US military already known to be using AI to support its campaign – and other governments sure to be doing the same – the surge in nation-state and hacktivist activity may also catalyse the testing and creation of new ways to target and compromise AI systems.

That could see attacks on AI’s supporting cloud infrastructure – Amazon Web Services (AWS) is still restoring services after three sites in the UAE and Bahrain were damaged by drone strikes – as well as low-key efforts to undermine trusted systems using AI data poisoning.

Recent reports suggest AI poisoning is incredibly simple, raising the prospect that malicious groups could skew the operation of evolving AI systems in ways that may not always be obvious, just as the Stuxnet worm did to Iran over 15 years ago – and companies will be as vulnerable as armies.