Then regime loyalists quickly struck back.
The next 48 hours are likely to be a period of “extreme volatility” where hacktivists and proxies “take the lead in escalation to fill the vacuum left by Tehran’s central command,” Flashpoint noted in an update. These actors are allegedly using Telegram and Reddit as a coordination hub, posting screenshots of alleged attacks as proof, although it takes weeks and sometimes months to verify accuracy, said Kathryn Raines, a former NSA expert who is now a threat intel team lead at Flashpoint.
The BadeSaba hack demonstrates the template that Iranian proxy groups could now try to deploy in reverse against Western companies and others. Plus, with Iranian leadership effectively decimated by Saturday’s strikes, the command structure that oversaw Tehran’s cyber operations is essentially gone, said Raines.
“The Iranian leadership vacuum is likely going to lead to more unpredictable, decentralized proxy attacks,” she told Fortune.
In practice, that means aligned hacktivists and proxy groups are making their own targeting decisions, without approval from central authorities. So if a highly aggressive group decides to hit a mid-sized logistics firm because to make a statement, the risk cascades beyond Tehran, Washington, D.C., or New York, said Raines.
“It’s in the hands of a 19-year-old hacker in a Telegram room with really no oversight or direction,” she warned.
“Aggressive and creative resistance is baked into the ethos of the Iranian security apparatus and across the Islamic Republic of Iran,” said Carbaugh, who previously served as chief of staff to two CIA directors. “For business leaders and those protecting businesses and making decisions at a very high level, they need to be prepared for this to continue on for some time and for the conflict to take a number of different courses of direction and swerve around the road.”
As U.S. and Israeli attacks degrade Iran’s conventional military capabilities, cyber attacks appear more attractive, said Carbaugh. It’s low-cost to deploy, difficult to attribute, and extremely capable of creating outsized psychological and operational disruption relative to the investment required. Iran has shown that it is capable of emulating and building on cyber attack methods first shown by Russia, for example.
“The Islamic Republic has always had great pride in cyber capabilities within the security services,” said Carbaugh. That pride isn’t likely to evaporate with the loss of senior leadership, and may intensify as other options narrow.
“Companies aren’t really prepared for what I’ll call nihilistic psychological operations that are really meant to target the mental state and trust of their workforce,” she explained, contrasting them with attacks designed to steal data and disable systems.
It could manifest in businesses like this: Staff in the Gulf region start getting what appear to be urgent messages, perhaps deepfake audio attributed to their regional leader or CEO, or communications purportedly from the company on evacuations. But with local news offline and scant internet service, people will have very little ability to fact check anything.
Few companies have plans in place for what employees’ reality will be in the hours that follow, while risk modeling is often based on state behavior and assumed “red lines” that prevent total war, Raines noted.
For boards and C-suites convening this upcoming week, key questions for security leaders will have to do with the maximum amount of time business functions can be offline before it hits revenue and reputation, she predicted.
“We’re less interested in the block rate, and more interested in recovery time,” said Raines.
Carbaugh said if he were on a board call this week, he would want to know if the business was at an elevated level of risk based on what’s happening in Iran. If the answer is yes, he would want to know what’s being done to mitigate. If the answer is no, he would ask even more questions.
Leaders should find out what steps have been taken to ensure businesses aren’t at risk, figure out how companies have engaged with partners and others to find out how they’re detecting attacks, and how AI is currently being used in doing so, Carbaugh said.
He reiterated that this isn’t a crisis with a near-term resolution, and it translates into cyber risk that won’t immediately dissipate.
“This conflict could take many twists and turns and move in a lot of different directions,” said Carbaugh. “I don’t think this is going to be one we’re going to tidily wrap up and move on from in a few days. This will require constant vigilance and protection of our cyber networks, physical security, and all other assets.”
