Iran’s cyber warfare: legal implications for businesses

The conflict in the Middle East has rapidly extended into the cyber domain. Iranian state-sponsored actors and a large ecosystem of pro-Iranian hacktivist groups are actively targeting Western commercial, financial, energy and critical infrastructure organisations.

As of early March 2026, security researchers have tracked over 60 active threat groups aligned with this conflict - 53 of them operating on the pro-Iranian side. Activity has accelerated sharply and, contrary to some initial assessments that Iranian cyber capabilities had been degraded by kinetic strikes, adversary operations have intensified rather than diminished.

The threat landscape: what is happening and to whom

A rapidly evolving timeline

The cyber dimension of this conflict did not emerge suddenly. It is understood that Iranian Advanced Persistent Threat (APT) groups have conducted sustained espionage and disruptive operations against Gulf energy infrastructure and US networks since at least early 2025. The pace and severity of activity escalated sharply during the 12-day hostilities.

In the last few weeks, pro-Iranian hackers have claimed an attack on a North American medical device company; a foiled attack on Poland’s nuclear sector has been attributed to Iranian actors; DDoS attacks against Gulf Cooperation Council (GCC) infrastructure have been identified; and phishing campaigns mimicking official alert applications have been launched across the region.

This past weekend the UAE Cyber Security Council urged individuals and organisations to remain vigilant against wiper malware. For those who are unaware, wiper malware is designed to permanently destroy data on targeted systems rather than hold it for ransom. The security professionals our team regularly works with are advising a “shields up” posture, anticipating further wiper deployments, DDoS campaigns, and widening regional and Western spillover.

Who is being targeted?

The targeting patterns seen in this conflict are broad and reflect both strategic intent and opportunistic exploitation. Sectors facing elevated exposure include:

  • Energy and utilities - where disruption can have physical consequences.
  • Financial services – particularly institutions with Middle Eastern operations or correspondent relationships.
  • Aerospace, defence and logistics – supply chain targeting is a priority for Iranian APTs.
  • Healthcare – both for disruption value and the sensitivity of the data held.
  • Cloud and telecommunications infrastructure – as an enabler of downstream attacks on multiple sectors simultaneously.
  • Critical national infrastructure more broadly, including water utilities, where pro-Iranian groups have claimed access to operational control systems.

Importantly, organisations with no direct connection to Israel, the United States or the conflict itself are being targeted opportunistically. The breadth of hacktivist mobilisation means that any high-profile or symbolically significant organisation may attract attention.

The types of attacks being used

Iranian state actors and affiliated groups employ a layered attack methodology:

  • Spear phishing and credential harvesting – targeting employees, executives and supply chain contacts with convincing lures, increasingly AI-generated, to capture passwords and session tokens.
  • VPN and edge device exploitation – internet-facing VPN concentrators, firewalls and other remote access appliances with known, unpatched vulnerabilities are a primary initial access vector; these devices usually sit outside endpoint monitoring, so an intrusion through them can go unnoticed for some time.
  • Wiper malware – designed not to encrypt data for ransom but to destroy it; because a wiper will also reach any backups accessible from the compromised network, recovery depends on copies held offline or on immutable storage.
  • DDoS attacks – used both for symbolic disruption and to mask concurrent intrusion activity by drawing responders’ attention away from the quieter compromise.
  • Hack-and-leak operations – sensitive data is exfiltrated and published online to embarrass or pressure the victim.
  • Supply chain compromise – targeting cloud providers, logistics platforms and managed service providers to achieve downstream access at scale.
  • Physical attacks on digital infrastructure – drone strikes on Amazon Web Services data centres in the UAE and Bahrain caused structural damage and cloud service disruptions, showing that the boundary between cyber and physical attack can no longer be assumed.
  • Smishing and fake application campaigns – civilian-facing phishing using spoofed government alert apps to harvest credentials and spread malware.
  • AI-enhanced operations – groups are using AI-assisted tooling to generate lures, localise content and scale campaigns, which materially improves attack velocity and credibility.
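The wiper bullet above, and the business interruption section later in this article, rest on the same practical point: recovery from a wiper depends on a copy of the data that the attacker could neither reach nor alter. The script below is an added example, not code from the original article or from any of the organisations it mentions. It assumes backups are plain files under a directory, and that a signing key (the hypothetical `key` value) is held offline, for example on removable media, and never stored on the systems being backed up. Under those assumptions an HMAC over the file hashes lets a responder distinguish an intact backup set from one a wiper has overwritten or deleted, and detects a manifest that was re-signed without the offline key.

```python
import hashlib
import hmac
import json
import os
import tempfile


def _sha256_file(path):
    """Stream a file through SHA-256 so large backup archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries):
    """Stable byte encoding of the listing so the HMAC is reproducible."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir, key):
    """Hash every file under backup_dir and authenticate the listing with the offline key."""
    entries = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            entries[rel] = {"sha256": _sha256_file(full), "size": os.path.getsize(full)}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(backup_dir, manifest, key):
    """Compare the backup set on disk with an authenticated manifest.

    Returns a dict with: manifest_ok (HMAC valid), missing (files deleted),
    modified (contents differ, e.g. overwritten in place by a wiper),
    unexpected (files not in the manifest) and clean (everything matches).
    """
    tag = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    report = {"manifest_ok": hmac.compare_digest(tag, manifest["hmac"]),
              "missing": [], "modified": [], "unexpected": [], "clean": False}
    if not report["manifest_ok"]:
        return report  # a manifest that fails the HMAC proves nothing about the files
    on_disk = build_manifest(backup_dir, key)["entries"]
    for rel, meta in manifest["entries"].items():
        if rel not in on_disk:
            report["missing"].append(rel)
        elif on_disk[rel]["sha256"] != meta["sha256"]:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(on_disk) - set(manifest["entries"]))
    report["missing"].sort()
    report["modified"].sort()
    report["clean"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def demo():
    """Constructed scenario: a good backup set, then a simulated wiper pass over it."""
    key = b"offline-signing-key-kept-on-removable-media"  # assumption: never present on backed-up hosts
    with tempfile.TemporaryDirectory() as backup_dir:
        dump = os.path.join(backup_dir, "db", "customers.sql")
        config = os.path.join(backup_dir, "config.yaml")
        os.makedirs(os.path.dirname(dump))
        with open(dump, "wb") as f:
            f.write(b"INSERT INTO customers VALUES (1, 'example');\n" * 100)
        with open(config, "wb") as f:
            f.write(b"retention_days: 30\n")
        manifest = build_manifest(backup_dir, key)
        before = verify_manifest(backup_dir, manifest, key)

        # Simulated wiper: overwrite one file in place with zeros (size unchanged,
        # so a size-only check would miss it) and delete another outright.
        with open(dump, "r+b") as f:
            f.write(b"\x00" * os.path.getsize(dump))
        os.remove(config)
        after = verify_manifest(backup_dir, manifest, key)

        # An attacker on the backup host without the offline key cannot re-sign a doctored listing.
        forged = build_manifest(backup_dir, b"wrong-key")
        forged_check = verify_manifest(backup_dir, forged, key)
    return before, after, forged_check


if __name__ == "__main__":
    for label, report in zip(("intact", "after wiper", "forged manifest"), demo()):
        print(label, report)
```

The check detects damage; it does not prevent it. Immutability has to come from the storage layer (write-once media, object lock or a physically disconnected copy), and the verification should be run from a clean host, since a wiper operator with access to the backup server can also tamper with whatever script runs there.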

Some of the key issues for affected organisations

1. Sanctions and compliance obligations

Iranian APT groups use infrastructure – servers, domains, payment accounts – that may be controlled by sanctioned entities. Paying a ransom, or making any other transfer of value that ultimately benefits a sanctioned party, could constitute a sanctions violation even where the paying organisation is itself a victim. Under US law, specifically the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), US persons wherever located are prohibited from engaging in transactions, “directly or indirectly,” with individuals or entities on the Specially Designated Nationals and Blocked Persons (SDN) List maintained by the Treasury Department’s Office of Foreign Assets Control (OFAC). OFAC also administers comprehensive embargoes on certain jurisdictions, Iran among them, and many Iranian state bodies and organisations with Iranian ties are designated. The prohibition extends to facilitation, such as directing a non-US company to make a payment on the US organisation’s behalf, and OFAC has stated in its ransomware advisories that it may impose civil penalties on a strict liability basis, so the payer need not have known that the recipient was sanctioned. Violations can attract civil penalties per violation (the statutory maximums are adjusted annually for inflation; the figures commonly cited, $311,562 under IEEPA and $91,816 under TWEA, should be checked against the current OFAC schedule, and under IEEPA the maximum is the greater of that figure or twice the value of the transaction) as well as criminal prosecution of the organisation and its management. Equivalent prohibitions apply under the UK and EU sanctions regimes.

Organisations should ensure they have clear internal guidance on the sanctions dimension of any incident response involving Iran-aligned threat actors, including the need to screen the payment destination, any intermediary and any known actor identity against the sanctions lists before a ransom payment is considered. Two practical points follow. Wiper attacks typically come with no ransom demand and no payment path, so the sanctions question arises chiefly in hack-and-leak and extortion scenarios. Attribution is rarely settled while an incident is live, so the screening decision has to be made, and documented, on the indicators available at the time. Legal advice should be obtained promptly if an attack occurs.

2. Regulatory and reporting obligations

A cyber incident of sufficient severity will trigger multiple legal reporting obligations simultaneously, regardless of whether it is attributable to a state actor:

  • Data Protection – Many countries now have regulations in force which mandate that a personal data breach must be reported to the relevant supervisory authority and/or data subjects within a set period of becoming aware of it (72 hours to the regulator under the UK and EU GDPR). A breach for these purposes includes destruction or loss of personal data, not only disclosure, so a wiper attack that destroys records containing personal data will often engage these obligations just as exfiltration of sensitive data does.
  • Operators of essential services and relevant digital service providers – Under the Network and Information Systems (NIS) Regulations 2018 in the UK and NIS2 in Europe, organisations may have separate incident reporting obligations to their competent authority. Likewise, in the UAE, telecom providers and certain digital infrastructure operators must report incidents to the Telecommunications and Digital Government Regulatory Authority.
  • Sector-Specific Regulators – Many financial institutions have their own separate regulatory reporting requirements, such as to the Financial Conduct Authority in the UK, the Central Bank of the UAE, and potentially multiple regulators in the US. Also, in the UAE, healthcare providers and entities handling health data who are impacted may need to notify one of the relevant healthcare authorities.
  • Critical National Infrastructure – Organisations operating CNI may have obligations under the forthcoming Cyber Security and Resilience Bill (UK), which is expected to expand reporting requirements and impose stronger security duties on a wider range of organisations.

A single incident could therefore trigger multiple reporting requirements across numerous jurisdictions and to a range of different regulatory bodies. 

3. Business interruption and third-party liability

Wiper malware and sustained DDoS attacks are designed to cause operational shutdown. Unlike ransomware, where systems may be restored on payment (with no guarantee that the decryptor works), a wiper attack means data and systems are gone unless copies exist that the attacker could not reach: offline backups, or backups on immutable storage that cannot be altered or deleted from the compromised environment. Incidents of this nature will have legal and commercial consequences:

  • Contractual liability – Organisations unable to perform contractual obligations due to a cyber-attack will need to assess whether force majeure clauses are engaged. 
  • Supply chain liability – Where an organisation is a supplier whose systems are compromised, leading to downstream damage to customers, third-party liability claims may follow. The AWS data centre attacks in the UAE and Bahrain are illustrative: businesses relying on cloud services suffered disruptions caused by physical attacks on infrastructure they did not control.
  • Director and officer liability – Boards have a duty to ensure adequate cyber security governance. Where a breach follows from a failure to implement reasonable controls – for example, a known VPN vulnerability left unpatched – questions of board liability may arise. This is a particular concern in some Middle Eastern jurisdictions, which can impose criminal sanctions on individuals within an organisation in certain circumstances.

Conclusion

The cyber dimension of the Middle East conflict is not a contained regional matter. It is also a live and escalating risk for businesses, infrastructure operators and their insurers across Europe and North America. The combination of state-directed APT operations, ideologically motivated hacktivism, AI-enhanced attack capabilities, and the demonstrated willingness to cause physical damage to digital infrastructure makes this one of the most complex and consequential cyber threat environments faced to date.