
Despite surge in wartime cyber incidents, pro-Iran attackers rely on familiar, low-tech methods
Even as cyber incidents spike during the Israel-Iran war, attackers are largely reusing basic techniques and targeting exposed infrastructure rather than deploying new capabilities.
“The majority of the victims that can be attacked are already being attacked,” says Amir Preminger, CTO at Claroty.
“We do see more groups that are targeting the same publicly exposed services. They are using the same tactics, taking screenshots, trying to control, so we see more and more adversaries trying to get the same targets, but we don't see new capabilities coming into play.”
A recent report from Claroty’s research arm, Team82, points to a growing focus among cyber attackers on internet-connected physical systems, including control and monitoring systems in power plants, water infrastructure, industrial production lines, transportation and aviation infrastructure, hospitals, sensors, and cameras. These environments, often part of operational technology (OT) networks, are increasingly exposed online and present accessible entry points.
The findings come against the backdrop of the ongoing war between Israel and Iran, which has coincided with a sharp rise in cyber activity. Since the start of the conflict, the Israel National Cyber Directorate (INCD) has reported a significant influx of incidents, handling 1,600 cases within the first nine days alone. That number has continued to climb in the weeks since, reflecting sustained pressure on both public and private sector systems.
Still, according to Preminger, the underlying tactics have remained consistent. Although Claroty’s dataset is based on incidents from 2025 and the months leading up to the war, “the tactics have stayed the same.”
“The only new thing that we’ve seen is that some attackers may have found a new service that was not exploited in the past, but it's not in big numbers,” he adds.
Rather than deploying advanced or novel capabilities, attackers are largely exploiting basic weaknesses. “They're still using simple methods, nothing unique. You won't see any major cyber capability coming out of nowhere and all of a sudden causing darkness within Israel,” Preminger says. He notes that many groups focus on “low-hanging fruit,” pointing to one case in which a supermarket’s refrigeration systems were compromised, causing an entire stock of produce to defrost.
Even so, the potential consequences remain significant. “Attackers are using relatively simple technological means to impact critical sectors, from manufacturing to water and wastewater, to power generation and healthcare systems, industries where disruption can lead to severe and even dangerous consequences,” Preminger says.
Alongside infrastructure-focused activity, there has also been a rise in socially engineered attacks targeting civilians. “There's a lot of what we call social engineering attempts, calling people on their phones or sending out SMS in relation to Homefront Command for example, that are trying to trick people into using malicious software. This is what we call social engineering on steroids,” he says.
“This is something that's not actually connected to what we're seeing in terms of critical infrastructure, but we do see the same groups leveraging the situation, trying to cause much more harm - not on an organizational scale, but targeted at individuals. Stealing data, carrying out psychological attacks and gaining influence, stuff like that,” Preminger notes.
Organizations, for their part, have responded by increasing vigilance. Many of Claroty’s customers are raising their level of monitoring, paying closer attention to access points and known attack vectors. Still, Preminger says, “we don't see some major new impacts coming into play.”
That assessment aligns with messaging from the INCD. “Iranian actors and affiliated groups are under significant pressure and are trying to strike wherever they find an opening in cyberspace,” said Yossi Karradi, Head of the Israel National Cyber Directorate, in a recent INCD report. “Despite these attempts, Israel’s critical infrastructure and essential national assets have not been compromised. Years of resilience efforts and close cooperation between the Directorate are proving their value today.”














