Date: 2026-03-02

Iran will likely respond in cyberspace with ransomware and cybercrime, former FBI cyber chief warns as UK told to brace for spillover.

By EJ Ward

Security chiefs have urged British organisations to urgently review their cyber defences as tensions in the Middle East risk spilling into the digital domain, with a former top FBI agent warning Tehran’s retaliation is likely to look like criminal ransomware and sabotage rather than overt state action.


Iran is expected to strike back in cyberspace, deploying ransomware, destructive malware and proxy hacker groups, according to Cynthia Kaiser, former Deputy FBI Director of Cyber and now head of research at cybersecurity firm Halcyon.

“Iran will likely respond in cyberspace. It will probably look like cybercrime and ransomware,” she said.

Kaiser revealed Halcyon’s intelligence and analyst teams are already seeing increased activity in the Middle East, alongside calls to action from the DDoS botnet HydraC2, hacktivist group Handala and ransomware group Sicarii.

Her warning comes as the UK’s National Cyber Security Centre, part of GCHQ, issued a fresh alert urging organisations to review their cybersecurity posture in light of rapidly evolving events in the region.

Jonathon Ellison, the NCSC’s director for national resilience, said: “In light of rapidly evolving events in the Middle East, it is critical that all UK organisations remain alert to the potential risk of cyber compromise, particularly those with assets or supply chains that are in areas of regional tensions.

“Today, the National Cyber Security Centre has published an alert outlining the current cyber threat to the UK and the practical steps organisations should take in response.”

The NCSC said there is “likely no current significant change in the direct cyber threat from Iran to the UK”, but warned that assessment could change quickly. It added there is “almost certainly a heightened risk of indirect cyber threat” for organisations with a presence or supply chains in the Middle East.

Iranian state and Iran-linked cyber actors “almost certainly currently maintain at least some capability to conduct cyber activity”, the agency said, urging businesses to prepare for possible DDoS attacks, phishing campaigns and targeting of industrial control systems.

Critical national infrastructure operators have been told to review guidance on preparing for severe cyber threats, while organisations more exposed to regional risk are being encouraged to adjust their security posture accordingly. The NCSC is also pushing firms to sign up to its early warning service for real-time alerts.

Kaiser said Iran’s cyber playbook is well established and increasingly blended with criminal tactics. From disabling US financial websites between 2011 and 2013, to wiping data from the Las Vegas Sands casino in 2014, to defacing websites and issuing online threats after the death of Iranian military commander Qasem Soleimani, Tehran has repeatedly used cyber operations as retaliation.

In July 2022, Iranian state hackers launched a destructive attack on Albanian government networks, combining ransomware, extortion and data-wiping tactics while masquerading as a fictitious hacktivist group.

“In practice, Iran’s destructive cyber operations often emerge from a murky blend of state sponsorship, personal profiteering and outright criminal behaviour,” Kaiser said.

Hackers may monetise access gained through government-backed campaigns, blurring the lines between espionage and extortion. Tehran has historically tolerated or turned a blind eye to private cyber operations against targets in the US, Israel and allied nations, giving it deniability and options.