The Iran Conflict and What It Means for Cybersecurity in Asia and Everywhere Else

If you have been following the news — and if you are in cybersecurity, you absolutely should be — you already know that February 28, 2026 was a turning point. The joint U.S.-Israeli strikes on Iran under what is being called Operation Epic Fury killed Supreme Leader Ayatollah Ali Khamenei and decimated key IRGC leadership. Almost immediately, Iran responded with ballistic missiles targeting Gulf state infrastructure, and the cyber dimension of this conflict kicked into high gear.

I am going to be honest with you: this is not a distant Middle Eastern problem. If you are sitting in Manila, Singapore, Jakarta, Bangkok, or Tokyo reading this — this matters to you. And I am going to explain exactly why.

What Actually Happened in Cyberspace

Within hours of the strikes, researchers at Palo Alto Networks Unit 42 were tracking over 60 hacktivist and state-affiliated groups spinning up coordinated cyber operations. Not all of these are sophisticated nation-state actors — many are loosely organized collectives aligned with Iran or Russia who coordinate via Telegram (yes, the same Telegram I wrote about last week). But the volume is significant, and some of the groups in that mix absolutely are sophisticated.

You can use my Channel Monitor to pull messages and translate them automatically. You can get it here standalone, or as part of the entire platform, where it's more of a UI-based approach:

What makes this particularly interesting, but also concerning, is that the pre-positioning happened before the bombs dropped.

MuddyWater, an Iranian APT group operating under the Ministry of Intelligence and Security (MOIS), had already planted a previously unknown backdoor called Dindoor — which runs on the Deno JavaScript runtime, meaning there are no existing signatures for it — inside a U.S. bank, a U.S. airport, and a defense-adjacent software company weeks before February 28. Symantec and Carbon Black published their findings on March 5. The cyber war did not start when the missiles launched. It started much earlier, quietly.

This is a pattern I have written about before in the context of other conflicts. Nation-state actors do not improvise. They get ready ahead of time; they know it's coming one day. They pre-position. By the time kinetic operations begin, the access is already there, waiting to be activated.

Why This Reaches Asia

Here is where I want to spend a bit of time, because I think a lot of people in our region are underestimating their exposure.

The remittance angle. The Philippines alone sends and receives tens of billions of dollars annually through Gulf Cooperation Council countries — the UAE, Saudi Arabia, Bahrain, Qatar, Kuwait — exactly the states that Iranian missiles have been targeting. When AWS data center facilities in the UAE and Bahrain took damage, that was not just a story for cloud architects in San Francisco. That had real downstream effects on payment rails, remittance platforms, and correspondent banking systems that millions of OFWs and their families depend on.

The cloud dependency. Virtually every fintech startup, digital bank, and e-commerce platform in Southeast Asia runs on AWS, Azure, or GCP. All three of those providers have infrastructure in the Gulf region. The outages that already happened are a preview of what a sustained disruption could look like.

The sanctions and crypto exposure. This one is less obvious but potentially more impactful for the region. As Gulf transit routes for sanctioned Iranian capital get disrupted, compliance analysts are warning, and I think they are right, that alternative jurisdictions will pick up that flow. Southeast Asia has several markets with growing crypto adoption and, frankly, maturing but not yet mature AML/CFT frameworks. That makes us a more attractive channel for illicit financial flows. Whether you are in compliance, threat intelligence, or financial services, this is something to pay attention to.

The geopolitical spillover. China has already signaled it may use the current chaos in the Middle East as cover for escalated pressure on Taiwan. The AFP Cyber Command here in the Philippines has separately been tracking increased Chinese cyber activity linked to West Philippine Sea disputes. We are not living in a single-threat environment. These pressures compound each other.

The Threat Actor Landscape — What You Should Know

Let me give you a quick rundown of who is actually active right now, because the names matter if you are doing threat intelligence work or running a SOC.

I wrote a bit of a Threat Brief on this, more focused on FSI / Banking / Fintech — get the full Brief as PDF here:

Threat Brief – OSINT PH

This table from the brief is also relevant to the article; it shows a few of the more important groups to watch:

The Intelligence Picture Nobody Is Talking About Enough

I want to flag something that I think is being underreported in the coverage I have seen so far.

Iran’s domestic internet connectivity dropped to between 1 and 4 percent after the strikes. This is not new; it has happened from time to time, during protests, during the 12-day war, and on a couple of other occasions. You can follow this here:

Home – NetBlocks

That means state-directed APT activity from inside Iran is temporarily constrained. The groups that are most active right now are the geographically dispersed ones — proxies, contractors, diaspora-linked actors — and the ones that already had access established before the internet went down.

That is important for how you think about attribution and timing. The Dindoor implant at the U.S. bank was not placed reactively in response to Epic Fury. It was placed when conditions were good for it. The activation followed the kinetic trigger, but the access was pre-existing.

This is exactly what the CSIS analysts are calling Iran’s “distributed cyber-operational model”: intelligence-driven access development, influence operations, psychological pressure, and opportunistic disruptive action are not separate lines of effort. They are parts of a single strategic continuum.

What You Can Do About It — Practically

I am not going to give you a 200-point security framework here. That is not useful. What I will give you is a short, honest list of things that are directly relevant to the current threat picture.

Right now, today:

  • If you have internet-facing VPN appliances, check their firmware version and patch if needed. Fox Kitten is actively looking for these.
  • Enable MFA on Microsoft 365 and Azure AD if you have not already. APT33’s password spraying is not sophisticated — it just works against accounts without MFA.
  • Pull your Azure Sign-In logs and filter for go-http-client user agents originating from Tor exit nodes.
  • Tell your staff that phishing lures referencing the Iran conflict, stranded workers, and emergency fund transfers are actively circulating.
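As an added example (not the article's code and not part of the osintph tooling), here is a Python pass over exported sign-in records that applies the go-http-client plus Tor-exit filter from the list above and then groups the hits per source IP, which is how the MFA-less spraying pattern shows itself. The field names follow the Microsoft Graph signIn schema and are an assumption; the records and the Tor exit list are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of Azure / Entra sign-in records as JSON lines, using the
# Microsoft Graph signIn field names (assumed here): ipAddress, userAgent,
# userPrincipalName and status.errorCode (50126 = bad username or password).
SAMPLE_SIGNINS = """
{"createdDateTime":"2026-03-02T01:14:05Z","userPrincipalName":"a.cruz@example.ph","ipAddress":"198.51.100.10","userAgent":"Go-http-client/1.1","status":{"errorCode":50126}}
{"createdDateTime":"2026-03-02T01:14:09Z","userPrincipalName":"b.reyes@example.ph","ipAddress":"198.51.100.10","userAgent":"Go-http-client/1.1","status":{"errorCode":50126}}
{"createdDateTime":"2026-03-02T01:14:12Z","userPrincipalName":"c.santos@example.ph","ipAddress":"198.51.100.10","userAgent":"Go-http-client/1.1","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T01:20:00Z","userPrincipalName":"d.lim@example.ph","ipAddress":"203.0.113.7","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T01:21:00Z","userPrincipalName":"e.tan@example.ph","ipAddress":"203.0.113.9","userAgent":"Go-http-client/2.0","status":{"errorCode":0}}
"""

# Constructed stand-in for the Tor exit-node list; in practice load the current
# bulk exit list published by the Tor Project and refresh it regularly.
TOR_EXIT_IPS = {"198.51.100.10", "192.0.2.44"}

def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_go_http_from_tor(records, tor_exit_ips):
    """Sign-ins whose user agent is Go's default HTTP client (the UA of
    unmodified Go tooling) and whose source IP is a known Tor exit."""
    hits = []
    for rec in records:
        ua = rec.get("userAgent", "").lower()
        if ua.startswith("go-http-client") and rec.get("ipAddress") in tor_exit_ips:
            hits.append(rec)
    return hits

def spray_summary(hits):
    """Per source IP: distinct accounts targeted, failed and successful sign-ins.
    Many accounts from one IP with mostly failures is the password-spray shape;
    any success inside that group is the account to reset and review first."""
    per_ip = defaultdict(lambda: {"accounts": set(), "failed": 0, "succeeded": 0})
    for rec in hits:
        entry = per_ip[rec["ipAddress"]]
        entry["accounts"].add(rec.get("userPrincipalName"))
        if rec.get("status", {}).get("errorCode", 0) == 0:
            entry["succeeded"] += 1
        else:
            entry["failed"] += 1
    return {ip: {"accounts": len(e["accounts"]), "failed": e["failed"],
                 "succeeded": e["succeeded"]} for ip, e in per_ip.items()}
```

On the constructed sample this yields one source IP that hit three accounts with two failures and one success; the successful one is where the investigation starts.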

In the next week or two:

  • If you use managed IT providers, ask them specifically about unauthorized RMM tools in your environment. The MuddyWater supply chain playbook is real and documented.
  • If you run any DNS monitoring, add detection rules for tunneling patterns — OilRig exfiltrates through DNS and it is easy to miss if you are not looking for it.
  • Hunt for Deno.exe on endpoints. No legitimate corporate application uses the Deno runtime. If you see it, investigate immediately.
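For the DNS monitoring item above, an added example (not from the article): a Python scorer that flags (client, registered domain) pairs whose subdomain labels look like encoded data, the shape DNS exfiltration takes. The query log is constructed, and the "registered domain is the last two labels" rule is a simplification noted in the code.

```python
import math
from collections import defaultdict

HEX = "0123456789abcdef"
# Constructed sample DNS query log as (client_ip, qname). The six queries under
# tunnel-example.net carry long, high-entropy hex labels; the rest is ordinary traffic.
SAMPLE_DNS_LOG = [
    ("10.0.5.21", "www.example.com"),
    ("10.0.5.21", "mail.example.com"),
    ("10.0.5.21", "www.example.com"),
    ("10.0.5.21", "cdn.example.org"),
    ("10.0.5.21", "login.example.com"),
] + [("10.0.5.33", f"{(HEX * 3)[i:i + 40]}.tunnel-example.net") for i in range(6)]

def shannon_entropy(s):
    """Bits per character; encoded data scores high, ordinary hostnames score low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """(subdomain, registered domain); assumes the registered domain is the last
    two labels, where a real deployment would consult the public suffix list."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_dns_tunnel_candidates(log, min_queries=5, min_avg_len=30,
                               min_entropy=3.0, min_unique_ratio=0.8):
    """Return (client, domain) pairs with the tunneling shape: many distinct,
    long, high-entropy subdomains under one registered domain."""
    subs_by_key = defaultdict(list)
    for client, qname in log:
        sub, domain = split_name(qname)
        subs_by_key[(client, domain)].append(sub)
    candidates = {}
    for key, subs in subs_by_key.items():
        n = len(subs)
        if n < min_queries:
            continue
        avg_len = sum(map(len, subs)) / n
        avg_ent = sum(shannon_entropy(s) for s in subs if s) / n
        ratio = len(set(subs)) / n  # near 1.0 when every query carries new data
        if avg_len >= min_avg_len and avg_ent >= min_entropy and ratio >= min_unique_ratio:
            candidates[key] = {"queries": n, "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return candidates
```

Tune the thresholds against a week of your own resolver logs before alerting on them; CDNs and some telemetry services produce long but low-entropy labels that the entropy floor is there to exclude.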

If you are in compliance or fintech:

  • Pull updated OFAC, UN, and EU sanctions lists. They have been changing rapidly since the killing of Khamenei and the designation of new IRGC leadership. I am going to add some of this info to my threat intel platform in the coming week or so.
  • If your platform handles crypto, look for USDT flows involving privacy-leaning blockchains, cross-chain bridges, or P2P exchanges with unusual routing. The displacement of sanctioned capital from disrupted Gulf channels is already being discussed by intelligence analysts.

A Note on OPSEC for Researchers

If you are an OSINT analyst working this conflict — and given that I built the Telegram channel monitor specifically for monitoring Farsi-language channels in this context, some of you reading this definitely are — a couple of reminders.

GitHub – osintph/channel-monitor: A TG Channel Monitor for different languages that downloads messages and translates them while retaining the media.

The same Telegram channels that are valuable intelligence sources are also being actively monitored by Iranian MOIS and IRGC-affiliated groups. They watch who joins their channels. They track IP addresses. Use a dedicated device and a non-attributable SIM for this work. The TextVerified approach I described in the previous article applies here.

Also: multiple pro-Iranian hacktivist groups have explicitly announced plans to target analysts and researchers they identify as working against Iranian interests. This is not theoretical. Take your own operational security seriously.

My Take

The thing that strikes me most about this situation is the speed at which the cyber dimension has evolved. In previous conflicts, even the June 2025 12-day war between Iran and Israel, there was a clearer lag between kinetic events and cyber responses. What we are seeing now is pre-positioned access being activated almost instantaneously, coordinated hacktivist campaigns launching within hours, and a level of operational readiness that suggests this was not improvised.

For those of us in the Philippines and across Southeast Asia: we are not primary targets. But we are connected enough, through remittance infrastructure, cloud dependencies, correspondent banking relationships, and crypto platforms, that we are absolutely exposed to the second- and third-order effects. And in cybersecurity, second- and third-order effects can hit just as hard as direct targeting.

Stay alert, patch your stuff, and watch your logs.

As always, I am happy to hear from you. If you are working on something related to this and want to compare notes, reach out.

You can reach me via Session Messenger: 059db238ab37c3d92615c5cc24b694da29c598cc13e27886053722404118e14271


The Iran Conflict and What It Means for Cybersecurity in Asia and Everywhere Else was originally published in OSINT Team on Medium, where people are continuing the conversation by highlighting and responding to this story.
