- Key insight: Iranian state-sponsored groups and proxies are highly likely to target U.S. and Israeli-linked financial organizations following the recent military strikes.
- What’s at stake: Banks face the threat of severe operational disruptions and compromised sensitive data from tactics like DDoS attacks, wiper malware and deepfakes.
- Supporting data: Past Iranian cyber campaigns hit 46 major financial institutions with up to 140 gigabits of garbage data per second, causing tens of millions of dollars in damages.
Renewed military conflict between the United States and Iran has swiftly expanded into the digital realm, putting the U.S. banking, financial services and insurance sectors on high alert for retaliatory cyberattacks.
Coordinated military strikes by the U.S. and Israel hit locations in Iran on Feb. 28, resulting in the death of Iran’s Supreme Leader, Ayatollah Ali Khamenei, in an attack dubbed Operation Epic Fury. Iran has retaliated with missile attacks of its own in the region.
A newly established Iranian “Electronic Operations Room” began coordinating digital offensives the same day as the initial strikes, amplifying the risk of spillover cyberattacks on commercial targets, according to Unit 42, the threat intelligence arm of cybersecurity vendor Palo Alto Networks.
Financial organizations with U.S.-linked assets or Israeli business ties are now prime targets for these indirect strikes, threatening banks’ sensitive data and operational stability.
Iranian state-sponsored groups and affiliated proxies have a
The threat actors use tactics ranging from disruptive network operations to psychological manipulation. They increasingly rely on generative artificial intelligence to craft convincing spear-phishing lures, fake narratives and deepfake content, according to a Tuesday threat advisory from cybersecurity firm SISA.
Retaliatory cyberattacks against banks based in the Arabian Gulf that are perceived as aligned with the U.S. or Israel “are now a high-probability scenario, not a theoretical one,” according to SISA.
Timely advisories on new threats
Several cybersecurity firms have issued escalated threat assessments following the February 28 strikes.
Analysts at Sophos X-Ops issued an assessment of an “Elevated” threat level on March 1 and warned that disruptive, opportunistic or influence-oriented operations pose an immediate to short-term risk to financial services and other critical infrastructure sectors.
Similarly, Unit 42 noted a surge in hacktivist activity and warned that state-sponsored groups could escalate attacks in the coming weeks.
Banks can expect Iran to use multiple threat vectors, including distributed denial-of-service (DDoS) attacks, credential-driven intrusions and the deployment of destructive wiper malware, according to SISA.
State-sponsored groups are also known to target IT providers, supply chains and cloud infrastructure to gain access through banks’ third-party IT vendors.
Despite these stark warnings from private-sector cybersecurity firms, the Department of Homeland Security has not yet issued any alert regarding Operation Epic Fury and its impact on cybersecurity for U.S. critical infrastructure.
When reached for comment, a DHS spokesperson provided a statement from Kristi Noem, the secretary of homeland security:
“I am in direct coordination with our federal intelligence and law enforcement partners as we continue to closely monitor and thwart any potential threats to the homeland,” Noem said.
Previous Iranian retaliation targeting U.S. banks
The U.S. financial sector has borne the brunt of Iranian cyber retaliation in the past. The most often cited Iranian cyber campaign against U.S. banks was a coordinated series of attacks known as Operation Ababil, carried out between late 2011 and mid-2013.
Hackers working on behalf of the Iranian government, including the Islamic Revolutionary Guard Corps (IRGC), launched massive DDoS attacks against 46 major financial institutions, such as Bank of America, the New York Stock Exchange and Capital One, according to federal prosecutors.
These attacks overwhelmed bank servers with up to 140 gigabits of garbage data per second, disabling customer access to online accounts for hundreds of thousands of users, according to an indictment filed in 2016 against seven Iranian nationals accused of executing the state-sponsored cyberattacks.
Federal prosecutors characterized the campaign as an asymmetric response to U.S. economic sanctions, demonstrating Iran’s willingness to use cyber-enabled economic warfare. The targeted banks incurred tens of millions of dollars in remediation costs to mitigate the onslaught, prosecutors said.
Recent Iranian cyberattacks against U.S. banks
More recently, following Operation Midnight Hammer in June 2025, the Financial Services Information Sharing and Analysis Center (FS-ISAC) reported a significant spike in DDoS attacks disproportionately targeting the global financial sector.
In August 2024, the FBI and CISA warned that Iran-based cyber actors were accessing networks in collaboration with ransomware affiliates to extort U.S. organizations.
Two months later, in October 2024, another federal advisory cautioned that Iranian actors were conducting brute-force password spraying and multifactor authentication abuse to compromise critical infrastructure, including the financial sector.
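Both techniques named in that advisory, password spraying and MFA push abuse, leave a recognizable footprint in authentication logs, which is what a bank's detection team would hunt for first. The following is an added example written for this page, not code from the advisory, the article or any vendor named in it; the log fields, thresholds and the sample events are all assumptions constructed for illustration. It flags one source IP failing logins against many distinct accounts in a short window (spraying), and an account that receives repeated MFA push prompts, denies or times out on some, and then approves one (push fatigue).

```python
"""Password-spraying and MFA-fatigue detection over authentication events.

Added example, not from the CISA/FBI advisory or the article. The event
schema (timestamp, source_ip, username, event, result), the thresholds and
the sample records below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (illustrative only, not real logs).
# One IP sprays failed logins across many accounts; one user is push-bombed.
SAMPLE_EVENTS = [
    ("2025-10-01T08:00:01", "203.0.113.10", "alice", "login", "fail"),
    ("2025-10-01T08:00:03", "203.0.113.10", "bob", "login", "fail"),
    ("2025-10-01T08:00:05", "203.0.113.10", "carol", "login", "fail"),
    ("2025-10-01T08:00:07", "203.0.113.10", "dave", "login", "fail"),
    ("2025-10-01T08:00:09", "203.0.113.10", "erin", "login", "fail"),
    ("2025-10-01T08:00:11", "203.0.113.10", "frank", "login", "success"),
    ("2025-10-01T08:05:00", "198.51.100.7", "frank", "login", "success"),
    ("2025-10-01T08:06:00", "198.51.100.7", "frank", "mfa_push", "denied"),
    ("2025-10-01T08:06:40", "198.51.100.7", "frank", "mfa_push", "denied"),
    ("2025-10-01T08:07:20", "198.51.100.7", "frank", "mfa_push", "timeout"),
    ("2025-10-01T08:08:00", "198.51.100.7", "frank", "mfa_push", "approved"),
]


def parse(events):
    """Convert ISO timestamps to datetimes and sort events chronologically."""
    return sorted(
        ((datetime.fromisoformat(ts), ip, user, ev, res) for ts, ip, user, ev, res in events),
        key=lambda e: e[0],
    )


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted distinct usernames} for every source IP whose
    failed logins touch at least min_users distinct accounts within any
    sliding window of the given length (few passwords, many accounts)."""
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, username)
    flagged = {}
    for ts, ip, user, ev, res in parse(events):
        if ev != "login" or res != "fail":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            flagged[ip] = sorted(users)
    return flagged


def detect_mfa_fatigue(events, window=timedelta(minutes=15), min_prompts=3):
    """Return {username: prompt_count} for accounts that received at least
    min_prompts MFA push prompts inside the window, rejected or ignored at
    least one of them, and then approved one: the push-bombing outcome in
    which a worn-down user finally accepts an attacker-initiated prompt."""
    recent = defaultdict(deque)  # username -> deque of (timestamp, result)
    flagged = {}
    for ts, ip, user, ev, res in parse(events):
        if ev != "mfa_push":
            continue
        q = recent[user]
        q.append((ts, res))
        while q and ts - q[0][0] > window:
            q.popleft()
        results = [r for _, r in q]
        if (
            len(results) >= min_prompts
            and res == "approved"
            and any(r in ("denied", "timeout") for r in results[:-1])
        ):
            flagged[user] = len(results)
    return flagged


if __name__ == "__main__":
    print("password spraying:", detect_password_spray(SAMPLE_EVENTS))
    print("MFA push fatigue:", detect_mfa_fatigue(SAMPLE_EVENTS))
```

On the constructed input the spray detector reports 203.0.113.10 against the five accounts whose logins failed (the successful login is deliberately excluded, since a spray that lands a valid credential is the case that matters most), and the MFA detector reports frank after four prompts. In production the thresholds would be tuned against the institution's baseline, and a spray alert should be joined with any subsequent successful login from the same source, which is the moment the advisory's "MFA abuse" phase begins.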
Furthermore, in late 2023 and early 2024, the U.S. government sanctioned IRGC-affiliated actors for exploiting default passwords in programmable logic controllers used in water systems and other critical infrastructure.
To carry out these disruptive operations at scale, the Iranian state deliberately relies on a decentralized ecosystem of seemingly independent proxy groups to provide plausible deniability, according to Jiwon Lim, research intern at the Center for Strategic and International Studies.
Organizations such as “CyberAv3ngers,” “Handala Hack,” and the “FAD Team” operate under a smokescreen of hacktivism while mirroring the tactics, techniques and procedures of state-sponsored advanced persistent threats, according to Lim.
“In developing its cyber ecosystem, Iran has made deliberate efforts to deputize hacktivist proxies in state actions without state attribution,” Lim wrote in a blog post in January.