Summary of the active conflict, retaliation and infrastructure exposure 

The recent U.S.-Israeli military strikes on Iran mark a meaningful escalation that extends well beyond conventional military dynamics. While immediate attention has focused on kinetic activity, the broader strategic signal is clear: modern conflict increasingly unfolds through simultaneous military, cyber and infrastructure effects, placing critical digital systems directly in scope as targets within the operational environment. 

U.S. government advisories have already warned that Iranian-affiliated cyber actors may target vulnerable networks, including critical infrastructure environments, particularly where weak identity controls, outdated systems and insecure remote access remain unresolved. For critical infrastructure owners, operators and their technology providers, this moment should prompt a reassessment of long-held assumptions about widespread dependency, escalation paths and operational resilience. 

Open-source reporting highlights growing exposure across cloud, communications and operational technology environments.  While specific attribution for these infrastructure disruptions is unresolved at this time, the reported power and connectivity disruptions affecting AWS facilities in the Middle East underscore an important shift: hyperscale cloud infrastructure now shares many of the same geopolitical vulnerabilities historically associated with more traditional critical national infrastructure targets, including ports, grids, airports and telecommunications hubs.  

The strategic takeaway is not simply that cyber accompanies conflict. That reality has already been established; the more significant shift is that digital infrastructure itself is increasingly part of the battlespace. The distinction between a cyber incident, a cloud outage, an infrastructure disruption and a geopolitical escalation is becoming harder to draw in practice. The Iranian strike on the AWS data center in the UAE is a clear example that disrupting infrastructure is part of the playbook of conflict.

This assessment combines open-source reporting, official advisories and evolving operational developments to offer executive-level guidance during an actively unfolding situation. 

Key takeaway: Iran's retaliation model signals a period of active cyber probing coupled with sustained infrastructure targeting rather than a one-time shock event. 

The strategic significance of this moment 

There is a temptation in moments like this to reduce the risk conversation to familiar questions: 

  • Will Iran retaliate in cyberspace?

The more useful question is broader: 

  • What does retaliation look like when cyber, proxies, cloud dependence, physical infrastructure and strategic signaling operate together?

Iran is not a peer to China in cyber power, nor does it consistently operate with the battlefield-linked cyber destructiveness associated with Russia, but it is a capable and dangerous adversary. Iran's role is different: it is an opportunistic, asymmetric retaliator. Iran is often politically reactive, ideologically motivated, and willing to use cyber quickly when it offers deniability, psychological effect, disruption, or symbolic payoff. Most importantly, it has demonstrated that it is willing to take aggressive, dangerous actions without regard for consequences. Taking pages from other geopolitical adversaries, whether ransomware attacks on hospitals, attempts to disrupt water supplies, or even interference in the U.S. presidential elections, Iran treats no boundary as off limits.

This matters now because intent and opportunity are converging, and we must prepare and pay attention. The warnings were already there before the strikes. DHS's June 2025 NTAS bulletin warned that conflict involving Iran was contributing to a heightened threat environment in the United States and that low-level cyber-attacks by pro-Iranian hacktivists were likely, alongside possible activity by actors affiliated with the Iranian government.  

The greater danger is not uncertainty around Iranian intent. It is the reality that many organizations remain vulnerable to the precise access vectors Iranian actors have already proven effective. 

Iran's cyber trajectory over the last decade  

Iran's cyber history over the past ten years shows a pattern: persistent, politically relevant, sometimes noisy, occasionally destructive and increasingly comfortable operating across espionage, disruption, influence and critical infrastructure exposure. 

  • 2016: Financial-sector attacks and U.S. infrastructure-adjacent intrusion (Bowman Dam) signal coercive intent beyond espionage.
  • 2020: Sustained campaigns trigger coordinated U.S. interagency disruption efforts.
  • 2022: Destructive cyberattack against Albania demonstrates willingness to use cyber for state coercion.
  • 2023: Targeting of Israeli water and industrial control systems elevates operational technology risk.
  • 2023–2024: Conflict-driven surge in cyber-enabled influence and signaling operations.
  • 2024: Increased use of identity compromise, MFA abuse, and exploitation of basic vulnerabilities.
  • 2025: U.S. agencies issue explicit warnings of Iranian targeting of critical infrastructure environments.

Those warnings matter more now because they predated this weekend's strikes and the events that are still developing. The risk posture was already elevated before retaliation pressures intensified. 

The key takeaway for executives: Iran does not need to be the most sophisticated cyberpower in every category to pose a serious risk. It needs political will, basic access, timing and defenders who have left too many obvious weaknesses unresolved.  

What the AWS disruption changes 

The AWS disruption changes the discussion because it collapses a lingering illusion that the cloud is adjacent to infrastructure rather than part of it.

Reuters reported that AWS suffered a major outage in the UAE after unidentified objects struck a facility, causing sparks and a fire, and forcing a shutdown of two data center clusters, with restoration expected to take at least a day. Reuters also reported spillover effects across Bahrain and noted that institutions relying on AWS experienced far-reaching, impactful service disruption. 

Even without final attribution, that is strategically important. It means cloud concentration risk, regional availability risk and the physical exposure of hyperscale infrastructure must move much closer to the center of operational resilience planning, with proven restoration plans. For years, many organizations treated the cloud as the answer to physical instability. Given the activities we have seen in the initial stages of this conflict, cloud architecture must also be designed to account for the possibility that the cloud region itself becomes part of the unstable environment. 

For boards and CEOs, the lesson is uncomfortable but necessary:  

  • Operational resilience planning, with true restoration plans and failover plans, is only as real as your last tested regional outage scenario
  • Leaders must understand which business services, customers, regulatory obligations, and operational dependencies fail first when a cloud region or supporting infrastructure layer degrades
  • An organization's cyber posture is incomplete if it does not account for the physical exposure of its digital backbone

This is why the AWS event should not be treated as a side note of this current conflict. It is the bridge between the Iran retaliation story and the broader infrastructure story. 

Operational resilience under active conflict 

  • Plan for infrastructure instability as a baseline condition. Organizations should assume that geopolitical crises can result in power outages, degraded regional connectivity, cloud service interruptions, and third-party outages. The AWS disruption in the UAE is a sharp reminder that cloud availability should not be treated as immune from conflict-zone realities.
  • Integrate geopolitical tripwires into cyber operations. Cybersecurity cannot be decoupled from geopolitical analysis. Organizations should define triggers that elevate monitoring, restrict access, tighten vendor pathways, accelerate backup cycles, prepare failover, and activate executive coordination before the first direct impact is felt.
  • Strengthen intelligence and coordination. Executive awareness of current threat reporting is essential, as is strong public-private coordination and sector ISAC participation to facilitate this reporting, especially if coupled with internationally based source reporting. In a nation-state campaign, imperfect early warning is often more valuable than perfect hindsight.
  • Architect for containment instead of just prevention. Recent U.S. fact sheets stressed that Iranian actors often exploit preventable weaknesses. Strong segmentation between enterprise IT, cloud-connected services, and OT environments, coupled with disciplined control of remote access and hardening identity dependencies, remains foundational.
  • Design for prolonged disruption, not brief interruption. Recovery assumptions should reflect geopolitical reality, not only service-level agreements. That means out-of-region recovery options, tested failover, segmented backups, offline recovery paths, and validated manual operating procedures for safety-critical functions. Where cloud services are essential, organizations should know exactly what fails when a region, provider service, or supporting network layer becomes unavailable.

Organizational realities leaders should assume 

  • Organizations should assume that retaliation, if it occurs, may not unfold as a single dramatic cyber event. It is more likely to appear as a mix of opportunistic intrusion, hack-and-leak activity, cloud or telecom instability, persona-driven amplification, proxy activity and pressure against infrastructure-adjacent targets.
  • Organizations should assume identity remains a primary vulnerability. The June 2025 U.S. guidance from CISA is clear on this point: exposed services, weak passwords, default credentials, outdated software, and insecure remote access continue to present accessible pathways for Iranian-affiliated actors.
  • Iranian actors are skilled at scanning for preexisting vulnerabilities that should already be closed. These openings become the start of a compromise. Careful evaluation of your vulnerability posture is key, with a focus on the CISA KEV (Known Exploited Vulnerabilities) list.
  • Assume IT, cloud, and OT convergence increases blast radius. The more identity, administration, monitoring and vendor support are shared across enterprise and operational environments, the more a disruption in one layer can cascade into another.
  • Understand how regional conflict can create collateral consequences even where the organization is not the intended target. If operations depend on Middle East cloud regions, telecom paths, energy supply chains or strategic vendor ecosystems, proximity and dependence may matter as much as direct targeting.
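
One way to act on the KEV point above, as an added example that is not part of the original assessment: cross-reference scanner findings against a KEV-format feed and rank what to close first. The CVE IDs, asset names, `internet_exposed` flag and scoring weights are constructed assumptions; only the KEV field names follow CISA's published JSON layout.

```python
import json
from datetime import date

# Constructed sample in the field layout of CISA's KEV JSON feed.
# The CVE IDs are placeholders, not real catalog entries.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "dueDate": "2025-01-15",
  "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "dueDate": "2025-09-30",
  "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed scanner export: one row per (asset, CVE) finding.
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0001", "internet_exposed": True},
    {"asset": "hmi-plant-2", "cve": "CVE-0000-0002", "internet_exposed": True},
    {"asset": "file-srv-07", "cve": "CVE-0000-0001", "internet_exposed": False},
    {"asset": "wiki-int", "cve": "CVE-0000-0999", "internet_exposed": True},
]

def kev_priorities(kev_json, findings, today):
    """Return only KEV-listed findings, most urgent first."""
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not in KEV: leave to the normal patch cycle
        # dueDate is the catalog's remediation deadline (YYYY-MM-DD).
        overdue = date.fromisoformat(entry["dueDate"]) < today
        ransomware = entry["knownRansomwareCampaignUse"] == "Known"
        # Assumed weighting: exposure first, then overdue, then ransomware use.
        score = 4 * f["internet_exposed"] + 2 * overdue + ransomware
        ranked.append({"asset": f["asset"], "cve": f["cve"], "score": score,
                       "internet_exposed": f["internet_exposed"],
                       "overdue": overdue})
    ranked.sort(key=lambda r: (-r["score"], r["asset"]))
    return ranked

if __name__ == "__main__":
    for row in kev_priorities(KEV_JSON, FINDINGS, date(2025, 7, 1)):
        print(row)
```
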

What leadership should do next 

  • For Boards, this is not a narrow cyber issue. It is simultaneously impacting all areas of considered risk, including operational, financial, geopolitical, third-party and national security. It must be governed as such.
  • For CEOs and executive teams, the immediate need is alignment and disciplined coordination, tested regularly. Legal, cyber, communications, operations, continuity, and business leadership should be aligned and understand their respective roles when considering risk topics, including escalation thresholds, accountabilities, regional dependencies and the external response posture.
  • For CISOs and critical infrastructure leaders, priority actions should be practical, actionable and immediate: review privileged identities and MFA changes, validate remote access restrictions, identify internet-exposed OT and edge devices, confirm segmentation between enterprise and operational environments, reassess cloud failover assumptions and ensure manual operating procedures remain viable where safety-critical functions depend on degraded digital systems. (CISA)
  • For technology providers serving critical infrastructure, the standard is rising. Products and services must be built for degraded conditions, intermittent connectivity concerns, cloud instability and constrained remote operations. Recoverability, transparency and fail-safe design are no longer secondary engineering virtues. They are trust requirements.

Strategic takeaway 

  • No matter what happens over the next few weeks, this is not an isolated Iran story. It is a story about the new normal we are all facing as an industry: the convergence of cyber retaliation, cloud dependency, infrastructure exposure, and state competition.
  • Iran matters because, like many of our other adversaries, it is willing to use cyber as an asymmetric retaliatory tool. China has already started prepositioning for conflict with Volt Typhoon operations. Russia has normalized the use of infrastructure disruption as an instrument of coercion. Together, they are forcing a change in how critical infrastructure leaders must think about resilience.
  • The immediate risk to most organizations is not the cinematic cyber-catastrophe we all pay to see. It is something more plausible and, in many ways, more dangerous: opportunistic intrusion against exposed systems, disruption of cloud-dependent services, exploitation of weak identity controls, pressure through third parties, and cascading operational consequences in organizations that still treat cyber, cloud, and infrastructure resilience as separate conversations.

A few of the ways WWT can help

  • Board and executive briefings: Translate Iranian retaliation risk, cloud dependency and critical infrastructure exposure into operational, financial and governance implications.
  • Critical infrastructure advisory support: Help operators and executive teams align cyber defense, operational continuity and geopolitical risk monitoring into a single resilience posture.
  • Cyber and operational resilience planning: Design resilience strategies for deliberate disruption across cyber, cloud, OT, and third-party environments.
  • Identity, segmentation and recovery readiness: Assess and strengthen identity dependencies, segmentation, remote access design, backup architecture, and recovery sequencing across IT, OT, and cloud.
  • Scenario planning and tabletop exercises: Run realistic exercises aligned with geopolitical retaliation, regional cloud outages, infrastructure disruptions, and cascading dependency failures.

WWT's approach is defensive and resilience-focused, helping organizations prepare for, withstand, and recover from deliberate disruption in a threat environment where cyber, infrastructure and geopolitics increasingly converge.