US financial services and critical infrastructure operators have moved to heightened vigilance amid escalating Iran–US conflict, with industry groups and analysts warning that geopolitical shocks often correlate with increased cyber activity. Reuters reporting cited by teiss says US intelligence assesses Iran-aligned hacktivists could conduct low-level attacks against US networks—particularly DDoS—and that banks are increasing monitoring and resilience measures given the sector’s role in payments, clearing/settlement, and market infrastructure.
Separate threat research argues the conflict environment increases the likelihood of ICS/OT-focused activity, emphasizing that US critical infrastructure presents an attractive retaliation surface due to civilian impact and a large internet-exposed OT footprint. CloudSEK highlights rapid activation of numerous hacktivist groups after late-February 2026 strikes and points to prior public reporting on long-dwell intrusions and campaigns affecting ICS devices; a SecuritySenses episode similarly describes state-linked hacktivist activity targeting OT (including Unitronics PLCs) and broader spillover effects beyond the region. Other items in the set—an ISC/SANS guest diary on opportunistic scanning and a Dark Reading piece on higher attack volumes in Latin America—do not describe the Iran-related escalation and are not directly part of this specific event narrative.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
A U.S. intelligence assessment cited on 2026-03-05 said Iran-aligned hacktivists could carry out low-level attacks such as DDoS against U.S. networks. The warning contributed to elevated concern across the financial sector.
By 2026-03-05, U.S. banks and other financial services firms were reported to be on heightened alert for possible cyberattacks as war involving Iran escalated. Industry groups and advisors increased monitoring and emphasized operational resilience in anticipation of Iran-aligned hacktivist activity.
As the conflict evolved in June 2025, retaliatory cyber activity was said to affect financial infrastructure in addition to industrial targets. This marked an escalation from influence operations and OT targeting into the financial sector.
The same June 2025 campaign reportedly expanded to operational technology, including Unitronics PLCs used in water and industrial facilities. The effects were described as spreading beyond the Middle East, with U.S. water utilities among the targets and IT/OT connectivity and supply-chain weaknesses cited as attack paths.
During the June 2025 escalation, groups including Cyber Avengers and Handala were reported to conduct psychological operations and mass SMS spoofing as part of coordinated influence and disruption activity. These actions were presented as state-linked hacktivist operations accompanying the broader conflict.
In June 2025, a kinetic operation referred to as "Operation Rising Lion" was followed by a sharp cyber escalation that some analysts described as Iran's "12 days of cyber war." The campaign was framed as a hybrid conflict blending physical strikes with cyber operations.
In 2023, a ransomware attack on ICBC's U.S. broker-dealer unit disrupted settlement of some U.S. Treasury trades. The incident was cited as a prior example of how cyberattacks can affect financial market operations.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cybercenter.space
Open sourcecloudsek.com
Open sourceteiss.co.uk
Open sourcesecuritysenses.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.