TL;DR: During the 2025 conflict, Iranian state actors, proxies, and aligned hacktivists used reconnaissance, phishing, malware delivery, data theft, and DDoS, showing how kinetic escalation now drives cyber disruption across energy, transport, government, and supply chains, according to SecurityScorecard. Attack surface reduction and third-party visibility become the decisive controls when geopolitics expands into everyday operations.
NHIMG editorial — based on content published by SecurityScorecard: cyber spillover risk from the Iran conflict
Questions worth separating out
Q: What breaks when organisations leave third-party access standing during geopolitical escalation?
A: Standing third-party access expands the blast radius because one compromised vendor can provide repeated entry into several connected environments.
Q: Why do conflict-driven attacks increase the risk around service accounts and remote tools?
A: Conflict-driven attacks reward speed and reach, which makes service accounts and remote tools attractive because they often already hold broad access.
Q: How can security teams tell whether third-party trust is becoming an exposure problem?
A: A third-party trust relationship is becoming an exposure problem when access exists without a clear owner, a current business purpose, or a defined offboarding trigger.
Practitioner guidance
- Inventory exposed administrative paths List every internet-facing remote access route, including VPNs, support portals, email gateways, file-sharing services, and cloud admin endpoints.
- Map third-party trust to named business owners Assign an owner, purpose, and removal trigger to each vendor or MSP connection.
- Revoke standing remote credentials during escalation Review service accounts, API keys, support tokens, and remote IT tooling credentials for persistence that is not operationally necessary.
What's in the full article
SecurityScorecard's full analysis covers the operational detail this post intentionally leaves for the source:
- The article's conflict-specific breakdown of Iranian cyber activity and the behaviours STRIKE observed across the 12-day war.
- The vendor's prioritisation logic for exposed infrastructure, third-party dependencies, and identity pathways under crisis conditions.
- Examples of the types of systems SecurityScorecard says are most likely to be exploited during escalation, including edge devices and external services.
- The reporting lens used to brief public-sector leaders, boards, and agency heads during geopolitical tension.
👉 Read SecurityScorecard's analysis of Iran-linked cyber spillover risk →
Cyber spillover from conflict: what governments need to prepare for?
Explore further
Cyber spillover is now an identity governance problem, not only a threat-intelligence problem. The article shows that conflict expands the value of remote credentials, vendor access, and externally exposed administrative pathways. That changes the governance burden for IAM and NHI teams because the question is no longer only who owns access, but which access paths become newly dangerous when the political environment changes. Practitioners should treat geopolitical escalation as a trigger to reassess standing access and third-party trust.
A question worth separating out:
Q: Who is accountable when a vendor connection is abused during a cyber conflict?
A: Accountability should sit with the business owner of the dependency, the control owner for identity governance, and the operational team that approves or revokes the access. Frameworks such as the NIST Cybersecurity Framework 2.0 and NIST SP 800-53 both require clear ownership, monitoring, and access control discipline. If no one can revoke it quickly, no one truly owns it.
👉 Read our full editorial: Iran-linked cyber spillover exposes critical infrastructure risk