Blockchain Council

Cybersecurity in Wartime: How Iran War-Related Threat Actors Target Exchanges, Banks, and Critical Infrastructure

Suyash Raizada

Cybersecurity in wartime has become a defining risk for financial services and critical infrastructure as Iran war-related threat actors blend espionage, disruption, influence, and financially motivated crime. Public alerts from FINRA and advisories from CISA in 2026 underscore an elevated, persistent threat environment where exchanges, banks, water utilities, and energy operators should assume continuous probing and targeted intrusion attempts.

Why Cybersecurity in Wartime Looks Different in 2026

Wartime cyber risk is not limited to a single category of attack. In the current Iran conflict context, defenders face overlapping threat streams that can arrive simultaneously:

  • State-sponsored or state-aligned intrusions focused on intelligence collection and prepositioning.

  • Disruptive operations such as ransomware, wipers, and DDoS campaigns designed to degrade public trust and operational continuity.

  • Hacktivism and influence operations that amplify fear, spread propaganda, or exaggerate impact.

  • Fraud and crypto scams that exploit war narratives to steal credentials, funds, or seed phrases.

FINRA's March 16, 2026 alert warned broker-dealers of heightened risk from Iranian state-sponsored and Iran-aligned actors, including intrusions, data theft, ransomware, destructive attacks, and DDoS. Even where regulators reported no major confirmed Iran-related incidents against financial services at that time, they still highlighted active targeting - consistent with broad scanning, credential harvesting, and attempted intrusions that are blocked or contained before becoming public.

Latest Developments: Financial Services and Critical Infrastructure Are Both in Scope

Regulators Are Explicitly Elevating Iran-Related Cyber Risk

Multiple regulatory bodies have publicly confirmed that Iran-linked cyber activity is not hypothetical. In addition to FINRA guidance for member firms, banking regulators and ratings agencies have directed regulated institutions to increase vigilance. Fitch Ratings has cautioned that hacktivists, state-sponsored groups, and individual actors may all participate in cyber responses to Middle East military actions, expanding the risk surface beyond any single actor type.

OT and ICS Targeting Is Accelerating

CISA and partner agencies issued an advisory in April 2026 highlighting Iranian-affiliated activity against programmable logic controllers (PLCs) in water and energy facilities, including unauthorized access and manipulation of operational data displayed to operators. Separately, Palo Alto Networks Unit 42 reported that a cluster tracked as CL-STA-1128, also known as Cyber Av3ngers or Storm-0784, expanded targeting to Rockwell Automation and Allen-Bradley SCADA devices and PLCs after earlier campaigns focused on Unitronics PLCs. CISA corroborated exploitation of Rockwell and Allen-Bradley PLCs during the same period.

A critical takeaway for defenders is that these campaigns often succeed through basic security failures, not sophisticated zero-day exploits. Repeated expert analysis points to common weaknesses: default credentials, poor remote access configuration, and direct internet exposure of OT assets.

How Iran War-Related Threat Actors Target Banks and Broker-Dealers

Iran-linked activity against financial institutions frequently relies on familiar tradecraft, executed persistently and timed around geopolitical volatility. FINRA and threat intelligence reporting document a spectrum of tactics capable of supporting espionage, fraud, or disruption.

1) Initial Access: Phishing, Credential Theft, and Known Vulnerabilities

Financial organizations should expect conflict-themed lures that combine urgency with operational realism. Common entry points include:

  • Spearphishing using geopolitical, sanctions, payments, or HR-related themes.

  • Fake login portals mimicking banks, brokerages, SSO pages, or payment platforms to harvest credentials.

  • Exploitation of known vulnerabilities in VPN gateways, web applications, and remote access tooling when patching lags behind disclosure.

2) Credential Abuse and MFA Pressure Tactics

Multi-factor authentication (MFA) reduces risk substantially, but wartime operators routinely attempt to bypass it through user manipulation and account control changes. FINRA highlighted MFA push bombing, social engineering for one-time codes, and modifications to MFA registrations or email forwarding rules to retain access and suppress alerts.

3) Persistence and Lateral Movement in Complex Enterprise Networks

Once inside, actors harvest additional credentials and expand control. Banks and broker-dealers are especially exposed where:

  • Legacy systems remain accessible from user networks.

  • Privilege is over-granted and not continuously reviewed.

  • Segmentation between trading, back-office, and support systems is incomplete.

4) Disruptive Outcomes: Ransomware, Wipers, DDoS, and Hack-and-Leak

FINRA warned of elevated risk across disruptive and destructive actions, including ransomware with data theft, wiper malware, DDoS campaigns that impair customer access, and hack-and-leak operations that combine theft with reputational damage through public disclosure.

A notable 2026 example outside the financial sector was the global disruption reported by medical equipment company Stryker, with the Iran-linked group Handala claiming responsibility according to Check Point Research reporting cited by Banking Dive. The incident illustrates the potential scale of business disruption if similar approaches were directed at global financial networks and their third-party dependencies.

Exchanges and Web3 Platforms: Targeted Theft and War-Themed Deception

Crypto exchanges and Web3 platforms sit at the intersection of financial value, identity, and geopolitical narrative. In a wartime cyber environment, this creates dual exposure: direct compromise attempts and indirect abuse through impersonation and scams.

Why Exchanges Are Attractive Targets

  • High liquidity and irreversible transfers make theft operationally efficient.

  • Sanctions and intelligence interest increase focus on exchange flows, wallets, and associated infrastructure.

  • Brand leverage allows attackers to impersonate trusted platforms and steal user credentials and seed phrases.

Common Crypto-Specific Attack Patterns

Unit 42 observed war-related donation and fundraising scams, phishing campaigns using conflict lures, and fake portals mimicking government and corporate sites. These operations typically aim to capture:

  • Seed phrases via fake wallet connection prompts and malicious dApp flows.

  • Exchange credentials via cloned login pages and SSO lookalikes.

  • Payment card details through fraudulent donation forms and payment gateways.

Threat infrastructure frequently rotates domains and subdomains to evade takedowns and blocklists while maintaining realistic UI copies to reduce user suspicion.

Critical Infrastructure Targeting: The OT and ICS Playbook

Iran-aligned operators have demonstrated repeated interest in water and energy facilities. CISA reporting and expert analysis point to a recurring pattern: scanning for exposed industrial assets, exploiting weak authentication or outdated firmware, and then manipulating what operators see or how processes behave.

What Makes OT and ICS Compromise Uniquely Dangerous

  • Process integrity risk: manipulated PLC logic or setpoints can create unsafe operating conditions.

  • Operator deception: altering HMI displays or operational data can mislead response teams during active incidents.

  • Psychological impact: defacements and propaganda messages can intimidate staff and erode public trust.

Groups such as Cyber Av3ngers have historically combined intimidation and propaganda with access to industrial interfaces. Even when physical damage does not result, unauthorized access and operator deception create serious safety and reliability risks.

Exposure at Scale: Thousands of Internet-Visible Industrial Endpoints

Unit 42 observed approximately 5,600 IP addresses globally exposing Rockwell Automation or Allen-Bradley SCADA devices and PLC-related services in early April 2026. That figure reflects a persistent systemic problem: the OT attack surface remains large and slow to shrink, creating repeated opportunities for low-to-moderate sophistication intrusions.

What Organizations Should Do Now: Practical Defensive Priorities

Preparing for Iran war-related cyber threats requires coordinated readiness across identity security, endpoint hardening, and OT-IT governance. The priorities below align with regulator warnings and observed tradecraft.

For Banks, Broker-Dealers, and Payment Firms

  • Harden external access: patch internet-facing systems, reduce exposed services, and review VPN and remote access configurations.

  • Strengthen MFA resilience: train staff to recognize push bombing, enforce number matching where available, and monitor MFA registration changes.

  • Detect account manipulation: alert on new email forwarding rules, OAuth consent abuse, and anomalous login patterns.

  • Segment and minimize privilege: reduce lateral movement paths from user networks to sensitive trading and settlement systems.

  • Test disruptive scenarios: rehearse ransomware, DDoS, and wiper recovery with realistic recovery time objectives.
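The "detect account manipulation" and "MFA resilience" items above can be turned into concrete detection logic. The following is an added example, not code from FINRA or Blockchain Council: it runs three rules over a handful of constructed audit events (external forwarding rules, new MFA registrations, and push bombing followed by an approval). The event field names, the internal domain `bank.example` and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"bank.example"}   # assumption: the firm's own mail domains
PUSH_WINDOW = timedelta(minutes=5)    # window for counting repeated MFA prompts
PUSH_THRESHOLD = 3                    # denied prompts in the window that count as push bombing

# Constructed sample audit events, not real logs. Field names are an assumption
# loosely modelled on mailbox and identity-provider audit records.
SAMPLE_EVENTS = [
    {"ts": "2026-03-17T08:00:05", "user": "ops2@bank.example", "op": "MfaPush", "result": "Denied"},
    {"ts": "2026-03-17T08:00:40", "user": "ops2@bank.example", "op": "MfaPush", "result": "Denied"},
    {"ts": "2026-03-17T08:01:15", "user": "ops2@bank.example", "op": "MfaPush", "result": "Denied"},
    {"ts": "2026-03-17T08:01:50", "user": "ops2@bank.example", "op": "MfaPush", "result": "Approved"},
    {"ts": "2026-03-17T08:03:00", "user": "trader1@bank.example", "op": "New-InboxRule",
     "forward_to": "relay@mail.example.net", "delete_message": True},
    {"ts": "2026-03-17T08:04:10", "user": "trader1@bank.example", "op": "Update-MfaMethod", "action": "Add"},
    {"ts": "2026-03-17T09:10:00", "user": "hr1@bank.example", "op": "New-InboxRule",
     "forward_to": "hr-shared@bank.example", "delete_message": False},
]


def detect_account_manipulation(events, internal_domains=INTERNAL_DOMAINS):
    """Return (severity, user, reason) findings for forwarding rules, MFA changes and push bombing."""
    findings = []
    denied = defaultdict(list)  # user -> timestamps of denied MFA push prompts
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, op, when = ev["user"], ev["op"], datetime.fromisoformat(ev["ts"])
        if op == "New-InboxRule":
            # forwarding to a domain the firm does not own is the classic persistence/suppression step
            target_domain = ev["forward_to"].rsplit("@", 1)[-1].lower()
            if target_domain not in internal_domains:
                sev = "high" if ev.get("delete_message") else "medium"  # delete-after-forward hides the trail
                findings.append((sev, user, f"mail forwarded externally to {ev['forward_to']}"))
        elif op == "Update-MfaMethod" and ev.get("action") == "Add":
            findings.append(("medium", user, "new MFA method registered; confirm with the user"))
        elif op == "MfaPush":
            recent = [t for t in denied[user] if when - t <= PUSH_WINDOW]
            if ev["result"] == "Denied":
                denied[user] = recent + [when]
                if len(denied[user]) == PUSH_THRESHOLD:
                    findings.append(("medium", user, "repeated denied MFA pushes (possible push bombing)"))
            elif len(recent) >= PUSH_THRESHOLD:
                # an approval right after a burst of denials is the push-bombing success case
                findings.append(("high", user, f"MFA approved after {len(recent)} denials in {PUSH_WINDOW}"))
    return findings
```

The internal forwarding rule for `hr1` produces no finding, which is the point of keeping an allow-list of owned domains rather than alerting on every rule.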

For Exchanges and Web3 Platforms

  • Brand protection: monitor for lookalike domains, cloned login pages, and malicious ads targeting your users.

  • User safety controls: add high-friction checks for sensitive actions and educate users on seed phrase and wallet-connection scams.

  • Incident readiness: build playbooks for credential stuffing, session hijacking, and social engineering-led account takeover.
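The brand-protection item above (monitoring for lookalike domains and cloned login pages) is easier to operationalize with a classifier that explains why a newly observed domain resembles yours. This is an added example, not code from the article or from any vendor; the brand `tradex.example` and the candidate domains are constructed, and the homoglyph table and two-edit threshold are assumptions to tune against your own false-positive rate.

```python
import re

# Single-character and multi-character substitutions commonly seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_GLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

def normalize(label):
    """Collapse common homoglyphs and punctuation so visually similar labels compare equal."""
    label = label.lower().translate(HOMOGLYPHS)
    for seq, rep in MULTI_GLYPHS:
        label = label.replace(seq, rep)
    return re.sub(r"[^a-z0-9]", "", label)

def edit_distance(a, b):
    """Levenshtein distance (substitution, insertion, deletion all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_lookalike(candidate, brand):
    """Return why `candidate` resembles `brand` (a registrable domain), or None if it does not."""
    host = candidate.lower().split("//")[-1].split("/")[0].split(":")[0]
    brand = brand.lower()
    if host == brand or host.endswith("." + brand):
        return None  # the brand's own domain or a genuine subdomain of it
    labels = host.split(".")
    if len(labels) < 2:
        return None
    brand_label = brand.split(".")[0]
    # Simplification: treat the second-to-last label as the registrable one (ignores multi-part TLDs).
    registrable, subdomains = labels[-2], labels[:-2]
    if any(normalize(s) == normalize(brand_label) for s in subdomains):
        return "brand used as a subdomain of another domain"
    if registrable == brand_label:
        return "brand label under a different TLD"
    norm, bnorm = normalize(registrable), normalize(brand_label)
    if norm == bnorm:
        return "homoglyph or punctuation variant of the brand"
    if edit_distance(norm, bnorm) <= 2:
        return "typosquat within two edits of the brand"
    if bnorm in norm:
        return "brand embedded in a longer label"
    return None
```

Feed it newly registered domains, certificate-transparency log entries, or referrer hosts seen on your login page, and route each non-None reason to the takedown or blocklist workflow.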

For Critical Infrastructure Operators (Water, Energy, Industrial)

  • Remove direct internet exposure: PLCs and SCADA services should not be reachable from the public internet.

  • Fix the basics first: eliminate default credentials, enforce strong authentication, and update firmware where operationally feasible.

  • Segment OT from IT: limit remote access paths, restrict bidirectional connectivity, and log all engineering workstation activity.

  • Validate operator view integrity: implement checks to detect manipulated HMI displays and inconsistent telemetry.

  • Coordinate with sector partners: work with CISA, ISACs, and local authorities to share indicators and response plans.
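The "validate operator view integrity" item above is the least commonly implemented control, so here is an added example (not code from CISA, Unit 42 or the article) of the core check: compare what the HMI displays against the same tag read over an independent path and flag both outright divergence and a frozen display while the process is moving. The tag names, tolerances and telemetry values are constructed; the second path is assumed to be something like a historian fed by passive network capture.

```python
# Assumed engineering tolerances per tag (how far the display may legitimately differ
# from a second reading of the same tag before it is worth an alert).
TOLERANCE = {"tank_level_pct": 2.0, "pump_pressure_kpa": 15.0}

# Constructed sample telemetry, not from any real plant. Each series is a list of
# (seconds, value). "hmi" is the value on the operator screen; "independent" is the
# same tag read over a second path (for example a historian fed by passive network capture).
SAMPLE = {
    "tank_level_pct": {
        "hmi":         [(0, 61.0), (10, 61.0), (20, 61.0), (30, 61.0), (40, 61.0)],
        "independent": [(0, 61.2), (10, 64.8), (20, 68.5), (30, 72.1), (40, 75.9)],
    },
    "pump_pressure_kpa": {
        "hmi":         [(0, 410.0), (10, 412.0), (20, 409.0), (30, 411.0), (40, 413.0)],
        "independent": [(0, 408.0), (10, 413.0), (20, 411.0), (30, 410.0), (40, 412.0)],
    },
}


def check_view_integrity(sample, tolerance):
    """Return (tag, kind, detail) findings where the operator view disagrees with the second path."""
    findings = []
    for tag, paths in sample.items():
        hmi, ind = paths["hmi"], paths["independent"]
        tol = tolerance[tag]
        # 1. Point-by-point divergence between the displayed value and the independent reading.
        divergent = [t_h for (t_h, v_h), (_, v_i) in zip(hmi, ind) if abs(v_h - v_i) > tol]
        if divergent:
            findings.append((tag, "divergence",
                             f"{len(divergent)} of {len(hmi)} samples exceed tolerance {tol}, first at t={divergent[0]}"))
        # 2. Frozen display: the screen is flat while the process is actually moving.
        hmi_vals = [v for _, v in hmi]
        ind_vals = [v for _, v in ind]
        if len(set(hmi_vals)) == 1 and max(ind_vals) - min(ind_vals) > tol:
            findings.append((tag, "frozen", f"display stuck at {hmi_vals[0]} while telemetry moved "
                                             f"{min(ind_vals)}-{max(ind_vals)}"))
    return findings
```

In the sample the tank level shown to the operator is pinned at 61% while the independent reading climbs to nearly 76%, which is exactly the operator-deception pattern the advisories describe; the pump pressure stays within tolerance and produces no finding.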

For professionals building these capabilities, structured training helps standardize skills across security teams. Relevant programs from Blockchain Council include certifications such as Certified Cybersecurity Expert, Certified SOC Analyst, and Certified Ethical Hacker, as well as AI-focused programs covering secure automation and threat analysis for organizations adopting intelligent detection workflows.

Outlook: Persistent Targeting and More Blended Operations

Analysis from CSIS and threat intelligence reporting point to sustained adversary motivation. Even where Iran faces operational constraints - including periodic connectivity disruptions and leadership disruption - experts assess that Iranian state or proxy actors will continue targeting U.S. critical infrastructure throughout the conflict period. Ongoing fraud and phishing campaigns using war narratives will also continue to affect exchange users and enterprise employees.

A key forward-looking risk is more integrated IT and OT operations, where enterprise compromise is leveraged to reach industrial environments and industrial defacements or leaks are used for psychological effect. For banks and exchanges, the parallel concern is a blended playbook combining credential theft, MFA abuse, data exfiltration, and disruptive extortion timed to geopolitical events.

Conclusion

Cybersecurity in wartime requires that exchanges, banks, and critical infrastructure operators treat Iran war-related threat actors as a continuous operational risk, not a periodic headline. The most consistent lesson from recent advisories is that many successful intrusions still rely on preventable failures: exposed services, weak authentication, and gaps in segmentation and monitoring. Organizations that prioritize identity hardening, rapid vulnerability management, OT visibility, and incident rehearsal will be best positioned to reduce disruption, limit blast radius, and maintain operational trust during periods of geopolitical instability.
