The Iran War: What You Need to Know

Last updated: 17 April 2026 at 1800 GMT

New from Insikt Group: Iran War — Future Scenarios and Business Implications

Insikt Group has published a dedicated Cone of Plausibility analysis examining how the Iran conflict could evolve over the next 6–12 months — from a fragile ceasefire baseline to regional war, regime collapse, and nuclear crisis. Each scenario includes business implications and 0–90 day priority actions.

Read the full analysis.

This report is updated as the situation evolves across the geopolitical, cyber, and influence operations dimensions of this conflict. It will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.

Three Dimensions of the Conflict

In addition to the latest geopolitical, cyber and influence operations updates above, earlier developments in this conflict remain relevant for understanding the current situation.

Geopolitical Landscape

The Strait of Hormuz: from contested governance to conditional reopening. The Strait of Hormuz has shifted from a disruption event to a sustained contest over the waterway's governance. Iran moved during the ceasefire period to institutionalize administrative control — requiring vessels to coordinate directly with the IRGC Navy, vetting transits individually, collecting fees payable in cryptocurrency or Chinese yuan, and designating the primary Traffic Separation Scheme lanes as a mine-hazard zone. On April 13, the US responded by enacting a naval blockade of all ships entering or departing Iranian ports. In the days that followed, competing narratives emerged: CENTCOM claimed 14 vessels turned around under blockade enforcement, while maritime tracking data indicated at least two sanctioned Iranian supertankers transited the Strait despite the blockade. On April 18, Iran and the US both announced the Strait is open to commercial shipping following a Lebanon ceasefire agreement — though Iran stipulated ships must take a "coordinated route" running close to its coastline, and President Trump confirmed the US blockade of Iranian port traffic remains in place. Insikt Group assesses that while the announcement represents a meaningful de-escalation signal, the divergence between Iranian route requirements and the continuing US blockade means the Strait's governance remains contested — and the risk of renewed disruption remains elevated until the terms are codified.

Leadership assassinations. Supreme National Security Council Secretary Ali Larijani and Basij chief Brigadier General Gholamreza Soleimani were both confirmed killed in targeted Israeli strikes on March 16–17. Intelligence Minister Esmaeil Khatib was killed in a separate IDF strike in Tehran on March 18 — he had served since 2021 and was assessed to have led Iranian intelligence's global terror activities against Israeli and American targets worldwide. Former National Security Council Secretary Saeed Jalili is reported as the likely interim replacement for Larijani. Insikt Group does not assess that these deaths will lead to near-term regime collapse or substantially diminish Iran's internal security capacity.

South Pars strike and Gulf energy threat. A US-Israeli coordinated strike on March 18 targeted Iran's South Pars gas field — the world's largest, accounting for 70–75% of Iran's natural gas production. In response, the IRGC issued explicit threats of retaliatory strikes against Gulf energy facilities, calling on Saudi Arabia, the UAE, and Qatar to evacuate specific sites including Jubail Petrochemical, SAMREF Refinery, Al Hosn Gas Field, Mesaieed Petrochemical Complex, and Ras Laffan Refinery.

First combat use of the GBU-72 A5K. CENTCOM confirmed that March 17 airstrikes on Iranian coastal missile sites near the Strait of Hormuz marked the first combat use of the 5,000-pound GBU-72/B Advanced 5K deep penetrator munition. Target facilities contained anti-ship cruise missiles used against international shipping.

US internal dissent. On March 17, NCTC Director Joe Kent resigned in protest of US military action against Iran — the first US official to do so publicly. DNI Tulsi Gabbard reaffirmed the administration's position. No replacement has been named.

Iran's strategic fork. Two paths remain: pursue a deal with the US that normalizes economic engagement and offers a path to regime survival, or endure the bombing, crack down domestically, export enough oil to China and India to sustain the patronage system, and wait for the geopolitical environment to shift. The Strait closure and accelerating elimination of senior leadership are rapidly narrowing the window for the second option. Insikt Group assesses that diplomatic stalemate — not imminent breakthrough — is the current baseline, and that the risk of further escalation remains elevated.

Leadership & Succession

Mojtaba Khamenei, son of the late Supreme Leader Ali Khamenei, has been elected Supreme Leader. His election preserves hardliner continuity and underscores the IRGC's political dominance — they shaped the outcome in favor of their preferred candidate despite reported objections from some clerics. Mojtaba appears to have been wounded in the US-Israeli strikes that killed his father, mother, wife, and one son. He has not appeared in person since his televised announcement — almost certainly to avoid providing a digital or physical signature that could enable US or Israeli targeting. Any public appearance will be a significant signal of his consolidation of authority and perceived security.

What this means strategically. Mojtaba is neither a credible Islamic scholar nor an experienced administrator — the two traditional prerequisites for the position. He lacks the authority his father spent two decades consolidating. Iran is effectively being run by committee. Key power brokers now include IRGC chief Vahidi, parliamentary speaker Ghalibaf, and President Pezeshkian. These individuals are realists, even if labeled hardliners, and have a broader range of options than Khamenei Senior ever permitted.

Civil-military tension persists. President Pezeshkian's public apology over strikes on Iran's neighbors drew immediate backlash from hardliners and military leaders — a reflection of the weakness of the elected government relative to the security apparatus. His stated diplomatic conditions (reparations, international guarantees) now align with Mojtaba Khamenei's public statement, suggesting a coordinated political-diplomatic posture even as civil-military tensions continue beneath the surface.

Regime stability signals. IRGC units have reportedly denied medical aid and supplies to regular army (Artesh) units. Group desertions have been reported, highest among conscripts. Four Iranian diplomats have applied for asylum in Western countries since early 2026. Israel has begun targeting street-level security checkpoints — a deliberate effort to degrade the regime's suppression infrastructure rather than purely its military capacity. The IRGC has explicitly threatened to deal with any street unrest "with a blow even harsher than that of January 8."

Cyber Threat Landscape

Insikt Group continues to observe a reduction in Iran's more advanced cyber activity since March 1, driven by the internet blackout that has impaired operational tempo and coordination among state-sponsored groups. That window is narrowing. Treat this period as one in which Iran-aligned operators are regrouping, prioritizing recovery and defense, and setting conditions for future operations — not as a sign of diminished threat.

State-Sponsored Espionage

GreenGolf (MuddyWater / Boggy Serpens) remains the most active Iran-nexus APT since the conflict began, attributed to Iran's Ministry of Intelligence and Security (MOIS). Palo Alto Networks reported on March 16 that GreenGolf has expanded its toolset with Rust-based malware variants LampoRAT and BlackBeard, UDP-based backdoors, and AI-assisted development techniques. The shift to Rust likely reflects efforts to evade defenses and achieve longer-term persistence with reduced visibility, particularly against diplomatic organizations and critical infrastructure in the energy, maritime, and finance sectors.

APT34 and Moses Staff C2 infrastructure was degraded in Israeli operations. Insikt Group is actively monitoring for that infrastructure coming back online — when it does, expect these groups to resume operations and potentially act as C2 for other Iranian APTs. A rise in malicious traffic with Iranian source origination will signal renewed operational tempo.

Conflict-themed phishing campaigns are expanding. Since March 1, Proofpoint has documented six coordinated phishing and espionage campaigns exploiting the conflict as a lure, originating from actors aligned with China, Belarus, Pakistan, Hamas, and Iran. Targets include Middle Eastern governments, European diplomatic organizations, and a US think tank. Common patterns across all campaigns include conflict-themed lures, compromised government email accounts used for legitimacy, credential harvesting as the primary objective, and geofencing to selectively target victims. Groups observed include UNK_InnerAmbush (China-aligned), TA402/Gaza Hacker Team, UNK_RobotDreams (Pakistan-aligned), UNK_NightOwl, TA473/TAG-70 (Belarus-aligned), and TA453/APT35 (Iran-aligned). Security and IT teams should treat any conflict-themed email referencing Iran, the Strait of Hormuz, or the strikes as a high-suspicion lure regardless of apparent sender.

OT/ICS Targeting

The joint FBI/CISA/NSA advisory of April 7 confirmed that Iran-linked APT actors have been exploiting internet-exposed programmable logic controllers (PLCs) — including Rockwell Automation and Allen-Bradley devices — to target US government, water, and energy sectors since at least March 2026. Actors gained initial access by connecting to public-facing PLCs from overseas IP addresses using legitimate engineering software (Rockwell Studio 5000 Logix Designer) to establish trusted sessions, deployed Dropbear SSH over port 22 for C2, and communicated through OT ports including 44818, 2222, 102, and 502. Threat actors manipulated PLC project files and altered HMI and SCADA system data, resulting in operational outages and financial loss. The advisory noted similarities to earlier CyberAv3ngers campaigns but stopped short of formal attribution. Organizations with internet-exposed OT/ICS devices should treat remediation as a critical-priority action item.
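The advisory's tradecraft described above (external addresses reaching PLCs on engineering and OT protocol ports, and an SSH channel on port 22) maps directly onto a network-exposure check defenders can run against their own flow or firewall logs. The following is an added illustration, not code from the advisory or from Recorded Future: it assumes a hypothetical plant inventory (`PLC_HOSTS`) and a constructed flow-record format (`timestamp src:port dst:port proto`), and uses documentation address ranges (203.0.113.0/24, 198.51.100.0/24) as stand-ins for external peers. It flags any session between a PLC and a non-internal address on the ports the advisory lists, in either direction.

```python
import ipaddress
from dataclasses import dataclass

# Ports named in the April 7 advisory as used by the actors, plus the
# Dropbear SSH channel on 22. Service labels are the common protocol
# assignments for those ports.
WATCHED_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP (alternate)",
    102: "S7comm",
    502: "Modbus/TCP",
    22: "SSH (possible Dropbear C2)",
}

# Hypothetical inventory of PLC addresses for this plant (constructed).
PLC_HOSTS = {"10.20.30.5", "10.20.30.6"}

# Address space we treat as internal; anything else is "external". We do not
# rely on ipaddress.is_global because it classifies the documentation ranges
# used in the sample below as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass
class Finding:
    ts: str
    plc: str
    peer: str
    port: int
    service: str
    direction: str  # "inbound" to the PLC or "outbound" from it


def is_external(ip: str) -> bool:
    """True if the address falls outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Parse one constructed flow record: 'ts src:sport dst:dport proto'."""
    ts, src, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, int(src_port), dst_ip, int(dst_port), proto


def find_exposed_plc_sessions(flows, plc_hosts=PLC_HOSTS):
    """Return sessions between a PLC and an external peer on a watched port."""
    findings = []
    for line in flows:
        ts, src_ip, _, dst_ip, dst_port, _ = parse_flow(line)
        if dst_port not in WATCHED_PORTS:
            continue
        service = WATCHED_PORTS[dst_port]
        if dst_ip in plc_hosts and is_external(src_ip):
            findings.append(Finding(ts, dst_ip, src_ip, dst_port, service, "inbound"))
        elif src_ip in plc_hosts and is_external(dst_ip):
            findings.append(Finding(ts, src_ip, dst_ip, dst_port, service, "outbound"))
    return findings


# Constructed sample flows: an external host opening an EtherNet/IP session
# to a PLC, the PLC calling back out over SSH, a legitimate internal
# engineering workstation, an external Modbus probe, and unrelated traffic.
SAMPLE_FLOWS = [
    "2026-03-12T03:14:07Z 203.0.113.7:51432 10.20.30.5:44818 tcp",
    "2026-03-12T03:15:22Z 10.20.30.5:44100 203.0.113.7:22 tcp",
    "2026-03-12T03:16:01Z 10.20.30.50:49201 10.20.30.5:44818 tcp",
    "2026-03-12T03:17:45Z 198.51.100.9:40022 10.20.30.6:502 tcp",
    "2026-03-12T03:18:10Z 203.0.113.7:51500 10.20.30.40:443 tcp",
]

if __name__ == "__main__":
    for f in find_exposed_plc_sessions(SAMPLE_FLOWS):
        print(f"{f.ts} {f.direction:8} PLC {f.plc} <-> {f.peer} on {f.port} ({f.service})")
```

Against the sample, the workstation session is ignored while the two external sessions to PLCs and the PLC's outbound SSH connection are reported. In a real deployment the inventory would come from the asset register and the flows from the perimeter firewall or a network tap; any hit is a remediation item in its own right, since a PLC should have no path to or from routable address space at all.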

Pro-Iranian Groups

Nasir Security Group, a suspected pro-Iranian threat group, claimed on its extortion blog, Nasir Security Blog, to have breached Dubai International Airport. According to the group, it has gained the ability to access classified information from the airport over the past several months. The sample passport photos it released include citizens of the United Arab Emirates, Indonesia, and the US. Insikt Group cannot verify whether these passport photos are genuine or related to travelers passing through Dubai International Airport. Per Resecurity, the same group has targeted Middle East energy infrastructure through supply-chain compromise combined with influence operations, reflecting an increasingly integrated approach in which network intrusion and narrative manipulation are executed as complementary operations.

Hacktivist Activity

Handala Hack Team infrastructure was seized by the FBI on March 19. Primary websites handala-hack[.]to and handala-redwanted[.]to are now displaying seizure banners. Two Iranian officials linked to the group were killed in military strikes: Mohammad Mehdi Farhadi Ramin (DOJ-charged in 2020 for cyber theft and defacement) and Seyed Yahya Hosseiny Panjaki, assessed as the government curator of Handala, Homeland Justice, and related hacking groups. Handala's primary social media profiles have also been suspended. Handala has acknowledged the seizures and declared continued operations, with plans for a new domain. Insikt Group assesses the group will likely continue operating in a distributed structure; coordination may be temporarily degraded but should not be assumed disrupted.

Prior to the seizure, Handala's most significant action was a destructive attack against a major US-based medical device manufacturer — a meaningful shift from their historical focus on Israeli targets. That attack used compromised credentials and abuse of legitimate business software rather than a custom wiper or novel payload. The implication is direct: prioritize identification and remediation of compromised credentials, as the core TTP is credential-based access, not novel exploitation. Researchers have previously connected Handala to Iranian threat clusters Void Manticore and potentially Banished Kitten, suggesting a possible link to Iranian state-sponsored activity. Insikt Group cannot corroborate that attribution at this time, though it is likely the group serves as a cutout or deniable proxy for Iranian offensive cyber operations.

The Conquerors Electronic Army operates in a similar hybrid space — blending hacktivism, intrusions, and influence operations — with typical activity including web defacements, DDoS targeting government and critical infrastructure, hack-and-leak operations, and doxing.

Ransomware & Extortionist Activity

Pay2Key ransomware targeted a US healthcare organization using compromised administrative credentials and living-off-the-land techniques, per Halcyon. Insikt Group assessed this as state-aligned disruption rather than a financially motivated attack — implying deliberate rather than opportunistic targeting. This follows Handala's earlier destructive attack against a US medical device manufacturer, reinforcing a pattern of Iran-aligned actors pivoting toward US healthcare.

Groups to Track

State-sponsored: Insikt Group is actively monitoring Green Bravo (APT42), GreenGolf, Cotton Sandstorm, and Cyber Avengers. These groups are capable of advanced network and vulnerability scanning, opportunistic exploitation of known vulnerabilities, deployment of disruptive and destructive malware, and satellite or television broadcast hijacks — the latter particularly likely given their psychological impact.

Hacktivist fronts: The Handala Hack Team and the Conquerors Electronic Army operate in a hybrid space blending hacktivism, cyber intrusions, and influence operations. These groups are likely to be the first to resume traditional operational tempo as the blackout lifts.

Also watch: Peach Sandstorm, APT34, MuddyWater, and Moses Staff each have established patterns for initial access and lateral movement. Watch for new hacktivist fronts emerging — this is typically a signal of where Iran is directing its efforts, as seen with Homeland Justice in Albania and Moses Staff targeting Israel.

Influence Operations

Outside Iran

China is watching — and learning. A Nanjing National Defense Mobilization Office assessment published in late March treated the US-Israel-Iran war as a live case study in cyber-enabled warfare and cognitive operations, arguing China should pre-build a wartime-capable information mobilization system. The document cited specific examples from this conflict — including Handala activity, broadcast hijacking, deepfakes, and AI-enabled psychological warfare — as evidence that future conflicts are decided as much in cyber and cognitive domains as on the battlefield. Insikt Group assessed the article likely reflects some thinking within China's national defense mobilization system, though not necessarily formal PLA doctrine. The significance is less about any single document than the pattern it represents: this conflict is actively shaping foreign military thinking on the integration of cyber and cognitive warfare, with implications that extend well beyond the Middle East.

China's reported ceasefire role amplifies its "stabilizing power" narrative. If confirmed, Beijing's role in shaping Iran's acceptance of a ceasefire will very likely be leveraged to reinforce Chinese state messaging contrasting China's diplomatic influence with US military adventurism - building on patterns Insikt Group has already observed in Chinese national defense mobilization assessments of this conflict.

Inside Iran - Background and Context

Iran has shifted away from early reactionary messaging - including tactical battlefield updates - and moved toward overarching threat rhetoric, escalation narratives, and proxy alignment, particularly with Hezbollah, the Houthis, and the Islamic Resistance in Iraq. US and Israeli messaging has remained focused on projecting overwhelming military force and coalition resolve.

Phase assessment: Influence operations are currently between Phase 1 and Phase 2. Strategic narrative shaping is active at every level of the conflict. Covert networks are pivoting toward the conflict, but the anticipated surge has not yet fully materialized — likely due to degraded capabilities from ongoing kinetic strikes.

Three Phases of Iran's IO Approach - Early Conflict Patterns

Phase 1 — Strategic Narrative Shaping (Sustained). Iran has continued shaping narratives down to the tactical battlefield level, capitalizing on the fog of war to inflate perceived military capabilities and complicate damage assessment. Key patterns include unverified claims of civilian casualties, exaggerated reports of US military losses, and viral AI-generated imagery. NewsGuard has identified 53 false claims since the start of Operation Epic Fury, with some posts reaching millions of views. One AI-generated image related to USS Abraham Lincoln claims reportedly reached over 5 million views before being debunked.

Phase 2 — Covert Network Surge (Active). Known influence operation networks have fully pivoted to the conflict. Coordinated inauthentic behavior is ongoing across social media — sock puppet accounts impersonating journalists and activists amplifying false narratives and attempting to delegitimize US-Israeli strikes. Storm-2035's confirmed content pivot and ION-79's active posting are examples of this phase now fully in motion.

Phase 3 — Psychological Deterrence (Active). This hybrid campaign is now underway, targeting international audiences to shape deterrence perceptions while reinforcing a narrative of regime survivability domestically. Parliament Speaker Ghalibaf's direct public taunting of US consumers on energy prices following the Islamabad talks' collapse is a clear example of this phase in operation.

Operations Targeting Iranian Domestic Audiences

Insikt Group has also observed influence activity directed at the Iranian population itself: a seizure of Islamic Republic of Iran Broadcasting's live broadcast — notably, the IRIB facility was itself the target of a kinetic strike — with messaging focused on defections and targeting supporters of Mojtaba Khamenei. Precision message delivery within Iran via a popular mobile application has also been observed, with messaging along the lines of "help has arrived" and calls to resist the regime.

Active Threat Networks

Storm-2035 (ION-24) remains one of the most prolific Iranian IO networks, previously active in 2024 targeting US elections. As of late March, a fresh deliberate content pivot was confirmed — the network is now focused specifically on exaggerating Iranian military capabilities and complicating battlefield damage assessment. Claims observed include unverified reports of shooting down a US MQ-9 Reaper drone and inflated US casualty figures from strikes on US bases.

ION-79, affiliated with the IRGC Basij and previously tracked producing counter-protest narratives during Iran's nationwide protests, has inauthentic accounts actively producing content tied to the current conflict.

Operation Overload. Monitor for Russian influence operation activity impersonating legitimate entities in France and Germany under cover of the Middle East conflict. Other nation-state actors are actively exploiting this conflict to advance separate geopolitical interests.

ION-82 continues to recruit openly for physical threat activity via Telegram bots, offering financial compensation for actions targeting US and Israeli interests across channels in the US, Australia, New Zealand, and other countries. Intent levels following Khamenei's death are assessed as likely unprecedented.

Expert Assessment: What Happens Next

Based on analysis from Dr. Christopher Ahlberg’s conversation with former MI6 Director Sir Alex Younger on 9 March. Listen to the full webinar recording here.

Three scenarios are in play — not mutually exclusive, and each with distinct implications for organizations managing risk.

Scenario 1 — Bomb, Declare Victory, and Leave

The US achieves air supremacy, conducts a sustained campaign of precision strikes against remaining target sets, forces the Strait of Hormuz open using naval power, and exits. CENTCOM has confirmed the Iranian Navy is now "combat ineffective," and the US has struck over 5,000 targets inside Iran — including 60 ships — while actively targeting Iran's defense industrial base. The suppressive effect on Iranian will and capacity should not be underestimated, particularly once B-52s can operate over Iran with impunity. Trump has reportedly given Israel roughly a week to bring down the regime. This scenario has a faster resolution timeline but risks leaving unresolved instability.

Resilience question: What is the operational and financial impact of a 30- to 60-day Strait closure across our critical dependencies?

Scenario 2 — A “Venezuela-Style” Deal

This is assessed as the scenario Trump is most actively angling for. Iran's new leadership — cornered economically, facing military degradation, and aware that 80% of government revenue derives from hydrocarbons now at risk — has strong incentives to negotiate. Pezeshkian's public apology, the IRGC's repudiation of it, and Trump's calls for unconditional surrender may be the opening moves of a negotiation rather than signs of irreconcilable positions. Any deal would almost certainly require zero enrichment and the transfer of Iran's 400-plus kilograms of highly enriched uranium.

Resilience question: If a deal emerges within weeks, how does your organization's risk posture need to shift — and are your stakeholders prepared for rapid de-escalation as well as escalation?

Scenario 3 — Revolution or Fragmentation

US intelligence and Israeli officials assessed as of March 12 that the regime is not at risk of imminent collapse and maintains domestic control. That said, early friction signals are emerging: IRGC units are reportedly denying aid to regular army units, group desertions are being reported at the conscript level, and four Iranian diplomats have applied for asylum in Western countries since early 2026. Israel has begun targeting street-level security checkpoints — a deliberate effort to degrade suppression infrastructure rather than just military capacity. Revolutions always appear unthinkable before they happen and inevitable afterward. This remains the highest-uncertainty, highest-consequence scenario.

Resilience question: Are we prepared for high-impact, low-probability incidents such as sudden infrastructure disruption, terrorist violence, or regional fragmentation affecting operations across Iraq, the Gulf, and beyond?

How Recorded Future Can Help

Following standard operating procedure for high-priority global events, the Insikt Group published same-day flash analysis on both the kinetic strikes and the emerging cyber threat landscape.

Upon log-in, customers are directed to resources within the platform via an updated Middle East Resource Center, which includes pre-built queries and alerts to complement Insikt Group finished intelligence — covering suggested threat actors to track, generative AI prompts for continually generating situation reports, and specific recommended actions across cyber, threat actor, and tactical hunting dimensions.

Customers have immediate access to:

To provide extra support to customers in the region, Recorded Future's support team automatically enabled Geopolitical Intelligence access on February 28. Other customers interested in a free Geopolitical Intelligence trial should contact their account team.

Stay informed

To learn how Recorded Future can give your team the intelligence to stay ahead of this and future geopolitical crises, contact us to speak with one of our threat intelligence experts. Explore top use cases by visiting our demo center.