CyberCube - Cyber Insurance Analytics

How Cyber (Re)Insurers Should React as the Iran War Unfolds

Written by William Altman | Mar 4, 2026 3:27:39 PM

The United States' and Israel's military strikes against Iran on February 28, 2026, named Operation Epic Fury, raise the odds of retaliatory activity in cyberspace, whether through direct state action by Iran or through deniable fronts and proxies. To date, however, no specific retaliatory cyberattack by Iran or affiliated groups has been confirmed as tied to the operation. Security community commentary and media reporting warn that Iran-aligned actors could carry out cyber operations, including ransomware, against U.S. or allied targets in retaliation.

For cyber insurers, this is a moment to move beyond routine portfolio risk monitoring toward a proactive posture across underwriting and exposure management operations that accounts for the heightened risk from specific Iranian cyber threat actors.

Insurance carriers should anchor expectations in Iran’s observed cyber playbook. U.S. government guidance has repeatedly warned that Iranian government-affiliated cyber threat actors target poorly secured networks and internet-connected devices, and that heightened vigilance is warranted for U.S. critical infrastructure and entities of interest. This could include organizations in the Defense Industrial Base, government, banking and financial services, healthcare, telecommunications, and energy and utilities.1

Iran’s State-Sponsored Espionage Can Turn into Criminal Ransomware

There are two principal risk channels associated with Iranian cyber threat actors, and they can often overlap in practice.

1. State-Linked Access and Espionage Activity

Iranian state-aligned operators routinely conduct access-oriented campaigns built on phishing, credential harvesting, password spraying, and exploitation of known vulnerabilities in internet-facing systems. The objective is typically to establish persistent access inside victim environments, particularly in critical and strategically relevant sectors. While some operations are purely espionage-driven, the consistent theme is the development and maintenance of long-term access.
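The password-spraying technique named above, as an added example that is not part of the CyberCube post: a small Python detector that keys on the source address and counts distinct accounts with failed logins inside a sliding window, placed next to the per-account lockout view that a spray is designed to stay under. The log format, the sample lines, the window and the thresholds are all constructed for this example.

```python
"""Added example, not from the CyberCube post: detecting password spraying.

A spray tries one or two common passwords across MANY accounts from one
source, so a per-account lockout threshold never trips. The detector below
therefore keys on the source address and counts DISTINCT usernames with failed
logins inside a sliding time window, and notes any success from a source that
has already been flagged.

The log format ("<ISO time> <OK|FAIL> user=<name> src=<ip>") and the sample
lines are constructed for this example; thresholds are illustrative.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a spray from 203.0.113.10 (one failure per account,
# then a success), and a plain brute force on one account from 198.51.100.7.
SAMPLE_LOG = """\
2026-03-02T08:00:01 FAIL user=alice src=203.0.113.10
2026-03-02T08:00:03 FAIL user=bob   src=203.0.113.10
2026-03-02T08:00:05 FAIL user=carol src=203.0.113.10
2026-03-02T08:00:07 FAIL user=dave  src=203.0.113.10
2026-03-02T08:00:09 FAIL user=erin  src=203.0.113.10
2026-03-02T08:00:11 FAIL user=frank src=203.0.113.10
2026-03-02T08:00:13 OK   user=grace src=203.0.113.10
2026-03-02T08:05:00 FAIL user=alice src=198.51.100.7
2026-03-02T08:05:30 FAIL user=alice src=198.51.100.7
2026-03-02T08:06:00 FAIL user=alice src=198.51.100.7
2026-03-02T08:06:30 OK   user=alice src=198.51.100.7
"""


def parse_line(line):
    """Split one constructed log line into timestamp, outcome, user and source."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src: alert} for sources whose failed logins hit >= min_users
    distinct accounts within `window`. Each alert records the peak number of
    distinct accounts, the window bounds, and users that later succeeded from
    that source (a strong signal that a sprayed password landed)."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) FAIL events in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:  # slide the window forward
            q.popleft()
        if ev["ok"]:
            if ev["src"] in alerts:
                alerts[ev["src"]]["success_after"].append(ev["user"])
            continue
        q.append((ev["ts"], ev["user"]))
        distinct = {u for _, u in q}
        if len(distinct) >= min_users:
            alert = alerts.setdefault(ev["src"], {
                "distinct_users": 0, "first": q[0][0], "last": ev["ts"], "success_after": []})
            alert["distinct_users"] = max(alert["distinct_users"], len(distinct))
            alert["last"] = ev["ts"]
    return alerts


def per_account_failures(log_text, threshold=3):
    """The classic lockout view: (src, user) pairs with >= threshold failures.
    It catches the single-account brute force but is blind to the spray, which
    never fails the same account twice."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if not ev["ok"]:
                counts[(ev["src"], ev["user"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    for src, a in detect_spray(SAMPLE_LOG).items():
        print(f"SPRAY {src}: {a['distinct_users']} accounts between {a['first']} "
              f"and {a['last']}, later success for {a['success_after']}")
    print("per-account lockout would fire for:", per_account_failures(SAMPLE_LOG))
```

On the constructed sample the per-account view fires only for the brute force against `alice`, while the spray source is caught by the distinct-account count and is upgraded by the success that follows it; in a real deployment the source key should be widened to cover sprays distributed across a proxy pool (for example by ASN or by user-agent plus client fingerprint), since a single-IP key is the first thing an operator evades.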

2. Criminal Monetization Leveraging the State’s Access

The same footholds and vulnerabilities exploited by Iran's state-aligned operators are frequently used to enable criminal ransomware and extortion activity. In certain cases, financially motivated operations appear in proximity to state-directed campaigns.2 This convergence can serve two purposes:

  • Operational efficiency: shared infrastructure, tooling, and use of third-party access brokers can reduce cost and increase speed for state-aligned actors.
  • Strategic deniability: criminal activity can obscure attribution or provide plausible distance from state objectives.

However, it is important to distinguish between activity that may align with state interests and activity that is merely conducted by Iranian actors without formal sanction. The FBI has observed Iranian threat actors expressing concern on dark web forums about Iranian government monitoring of cryptocurrency movements, suggesting that some ransomware operations (although linked to state operators) may not be directly authorized by Tehran.3

The FBI’s assessment of the Iranian government-aligned threat actor known as Fox Kitten illustrates this blurred boundary. According to the Bureau, a significant percentage of the group’s U.S.-focused activity involves obtaining and maintaining technical access to victim networks to enable future ransomware attacks. Moreover, the FBI states that these actors do not merely sell or provide access; they work closely with ransomware affiliates to encrypt victim networks and coordinate extortion strategies.4

Taken together, the risk is not simply espionage or ransomware in isolation, but a hybrid model in which access operations, criminal monetization, and strategic objectives can intersect. For (re)insurers, the implication is that espionage and extortion are not cleanly separable risk categories when it comes to Iranian cyber threat actors. The same credential theft or vulnerability can support intelligence objectives one day and monetization or destruction the next, especially during periods of armed conflict.

State-aligned threat actors, including those linked to Iran, are reported to be using commercial AI models such as Google's Gemini to support parts of their cyber operations. According to Google's Threat Intelligence Group, adversaries tied to Iran have used these tools for target profiling, social engineering lure creation, translation, and other operational tasks, alongside peers from China, Russia, and North Korea; the pattern is accessible AI functionality integrated into existing workflows rather than fundamentally new techniques.5 Strong identity controls, disciplined patch management, and robust security hygiene therefore remain the critical defensive priorities against AI-assisted threats.

Proactive Exposure Management: CyberCube’s Portfolio Threat Actor Intelligence 

Portfolio Threat Actor Intelligence (PTI) harnesses AI to map the behavior of cyber threat actors and the technologies they most frequently target. It is included as part of CyberCube’s Concierge Threat Intelligence service — a first-of-its-kind offering designed specifically for the unique needs of cyber (re)insurers, built by experts in cyber threat intelligence, risk, and (re)insurance.

Cyber risk exposure managers at insurance carriers can leverage CyberCube’s PTI as part of cyber event response to identify portfolio entities that face elevated targeting risk from specific threat actors during active campaigns.

In parallel, CyberCube clients use PTI for ongoing exposure management, monitoring persistent threat actors, and their most likely targets over time to inform longer-term underwriting decisions and to continually refine portfolio risk strategy in line with threats.

CyberCube’s analysis reveals both a current cluster of elevated risk in the U.S. market and a strategic opportunity for cyber insurers to act preemptively by managing exposure and incentivizing better security before Iran’s cyber forces strike.

For this research, threat groups known as APT33, MuddyWater, and Fox Kitten were analyzed because they are three of the most active and well-documented Iranian state-aligned groups targeting U.S. enterprises and critical infrastructure.

CyberCube's PTI solution has identified 12% of large firms in the U.S. across select critical industries as being at a higher risk level. The elevated risk for these companies is driven by reliance on technologies frequently compromised by APT33, MuddyWater, and Fox Kitten, and by the presence of security lapses that these groups are known to exploit. For portfolio managers, our findings reinforce the need to move beyond broad sector assumptions and to map precisely the overlaps in technology and security posture across seemingly unrelated sectors and insureds.

All entities identified by CyberCube as high risk should be on heightened alert. Among them are 28 U.S. health organizations and 13 U.S. energy and utilities companies.

Which Companies are Most at Risk of Being Targeted by Iranian Threat Actors?

Using CyberCube's PTI solution, we analyzed a portfolio of approximately 1,000 large U.S. companies, segmenting them into risk tiers based on their exposure to APT33, MuddyWater, and Fox Kitten. We focused on enterprise technology stacks and on the observed security weaknesses those groups have shown a preference to exploit.

The analysis found that 12% of U.S.-based companies with revenues over $1 billion across seven critical industries — Banking, Financials, Energy & Utilities, Oil & Gas, Healthcare, Telecommunications, and the Public sector — face the highest likelihood of being targeted by Iranian cyber threat actors.

Exhibit 1 – U.S. Large Enterprise Risk Distribution to Iran Cyber Attacks

The analysis in Exhibit 1 is designed to help cyber insurance portfolio risk managers prioritize insureds for exposure management activities that address active threat campaigns. It does not suggest that most firms are safe from targeting: all large U.S. enterprises in critical sectors should be on heightened alert. It does underscore the importance of prioritization, so that resources are focused where the risk is greatest.

Source: CyberCube Portfolio Threat Actor Intelligence, analysis conducted on CyberCube’s Global Industry Exposure Database (IED), USA, ≥$1 billion annual revenue, Banking, Financials, Energy & Utilities, Oil & Gas, Healthcare, Telecommunications, Public, analysis conducted March 2026, n = 975

High Risk companies (119, or 12%) use three or more technologies historically targeted by APT33, MuddyWater, and Fox Kitten combined, and exhibit security lapses these groups are known to exploit. Notably, High Risk companies also tolerate security conditions that may allow these threat actors to complete critical steps across the entire attack lifecycle and ultimately achieve their objectives. Medium Risk companies (678, or 70%) use at least one of these groups' preferred technologies and exhibit security weaknesses that could enable only partial progression through the attack lifecycle. Low Risk companies (178, or 18%) use none of the technologies these groups are observed to target. Low Risk companies are not immune, but based on the observed technology and security posture they are less in need of immediate attention from exposure managers and underwriters.
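One minimal reading of the tiering rule just described, written as an added Python example and not CyberCube's PTI code: the post does not disclose PTI's actual technology lists, lapse indicators or scoring, so the technology names, lapse names, the lapse-to-lifecycle-stage mapping and the sample portfolio below are all placeholders constructed for the example. Where the text leaves a case implicit (three or more targeted technologies but only partial lifecycle coverage, or one or two technologies with full coverage), the example assigns Medium; that is this example's assumption, not a statement about PTI.

```python
"""Added example, not CyberCube's PTI code: one minimal reading of the
High / Medium / Low tiering rule described in the text.

  overlap = technologies in the insured's stack that appear in the combined
            preferred-technology list of APT33, MuddyWater and Fox Kitten
  stages  = attack-lifecycle stages that the insured's observed lapses enable
  Low     = no overlap
  High    = overlap >= 3 and every lifecycle stage enabled
  Medium  = everything else (3+ technologies with partial coverage, or 1-2
            technologies with full coverage, are not spelled out in the text;
            treating both as Medium is this example's assumption)

Technology names, lapse names, the lapse-to-stage mapping and the sample
portfolio are placeholders constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical preferred technologies per group (placeholder names).
ACTOR_TECH = {
    "APT33": {"tech_A", "tech_B", "tech_C"},
    "MuddyWater": {"tech_B", "tech_D"},
    "Fox Kitten": {"tech_C", "tech_E", "tech_F"},
}
TARGETED_TECH = set().union(*ACTOR_TECH.values())

LIFECYCLE = ("initial_access", "persistence", "lateral_movement", "impact")

# Hypothetical mapping: which lifecycle stage a given observed lapse enables.
LAPSE_STAGE = {
    "exposed_admin_portal": "initial_access",
    "unpatched_edge_device": "initial_access",
    "no_mfa": "persistence",
    "stale_service_accounts": "persistence",
    "flat_network": "lateral_movement",
    "no_offline_backups": "impact",
}


@dataclass
class Entity:
    name: str
    sector: str
    technologies: set
    lapses: set = field(default_factory=set)


def enabled_stages(lapses):
    """Lifecycle stages reachable given the observed lapses (unknown lapses ignored)."""
    return {LAPSE_STAGE[l] for l in lapses if l in LAPSE_STAGE}


def tier(entity):
    """Apply the three-tier rule to one insured."""
    overlap = entity.technologies & TARGETED_TECH
    if not overlap:
        return "Low"
    if len(overlap) >= 3 and enabled_stages(entity.lapses) == set(LIFECYCLE):
        return "High"
    return "Medium"


def tier_counts(entities):
    """{tier: number of entities}, the shape of Exhibit 1."""
    return dict(Counter(tier(e) for e in entities))


def high_risk_sector_share(entities):
    """{sector: share of the High tier}, the shape of Exhibit 2."""
    high = [e for e in entities if tier(e) == "High"]
    by_sector = Counter(e.sector for e in high)
    return {s: n / len(high) for s, n in by_sector.items()} if high else {}


ALL_LAPSES = set(LAPSE_STAGE)
# Constructed sample portfolio (names and sectors are placeholders).
PORTFOLIO = [
    Entity("H1", "Healthcare", {"tech_A", "tech_B", "tech_C"}, ALL_LAPSES),
    Entity("F1", "Financials", {"tech_B", "tech_C", "tech_E"},
           {"exposed_admin_portal", "no_mfa", "flat_network", "no_offline_backups"}),
    Entity("E1", "Energy & Utilities", {"tech_A", "tech_D", "tech_E", "tech_F"}, {"no_mfa"}),
    Entity("B1", "Banking", {"tech_A"}, ALL_LAPSES),
    Entity("P1", "Public", {"tech_Z"}, {"no_mfa"}),
    Entity("T1", "Telecommunications", set()),
    Entity("H2", "Healthcare", {"tech_C", "tech_D"}, {"unpatched_edge_device"}),
]

if __name__ == "__main__":
    for e in PORTFOLIO:
        print(f"{e.name:3} {e.sector:20} {tier(e)}")
    print(tier_counts(PORTFOLIO))
    print(high_risk_sector_share(PORTFOLIO))
```

The design point worth keeping from this reading is that the tier is a conjunction: technology overlap alone (E1, four targeted technologies but only one enabling lapse) stays Medium, and a complete set of lapses on a stack the groups do not favour (B1) also stays Medium. Any real implementation would replace the placeholder indicators with the actor-to-technology and lapse-to-stage evidence the insurer actually holds.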

Which Industries Could Iran Target?

Exhibit 2: U.S. Industry Share of High-Risk Companies for Iran Cyber Attacks (March 2026)

Box size corresponds to the proportion of companies in each industry within the 119 that CyberCube identified as at highest risk of being targeted by Iranian threat actors APT33, MuddyWater, and Fox Kitten.

Source: CyberCube Portfolio Threat Actor Intelligence, analysis conducted on CyberCube’s Global Industry Exposure Database (IED), USA, ≥$1 billion annual revenue, Banking, Financials, Energy & Utilities, Oil & Gas, Healthcare, Telecommunications, Public, analysis conducted March 2026, n = 119 high risk entities identified by CyberCube

Examining companies at the highest risk for Iranian cyberattacks shows there are high concentrations of companies in the financials and healthcare sectors (see Exhibit 2).

Both financial and healthcare sectors underpin essential services where outages or breaches cause significant operational friction and public concern. That makes them attractive for actors seeking impactful disruption without overt military engagement, which is a pattern consistent with Iranian cyber strategy in past geopolitical escalations.6

A “Cat Event” Remains a Rare Tail Scenario Despite Elevated Threats

Large-scale destructive operations by Iranian threat actors remain a tail event, but they cannot be ignored in scenario planning. In theory, an advanced persistent threat actor linked to the Iranian government could sit behind the kinds of systemic cyber catastrophe scenarios modeled by CyberCube.

Historically, Iran-linked activity has included targeting U.S. water and wastewater facilities via internet accessible industrial devices, often exploiting default or weak passwords.7 Iran-linked operators have also been charged in connection with coordinated Distributed Denial-of-Service (DDoS) campaigns against major U.S. financial institutions, disrupting online banking access for customers8, as well as an intrusion involving a New York dam9.

Despite high-profile incidents and periodic spikes in activity targeting critical infrastructure, these campaigns have not resulted in the economic loss implied by market wide cyber catastrophe thresholds.

Call for Cyber Insurers

The call to action for cyber insurance carriers is straightforward: leverage threat-intelligence-informed analytics to understand the risk from Iran’s cyber threat actors. Cyber insurers should:

  1. Use threat intelligence solutions, such as CyberCube’s PTI, to help identify portfolio companies that should be prioritized for action during ongoing campaigns and focus direct insured outreach on targeted security improvements aligned to relevant threat actors’ tradecraft.
  2. Incorporate the highest risk entities into threat-aligned portfolio tiering and stress-testing exercises to quantify potential losses during ongoing cyber campaigns.

With the right solutions and proactive threat intelligence, cyber insurers can take decisive steps to strengthen portfolio resilience, protect clients, and reduce the risk of loss. 

If you’d like to learn more, CyberCube is continuing to monitor developments in the ongoing conflict with Iran via our Cyber Aggregation Event Response Service (CAERS), which helps (re)insurers and brokers rapidly understand, contextualize, and quantify unfolding cyber events.

References
  1. https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
  2. https://www.infosecurity-magazine.com/news/iran-hackers-secretly-aid/
  3. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
  4. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
  5. https://www.bleepingcomputer.com/news/security/google-says-hackers-are-abusing-gemini-ai-for-all-attacks-stages/
  6. https://news.bloomberglaw.com/privacy-and-data-security/iran-war-puts-companies-infrastructure-on-cyber-threat-alert
  7. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
  8. https://www.fbi.gov/news/stories/iranians-charged-with-hacking-us-financial-sector
  9. https://www.fbi.gov/news/stories/iranians-charged-with-hacking-us-financial-sector