The Iran War: What You Need to Know

Recorded Future Archived Mar 16, 2026 ✓ Full text saved

Insikt Group tracks the cyber, physical, and geopolitical components of the US-Israeli strikes on Iran — with continuously updated threat analysis and scenarios.

RECORDED FUTURE BLOG · PUBLISHED ON 13 MAR 2026 · Insikt Group®

Last updated: 13 March 2026 at 2100 GMT. Geopolitical and kinetic developments only — cyber and influence operations updates are covered in their respective sections below.

Two weeks into the most significant escalation in Middle East conflict in a generation, the situation remains fluid — but a clearer picture is emerging. Supreme Leader Mojtaba Khamenei has spoken. Iran's military has been significantly degraded but retains the capacity to threaten commercial shipping and US forces. The Strait of Hormuz disruption has triggered what the IEA now calls the largest supply disruption in history. And threat actors well beyond Iran's borders have moved quickly — state-sponsored groups and hacktivists alike are weaponizing the conflict as a phishing lure, while Iran's own targeting has expanded to US commercial targets outside the Middle East.

This report is continuously updated as the situation evolves across the geopolitical, cyber and influence operations dimensions of this conflict. It will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.

What Changed This Week

Leadership & Succession

- Khamenei's first statement was read on state TV — no personal appearance, likely for security and targeting reasons. Tone was combative: he validated the Strait closure, threatened to open new fronts, and called on regional states to expel US forces.
- Iran's diplomatic posture has crystallized: reparations, recognition of "legitimate rights," and international guarantees are the stated conditions for ending the conflict — echoed by both Khamenei and President Pezeshkian, who cited engagement with Russia and Pakistan for diplomatic backing.
- Regime leaders made public appearances at Quds Day rallies on March 13, framing turnout as a demonstration of legitimacy and popular resilience.

Strait & Commercial Risk

- The IEA confirmed this is now "the largest supply disruption in history" — Gulf output cut by at least 10 million barrels per day, with an expected monthly decline exceeding 7%.
- Iran struck vessels anchored at the Basra Oil Terminal on March 12, halting Iraqi oil operations entirely. Total vessels targeted has reached at least 14.
- Iran is confirmed to have begun laying mines in the Strait; CENTCOM destroyed 16 minelayers. As of March 13, there is no evidence of new mines being placed.
- Disruption has spread beyond energy: helium (critical for semiconductor manufacturing and medical imaging) and fertilizer supply chains are now materially impacted, with urea prices up approximately 30% over the past month.

Military & Proxy Activity

- CENTCOM assessed the Iranian Navy as "combat ineffective" — but Iran retains capability to threaten commercial shipping and US forces in the Strait.
- The US has struck over 5,000 targets inside Iran, including 60 ships, and is now targeting Iran's defense industrial base.
- Hezbollah launched its largest barrage since the conflict began.
- A French soldier was killed near Erbil in a Shahed drone attack; NATO intercepted a ballistic missile near Incirlik Air Base in Turkey.
- Russia is reportedly providing Iran with advanced drone tactics drawn from its experience with Iranian-made drones in Ukraine — a new level of support beyond targeting intelligence.

Regime Stability

- US intelligence and Israeli officials assessed as of March 12 that the regime is not at risk of imminent collapse and maintains domestic control.
- Early friction signals nonetheless: IRGC units reportedly denying medical aid and supplies to regular army (Artesh) units; group desertions reported, highest among conscripts; two more diplomatic defections bring the 2026 total to four.
- Israel has begun targeting street-level security checkpoints and is reportedly using Iranian citizens to assist with targeting — a deliberate effort to degrade the regime's suppression infrastructure.

Latest Areas to Watch

Three things to watch right now:

1. Mojtaba Khamenei's physical appearance. His first statement was read aloud on state TV — he did not appear in person, almost certainly to avoid providing a digital or physical signature that could enable targeting. Any public appearance will be a significant signal of his consolidation of authority and perceived security.
2. The internet blackout lifting and the cyber re-operationalization window. When connectivity is restored, expect scanning, brute forcing, password spraying, and probing against previously untargeted networks as early signals of Iranian cyber forces returning to operational tempo. This window is approaching.
3. Three scenarios remain in play — and are not mutually exclusive. A swift US military exit, a negotiated deal, or internal revolution and fragmentation each carry distinct risk profiles for organizations managing exposure across the region.

Leadership & Succession

Mojtaba Khamenei, son of the late Ali Khamenei, has been elected as Supreme Leader. His election preserves hardliner continuity and underscores the IRGC's political power — they shaped the outcome in favor of their preferred candidate despite reported objections from some clerics. Mojtaba appears to have been wounded in US-Israeli strikes that killed his father, mother, wife, and one son.

What this means strategically: Mojtaba is neither a credible Islamic scholar nor an experienced administrator — the two traditional prerequisites for the position. He lacks the authority his father spent two decades consolidating. For now, Iran is effectively being run by committee. Key power brokers include IRGC chief Vahidi, parliamentary speaker Ghalibaf, and overall security head Larijani. These individuals are realists, even if labeled hardliners, and have a broader range of options than Khamenei Senior ever permitted.

His first public statement reinforced a defiant posture, but his failure to appear in person very likely reflects an effort to protect him from US and Israeli targeting. The regime's power brokers — Larijani, Ghalibaf, and Pezeshkian — have all made public appearances, including at Quds Day rallies on March 13, framing turnout as evidence of legitimacy and strength. The IRGC has explicitly threatened to deal with any street unrest "a blow even harsher than that of January 8."

There is visible tension between political leadership and the IRGC. President Pezeshkian's public apology over strikes on Iran's neighbors drew immediate backlash from hardliners and military leaders — a reflection of the weakness of the elected government relative to the security apparatus. His stated diplomatic conditions (reparations, international guarantees) now align with Khamenei's statement, suggesting a coordinated political-diplomatic posture even as civil-military tensions persist.

Iran faces two paths: pursue a deal with the US that normalizes economic engagement and offers a path to regime survival — or endure the bombing, crack down domestically, export enough oil to China and India to sustain the patronage system, and wait for the geopolitical environment to shift.

Cyber Threat Landscape

Insikt Group continues to observe a near-term reduction in Iran's more advanced cyber activity since March 1. The internet blackout across much of Iran has impeded operational tempo and coordination among state-sponsored groups. Treat this period as a window in which Iran-aligned operators are regrouping, prioritizing recovery and defense, and setting conditions for future operations — not as a sign of diminished threat.

It is worth separating espionage-grade operations from the broader pro-Iran ecosystem. Some groups have gone quiet; others remain active. Critically, not all groups need to operate from within Iran's borders — and the state-sponsored campaign activity documented below confirms that.

State-Sponsored Espionage: A Surge in Conflict-Themed Campaigns

Since March 1, Proofpoint has documented six coordinated phishing and espionage campaigns exploiting the conflict as a lure — originating from actors aligned with China, Belarus, Pakistan, Hamas, and Iran. Targets include Middle Eastern governments, European diplomatic organizations, and a US think tank. The breadth of nation-state actors exploiting this conflict is itself a significant signal.

Common patterns across all campaigns: conflict-themed lures, compromised government email accounts used for legitimacy, credential harvesting as a primary objective, and geofencing to selectively target victims.

Specific groups observed include: UNK_InnerAmbush (China-aligned), TA402/Gaza Hacker Team, UNK_RobotDreams (Pakistan-aligned), UNK_NightOwl, TA473/TAG-70 (Belarus-aligned), and TA453/APT35 (Iran-aligned).

Security and IT teams should treat any conflict-themed email referencing Iran, the Strait of Hormuz, or the strikes as a high-suspicion lure regardless of apparent sender.

Hacktivist Escalation

On March 11, the Handala Hack Team — an Iranian hacktivist front previously linked to destructive wiper attacks against Israeli targets — claimed responsibility for a significant destructive attack against a major US-based medical device manufacturer. The claimed impact included large-scale data exfiltration and the wiping of hundreds of thousands of systems, servers, and managed devices. Disruptions were reported at facilities in Ireland and across corporate systems globally.

This marks a meaningful shift in Iran's retaliation posture in the cyber domain. Prior Handala activity was concentrated on Israeli targets; the move to a large US commercial organization — particularly one in the healthcare sector — signals that Iran's targeting aperture has widened materially. Organizations should not assume that only defense, government, or energy sector targets are at risk.

Groups to Track

State-sponsored: Insikt Group is actively monitoring Green Bravo (APT42), Green Golf, Cotton Sandstorm, and Cyber Avengers. These groups are capable of advanced network and vulnerability scanning, opportunistic exploitation of known vulnerabilities, deployment of disruptive and destructive malware, and satellite or television broadcast hijacks — the latter particularly likely given their psychological impact.

Hacktivist fronts: The Handala Hack Team and the Conquerors Electronic Army operate in a hybrid space blending hacktivism, cyber intrusions, and influence operations. Typical activity includes web defacements, DDoS targeting government and critical infrastructure, hack-and-leak operations, and doxing of officials and political figures. These groups are likely to be the first to resume traditional operational tempo as the blackout lifts.

Also watch: Peach Sandstorm, APT34, MuddyWater, and Moses Staff each have established patterns for initial access and lateral movement. Watch for new hacktivist fronts emerging — this is typically a signal of where Iran is directing its efforts, as seen with Homeland Justice in Albania and Moses Staff targeting Israel.
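The report's "Latest Areas to Watch" names the early signals of Iranian cyber forces returning to tempo once the blackout lifts (scanning, brute forcing, password spraying, probing against previously untargeted networks), and the groups above are the ones expected to resume first. The following is an added example, not Recorded Future's or Insikt Group's code, of how a defender can pull those signals out of authentication logs. It assumes a constructed, simplified line format (`timestamp source_ip username FAIL|OK`), constructed sample data, a hypothetical cutoff timestamp standing in for the moment connectivity is restored, and threshold values chosen for illustration only.

```python
"""Early re-operationalization signals in authentication logs.

Added example (not Recorded Future's code). Assumed log line format:
    <ISO-8601 timestamp> <source IP> <username> <FAIL|OK>
Real sources (Windows event 4625, sshd, VPN or IdP audit logs) need their own
parsers, but the heuristics are the same: password spraying is one source
touching many accounts with few attempts each; brute forcing is one source
hammering one or two accounts; a surge of failures from sources never seen in
the baseline window, timed with the blackout lifting, is the temporal overlap
the report calls a significant indicator.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry for the example, not real log data. The first
# four lines are a quiet baseline; the rest simulate two previously unseen
# sources becoming active after the cutoff.
SAMPLE_LOG = """\
2026-03-10T09:00:01Z 203.0.113.5 alice FAIL
2026-03-10T09:00:12Z 203.0.113.5 alice OK
2026-03-10T10:15:00Z 198.51.100.7 bob FAIL
2026-03-10T10:15:30Z 198.51.100.7 bob OK
2026-03-14T02:00:00Z 192.0.2.10 alice FAIL
2026-03-14T02:00:05Z 192.0.2.10 bob FAIL
2026-03-14T02:00:10Z 192.0.2.10 carol FAIL
2026-03-14T02:00:15Z 192.0.2.10 dave FAIL
2026-03-14T02:00:20Z 192.0.2.10 erin FAIL
2026-03-14T02:01:00Z 192.0.2.11 admin FAIL
2026-03-14T02:01:01Z 192.0.2.11 admin FAIL
2026-03-14T02:01:02Z 192.0.2.11 admin FAIL
2026-03-14T02:01:03Z 192.0.2.11 admin FAIL
2026-03-14T02:01:04Z 192.0.2.11 admin FAIL
2026-03-14T02:01:05Z 192.0.2.11 admin FAIL
2026-03-14T02:01:06Z 192.0.2.11 admin FAIL
2026-03-14T02:01:07Z 192.0.2.11 admin FAIL
"""

# Hypothetical cutoff: the moment connectivity on the actor's side is restored.
BLACKOUT_LIFTED = "2026-03-12T00:00:00Z"


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((_ts(ts), src, user, result == "OK"))
    return events


def classify_sources(events, spray_min_accounts=5, brute_min_attempts=8):
    """Label each source IP by the shape of its failed logins (thresholds are
    illustrative assumptions, tune them to your own baseline).

    password_spray: >= spray_min_accounts distinct accounts, < 3 attempts each
    brute_force:    >= brute_min_attempts failures against one or two accounts
    """
    failures = defaultdict(int)
    accounts = defaultdict(set)
    for _, src, user, success in events:
        if not success:
            failures[src] += 1
            accounts[src].add(user)
    labels = {}
    for src, n_fail in failures.items():
        n_accounts = len(accounts[src])
        if n_accounts >= spray_min_accounts and n_fail / n_accounts < 3:
            labels[src] = "password_spray"
        elif n_fail >= brute_min_attempts and n_accounts <= 2:
            labels[src] = "brute_force"
    return labels


def new_source_surge(events, cutoff=BLACKOUT_LIFTED, ratio=3.0):
    """Compare failures from never-before-seen sources after `cutoff` with the
    baseline failure count before it. In production normalise both counts to
    failures per day; raw counts keep this example short."""
    cut = _ts(cutoff)
    before = [e for e in events if e[0] < cut]
    after = [e for e in events if e[0] >= cut]
    known = {src for _, src, _, _ in before}
    baseline = sum(1 for e in before if not e[3])
    new_fail = sum(1 for e in after if not e[3] and e[1] not in known)
    new_sources = sorted({e[1] for e in after if not e[3] and e[1] not in known})
    surge = new_fail > 0 and (baseline == 0 or new_fail / baseline >= ratio)
    return {"baseline_failures": baseline, "new_source_failures": new_fail,
            "new_sources": new_sources, "surge": surge}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-source labels:", classify_sources(evts))
    print("post-cutoff surge:", new_source_surge(evts))
```

The two checks are deliberately separate: `classify_sources` answers "what is this source doing" and is useful at any time, while `new_source_surge` answers "did activity from unfamiliar sources jump after a specific moment", which is the blackout-lifting correlation the report asks teams to look for. Feed it the real cutoff once connectivity restoration is observed, and pair the result with the DDoS and exposure-patching points in the "What to Watch" guidance.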
What to Watch

When the digital blackout lifts, look for scanning, brute forcing, password spraying, and probing against your networks as early signals of Iranian cyber forces re-operationalizing. A temporal overlap between the blackout lifting and increased probing against previously untargeted networks would be a significant indicator. DDoS campaigns may also be an early signal. Ensure all public-facing technologies are patched — you can't control geopolitics, but you can control your exposure.

Additionally, watch for infrastructure repurposing: groups known for traditional espionage may suddenly shift to IO-driven domains, as seen after June 2025 when espionage infrastructure pivoted to hybrid theft-and-influence operations.

Expert Assessment: What Happens Next

Based on analysis from Dr. Christopher Ahlberg's conversation with former MI6 Director Sir Alex Younger. Three scenarios are in play — not mutually exclusive, and each with distinct implications for organizations managing risk.

- Scenario 1 — Bomb, Declare Victory, and Leave
- Scenario 2 — A "Venezuela-Style" Deal
- Scenario 3 — Revolution or Fragmentation

Influence Operations

Iran has shifted away from early reactionary messaging — including tactical battlefield updates — and moved toward overarching threat rhetoric, escalation narratives, and proxy alignment, particularly with Hezbollah, the Houthis, and the Islamic Resistance in Iraq. US and Israeli messaging has remained focused on projecting overwhelming military force and coalition resolve.

Phase assessment: Influence operations are currently between Phase 1 and Phase 2. Strategic narrative shaping is active at every level of the conflict. Covert networks are pivoting toward the conflict, but the anticipated surge has not yet materialized — likely due to degraded capabilities from ongoing kinetic strikes.

Three Phases of Iran's IO Approach

Phase 1 — Strategic Narrative Shaping (Active Now). Iran is attempting to shape narratives down to the tactical battlefield level. Key early examples include Iran state media publishing unverified claims about civilian casualties from airstrikes on a school in southern Iran; false narratives claiming up to 50 US casualties, quickly refuted by US CENTCOM; and viral claims about ballistic missiles hitting the USS Abraham Lincoln strike group, also debunked. Iran is capitalizing on the fog of war to inflate perceived military capabilities and complicate damage assessment.

Phase 2 — Covert Network Surge (Initiating Now). Known influence operation networks are pivoting focus to the conflict. Expect coordinated inauthentic behavior on social media — sock puppet accounts impersonating journalists and activists — amplifying false narratives and attempting to delegitimize US-Israeli strikes. One AI-generated image related to the Lincoln claims reportedly reached over 5 million views within hours before being debunked.

Phase 3 — Psychological Deterrence (Weeks to Months). This will be a hybrid campaign targeting both international audiences to control deterrence perceptions, and Iran's domestic population to reinforce a narrative of regime survivability.

Operations Targeting Iranian Domestic Audiences

Insikt Group has also observed influence activity directed at the Iranian population itself: a seizure of Islamic Republic of Iran Broadcasting's live broadcast — notably, the IRIB facility was itself the target of a kinetic strike — with messaging focused on defections and targeting supporters of Mojtaba Khamenei. Precision message delivery within Iran via a popular mobile application has also been observed, with messaging along the lines of "help has arrived" and calls to resist the regime.

Active Threat Networks

Insikt Group is currently tracking at least three networks as fully engaged on this conflict.

Storm-2035 (ION-24) — one of the more prolific Iranian IO networks, previously active in 2024 targeting US elections and most recently focused on Venezuela during the US operation to capture Maduro. Within the last 48 hours, a deliberate content shift on their inauthentic accounts was observed directly tied to this conflict. The network appears focused on exaggerating Iranian military capabilities and complicating battlefield damage assessment, including unverified claims of shooting down a US MQ-9 Reaper drone and claims that Iranian attacks on US bases resulted in 200 military casualties.

Handala Hack Team — an Iran-affiliated hacktivist front. Activity is still early and under investigation; they have claimed to have compromised an Israeli oil and gas company, though indicators of compromise are not yet robust. Using hacktivist fronts to claim a successful attack where none occurred is a persistent psychological tactic employed by Iranian cyber-enabled influence operations.

ION-79 — affiliated with the IRGC Basij, previously tracked producing counter-protest narratives during Iran's nationwide protests. Inauthentic accounts are now actively producing content tied to the current conflict.

Additional networks are being tracked, and more are expected to pivot and fully engage as the conflict develops.

What to Watch

Monitor your organization's brand closely — other nation-state actors are actively exploiting the conflict. Insikt Group recently published an analysis on Operation Overload, a Russian influence operation impersonating legitimate entities in France and Germany to advance geopolitical interests under cover of Middle East conflict. Brand abuse and impersonation by threat actors have increased significantly over the past year.

Also watch for physically focused influence operations: Insikt Group has tracked networks over the past two years that actively attempt to recruit individuals to commit physical acts of violence, including offering financial incentives. Intent levels following Khamenei's death are likely unprecedented.

Commercial Risks

According to vessel activity analysis by MarineTraffic, Strait of Hormuz transits have declined by 90% since the conflict began. The IEA confirmed on March 12 that global oil markets are enduring the largest supply disruption in history — Gulf output has been cut by at least 10 million barrels per day, with an expected monthly decline exceeding 7%. Saudi Arabia, the UAE, Kuwait, Iraq, and Bahrain have together cut output by nearly 7 million barrels a day.

Iran struck two vessels at the Basra Oil Terminal on March 12 using an underwater drone — halting Iraqi oil operations entirely. Total vessels targeted in the Strait have reached at least 14. According to CNN, Iran has laid a few dozen mines. US CENTCOM reported it had destroyed 16 minelayers. As of March 13, there is no evidence of new mines being placed.

On March 4, Qatar declared force majeure on gas exports. According to Reuters, it will take at least one month to resume normal production. QatarEnergy has ceased gas production for at least two weeks and stopped gas liquefaction as of March 5.

Beyond energy, the disruption has spread to adjacent supply chains. Helium — critical for semiconductor manufacturing and medical imaging — is facing significant supply pressure. Fertilizer prices have surged, with urea up approximately 30% over the past month, with downstream implications for crop yields and food prices.

Iran's geographic proximity to GCC countries and key shipping lanes gives it significant economic leverage, even as its military capabilities are degraded. Eighty percent of Iranian government revenues derive from oil and gas — meaning the Strait closure is as damaging to Iran as it is to global markets. This mutual pain creates both incentive for a deal and risk of miscalculation.

Resilience question: If volatility becomes the baseline, how must your organization adjust its risk posture to operate sustainably under persistent disruption?

Physical Threat Risk: North America, Western Europe, and Australia

The scope of US-Israeli operations will very likely prompt a significant increase in Tehran's efforts to asymmetrically target Western countries through violent non-state actors, and heighten the risk of homegrown and domestic violent extremist activity. Based on prior targeting by Iran-nexus groups, the most likely targets are high-profile US, Israeli, and Western foreign policy and military officials; Iranian dissidents residing abroad; targets associated with Israeli or Jewish communities; and private sector organizations affiliated with the US or Israeli military — particularly defense contractors, insurance companies, banks and financial institutions, and critical infrastructure service providers.

The kinetic conflict has already reached Europe: an intercepted drone over Cyprus, a NATO intercept of a missile in Turkish airspace near Incirlik Air Base, Iranian arrests in the UK, and explosions at the US Embassy in Norway and a synagogue in Belgium. A French soldier was killed near Erbil on March 13 in a Shahed drone attack. A pro-Iranian militia has since threatened all French interests in Iraq and the region.

Insikt Group is monitoring a coordinated physical threat recruitment campaign that we track as ION-82. Since February 26, accounts posting in English and Arabic have seeded Telegram channels — including job-seeker groups and university student communities — across at least a dozen countries, including the US, GCC states, Australia, Canada, India, and several EU countries. The posts openly offer financial compensation in exchange for conducting physical threat activities targeting US and Israeli interests on behalf of Iranian intelligence services. Originally focused on recruiting Israel-based individuals from October 2025 onward, the operation expanded its geographic scope in direct correlation with the outbreak of the current conflict.

Watch for physically focused influence operations. Insikt Group has tracked networks over the past two years that actively attempt to recruit individuals to commit physical acts of violence, including offering financial incentives. Intent levels following Khamenei's death are likely unprecedented.

How Recorded Future Can Help

Following standard operating procedure for high-priority global events, the Insikt Group published same-day flash analysis on both the kinetic strikes and the emerging cyber threat landscape. Upon log-in, customers were also pointed to resources within the platform via an updated Middle East Resource Center, which included pre-built queries and alerts to complement finished intelligence from the Insikt Group. These queries ranged from suggested threat actors to track, from the Handala Hack Team to RipperSec, to generative AI prompts for continually generating situation reports.

Recorded Future customers have immediate access to the resources your team needs right now in the Resource Center:

- Middle East Regional Conflict Intelligence Kit
- Islamic Republic of Iran Intelligence Kit

Customers' Threat Maps will automatically update based on the latest cyber attacks and targets to include any relevant threat actors to track, including hacktivist groups (Threat Map with Hacktivist Threat Actors).

Recorded Future customers can easily configure queries as a real-time alert to receive immediate notification as the situation develops — including new hacktivist claims, threat actor activity, and Insikt Group assessment updates.

To provide extra support to our customers in the region, Recorded Future's support team automatically enabled Geopolitical Intelligence access on 28 February. Other customers interested in a free Geopolitical Intelligence trial should contact their account team to gain access to the full suite of Insikt Group geopolitical notes, advanced queries, and associated alerts.

Stay Informed

The situation in Iran is moving fast. Recorded Future's Insikt Group is publishing continuous updates as the conflict evolves. To learn how Recorded Future can give your team the intelligence to stay ahead of this and future geopolitical crises, contact us to speak with one of our threat intelligence experts.