
Cyber Escalation Moves Into Critical Infrastructure

Smarttech247 Research Team
Insights and Intelligence
Published: April 8, 2026

The cyber dimension of the current conflict is entering a more dangerous phase. While a ceasefire has been announced, activity in cyberspace shows no signs of de-escalation. Instead, the focus has shifted toward cyber-physical operations and the direct targeting of critical infrastructure.

For organisations, this represents a shift from disruption-led activity to operations capable of causing tangible, real-world impact.

From Disruption to Physical Impact

Recent activity confirms a move beyond website defacements and DDoS campaigns into the manipulation of industrial systems.

Threat actors are now actively targeting Operational Technology (OT), including programmable logic controllers (PLCs) and SCADA environments. Reported activity includes interference with project files and manipulation of human-machine interface data, particularly involving Rockwell Automation/Allen-Bradley systems.

Sectors affected include:

  • Water and wastewater systems
  • Energy infrastructure
  • Government facilities

This marks a clear escalation. The objective is no longer visibility or nuisance disruption, but operational and financial damage.

Infrastructure Exposure on Both Sides

At the same time, vulnerabilities are being exposed across all parties involved.

A reported breach of Iran’s national oil distribution infrastructure has resulted in the alleged exposure of 15GB of sensitive data, including customer and operational details. This type of dataset provides detailed insight into how critical systems function at scale.

Such exposure is significant. It enables adversaries to map infrastructure dependencies and identify high-impact targets for future cyber-physical operations.

The risk is not limited to a single region. Intelligence of this nature is frequently reused across campaigns, increasing the likelihood of broader spillover targeting.

A More Dangerous Targeting Model

This activity reflects a broader trend: critical infrastructure is becoming a primary target rather than collateral damage.

Unlike earlier phases of conflict where cyber operations were largely symbolic or disruptive, current activity suggests:

  • Intent to degrade physical operations
  • Increased interest in industrial control environments
  • Use of operational data to support follow-on attacks

For organisations operating in energy, utilities, or government-linked environments, the threat is no longer theoretical.

Handala: From Disruption to Psychological Operations

Alongside infrastructure targeting, the Handala group has significantly expanded its operational approach.

Recent claims include:

  • Municipal system compromise in the United States
  • Exposure of personal data linked to Israeli military personnel
  • Publication of private communications from security figures
  • Large-scale data wiping campaigns affecting multiple organisations

This reflects a shift toward coordinated psychological and information operations.

The group is combining:

  • Technical compromise
  • Data exposure
  • Targeted intimidation

Notably, activity suggests the use of legitimate enterprise tools such as Microsoft Intune and mesh networking platforms like NetBird, allowing them to operate within trusted environments and reduce detection.

Immediate Risk: OT Exposure and Access Pathways

While high-visibility claims continue, the most immediate risk for many organisations is exposure within their own environments.

Key concerns include:

  • Internet-facing OT systems
  • Weak segmentation between IT and OT networks
  • Insufficient monitoring of industrial protocols
  • Insecure remote access pathways

Threat actors are actively scanning for and exploiting these weaknesses.

What This Means

The current environment is defined by intent, access, and opportunity.

  • Intent is evident in the targeting of OT and critical systems
  • Access is being enabled through data breaches and exposed infrastructure
  • Opportunity is created by persistent gaps in OT security

For security teams, this is a shift in priority. Monitoring alone is not sufficient.

The focus must move toward:

  • Securing OT environments
  • Restricting external exposure
  • Strengthening access controls
  • Improving visibility across industrial networks

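The exposure concerns listed under Immediate Risk (internet-facing OT, weak IT/OT segmentation, unmonitored industrial protocols, insecure remote access) and the focus areas just listed can be turned into one concrete check. The following is an added example, not code from the article or from Smarttech247: a small Python script that applies a zone-based segmentation policy to firewall or flow-log records and flags industrial-protocol and remote-access connections into the OT zone that come from unapproved internal hosts or from addresses outside every defined zone. The IT/OT address ranges, the approved-workstation list, the `src=... dst=... dport=... proto=...` log format and the sample records are all constructed for illustration; the port assignments (ISO-TSAP 102, Modbus/TCP 502, DNP3 20000, EtherNet/IP 44818, SSH 22, RDP 3389, VNC 5900) are the standard public ones.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Well-known TCP ports of common industrial protocols (public, documented assignments).
INDUSTRIAL_PORTS: Dict[int, str] = {
    102: "ISO-TSAP/S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP explicit messaging, used by Rockwell/Allen-Bradley)",
}

# Remote-access services that should only reach OT from approved jump hosts.
REMOTE_ACCESS_PORTS: Dict[int, str] = {22: "SSH", 3389: "RDP", 5900: "VNC"}

# Constructed zone model: hypothetical address ranges, not taken from the article.
IT_ZONES = [ipaddress.ip_network("10.10.0.0/16")]
OT_ZONES = [ipaddress.ip_network("10.20.0.0/16")]
# Constructed allowlist of engineering workstations / jump hosts permitted into OT.
APPROVED_OT_CLIENTS = {ipaddress.ip_address("10.10.5.20")}

# Constructed flow-log format: key=value pairs on one line.
LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+proto=(\w+)")

Finding = Tuple[str, str, str, int, str]  # (category, src, dst, dport, service)


def parse_flow_line(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Extract (src, dst, dport, proto) from one constructed log line; None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport, proto = m.groups()
    return src, dst, int(dport), proto.lower()


def _in_zones(addr: str, zones) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in zones)


def classify_flow(src: str, dst: str, dport: int, proto: str) -> Optional[Finding]:
    """Apply the segmentation policy to one flow; return a finding or None if it is acceptable."""
    # Only TCP flows that terminate inside the OT zone are in scope for this check.
    if proto != "tcp" or not _in_zones(dst, OT_ZONES):
        return None
    service = INDUSTRIAL_PORTS.get(dport) or REMOTE_ACCESS_PORTS.get(dport)
    if service is None:
        return None
    src_ip = ipaddress.ip_address(src)
    if not (_in_zones(src, IT_ZONES) or _in_zones(src, OT_ZONES)):
        # Source is outside every defined zone: the OT asset is reachable from outside.
        return ("INTERNET_FACING_OT", src, dst, dport, service)
    if _in_zones(src, OT_ZONES):
        return None  # OT-to-OT traffic needs its own baseline; deliberately not flagged here
    if src_ip in APPROVED_OT_CLIENTS:
        return None  # approved engineering workstation / jump host
    if dport in REMOTE_ACCESS_PORTS:
        return ("UNAPPROVED_REMOTE_ACCESS", src, dst, dport, service)
    return ("IT_TO_OT_SEGMENTATION_GAP", src, dst, dport, service)


def analyse_flows(lines: List[str]) -> List[Finding]:
    """Run the policy over a batch of log lines and collect the findings in order."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_flow_line(line)
        if parsed is None:
            continue  # skip malformed records rather than abort the whole batch
        finding = classify_flow(*parsed)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "src=10.10.5.20 dst=10.20.1.15 dport=44818 proto=tcp",   # approved workstation -> PLC
    "src=10.10.7.44 dst=10.20.1.15 dport=44818 proto=tcp",   # unapproved IT host -> PLC (EtherNet/IP)
    "src=198.51.100.23 dst=10.20.1.30 dport=502 proto=tcp",  # address outside all zones -> Modbus device
    "src=10.10.7.44 dst=10.20.2.5 dport=3389 proto=tcp",     # unapproved RDP into the OT zone
    "src=10.20.1.15 dst=10.20.1.30 dport=502 proto=tcp",     # OT-to-OT, not flagged by this check
    "src=10.10.7.44 dst=10.10.8.9 dport=443 proto=tcp",      # ordinary IT traffic, ignored
    "malformed line with no fields",
]

if __name__ == "__main__":
    for category, src, dst, dport, service in analyse_flows(SAMPLE_LOG):
        print(f"{category}: {src} -> {dst}:{dport} ({service})")
```

Run as-is, the script reports three findings from the constructed sample: an unapproved IT host speaking EtherNet/IP to a PLC, a Modbus device reached from an address outside every defined zone, and RDP into the OT zone from an unapproved host. In practice the zone definitions and allowlist would come from the site's asset inventory and the records from the IT/OT boundary firewall; OT-to-OT traffic is left unflagged on purpose, since lateral movement inside the OT zone has to be judged against a baseline of normal controller-to-HMI traffic rather than a static port list.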
The risk is no longer confined to digital disruption. It now includes the potential for real-world operational impact across critical systems.
