
The Cyber War Started Before the Air War: They Were Already Inside


They did not wait for the strikes.

While the world watched February 28, 2026 arrive with military action and diplomatic fallout, Iranian state-linked threat actors had already done something more consequential than launch a cyberattack in retaliation. They had established quiet, patient access inside the networks of a U.S. bank, a U.S. airport, nonprofit organizations in the United States and Canada, and a defense-adjacent software firm. They were positioned and waiting before the public even understood a conflict was escalating.


That is the fact every executive team needs to sit with this week.

This is not a story about what happened after the strikes. It is a story about what was already in place before them. And that single distinction changes the nature of cyber risk from a downstream consequence of geopolitical instability into something more operationally threatening: a pre-positioned exposure that may already exist before leadership realizes the environment has changed.


What the Evidence Actually Shows

Some of the cyber activity that followed the strikes was noise. Public narratives in moments like this almost always move faster than evidence, and the surge of hacktivist claims across forums and messaging platforms included plenty of recycled, exaggerated, and unverified content. That is worth acknowledging.

But the confirmed intrusions are another matter.


Researchers documented a campaign linked to MuddyWater, also known as Seedworm, an Iranian state-affiliated group, inside multiple organizations across North America and allied environments. Two custom backdoors were identified: Dindoor and Fakeset. Both were built for patience. Dindoor concealed itself by leveraging Deno, a legitimate developer runtime for JavaScript and TypeScript, to execute commands in ways that blend with normal development activity. Fakeset, a Python-based backdoor, was delivered through and communicated via Backblaze, a legitimate commercial cloud storage service, disguising malicious traffic as routine business operations.

That is not casual disruption. That is deliberate positioning.


Alongside the state-linked intrusions, more than 60 hacktivist groups reportedly mobilized, with confirmed activity including denial-of-service attacks and website defacements. Some groups made dramatic breach and leak claims. Many remain unverified.

For executives, these represent two distinct but overlapping problems. The first is stealthy and potentially destructive. The second is loud, public, and designed to create reputational pressure whether or not the underlying technical claims are real.

Both require a leadership response.

Why Waiting Is Itself a Decision

The cybersecurity world generates noise every day. New malware names, Telegram claims, dramatic screenshots, speculative threat reports. Organizations have learned, reasonably, to filter most of it out.

This moment is different because of timing and posture.

The intrusions associated with this campaign appear to predate the publicly visible escalation. The cyber element was not only retaliation. It appears to have been preparation. Adversaries were establishing access inside banks, airports, nonprofit supply chains, and defense-adjacent vendors before the geopolitical moment captured anyone's attention.


That reframes the executive decision entirely.

When an adversary may have already established access before your organization recognized the threat environment had changed, waiting to "see how things develop" is not a neutral posture. It is a decision to accept an unknown exposure window. For leadership, the difference between monitoring a news story and managing an operational risk has rarely been more concrete.


What This Access Could Actually Cost the Business

Most cyber coverage focuses on the mechanics of intrusion. For executives, the relevant question is never the malware family name. It is what that access enables.

When the target is financial, dwell time becomes leverage.

One confirmed target was a U.S. bank. Access inside a financial institution is not simply an intelligence risk. It can support fraud, transaction manipulation, disruption of high-value services, and the slow erosion of internal control integrity. Even when attackers do not immediately monetize their access, the longer they remain inside an environment, the more they understand about workflows, approvals, dependencies, account structures, and timing. The attacker's leverage compounds with every day the access goes undetected.


For organizations in financial services, payments, insurance, or any environment with sensitive transaction flows, a quiet backdoor is not an IT problem with IT consequences. It is a direct business risk with financial, legal, and regulatory dimensions.


When the target is operational, the threat is not data loss. It is destruction.

The confirmed targeting of a U.S. airport and a defense-adjacent software vendor points toward something beyond information theft. These environments sit close to operational continuity, logistics, transportation, and supply chain reliability. Iranian threat activity has a documented history of deploying wiper malware, which does not negotiate and does not restore. It destroys. The business continuity question for any organization connected to critical infrastructure or tightly integrated software vendors is not whether the security stack looks good on paper. It is whether a destructive event in one part of the environment could halt a core business function entirely.



When the actor is a hacktivist, the reputational damage does not wait for the facts.

A website defacement or unverified leak claim may not represent deep technical compromise, but that does not make it low impact. Public perception forms before forensic investigation completes. A defaced public-facing site generates headlines before scoping is finished. A politically motivated breach narrative can attach to a brand regardless of whether the underlying technical damage is limited.


The organizations best prepared for this are not the ones with the most aggressive security tooling. They are the ones where communications readiness is treated as part of cyber readiness, with pre-approved holding statements, a defined escalation path, and a communications decision-maker who can move quickly while the technical picture is still forming.


The Questions That Belong at the Leadership Level

When technical teams respond to elevated threat environments, they generally know what to do first. The gap that expands business risk is almost always the leadership layer: unclear decision rights, no shared picture of urgency, and no framework for distinguishing real signal from noisy claims. These are the questions that should be on every executive table this week.

Has threat hunting been initiated, not just monitoring?

A clean dashboard is not a clean environment. The confirmed activity in this campaign suggests some intrusions began weeks before the public escalation. Organizations should not assume they are unaffected because nothing has triggered an alert. They should assume they do not yet know. Leadership should be asking specifically whether hunting has begun for the behaviors associated with this campaign, including anomalous developer runtime activity, unusual Python execution patterns, suspicious outbound transfers, and legitimate cloud services being used to mask malicious communications.
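The four hunting questions above translate directly into detection logic. What follows is an added example, not code from the page or from the researchers who documented the campaign: a small triage hunt, run over a handful of constructed process and network events, that flags the behaviours the text names (a developer runtime such as Deno running where it has no business being, Deno spawning a shell, a Python process talking to a cloud storage service, and unusually large outbound volume from a single process). The event schema, the list of "expected" developer hosts, the Backblaze domain suffixes, the egress threshold and every host name and destination in the sample data are assumptions chosen for illustration, not indicators from the reporting.

```python
"""Triage hunt for the behaviours the article describes (added example).

Assumptions, not from the page or the research:
  - events are dicts with keys type/host/image/parent_image/cmdline or
    type/host/image/dest_host/bytes_out (e.g. exported from an EDR or Sysmon)
  - DEV_HOSTS comes from an asset inventory of machines expected to run Deno/Python
  - CLOUD_STORAGE_DOMAINS and EGRESS_BYTES_THRESHOLD are tuning knobs
"""
from collections import defaultdict

DEV_HOSTS = {"dev-ws-01", "build-01"}                      # assumption
CLOUD_STORAGE_DOMAINS = ("backblazeb2.com", "backblaze.com")  # assumption
EGRESS_BYTES_THRESHOLD = 50 * 1024 * 1024                    # 50 MiB, assumption

RUNTIMES = {"deno", "deno.exe", "python", "python.exe", "python3"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}


def _base(path):
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events):
    """Return a list of (rule, host, detail) findings over the given events."""
    findings = []
    egress = defaultdict(int)  # (host, image) -> bytes sent

    for ev in events:
        host = ev["host"]
        image = _base(ev["image"])

        if ev["type"] == "process":
            parent = _base(ev.get("parent_image", ""))
            # Rule 1: a scripting runtime on a host that should not run one.
            if image in RUNTIMES and host not in DEV_HOSTS:
                findings.append(("runtime_on_non_dev_host", host,
                                 f"{image} cmdline={ev['cmdline']}"))
            # Rule 2: Deno launching a shell (runtime used to execute commands).
            if parent in ("deno", "deno.exe") and image in SHELLS:
                findings.append(("deno_spawned_shell", host,
                                 f"{parent} -> {image} {ev['cmdline']}"))

        elif ev["type"] == "network":
            dest = ev.get("dest_host", "").lower()
            # Rule 3: runtime talking to commercial cloud storage (C2 or staging
            # disguised as business traffic).
            if image in RUNTIMES and dest.endswith(CLOUD_STORAGE_DOMAINS):
                findings.append(("runtime_to_cloud_storage", host,
                                 f"{image} -> {dest}"))
            egress[(host, image)] += ev.get("bytes_out", 0)

    # Rule 4: large cumulative outbound volume from one process on one host.
    for (host, image), total in egress.items():
        if total > EGRESS_BYTES_THRESHOLD:
            findings.append(("large_egress", host, f"{image} sent {total} bytes"))
    return findings


# Constructed sample events (hosts, paths and destinations are made up).
SAMPLE_EVENTS = [
    {"type": "process", "host": "fin-srv-07",
     "image": r"C:\Users\svc\AppData\Local\deno\deno.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "deno.exe run -A t.ts"},
    {"type": "process", "host": "fin-srv-07",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\svc\AppData\Local\deno\deno.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "host": "dev-ws-01",
     "image": "/usr/local/bin/deno", "parent_image": "/usr/bin/code",
     "cmdline": "deno test"},
    {"type": "network", "host": "fin-srv-07",
     "image": r"C:\Python311\python.exe",
     "dest_host": "f001.backblazeb2.com", "bytes_out": 2048},
    {"type": "network", "host": "dev-ws-01",
     "image": "/usr/bin/python3", "dest_host": "pypi.org", "bytes_out": 4096},
    {"type": "network", "host": "fin-srv-07",
     "image": r"C:\Python311\python.exe",
     "dest_host": "f001.backblazeb2.com", "bytes_out": 60 * 1024 * 1024},
]


def run_sample():
    """Run the hunt over the constructed events and return the findings."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"{host:12} {rule:26} {detail}")
```

The point of the example is the shape of the hunt, not the thresholds: each rule corresponds to one of the questions leadership should be asking, and each fires on behaviour rather than on a file hash or domain that an adversary can change. The developer workstation in the sample produces no findings because Deno and Python are expected there; the finance server produces one finding per rule. In a real environment the allow-list of developer hosts and the egress baseline would come from inventory and historical telemetry rather than constants.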



Which vendors hold persistent access, and when were those relationships last reviewed?

The breach involving a defense-adjacent software firm reinforces one of the most persistent and under-managed risks in enterprise security: attackers often enter through trusted partners. Executives should know which vendors, managed service providers, and contractors hold privileged or persistent access into internal systems, and whether that access is actively monitored. In a geopolitical threat environment, vendor trust cannot be treated as a static condition.

Are critical systems unnecessarily exposed to the internet?

Poorly segmented remote access, public-facing operational technology interfaces, and industrial control systems reachable from external networks remain among the most avoidable sources of cyber risk. Many organizations have inherited internet exposure that no one revisited because it was convenient. In periods of elevated nation-state activity, those exposures become higher-priority targets. The question leadership should be asking is whether exposure that exists for operational convenience is worth the risk it now represents.

Is the organization prepared for a communications incident before the technical picture is complete?

In politically charged cyber events, the communications pressure arrives before the forensic story does. Organizations that prepare for the technical incident far more thoroughly than the public one will feel that imbalance acutely. The communications response needs its own readiness: who can approve a statement, who speaks, and what the organization is willing to say when it does not yet know the full scope.

The Cost Asymmetry Leaders Need to Understand

The immediate cost of accelerating response in an environment like this is operationally manageable. It includes additional analyst time, targeted external threat-hunting support, faster patching and exposure review, focused third-party access validation, and a communications tabletop or response refresh. None of those efforts are trivial, but for most mid-sized and large organizations, they are absorbable.

The cost of inaction is a different calculation.


A backdoor that remains in place for weeks can produce fraud loss, prolonged downtime, emergency incident response costs, outside legal counsel, regulatory disclosure obligations, contract scrutiny, customer churn, and executive distraction at exactly the wrong moment. For organizations in regulated industries, adjacent to critical infrastructure, or holding defense-related contracts, the downstream consequences can extend into compliance posture, contractual standing, and trust erosion that has no clean resolution timeline.


The asymmetry is the point. Checking now is almost always less expensive than discovering later.

The practical defensive window for this campaign likely stretches back to early February, not simply to the February 28 strikes. Organizations should not respond as though this is a post-strike problem. They should respond as though the environment may have been active for weeks, because the evidence suggests it was.


Closing Thought


The defining question this surge puts on the table is not whether another wave of cyber activity will follow the next geopolitical flashpoint. It is whether your organization would know if the access was already there before the world started paying attention.


That is the question boards need to hear in business language. That is the question leadership needs to be equipped to ask. And it is the question that separates organizations that handle moments like this from those that discover, far too late, that they were already inside the problem.
