Iran’s cyber retaliation threat looms over U.S. companies: “It’s in the hands of a 19-year-old hacker in a Telegram room”

As missiles and airstrikes dominate headlines, cybersecurity experts are warning that the next wave of escalation may unfold not in the skies — but online.

Following weekend strikes on Tehran, Iranian-linked cyber groups ramped up activity in what analysts describe as one of the most aggressive digital campaigns yet. For U.S. companies, the concern isn’t just state-sponsored hacking. It’s the rise of loosely coordinated proxy actors operating with little oversight.

“It’s in the hands of a 19-year-old hacker in a Telegram room with really no oversight or direction,” said Kathryn Raines, a former NSA expert who now leads threat intelligence at cyber intelligence firm Flashpoint.

A hacked prayer app signals a shift

On Saturday morning, millions of Iranian users of the BadeSaba Calendar prayer app reportedly received unexpected push notifications after the app was compromised.

Instead of daily prayer reminders, users saw messages declaring “Help has arrived!” and urging the formation of a “People’s Army.” A day later, additional messages allegedly included surrender instructions for members of Iran’s Islamic Revolutionary Guard and directions for protest gatherings.

Flashpoint described the episode as a template for psychological cyber operations — using trusted digital tools to spread disinformation at moments of peak chaos.

Regime-aligned cyber actors responded quickly. According to Flashpoint, the incident was followed by the most aggressive phase yet of Iran’s so-called “Great Epic” campaign — a loose umbrella of cyber operatives coordinating under the banner “Cyber Islamic Resistance.”

These groups have previously claimed responsibility for attacks on gas stations in Jordan and for targeting U.S. and Israeli military contractors. Much of their coordination allegedly takes place in Telegram and Reddit channels, where participants post screenshots of attacks as proof — though verification can take weeks or months.

A leadership vacuum — and more unpredictability

With Iranian leadership structures reportedly weakened by recent strikes, centralized command over cyber operations may also be disrupted.

“The Iranian leadership vacuum is likely going to lead to more unpredictable, decentralized proxy attacks,” Raines said.

In practical terms, that means smaller groups or individuals may begin selecting targets independently. A mid-sized logistics company, a regional utility provider, or even a healthcare network could be chosen opportunistically — not as part of a grand strategy, but to make a statement.

That unpredictability makes risk modeling far more difficult for corporate security teams accustomed to tracking formal state actors with defined “red lines.”

Why cyber becomes more attractive

Brian Carbaugh, co-founder of AI security firm Andesite and former director within the CIA’s Special Activities Center, said cyber operations offer advantages that make them appealing in moments like this.

They are relatively low-cost, difficult to attribute conclusively, and capable of producing outsized psychological and operational disruption.

As conventional military options narrow or become riskier, cyber tools can fill the gap.

“The Islamic Republic has always had great pride in cyber capabilities within the security services,” Carbaugh said. That focus, he noted, is unlikely to diminish even if senior leadership is disrupted.

The rise of psychological operations

Experts say companies may be underprepared for a different kind of cyberattack — not one designed to steal data or encrypt servers, but to undermine trust.

Raines described the BadeSaba incident as an example of what she called “nihilistic psychological operations” — attacks aimed at destabilizing confidence and clarity rather than infrastructure.

In a corporate context, that could mean:

• Deepfake audio messages impersonating executives
• Fake emergency evacuation notices
• Spoofed internal communications during a regional outage
• Disinformation campaigns targeting employees in high-risk areas

If local news and internet access are disrupted, employees may have little ability to verify what’s real.

“Companies aren’t really prepared for what employees’ reality will be in the hours that follow,” Raines said.

What boards should be asking

For boards and executive teams convening in the coming days, experts say the focus should shift from simple “block rates” — how many attacks are stopped — to resilience and recovery time.

How long can core operations remain offline before revenue and reputation suffer?

What is the company’s maximum tolerable downtime?

How quickly can systems be restored after a destructive attack?

Carbaugh said that if he were advising a board this week, he would first ask whether the company faces elevated risk due to events in Iran. If leadership answers “no,” he would probe further.

Executives should understand:

• What specific mitigation steps are in place
• How threat intelligence is being gathered and shared
• Whether AI tools are being used to detect anomalous behavior
• How partners and suppliers are assessing their own exposure

“This conflict could take many twists and turns,” Carbaugh warned. “I don’t think this is going to be one we’re going to tidily wrap up and move on from in a few days.”

A prolonged period of digital risk

Cyber escalation does not require formal declarations. It can unfold quietly — through opportunistic attacks, proxy actors, and viral misinformation campaigns.

The coming days may not just test missile defense systems, but also corporate incident response playbooks.

For U.S. companies, the threat environment is shifting from structured state retaliation to something more decentralized and volatile — where escalation may hinge on a handful of actors coordinating in encrypted chat rooms.

This article is made and published by Asger Risom, who may have used AI in the preparation