
Cyber Conflict Knows No Ceasefire: Why Supply Chains Are the Front Line Against Iranian Threats

9:47 AM   |   29 June 2025


Former NATO Hacker Warns of Persistent Digital Hostilities and Supply Chain Vulnerabilities

In the complex landscape of international relations, physical ceasefires are often negotiated to halt overt military aggression. However, according to Candan Bolukbas, a former NATO hacker and current chief technology officer and founder of cyber-risk intelligence firm Black Kite, the rules of engagement are fundamentally different in the digital realm. Bolukbas contends that in the world of cyber warfare, the concept of a ceasefire simply doesn't exist.

Speaking to The Register, Bolukbas articulated a stark reality: "In the cyber world, there's no such thing as a ceasefire." This perspective is particularly relevant in the context of recent tensions and a physical truce between nations like Iran and Israel, suggesting that while missiles may cease to fly, the digital skirmishes continue unabated.

Bolukbas's insights stem from a distinguished career that included serving as part of NATO's counter cyberterrorism task force. In this role, he was involved in simulating offensive cyber attacks against government agencies in member and partner countries to bolster their network defenses. His work provided him with a deep understanding of state-sponsored cyber capabilities and the vulnerabilities inherent in modern interconnected systems.

One particularly illustrative experience involved red-teaming a critical power grid in Kiev, Ukraine. Despite many of the facility's systems being airgapped – physically isolated from external networks – Bolukbas found a pathway in. He recounted how targeting the critical infrastructure directly was challenging, but pivoting to its dependencies proved effective. "It wasn't easy to target, so I said, 'OK, let me find the suppliers for this organization'," Bolukbas explained. He identified 20 potential suppliers, selected one that appeared most vulnerable, and used that third-party connection to gain access to the grid control panel. This access put him "literally one command away from taking down the grid."

This experience underscores a critical point: the security of a large, well-defended organization is often only as strong as the security of its weakest supplier. This vulnerability is not theoretical. Just a year after Bolukbas's simulation, in 2015, Russia's Sandworm group successfully shut off part of Ukraine's electricity grid, impacting tens of thousands of residents. This real-world incident mirrored the potential outcome Bolukbas had demonstrated through his red-teaming exercise.

The Supply Chain: A Prime Target in Persistent Cyber Conflict

Fast forward a decade, and Bolukbas remains concerned about the potential for similar attacks, particularly from Iran, in retaliation for physical strikes. He believes that Iran's cyber operations are likely to focus on the supply chain, viewing it as a significant weak spot for adversaries like Israel and the United States.

"My belief is that they're going to go after the supply chain, because that's our weak spot," Bolukbas stated. He elaborated that while breaching highly secure networks like those of the Pentagon might be exceedingly difficult for Iran acting alone, targeting the suppliers of the Israeli and US Departments of Defense presents a more feasible path to impact critical operations.

The ongoing conflict in Ukraine provides ample evidence of this strategy. Russian cyber campaigns have targeted Western logistics firms and technology companies, including email providers, to gather intelligence on Ukrainian targets and military movements. They have also compromised internet-connected cameras at border crossings to monitor aid shipments and attacked providers of industrial control system (ICS) components used in railway management, as detailed in a joint government advisory.

Beyond critical infrastructure and defense, the interconnectedness of modern life means even seemingly innocuous devices can become tools for cyber warfare. Bolukbas pointed out that smart TVs and other home IoT devices are often easily compromised and can be used to build massive botnets for distributed denial of service (DDoS) attacks. Networks of compromised devices, such as the connected boxes used to relay traffic in recently described campaigns, can also be leveraged to launch cyberattacks against high-value targets while masking the origin of the attack. Recent reports, such as those concerning Volt Typhoon, highlight how state-sponsored actors can maintain persistent access and position themselves within networks, often through compromised infrastructure.

Iran's Cyber Capabilities and Limitations

Bolukbas assessed Iran's cyber capabilities relative to global powers. He believes it's "very unlikely that they can launch a sophisticated attack against the NSA, Pentagon, or those kinds of bigger organizations." These targets are generally considered outside of Iran's independent reach, unless they receive direct, high-level backing from major cyber powers like Russia or China.

However, Bolukbas considers such direct collaboration on breaching critical American networks highly improbable. Providing Iranian operatives with access gained through sophisticated means, or expending valuable zero-day exploits on their behalf, would not align with Russia's or China's strategic interests. These nations would likely prefer to preserve such access and cyber weapons for their own geopolitical or military objectives at a time of their choosing. Consequently, Bolukbas concludes, "Iran is alone in this game, but they can go after the low-hanging fruit." This 'low-hanging fruit' primarily includes less-hardened targets within the supply chain and through widespread, less sophisticated attacks like phishing and disinformation.

The US Cyber Posture: Defense Forward and Persistent Engagement

The concept of persistent cyber conflict is not unique to Iran. Bolukbas noted that the United States also operates under a similar understanding. "While we haven't seen any ceasefire happening" in terms of Iranian cyber campaigns, particularly concerning phishing attempts targeting individuals with access to sensitive information, "we also do this," he said, referring to the United States' own cyber operations.

A prime historical example is Stuxnet, the sophisticated malware used to disrupt Iran's nuclear program by targeting its centrifuges. Bolukbas highlighted that Stuxnet was a joint American-Israeli operation that occurred during a period when the US was not formally at war with Iran. This demonstrates that significant cyber operations can and do happen outside the traditional framework of declared physical conflict or ceasefires.

The United States possesses formidable cyber capabilities. Bolukbas asserted, "The US has the biggest cyber army, strategic or talent-wise." He added that "The NSA is known for having the biggest zero-day arsenal on the planet." This offensive capability is coupled with a strategic doctrine known as defense forward. This doctrine dictates that if the US identifies a threat in cyberspace that could disrupt its interests, it reserves the right to attack it first. This proactive stance falls under the mission of US Cyber Command.

While Bolukbas doesn't anticipate the US deploying its most significant cyber weapons against Iran in the current climate, he believes that cyber espionage, influence operations, hack-and-leak operations, and probing for vulnerabilities in Iran's military and cyber infrastructure are likely ongoing activities. From his perspective, the cyber dimension of the conflict between these nations predates any recent physical exchanges, having begun "a long time ago."

Protecting Against Persistent Cyber Threats

Given the reality of continuous cyber conflict, Bolukbas offered practical advice for network defenders, both in organizations and for individuals.

First and foremost, he stressed vigilance against phishing attacks. "Be careful with phishing attacks," he warned. These social engineering tactics are a common tool for Iranian actors because, lacking a vast arsenal of zero-day exploits, they rely heavily on manipulating individuals to gain access. Users must exercise extreme caution regarding what they click on, especially in emails, messages, or suspicious websites. The increasing sophistication of phishing, potentially aided by tools like generative AI, makes this advice more critical than ever.

Second, Bolukbas advised skepticism regarding information encountered online. Iran, along with other state actors such as Russia and China, is increasingly adept at using technologies, including generative AI, to create fake news and manipulate social media. These disinformation campaigns aim to influence public opinion, sow discord, or achieve strategic objectives. Verifying information against multiple credible sources is essential in navigating the polluted information environment.

Finally, Bolukbas emphasized the critical importance of timely patching. "Patch your systems, including IoT for end users and residential people," he urged. For organizations, patching external-facing systems quickly is paramount. He highlighted the race between vulnerability disclosure and exploit development: "time is ticking from the day that the vulnerability is disclosed. Iranian groups are trying to develop an exploit. If they develop the exploit before the patch, they're not going to hesitate to use that." Delaying patches, even by a week or two, can open significant windows of opportunity for attackers.

The Enduring Nature of Cyber Conflict

The insights from Candan Bolukbas paint a clear picture: the digital battleground is one of constant activity, irrespective of the state of physical hostilities. While major powers possess advanced capabilities and doctrines like 'defense forward' to proactively address threats, nations like Iran are likely to leverage more accessible methods, with supply chain attacks, phishing, and disinformation posing significant risks.

The interconnectedness of modern infrastructure means that vulnerabilities in seemingly peripheral entities – the suppliers, the partners, even consumer IoT devices – can provide pathways into high-value targets. The historical example of Stuxnet serves as a reminder that cyber operations can be a tool of statecraft used outside the traditional confines of war.

For individuals and organizations alike, the message is clear: cybersecurity is not a task with a start and end point, tied to physical conflicts or ceasefires. It is a continuous process requiring vigilance, skepticism towards digital communications and information, and a commitment to maintaining up-to-date defenses through prompt patching. In the cyber world, the fight for security is perpetual.