U.S.-based tech companies with operations in the Middle East could come under attack as Iran continues to target U.S. allies and businesses in the region while the war with the United States and Israel continues to rage.
At the same time, the related battle in cyberspace continues to expand as pro-Iranian groups widen their targets. Flashpoint intelligence analysts write that “cyber operations have shifted toward high-stakes extortion and the public dissemination of sensitive military coordinates, signaling a coordinated effort to enable future kinetic strikes.”
Iranian systems also have become a target, and bad actors are creating thousands of war-themed domains to run phishing campaigns, financial fraud attacks, and other scams related to the conflict.
In statements to the Tasnim news agency and on its Telegram channel, Iran’s Islamic Revolutionary Guard Corps (IRGC) this week accused the U.S. tech companies – which include Microsoft, Nvidia, Google, Apple, and Oracle – of aiding U.S. and Israeli forces in their bombing attacks and said they are now “legitimate targets.” Attacks on the organizations will start today, according to Iranian officials.
The IRGC said the companies share the blame for air strikes that have killed Iranians, including much of the regime’s leadership, adding that “since the main element in designing and tracking terror targets are American ICT and AI companies, in response to these terrorist operations, from now on, the main institutions effective in terrorist operations will be our legitimate targets.”
Iran also warned employees of the companies to leave their offices and to get at least a kilometer away from the buildings.
Other U.S. tech companies on the target list are Cisco Systems, Intel, HP, Meta, IBM, Dell, and Palantir. In addition, JP Morgan, Tesla, GE, and Boeing also were named, as were two organizations based in the United Arab Emirates (UAE), G42, an AI company in Abu Dhabi, and Spire Solutions, a cybersecurity firm in Dubai.
An Intel spokesperson in a statement told CNBC that “the safety and wellbeing of our team is our number one priority. We are taking steps to safeguard and support our workers and facilities in the Middle East and are actively monitoring the situation.”
This wouldn’t be the first time during the war that Iran targeted U.S. tech companies. Just days after the United States and Israel started their bombing campaign, Iranian drones attacked three Amazon Web Services (AWS) data centers in the UAE, damaging the facilities and causing service outages.
Iran earlier in March released a list of potential targets that included a range of tech companies, including Google, Microsoft, Palantir, IBM, Nvidia, and Oracle, and offices and infrastructure for cloud-based services in Israel.
The targeting of the tech companies puts a spotlight on their growing presence in the region, primarily driven by the demand for land and energy to build and run AI data centers.
Pro-Iranian cyber groups also are ramping up their attacks. According to the most recent report from Flashpoint researchers, Handala – once seen as a hacktivist group but which has since been linked to Iran’s Ministry of Intelligence and Security (MOIS) – not only took credit for the breach of FBI Director Kash Patel’s personal email and the data-wiper attack on U.S. medical tech company Stryker, but also claims it wiped 4 TB of data from the Good Food Store in Missoula, Montana, forcing the company to shut down operations.
Handala also says it doxxed Lockheed Martin engineers in Israel, giving them two days to leave the country under threat of death, the researchers wrote in the emailed report.
Another group, APT Iran, said it exfiltrated 375 TB of data from Lockheed Martin, including Pentagon contracts and blueprints for F-35 stealth fighter jets. Meanwhile, Fatimion Cyber Team said it breached the official website of the Ugandan Electoral Commission and is aiming to delete dozens of Facebook and Instagram accounts, according to Flashpoint.
That said, Iran is not only an aggressor in cyberspace, but also a target. Aikido Security researchers wrote that TeamPCP, the threat group behind the supply chain attacks on Trivy, LiteLLM, and others, is using its CanisterWorm backdoor malware against Iranian systems.
“The script uses the exact same ICP canister … we documented in the CanisterWorm campaign,” Aikido researcher Charlie Eriksen wrote. “Same C2, same backdoor code, same /tmp/pglog drop path. The Kubernetes-native lateral movement via DaemonSets is consistent with TeamPCP’s known playbook, but this variant adds something we haven’t seen from them before: a geopolitically targeted destructive payload aimed specifically at Iranian systems.”
The operation against Iranian targets unfolds in a similar manner as past TeamPCP attacks, Eriksen wrote. However, the payload runs two checks to determine where it’s operating. If it’s outside of Iran, the malware takes its usual steps, installing CanisterWorm on every Kubernetes node. However, if it finds that its target is in Iran, it wipes every node in the cluster.
TeamPCP has since added a third iteration of the threat, one that comes with the same canister backdoor and Iran wiper but that doesn’t need Kubernetes to spread. It can spread on its own.
“The previous versions relied on DaemonSets to move across a cluster,” he wrote. “This variant drops that entirely and replaces it with two lateral movement methods: SSH key theft and exposed Docker API exploitation. It also scans the local /24 subnet for new targets.”
Meanwhile, Palo Alto Networks’ Unit 42 threat intelligence group said it has identified at least 7,381 phishing URLs related to the war with Iran, spanning 1,881 unique hostnames. They are being used to run fake storefronts, donation scams, and phishing portals, researchers wrote in a report.