When geopolitical bombs drop, cyber fallout often follows. Forrester has captured such threats in its report The Top Cybersecurity Threats In 2025, stating that geopolitical volatility, deepfakes, and AI-driven disinformation would collide to reshape the threat landscape. Security teams will face increased risk and be hit with a new wave of threats, noise, and vendor opportunism. These situations demand clarity rather than alarmism. Responses must be specific and business-aligned, as how you frame the situation to stakeholders is just as important as how you defend against it. Security leaders can use this blog and our research on geopolitical risk and nation-state threats to focus on the things that matter and cut through the noise.

Deepfakes Are The New Front Line Of Social Engineering

Iranian actors such as APT42 (Charming Kitten) and TA453 (tracked by Proofpoint) have long excelled at impersonation-based phishing campaigns to trick high-value targets. What’s changed in 2025 is the use of synthetic media (deepfakes) by these threat actors to deepen deception, which far outpaces current detection capabilities. While state-sponsored groups remain the most capable and dangerous, organizations must also monitor Iran-aligned hacktivist collectives, which may amplify disinformation, conduct low-level disruptions, or attempt reputational attacks in support of Iranian interests.

In response, organizations must develop playbooks for detecting and validating synthetic content (vendors such as Attestiv, BioID, Deepfake Detector, Reality Defender, and Sensity AI provide deepfake detection algorithms) and for simulating impersonation attacks using AI-generated voice and video (tools such as Gooey.AI, Deepfakesweb.com, and Deepgram.com). Executive communications protocols should be hardened, public statements watermarked, and internal validation procedures reinforced. Organizations should also expand their intelligence collection to include fringe platforms such as Telegram and Farsi-language forums, where these narratives often emerge first.

Elevated Risk For ICS- And IoT-Heavy Environments

Iranian-affiliated threat actors have targeted OT environments before and are very likely to do so again. On June 16, 2025, as reported by Recorded Future News, the US State Department announced a reward of up to $10 million for information on threat actor groups linked to CyberAv3ngers. This group has previously targeted US-based water and energy systems via vulnerable programmable logic controllers, which means every industrial control systems (ICS)-heavy organization is exposed to this risk.

Notably, the healthcare sector is now also on the radar. A June 24, 2025, warning from the US Department of Health and Human Services confirms that Iranian cyber actors are increasingly targeting healthcare providers, particularly those with legacy medical devices, weak segmentation, and exposed building management systems. Security and risk professionals must prioritize a Zero Trust approach: preventing and detecting lateral movement from IT to OT, network segmentation, bringing unmanaged assets and workstations under control, detecting protocol misuse, and threat detection across OT environments.
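The Zero Trust priorities listed above (IT-to-OT lateral movement, segmentation, unmanaged assets, protocol misuse) translate directly into detection logic over connection logs. The following is an added example, not code from the Forrester post or from any agency it cites; the subnets, the allowlist, the asset inventory and the log lines are all constructed. It flags IT hosts reaching OT segments outside the approved engineering path, Modbus write function codes originating from the IT side, and OT endpoints that are missing from the inventory.

```python
"""Evaluate constructed connection records against an IT/OT segmentation
policy. Added example (not from the Forrester post); addresses, policy
and log format are illustrative assumptions."""
import ipaddress
from collections import Counter

IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Policy: only the engineering jump host may cross into OT, and only on
# Modbus/TCP (502) and EtherNet/IP (44818). Constructed values.
ENGINEERING_HOST = "10.10.5.20"
ALLOWED_IT_TO_OT = {(ENGINEERING_HOST, 502), (ENGINEERING_HOST, 44818)}

# Modbus function codes that write coils/registers; reads are lower risk.
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}

# Constructed OT asset inventory; anything else on an OT subnet is unmanaged.
OT_INVENTORY = {"10.50.1.7", "10.50.1.9", "10.50.2.2"}

# Constructed sample log in a key=value style.
SAMPLE_LOG = """\
2025-06-25T10:00:01Z src=10.10.5.20 dst=10.50.1.7 dport=502 proto=tcp modbus_func=3
2025-06-25T10:00:05Z src=10.10.77.4 dst=10.50.1.7 dport=502 proto=tcp modbus_func=6
2025-06-25T10:00:09Z src=10.10.77.4 dst=10.50.1.9 dport=502 proto=tcp modbus_func=16
2025-06-25T10:00:12Z src=10.10.3.11 dst=10.50.2.2 dport=3389 proto=tcp
2025-06-25T10:00:15Z src=10.50.1.7 dst=10.50.1.9 dport=502 proto=tcp modbus_func=3
2025-06-25T10:00:20Z src=10.50.9.99 dst=10.50.1.9 dport=502 proto=tcp modbus_func=16
"""


def parse_line(line: str) -> dict:
    """Turn one 'ts k=v k=v ...' record into a dict with typed fields."""
    ts, *kvs = line.split()
    rec = {"ts": ts}
    for kv in kvs:
        key, value = kv.split("=", 1)
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    if "modbus_func" in rec:
        rec["modbus_func"] = int(rec["modbus_func"])
    return rec


def in_nets(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def evaluate(rec: dict) -> list:
    """Return the policy findings for a single connection record."""
    findings = []
    src_is_it = in_nets(rec["src"], IT_NETS)
    dst_is_ot = in_nets(rec["dst"], OT_NETS)
    # 1. Lateral movement: IT -> OT outside the approved path.
    if src_is_it and dst_is_ot and (rec["src"], rec["dport"]) not in ALLOWED_IT_TO_OT:
        findings.append("it_to_ot_unauthorized")
    # 2. Protocol misuse: a write-class Modbus function issued from the IT side.
    if src_is_it and rec.get("modbus_func") in MODBUS_WRITE_FUNCS:
        findings.append("modbus_write_from_it")
    # 3. Unmanaged asset: an OT-side endpoint absent from the inventory.
    for endpoint in (rec["src"], rec["dst"]):
        if in_nets(endpoint, OT_NETS) and endpoint not in OT_INVENTORY:
            findings.append("unmanaged_ot_asset")
    return findings


def analyze(log_text: str) -> list:
    """Return (timestamp, src, dst, finding) tuples for every violation."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for finding in evaluate(rec):
            alerts.append((rec["ts"], rec["src"], rec["dst"], finding))
    return alerts


def offenders(alerts: list) -> Counter:
    """Count findings per source host, to prioritize triage."""
    return Counter(src for _, src, _, _ in alerts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
    print(offenders(analyze(SAMPLE_LOG)))
```

In the sample, the engineering host's read on port 502 is clean, the two writes from an unapproved IT workstation produce both a segmentation and a protocol-misuse finding each, the RDP attempt into OT is flagged as unauthorized, OT-to-OT reads pass, and the write from an address missing from the OT inventory surfaces as an unmanaged asset rather than as a segmentation breach.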

Retaliatory Threats Could Put Government Agencies In The Crosshairs

Threat actor groups such as APT34 and APT42 have consistently targeted US government entities through phishing and credential-harvesting campaigns, including attempts to compromise presidential campaigns and federal personnel accounts. Meanwhile, Iranian hacktivists from groups such as RipperSec and Mr Hamza have performed website defacements and distributed denial of service attacks to disrupt services and erode trust. These hybrid operations often combine espionage with disruption and should be considered credible threats across federal, state, and local agencies.

The pattern suggests that these threats are less about data theft and more about undermining public confidence and trust in government services. As a result, government entities must establish rapid communication channels with partners such as the FBI, Department of Homeland Security, and Cybersecurity and Infrastructure Security Agency.

For threat intelligence, security pros should prioritize computer emergency response teams and sector-specific information sharing and analysis centers, if they have not done so already. This enables effective real-time intelligence sharing and coordinated response. Just as critical as technical defense is the ability to communicate clearly, respond swiftly, and preserve public trust, which is essential in countering both disruption and disinformation.

The Market Hype You Should Ignore

In times of crisis and uncertainty, vendors and service providers may naturally seek to align themselves with the prevailing narrative. Security experts must take this with a grain of salt and distinguish genuine contributions from those shaped more by market dynamics than by substance. Prioritize conversations that deliver specifics, such as detection rules and threat modeling tailored to your environment. Security professionals must filter the noise through operational relevance and requests for evidence, and factor real, measurable changes into their decision-making.

Recalibrate PIRs To Reflect Today’s Threat Landscape

One of the most overlooked casualties of such geopolitical escalations is the irrelevance of static threat intelligence priorities. Many threat intel programs are still operating on priority intelligence requirements (PIRs) written for ransomware groups, general cybercrime, or low-level espionage. So if your PIRs focus on “Is there malware in our environment?” or “Are we being targeted by known ransomware affiliates?” then you’re missing the deeper threats (spanning cyber, business, and personnel risk) emerging from the current threat landscape. For example, a more relevant PIR would look like this:

  • Are Iranian state-affiliated threat actors (such as APT33, APT34, APT42, MuddyWater, or CyberAv3ngers) actively targeting our organization, sector, or geographic footprint using one or more operations that combine intrusion, espionage, ICS/OT disruption, and social engineering tactics (e.g., spear phishing, synthetic media, or disinformation)?
  • Are ICS/SCADA assets in our supply chain being probed, mapped, or manipulated?
  • Are our customers, regulators, or board members being exposed/targeted for disinformation tied to current geopolitical narratives?

The above details are the connective tissue between technical defense and operational resilience. Forrester clients who have questions about this topic can book an inquiry or guidance session.