- Key insight: U.S. banks face a heightened operational risk from external hacktivist groups seeking retaliation for the Sepah Bank strike.
- What's at stake: Banks face a dual threat of operational disruptions in the Middle East and retaliatory cyberattacks on their vital tech infrastructure.
- Forward look: Financial institutions are urged to prepare communications plans and implement "out-of-band" verification to mitigate public panic and potential breaches.
Overview bullets generated by AI with editorial review
Iran's military command publicly named U.S.- and Israeli-linked banks as military targets Wednesday, shifting what has been a generalized cyber alert for American financial institutions into an explicit, state-level declaration of intent.
The threat came from Ebrahim Zolfaghari, a spokesperson for Iran's Khatam al-Anbiya Central Headquarters, the Islamic Revolutionary Guard Corps' military command.
Hours earlier, a missile had struck the digital security center of Sepah Bank, one of Iran's largest state-owned banks, destroying the building on Haghani Street in Tehran while the bank was processing salary payments for military personnel, according to Iran International, a Saudi-affiliated media organization.
The Sepah Bank strike hit the bank's digital security center — the infrastructure that protects the bank's systems. Several bank employees died in the attack, state television reported.
Online banking at both Sepah Bank and Melli Bank Iran remained down for a second consecutive day, with customers limited to card-based services, according to Iran International.
For U.S. banks, the declaration represents a meaningful step beyond the heightened-alert environment that has prevailed since U.S. and Israeli forces launched Operation Epic Fury on Feb. 28. Previously, the threat was probabilistic. Now, it is official.
"With this illegitimate and uncommon action, the enemy is forcing our hand to target economic centres and banks linked to the U.S. and Zionist regime in the region," Zolfaghari said, according to a Wednesday Reuters report.
He added that "Americans should await our countermeasure and our painful response," and warned people in the Middle East to stay at least one kilometer away from banks.
Iranian state media called the strike "illegitimate and unusual," saying it opened the way for Iran to respond in kind against U.S.- and Israeli-linked financial infrastructure, according to Al Jazeera.
Internet slowed in Iran
Iran's domestic internet connectivity collapsed to 1-4% of normal levels beginning on Feb. 28, according to Unit 42, the threat intelligence arm of Palo Alto Networks, citing data from internet monitor NetBlocks.
That blackout, Unit 42 assessed, "will likely hinder the ability of state-aligned threat actors to coordinate and execute sophisticated cyberattacks in the near-term."
State-sponsored cyber units may be operating in isolation, "which could result in deviations from previously established patterns," the firm said in a March 2 threat brief.
The near-term threat, in other words, is more likely to come from groups operating outside Iran than from state units cut off inside it.
Unit 42 counted approximately 60 individual hacktivist groups active as of March 2, including Iranian state-aligned and pro-Iranian groups as well as pro-Russian groups and opportunistic threat actors. Many of these groups operate outside Iran and beyond the reach of the country's internet blackout.
These groups have already claimed attacks on regional financial infrastructure: The hacktivist group DieNet claimed responsibility for targeting the websites of Riyadh Bank and the Bank of Jordan, while the Cyber Islamic Resistance claimed to have compromised Israeli payment infrastructure, according to the Unit 42 brief.
Unit 42 assessed that these external groups' attacks are likely to be "of low to medium significance" — but cautioned that the situation remains fluid and that state-sponsored Iranian actors, which Unit 42 tracks under the name Serpens, "could increase or escalate activity in the coming weeks."
What banks are saying and doing
The Securities Industry and Financial Markets Association, or SIFMA, struck a watchful tone.
"The industry remains vigilant and ready to respond to cyber threats at all times, and especially when global cybersecurity risks are heightened," said Todd Klessman, SIFMA's managing director for financial services cyber and technology, according to Reuters.
"We continue to monitor the current situation with a focus on operational resilience, which is foundational to the integrity and stability of the U.S. capital markets," Klessman added.
FS-ISAC, the financial sector's information-sharing consortium, said it is actively coordinating intelligence distribution.
"In light of the ongoing military action in the Middle East, we are coordinating with relevant parties to ensure our ecosystem has continuous access to the latest intelligence and guidance to protect the global financial system," a spokesperson told Reuters.
Credit rating agency Morningstar DBRS said last week that the most significant risks to global banks are likely to be indirect — oil price spikes, borrower stress — but cautioned that "Iran could increase its cyberattacks against Western entities, including banks."
What security officials recommend
Unit 42 issued a set of tactical recommendations for organizations facing elevated risk:
- Store at least one copy of critical data offline, disconnected from the network, to guard against encryption or deletion attacks;
- Implement "out-of-band" verification for any requests received through external channels, using a separate trusted internal channel to confirm;
- Patch all internet-facing infrastructure;
- Train staff on phishing and social engineering; and
- Consider geographic blocking of internet traffic from high-risk regions where the bank has no legitimate business.
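As an added illustration of the last item, geographic blocking (example code written for this page, not code from Unit 42 or from any bank named here): a geo-block with no carve-out for legitimate business traffic breaks that traffic silently, so the filter below checks an explicit allowlist before the blocked ranges, unwraps IPv4-mapped IPv6 addresses so a v4 rule still matches a `::ffff:` source, and counts malformed source fields separately so they surface in review instead of passing unnoticed. The blocked ranges, the allowlist entries and the log lines are all constructed; RFC 5737 and RFC 3849 documentation prefixes stand in for a real geo-IP feed and a hypothetical correspondent bank's gateway.

```python
"""Geo-IP blocking with a business allowlist (added illustration, not Unit 42 code)."""
import ipaddress
from collections import Counter

# Constructed sample ranges: documentation prefixes stand in for a geo-IP feed of
# "high-risk region" blocks. They are not real regional allocations.
HIGH_RISK_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]

# Assumed allowlist: a correspondent bank's gateway that happens to sit inside a
# blocked range. Without this carve-out the geo-block would drop legitimate traffic.
ALLOWLIST = ["198.51.100.7/32", "2001:db8:1::/48"]

# Constructed access-log lines (combined log format); the first field is the source IP.
SAMPLE_LOG = """\
192.0.2.44 - - [05/Mar/2026:10:01:02 +0000] "GET /online-banking/login HTTP/1.1" 200 512
198.51.100.7 - - [05/Mar/2026:10:01:05 +0000] "POST /api/settlement/ack HTTP/1.1" 200 88
203.0.113.9 - - [05/Mar/2026:10:01:09 +0000] "GET /status HTTP/1.1" 200 14
::ffff:192.0.2.51 - - [05/Mar/2026:10:01:11 +0000] "GET /online-banking/login HTTP/1.1" 200 512
2001:db8:1::10 - - [05/Mar/2026:10:01:15 +0000] "GET /api/health HTTP/1.1" 200 2
2001:db8:9::1 - - [05/Mar/2026:10:01:20 +0000] "GET /online-banking/login HTTP/1.1" 200 512
not-an-ip - - [05/Mar/2026:10:01:22 +0000] "GET / HTTP/1.1" 400 0
"""


def build_policy(blocks, allow):
    """Parse CIDR strings once; strict=False tolerates host bits set in a feed entry."""
    blocked = [ipaddress.ip_network(b, strict=False) for b in blocks]
    allowed = [ipaddress.ip_network(a, strict=False) for a in allow]
    return blocked, allowed


def normalize(ip_str):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so v4 rules apply."""
    addr = ipaddress.ip_address(ip_str.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def classify(ip_str, blocked, allowed):
    """Return 'allow', 'block' or 'invalid'. Allowlist wins over the blocked ranges."""
    try:
        addr = normalize(ip_str)
    except ValueError:
        return "invalid"
    # ipaddress returns False for a v4 address tested against a v6 network, so mixed
    # families in the lists are safe.
    if any(addr in net for net in allowed):
        return "allow"
    if any(addr in net for net in blocked):
        return "block"
    return "allow"


def apply_policy(log_text, blocked, allowed):
    """Classify every line's source field; return decision counts and the blocked sources."""
    counts = Counter()
    dropped = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split(" ", 1)[0]
        verdict = classify(src, blocked, allowed)
        counts[verdict] += 1
        if verdict == "block":
            dropped.append(src)
    return counts, dropped


if __name__ == "__main__":
    blocked_nets, allowed_nets = build_policy(HIGH_RISK_BLOCKS, ALLOWLIST)
    summary, dropped_sources = apply_policy(SAMPLE_LOG, blocked_nets, allowed_nets)
    print(dict(summary))
    for src in dropped_sources:
        print("blocked", src)
```

Two things to notice when running it: the allowlisted gateway `198.51.100.7` passes even though its /24 is blocked, which is the carve-out a bank needs for partners in an otherwise blocked region, and `::ffff:192.0.2.51` is blocked because the mapped address is unwrapped before matching; a filter that compares the raw string against v4 ranges would let it through.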
The firm also urged organizations to prepare their communications plans now, before an incident occurs. Hacktivist groups "often exaggerate their reach," Unit 42 noted, and quickly scoping and verifying a potential breach "can prevent public panic."
The warning is pointed: In an environment where Iranian-aligned groups are broadcasting claims of responsibility across public Telegram channels, a bank's ability to rapidly assess and communicate what actually happened — versus what a threat actor claims happened — may matter as much as its ability to prevent the attack in the first place.