Fortify Your Network Security from Emerging Geopolitical Cyberthreats

Following the outbreak of a geopolitical conflict in the Middle East in early 2026, Akamai observed a 245% surge in malicious cyber activity targeting global enterprises. The threat landscape is characterized by massive increases in automated reconnaissance, credential harvesting, and data-wiping attacks by state-sponsored and hacktivist groups like Handala, primarily targeting the financial, ecommerce, and healthcare sectors.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-03-14

Authors: Piero Vera

Actors: Handala, Iran intelligence agencies, Nation-state actors

Source: Akamai

Key Takeaways

  • Akamai observed a 245% increase in cybercrime targeting North America, Europe, and APAC following the start of a Middle East conflict in early 2026.
  • The Iran-linked hacktivist group Handala claimed responsibility for a massive data-wiping attack against medical technology company Stryker.
  • Banking, financial services, ecommerce, and video games account for 80% of the targeted destinations for malicious traffic.
  • Threat actors are heavily utilizing proxy services in countries like Russia and China to launch billions of designed-for-abuse connection attempts.
  • Significant increases were observed in automated reconnaissance (+65%), botnet-driven discovery (+70%), and infrastructure scanning (+52%).

Affected Systems

  • Banking and financial services infrastructure
  • Ecommerce platforms
  • Video game networks
  • Critical public infrastructure
  • Medical technology systems

Attack Chain

Threat actors leverage proxy services in regions like Russia and China to mask their origins. They conduct large-scale automated reconnaissance, infrastructure scanning, and botnet-driven discovery to identify exposed services and vulnerabilities. Following reconnaissance, actors execute credential harvesting and pre-DDoS probing, culminating in disruptive actions such as volumetric DDoS attacks or targeted data-wiping operations against critical infrastructure.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Akamai Prolexic

The article provides specific Akamai Prolexic Network Cloud Firewall geo-blocking rules (e.g., deny ip GEO:: RU any, deny ip GEO:: IR any) to mitigate the observed malicious traffic.

Detection Engineering Assessment

  • EDR Visibility: Low — The threats discussed are primarily volumetric network attacks, reconnaissance, and scanning, which are detected at the network edge rather than the endpoint.
  • Network Visibility: High — The activity consists of massive spikes in connection attempts, automated scanning, and pre-DDoS probing, which are highly visible in network traffic logs and edge firewall telemetry.
  • Detection Difficulty: Easy — Volumetric scanning and massive traffic spikes from unexpected geolocations are relatively easy to detect using standard network monitoring and geo-IP filtering.

Required Log Sources

  • Edge Firewall Logs
  • WAF Logs
  • NetFlow/IPFIX
  • Web Server Access Logs

Hunting Hypotheses

  • Hypothesis: Threat actors are conducting large-scale infrastructure scanning from unexpected geolocations (e.g., Russia, Iran) targeting edge services.
    Telemetry: Edge Firewall Logs, WAF Logs
    ATT&CK Stage: Reconnaissance
    FP Risk: Low (if the organization has no legitimate business in those regions)
  • Hypothesis: Adversaries are performing pre-DDoS reconnaissance by sending bursts of traffic to critical APIs and web applications.
    Telemetry: WAF Logs, Load Balancer Logs
    ATT&CK Stage: Reconnaissance
    FP Risk: Medium (could be confused with legitimate traffic spikes or benign web crawlers)

Control Gaps

  • Lack of edge-level geo-blocking
  • Insufficient rate limiting on critical APIs

Key Behavioral Indicators

  • Sudden spikes in connection attempts from specific ASNs or countries
  • High volume of 403/404 errors indicating infrastructure scanning
  • Repeated failed login attempts indicating credential harvesting
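As an added example (not from the Akamai article or this report), the hunting hypotheses and the three behavioral indicators above turned into simple checks over constructed log lines; the log format, the country allowlist and the thresholds are assumptions a team would tune to its own telemetry:

```python
"""Hunting checks for unexpected-geo traffic, 403/404 scanning and repeated
failed logins, run over constructed edge-firewall / web-access style records."""
from collections import Counter

# Constructed sample log lines (fields: timestamp country src_ip status path).
# IPs are documentation ranges; countries mirror the report's examples.
SAMPLE_LOGS = """\
2026-03-14T10:00:01Z US 198.51.100.10 200 /
2026-03-14T10:00:02Z DE 203.0.113.5 200 /api/orders
2026-03-14T10:00:03Z RU 192.0.2.7 404 /.env
2026-03-14T10:00:03Z RU 192.0.2.7 404 /wp-admin
2026-03-14T10:00:04Z RU 192.0.2.7 403 /admin
2026-03-14T10:00:04Z RU 192.0.2.7 404 /.git/config
2026-03-14T10:00:05Z IR 192.0.2.9 401 /login
2026-03-14T10:00:05Z IR 192.0.2.9 401 /login
2026-03-14T10:00:06Z IR 192.0.2.9 401 /login
2026-03-14T10:00:06Z US 198.51.100.11 200 /api/orders
"""

ALLOWED_COUNTRIES = {"US", "DE"}  # assumption: regions where the business operates
SCAN_MIN_4XX = 4                  # assumption: 403/404 hits per source before flagging
LOGIN_FAIL_MIN = 3                # assumption: failed logins per source before flagging


def parse(lines):
    """Split each whitespace-delimited record into a (ts, country, ip, status, path) tuple."""
    rows = []
    for line in lines.strip().splitlines():
        ts, country, ip, status, path = line.split()
        rows.append((ts, country, ip, int(status), path))
    return rows


def unexpected_geo(rows):
    """Hypothesis 1: connection attempts per country outside the allowlist."""
    return dict(Counter(r[1] for r in rows if r[1] not in ALLOWED_COUNTRIES))


def scanners(rows):
    """Indicator: sources producing a high volume of 403/404 responses (scanning)."""
    c = Counter(r[2] for r in rows if r[3] in (403, 404))
    return {ip: n for ip, n in c.items() if n >= SCAN_MIN_4XX}


def credential_harvesting(rows):
    """Indicator: sources with repeated failed logins against the login endpoint."""
    c = Counter(r[2] for r in rows if r[4] == "/login" and r[3] in (401, 403))
    return {ip: n for ip, n in c.items() if n >= LOGIN_FAIL_MIN}


if __name__ == "__main__":
    rows = parse(SAMPLE_LOGS)
    print(unexpected_geo(rows), scanners(rows), credential_harvesting(rows))
```

The country counts feed the geo-blocking decision in the Recommendations; the per-source counters are what a rate-limiting or IP-reputation rule would act on.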

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Implement geo-blocking rules at the network edge to deny traffic from regions where the organization does not conduct business (e.g., Russia, Iran).
  • Review and enforce rate limiting and IP reputation controls for websites and critical applications.

Infrastructure Hardening

  • Deploy always-on DDoS security controls to mitigate volumetric attacks.
  • Implement microsegmentation to prevent lateral movement if the perimeter is breached.
  • Review critical subnets and ensure mitigation controls are active.

User Protection

  • Monitor for credential harvesting attempts and enforce multi-factor authentication (MFA) across all external-facing services.

Security Awareness

  • Exercise incident response runbooks, validating emergency plans, contacts, and lockdown policies for critical assets.

MITRE ATT&CK Mapping

  • T1595 - Active Scanning
  • T1595.002 - Vulnerability Scanning
  • T1589 - Gather Victim Identity Information
  • T1485 - Data Destruction
  • T1498 - Network Denial of Service
  • T1090 - Proxy