Cleartext – March 02, 2026
Monday, March 2, 2026 · 6:22
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 9 stories across 4 topic areas, including: US and Israel Launch 'Major Combat Operations' Against Iran; Western Cybersecurity Experts Brace for Iranian Reprisal; US-Israel and Iran Trade Cyberattacks: Pro-West Hacks Cause Disruption as Tehran Retaliates.
Stories Covered
🌍 Geopolitical
US and Israel Launch 'Major Combat Operations' Against Iran
BankInfoSecurity · Mar 02 · Relevance: ██████████ 10/10
Why it matters to CISOs: Active military conflict with Iran fundamentally changes the cyber threat landscape for Western enterprises; CISOs must immediately elevate defensive postures, particularly for critical infrastructure, financial services, and energy sectors that are prime Iranian retaliation targets.
- U.S. President Trump announced 'major combat operations in Iran' in coordination with Israel
- Iran responded with missile attacks
- Cybersecurity experts forecast significant online reprisals against Western targets
Western Cybersecurity Experts Brace for Iranian Reprisal
BankInfoSecurity · Mar 02 · Relevance: ██████████ 10/10
Why it matters to CISOs: Threat intelligence firms are reporting the first signs of an Iranian cyber counteroffensive; CISOs need actionable intelligence on Iranian TTPs and should be activating incident response plans and coordinating with sector ISACs immediately.
- US and Israel may have launched 'largest cyberattack in history' against Tehran
- First signs of Iranian cyber counteroffensive became visible on Sunday
- Threat intelligence firms warn organizations across the West and allied nations to prepare
US-Israel and Iran Trade Cyberattacks: Pro-West Hacks Cause Disruption as Tehran Retaliates
SecurityWeek · Mar 02 · Relevance: ██████████ 10/10
Why it matters to CISOs: This details the specific cyber weapons being deployed — wiper malware, DDoS, and critical infrastructure disruptions — giving CISOs concrete threat vectors to prioritize defenses against in the coming days and weeks.
- Both sides are deploying wiper malware, DDoS attacks, and critical infrastructure disruptions
- Hacking campaigns are actively targeting both sides' infrastructure
- Cyber operations are running in parallel with kinetic military strikes
North Korean APT Targets Air-Gapped Systems in Recent Campaign
SecurityWeek · Mar 02 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Air-gapped systems are often considered the last line of defense for classified or sensitive environments; this campaign demonstrates that North Korean actors have developed sophisticated tooling to bridge air gaps, requiring CISOs to reassess assumptions about network isolation controls.
- North Korean APT deployed new implant, loader, propagation tool, and two backdoors
- Campaign specifically targeted air-gapped systems, using Windows shortcut (LNK) files as the initial delivery vector
- Demonstrates continued evolution of DPRK offensive cyber capabilities
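The page says only that shortcut files were the vector, so the obvious defensive check is to inspect every .lnk that arrives on removable media before it is opened on the isolated side. The script below is an added example, not code from the page or from the reporting it summarises: it parses the fixed header and STRING_DATA section of the Shell Link binary format (MS-SHLLINK) and flags shortcuts that launch a script host, borrow another program's icon, pad their arguments with whitespace, or open minimised. Those heuristics are generic LNK-abuse indicators, not details of this campaign; the sample shortcuts are constructed with build_lnk() for the demonstration and are not the actors' files.

```python
"""Triage Windows shortcut (.lnk) files carried across an air gap on removable media.

Added example (not the page's or the campaign's code). Parses the Shell Link header
and STRING_DATA fields and scores common shortcut-abuse indicators. Sample files
are constructed below with build_lnk() and are not real campaign artefacts.
"""
import struct
from dataclasses import dataclass, field

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that opens the target minimised and unfocused

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
LOADER_SWITCHES = ("-enc", "-e ", "iex", "downloadstring", "-w hidden",
                   "-windowstyle hidden", "-nop", "frombase64string")


@dataclass
class LnkSummary:
    relative_path: str
    working_dir: str
    arguments: str
    icon_location: str
    show_command: int
    reasons: list = field(default_factory=list)  # empty list means nothing flagged


def is_lnk(buf: bytes) -> bool:
    """True if buf starts with a valid ShellLinkHeader (size 0x4C and the LNK CLSID)."""
    return (len(buf) >= HEADER_SIZE
            and struct.unpack_from("<I", buf, 0)[0] == HEADER_SIZE
            and buf[4:20] == LNK_CLSID)


def _read_string(buf: bytes, pos: int, unicode: bool):
    """Read one STRING_DATA entry: 16-bit character count, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le", errors="replace"), pos + 2 * count
    return buf[pos:pos + count].decode("cp1252", errors="replace"), pos + count


def parse_lnk(buf: bytes) -> LnkSummary:
    if not is_lnk(buf):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    show_command = struct.unpack_from("<I", buf, 0x3C)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip LinkTargetIDList: 2-byte size + IDList
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:             # skip LinkInfo: its size field includes itself
        pos += struct.unpack_from("<I", buf, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    # STRING_DATA entries appear in this fixed order, each only if its flag is set
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            strings[key], pos = _read_string(buf, pos, unicode)
        else:
            strings[key] = ""
    s = LnkSummary(strings["relative_path"], strings["working_dir"], strings["arguments"],
                   strings["icon_location"], show_command)
    launch = (s.relative_path + " " + s.arguments).lower()
    if any(h in launch for h in SCRIPT_HOSTS):
        s.reasons.append("launches a script host")
        if s.icon_location and not any(h in s.icon_location.lower() for h in SCRIPT_HOSTS):
            s.reasons.append("icon borrowed from another program")
    if any(sw in s.arguments.lower() for sw in LOADER_SWITCHES):
        s.reasons.append("argument string matches known loader switches")
    if " " * 10 in s.arguments:           # runs of spaces push the payload out of the Properties dialog
        s.reasons.append("arguments padded with whitespace")
    if s.show_command == SW_SHOWMINNOACTIVE:
        s.reasons.append("window opens minimised")
    return s


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "",
              show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode .lnk with an empty IDList (constructed sample data only)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | IS_UNICODE
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = struct.pack("<HH", 2, 0)       # IDListSize=2, then the 2-byte TerminalID
    for text in (relative_path, arguments, icon_location):  # RELATIVE_PATH, ARGUMENTS, ICON order
        if text:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


SAMPLES = {  # constructed for this example; hypothetical file names
    "Report.pdf.lnk": build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-nop -w hidden" + " " * 40 + "-enc SQBFAFgAIAAoAC4ALgAuACkA",
        r"%SystemRoot%\System32\shell32.dll", SW_SHOWMINNOACTIVE),
    "Quarterly.docx.lnk": build_lnk(r"..\Documents\Quarterly.docx"),
}


def triage(samples: dict) -> dict:
    """Map each file name to the list of reasons it was flagged (empty means clean)."""
    return {name: parse_lnk(data).reasons for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(name, "SUSPICIOUS" if reasons else "ok", reasons)
```

Run it over a directory of shortcuts collected from the transfer media (read each file into `parse_lnk`) and quarantine anything with a non-empty reason list; a shortcut whose target is a document should never resolve to a script host, and that single rule catches most shortcut-based droppers regardless of how the payload is encoded.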
🔓 Data Breach
Madison Square Garden Data Breach Confirmed Months After Hacker Attack
SecurityWeek · Mar 02 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: This breach stems from the 2025 Oracle E-Business Suite hacking campaign, underscoring ongoing supply chain risk from enterprise software vulnerabilities; CISOs running Oracle EBS should verify they aren't among unreported victims.
- Madison Square Garden confirmed a data breach months after the initial attack
- Breach linked to the 2025 Oracle E-Business Suite (EBS) hacking campaign
- MSG is one of many victims in the broader Oracle EBS exploitation wave
⚖️ Governance & Policy
UK warns of Iranian cyberattack risks amid Middle-East conflict
BleepingComputer · Mar 02 · Relevance: █████████░ 9/10
Why it matters to CISOs: The UK NCSC's formal advisory gives CISOs government-backed justification for escalating security spending and staffing; a national-level alert of this kind can be cited to boards and executive leadership when requesting emergency measures.
- UK NCSC issued formal alert to British organizations about heightened Iranian cyber threat
- Advisory urges organizations to review and strengthen cyber defenses immediately
- Warning tied directly to ongoing military conflict in the Middle East
Nick Andersen Appointed Acting Director of CISA
SecurityWeek · Mar 02 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A CISA leadership change during active military conflict with Iran raises questions about continuity of federal cyber defense coordination; CISOs relying on CISA advisories, threat feeds, and JCDC coordination should monitor for any operational disruptions.
- Nick Andersen appointed as acting director of CISA
- Previous acting director Madhu Gottumukkala reassigned within DHS
- Leadership transition comes amid heightened cyber threat environment from Iran conflict
Security debt is becoming a governance issue for CISOs
Help Net Security · Mar 02 · Relevance: ██████░░░░ 6/10
Why it matters to CISOs: Veracode's 2026 report spanning 1.6M applications provides board-ready data showing security debt is a systemic governance issue, not just a technical one — useful ammunition for CISOs seeking budget to address application security backlogs.
- Analysis spans 1.6 million unique applications across static, dynamic, SCA, and manual testing
- Fixes consistently lag discovery with older weaknesses staying open across release cycles
- Application security backlogs continue expanding across large development portfolios
🚨 Critical Vulnerability
APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday
The Hacker News · Mar 02 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A Russian state-sponsored group exploiting a high-severity Microsoft MSHTML zero-day before patch availability represents an urgent patching priority, especially given the current geopolitical climate with heightened Russian cyber operations.
- CVE-2026-21513 (CVSS 8.8) in MSHTML Framework was exploited as a zero-day by APT28 before February patch
- APT28 is a Russia-linked state-sponsored threat actor
- Akamai researchers disclosed the exploitation link; patch now available from Microsoft
Further Reading
- 🌍 US and Israel Launch 'Major Combat Operations' Against Iran — BankInfoSecurity
- 🌍 Western Cybersecurity Experts Brace for Iranian Reprisal — BankInfoSecurity
- 🌍 US-Israel and Iran Trade Cyberattacks: Pro-West Hacks Cause Disruption as Tehran Retaliates — SecurityWeek
- 🌍 North Korean APT Targets Air-Gapped Systems in Recent Campaign — SecurityWeek
- 🔓 Madison Square Garden Data Breach Confirmed Months After Hacker Attack — SecurityWeek
- ⚖️ UK warns of Iranian cyberattack risks amid Middle-East conflict — BleepingComputer
- ⚖️ Nick Andersen Appointed Acting Director of CISA — SecurityWeek
- ⚖️ Security debt is becoming a governance issue for CISOs — Help Net Security
- 🚨 APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday — The Hacker News
Full Transcript
Alex: It's Monday, March 2nd, 2026. This is Security Decoded. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. We are at war. The United States and Israel launched major combat operations against Iran over the weekend, and the cyber dimension of this conflict is already live. If you're a CISO and you haven't elevated your defensive posture as of this morning, you are behind. This is the episode you need to listen to right now.
Alex: Jordan's not being dramatic. This is the most consequential shift in the cyber threat landscape since Russia invaded Ukraine. Today we're going wall to wall on this. We'll cover the kinetic operations and what they mean for your networks, the specific cyber weapons already in play, government advisories you can take to your board this morning, a CISA leadership change that has terrible timing, and then we'll touch on a Russian zero-day, a North Korean air-gap campaign, and a breach that traces back to Oracle EBS. Let's get into it.
Jordan: So here's what happened. President Trump announced major combat operations against Iran in coordination with Israel. The stated objective is Tehran's nuclear program. Iran has responded with missile attacks. This is not a limited strike. This is an escalating military conflict with a nation-state that has one of the most capable offensive cyber programs on the planet.
Alex: And Jordan, I want to frame this for our audience immediately. If you are in critical infrastructure, financial services, energy, water, healthcare, you are on the target list. Iran has demonstrated repeatedly, going back to the Shamoon attacks on Saudi Aramco, through the 2019 and 2020 campaigns against U.S. banks and water utilities, that cyber is their asymmetric weapon of choice when they can't match conventional military power.
Jordan: That's exactly right. And unlike Russia, which often uses cyber for espionage and strategic positioning, Iran's playbook when backed into a corner is destructive. They go for impact. They want to cause pain that's visible and that they can point to as retaliation. The intelligence community has been warning about this scenario for years, and now it's here.
Alex: Let's talk about what's already happening in cyberspace because this isn't theoretical. SecurityWeek is reporting that both sides are actively trading cyberattacks. We're seeing wiper malware, DDoS campaigns, and disruptions to critical infrastructure on both sides. The U.S. and Israel may have launched what some threat intelligence firms are calling the largest cyberattack in history against Tehran's infrastructure.
Jordan: And by Sunday, the first signs of the Iranian counter-offensive were already visible. Threat intelligence firms are tracking initial Iranian cyber operations targeting Western and allied nation infrastructure. This is moving fast. The Iranian cyber apparatus, we're talking about groups like APT33, APT34, MuddyWater, and their proxies, these aren't script kiddies. These are sophisticated operators with established access to Western networks. Some of that access may have been pre-positioned months or even years ago, waiting for exactly this kind of trigger.
Alex: So let's talk about what CISOs should be doing right now, this morning, before lunch. First, activate your incident response plans. Not review them. Activate them. Get your IR teams on heightened alert. Second, contact your sector ISAC. If you're in financial services, energy, healthcare, your ISAC should be pushing threat intelligence right now. Get on those calls. Third, review your threat intelligence feeds for Iranian TTPs. MITRE ATT&CK has extensive documentation on Iranian groups. Focus your detection engineering on those techniques today.
Jordan: I'd add a few operational items. Review your internet-facing attack surface with fresh eyes. Iranian groups love exploiting VPNs, web applications, and exposed management interfaces. Check your DNS configurations. They've used DNS hijacking extensively in past campaigns. And have a conversation with your OT teams if you have operational technology environments. Wiper malware doesn't discriminate between IT and OT once it's inside.
Alex: And this brings us to the UK's response, which I think is significant for a governance reason. The UK's National Cyber Security Centre issued a formal advisory to British organizations about heightened Iranian cyber threats tied directly to this conflict. CISOs, this is the kind of government-backed mandate you can take to your board and your CFO this morning. When a national cyber security agency issues a formal alert, that's your justification for emergency spending, extended shifts, bringing in additional IR support, whatever you need.
Jordan: This is not a drill memo. This is a wartime footing memo.
Alex: Exactly. And the NCSC advisory is actionable. It urges organizations to review and strengthen defenses immediately. If your board asks why you're requesting emergency budget, you point to a Five Eyes nation issuing a formal cyber threat warning. That conversation should be very short.
Jordan: Now here's where the timing gets uncomfortable. CISA, our own federal cybersecurity coordination agency, just went through a leadership change. Nick Andersen has been appointed acting director. The previous acting director, Madhu Gottumukkala, was reassigned within DHS. This is the third leadership transition at CISA in recent memory.
Alex: And Jordan, I have to be blunt about this. A leadership transition at CISA during the opening days of a military conflict with a top-tier cyber adversary is deeply concerning. CISA's Joint Cyber Defense Collaborative, their threat feeds, their advisories, these are critical coordination mechanisms for the private sector. Any disruption in operational tempo, even minor, comes at the worst possible time.
Jordan: CISOs should be monitoring CISA's output closely over the next few days. If you notice a drop in advisory frequency or specificity, lean harder on your commercial threat intelligence providers and your ISAC relationships. Don't assume the federal coordination layer will function at full capacity during a leadership transition in a crisis.
Alex: Good. Let's shift gears briefly, because even in a crisis, there are other threats that haven't stopped operating. Jordan, APT28.
Jordan: Yeah, so while the world is focused on Iran, Russia hasn't taken a day off. Akamai researchers have tied APT28, that's Russia's GRU military intelligence, to the exploitation of CVE-2026-21513, a high-severity vulnerability in Microsoft's MSHTML framework. CVSS 8.8. This was exploited as a zero-day before Microsoft's February Patch Tuesday. The patch is now available.
Alex: The action item here is simple. If you haven't applied the February patches, do it today. This isn't hypothetical exploitation. A nation-state actor was using this in the wild before the patch existed. And in the current environment, with Russia potentially seeing opportunity in the chaos of a new conflict, you cannot afford to leave Russian zero-days unpatched.
Jordan: Agreed. And while we're on nation-state activity, there's a North Korean campaign worth flagging. A DPRK APT has deployed new tooling specifically designed to target air-gapped systems. They're using Windows shortcut files as the initial vector, along with a new implant, loader, propagation tool, and two backdoors.
Alex: This matters for anyone who relies on air-gapped environments as a security control, defense contractors, research facilities, certain financial systems. The assumption that network isolation equals safety has been eroding for years, and this campaign is another proof point. If you have air-gapped systems, you need to be auditing what's crossing those gaps via removable media and ensuring your endpoint detection covers those environments.
Jordan: The sophistication here is notable. This isn't opportunistic. This is purpose-built tooling for bridging air gaps, which tells you the target set is high-value and the investment in development was significant.
Alex: Last story before our outlook. Madison Square Garden confirmed a data breach that was linked to the 2025 Oracle E-Business Suite hacking campaign. MSG is one of many victims in what was a broad exploitation wave targeting Oracle EBS.
Jordan: The real story here isn't MSG specifically. It's that this Oracle EBS campaign is still producing disclosed victims months later. If you're running Oracle EBS, you need to verify you weren't compromised in that wave. Don't assume that because you patched you're clean. These attackers may have established persistence before patches were applied.
Alex: And the months-long gap between the attack and the public confirmation is a governance issue. Boards are increasingly asking about breach disclosure timelines. If you're a CISO, make sure your disclosure process is documented, tested, and aligned with your legal team's guidance, especially now that regulators are paying close attention to notification timing.
Jordan: Alright, let's talk about the week ahead.
Alex: The theme this week is obvious. We are entering a period of sustained, elevated cyber risk driven by a major military conflict. This is not a one-week event. Iranian cyber retaliation will likely escalate over the coming weeks, not diminish. CISOs need to think about sustainment. You can't run your team at sprint pace for months. Think about shift rotations, mental health, and bringing in augmentation now, before fatigue sets in.
Jordan: I'd also watch for opportunistic actors. When the big nation-states are dominating headlines, criminal groups often take advantage of the noise. Ransomware operators know that security teams are distracted. Don't take your eye off the fundamentals while you're focused on the geopolitical threat.
Alex: And one more thing. This is a moment to strengthen your relationship with your board. They're reading the same headlines. They're worried. Come to them with a clear posture assessment, a concrete action plan, and specific asks. This is when CISOs earn trust that lasts for years.
Jordan: The fog of war applies to cyber just as much as kinetic operations. Expect misinformation, expect confusion, and validate before you act on unconfirmed intelligence. Stay sharp out there.
Alex: That's our show for Monday, March 2nd. This is Security Decoded. I'm Alex Chen.
Jordan: I'm Jordan Reeves. Stay safe this week. We'll be back tomorrow.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-02.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.