How Nordic Organizations Must Adjust Their Cybersecurity to a Changing Operating Environment

While there are some signs of de-escalation in the Middle East, the broader geopolitical landscape remains complex and unpredictable. Decisions made in one part of the world continue to have ripple effects across markets, supply chains, and security environments.

In recent weeks, kinetic attacks have dominated headlines, offering visible and immediate evidence of the intensity of conflicts. But how does this translate into the cyber domain, where attacks are less visible, and attribution is harder?

Threat actors generally do not pause alongside diplomatic progress. While parts of the geopolitical landscape may show certain signs of easing, the cybersecurity environment remains unaffected. State-sponsored groups, hacktivists, and opportunistic cybercriminals continue to operate at the same pace, exploiting uncertainty and global attention.

All organizations can become targets, either directly or indirectly, in the tense geopolitical landscape. Maybe through a supply chain attack or via an attack on your company’s manufacturing facilities overseas.

Large-scale ransomware attacks has been declining for enterprises, and attackers are shifting their targeting to mid-size and small entities that may not yet have had the chance to build their cyber defenses to the same level as the enterprise segment.

The changing landscape means we cannot only use the ransomware scenario as the sole dimensioning threat scenario when we design, implement, and run our cybersecurity programs. New things must be added to keep pace with the evolution and broadening of the threat landscape.

As an example, we can bring forward the U.S. operation during President Trump’s first tenure, which resulted in the killing of Qasem Soleimani, the Head of the Iranian Quds Force, which is the elite unit within the Iranian Revolutionary Guard Corps (IRGC). Two months¹ after that attack, the Iranians launched a major cyber campaign against U.S. targets. Many U.S. organizations were impacted because they had not prepared for this scenario involving asymmetric retaliation from the Iranians.

Today, we are in a similar, if not more escalated, situation. To what extent the Iranians will be able to mount a similar campaign is difficult to assess, as the entire apparatus is under significant pressure.

On April 7, CISA, together with the FBI, NSA, and other U.S. agencies, issued a joint advisory on the active exploitation of internet-facing operational technology (OT) devices. The advisory confirms that multiple U.S. critical infrastructure sectors have already experienced operational disruptions. This activity aligns with a long-standing Iranian approach of using cyber attacks during periods of geopolitical tension.

We assess that U.S., Israeli, and Gulf states organizations will be the primary targets. That said, many Nordic organizations have operations in these countries, and the attacker may not differentiate. Our Truesec Threat Intel team is monitoring the situation closely, and we have already delivered tailored analysis to Nordic customers with global operations.

So, what should a cybersecurity team protecting a Nordic organization do? We believe that some adjustments are needed. As an example, we recommend organizations increase their incident response readiness. Exercise, review plans, and make sure you have an IR retainer in place. Furthermore, we recommend increasing threat hunting, performing health checks of your environment, continuing to invest in your exposure management efforts, and finally considering moving OT monitoring up on the priority list.

All these initiatives will increase your readiness to respond and, most importantly, mitigate the risk of cyberattacks against your organization, which could result in significant business disruption and associated outage costs.

In other words, as the world is accelerating, so must the defenders. We are here to assist you in preventing breaches and minimizing impact.

/Rolf Rosenvinge, Chief Strategy Officer, Truesec Group

[1] According to Recorded Future Insikt Group, Iran Crisis Briefing 9th of March 2026

Join Our Webinar Session

Gain insights on how global uncertainty is reshaping cyber risk, and learn what security teams and leaders must do to stay ahead of an increasingly complex threat landscape.

April 28, 09:00-09:30 (CEST) │ Online

Sign up today.