The recent joint military action by the US and Israel against Iran has triggered a significant cyber response from various groups. Security researchers report an increase in distributed denial of service (DDoS) attacks, assaults on critical infrastructure, and network compromises. These attacks are designed to inflict considerable physical, reputational, and financial damage.
On Saturday, the US and Israel launched extensive military operations within Iran, resulting in the death of Supreme Leader Ayatollah Ali Khamenei and numerous other officials. In retaliation, Iran has engaged in both military actions and cyber warfare, an area in which it has a distinct advantage over its adversaries compared to traditional battlefields.
The US has stated it anticipates a significant cyber response from a diverse group of pro-Iranian cyber actors, who are already involved in cyber espionage and sabotage. These actions are expected to unfold immediately following the initial military strikes and continue for the foreseeable future. The attacks are likely to originate from groups associated with Iranian state entities, such as the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), as well as from hacktivist organizations sympathetic to Iran's cause.
A coalition of pro-Iranian and pro-Russian cyber actors has launched the "#OpIsrael" campaign, targeting critical infrastructure and attempting data exfiltration. Additionally, various hacktivist groups have taken action against specific targets in protest of the military operations and as a response to the military losses suffered by Iran, according to research from organizations like Check Point Research and Flashpoint.
Reports indicate that the IRGC has launched cyberattacks targeting the energy sector, including strikes on Saudi Arabia's Aramco facility and an Amazon Web Services data center in the United Arab Emirates. These countries host US military installations, raising the stakes for potential escalation.
Iran appears to aim for maximum global economic disruption and infrastructure damage through cyber operations, responding to military setbacks with a shift towards severe economic warfare. This strategy increases the risk to global energy supplies, as noted by Flashpoint.
Check Point Research highlights that the current cyber ecosystem supports diverse objectives: espionage for intelligence gathering, disruptive activities including DDoS attacks and data destruction, and information operations that amplify destructive activities or data leaks online. The organization expects that targeting will intensify across the US and allied nations.
Specific Cyberattacks from Various Groups
Researchers from Check Point, Flashpoint, and Unit 42 have compiled a list of specific attacks and activities linked to Iranian or pro-Iranian groups that have occurred since the military actions began. Among these is the group known as Cotton Sandstorm, also called Emennet Pasargad, which has resumed operations after a lengthy silence. This Iranian cyber actor, associated with the IRGC, is now targeting Bahrain, where US military bases are located.
Another group, the FAD Team, has executed a global SQL injection campaign, leaking personally identifiable information from various targets, including a virtual US Air Force entity and educational institutions in France, India, and Vietnam. They also claimed control over network monitoring systems for firewall devices in Mecca and Medina, along with launching DDoS attacks against key infrastructure in Bahrain and Qatar.
Moreover, Unit 42 reports on the Handala Hack group, affiliated with Iran's MOIS, which has combined data exfiltration with cyber operations against Israeli political and defense entities. They have claimed responsibility for compromising an Israeli energy exploration firm and targeting healthcare institutions in Israel to exert domestic pressure.
The Cyber Islamic Resistance, an umbrella group coordinating various hacktivist teams, has launched synchronized DDoS attacks, data-wiping operations, and website defacements against Israeli and Western targets. They have claimed responsibility for breaching an Israeli drone defense system and payment infrastructure in Israel.
Iran's Allies Join the Cyber Fray
In addition to groups directly linked to Iran, several organizations outside the country with pro-Iranian sentiments are conducting coordinated cyberattacks. For example, the pro-Palestinian group Dark Storm Team has claimed responsibility for DDoS attacks against several Israeli websites, including a bank.
In support of Iran, pro-Russian hacktivist groups have also claimed various attacks. One group, Cardinal, stated it targeted Israel Defense Forces systems by infiltrating their networks and publicly releasing the leaked information. The group NoName057(16) has also targeted multiple Israeli entities, disrupting operations across municipal, political, telecommunications, and defense sectors.
Moreover, a collaboration between NoName057(16) and the Cyber Islamic Resistance has resulted in coordinated DDoS attacks against Israeli defense contractors and municipal governments.
Buckle Up, Cyber Defenders
The ongoing situation signifies that organizations, critical infrastructure operators, and individuals can expect to feel the impacts of this conflict, both in cyber and physical domains. Experts warn that the coming weeks and months could be turbulent, urging readiness for potential disruptions.
Organizations should implement maximum security protocols and prepare for hybrid attacks that may bridge physical and cyber threats. Special attention should be given to securing third-party partners or customers in the Middle East that have connections to US-based companies, as highlighted by Cisco Talos researchers.
The researchers emphasize that enterprises must stay informed about potential impacts on partners and third-party suppliers in the region. Additional inspections and controls may be necessary to mitigate broader organizational risks.
Overall, maintaining sound security hygiene is crucial. Organizations should ensure multifactor authentication is enabled, exercise caution with circulating links and documents, and establish robust monitoring systems to address any collateral impacts as they arise.