Iran launches sweeping cyber retaliation after US-Israeli strikes
Iranian-aligned hackers have opened a major cyber front against Gulf states and Israel following joint US-Israeli strikes on Iranian military and nuclear facilities. The campaign has hit government networks and critical infrastructure across the Middle East, underscoring how cyber operations now sit at the center of the confrontation between Tehran and its rivals. Between 28 February and 1 March, threat intelligence firm CloudSEK tracked more than 150 claimed hacktivist operations, largely distributed denial-of-service attacks, website defacements and data breaches against targets in Israel, the Gulf and countries seen as backing US or Israeli policy. The escalation is directly linked to Operation Roaring Lion and Operation Epic Fury, the codenames used by Israel and the United States for the coordinated strikes launched on 28 February against Iranian leadership compounds, Islamic Revolutionary Guard Corps facilities and nuclear-related infrastructure.
One of the earliest concrete signs of Iran’s cyber response emerged when the pro-Iran, pro-Palestinian ransomware group Handala claimed it had compromised Israel Opportunity Energy, a major oil and gas exploration company, and warned of the start of “massive cyber attacks” and the “destruction of cyber infrastructures.” Cybersecurity researchers say the loosely affiliated collective Handala Hack, linked in open-source reporting to Iran’s Ministry of Intelligence and Security, has also claimed attacks in Jordan and threatened further operations against regional targets. Another cluster of actors styling itself the Islamic Cyber Resistance Axis has taken credit for intrusions against Israeli defense contractor Rafael’s air-defense infrastructure and a drone detection platform known as VigilAir, while issuing online calls to recruit technical specialists for what it describes as a large-scale cyber battle against Israel and the United States.
CloudSEK’s assessment finds that these incidents are being driven by multiple hacktivist brands operating along shared pro-Iran and pro-Palestinian narratives, with targets spanning government portals, financial institutions, aviation firms, telecommunications operators and other critical infrastructure providers. While many of the attacks have relied on noisy, disruptive tactics such as DDoS floods and defacements, security analysts warn that some groups are also attempting deeper intrusions and data theft, particularly in the energy and defense sectors. The spread of activity across different campaigns and regions suggests a model in which Iranian intelligence and security organs seed tools, narratives and targeting guidance, while deniable “hacktivist fronts” execute the operations in public view.
Western threat intelligence specialists caution that the cyber fallout will reach well beyond the immediate conflict zone. John Hultquist, who leads threat intelligence at Google’s parent company Alphabet, told Infosecurity Magazine he expects to see nominal “hacktivist” brands acting as covers for the Islamic Revolutionary Guard Corps, as well as ransomware incidents that function more as strategic disruption than ordinary cybercrime. He said likely targets include the United States, Gulf Cooperation Council members and any state or institution that has recently “drawn Iran’s ire,” pointing to a significantly expanded global attack surface. Parallel reporting from cybersecurity firm Anomali indicates that Iran has mobilized APT42 and APT33, long-standing advanced persistent threat units linked respectively to the IRGC and the Ministry of Intelligence, with destructive wiper malware assessed as the most probable tool for follow-on operations. SentinelOne and other vendors have warned clients that Iranian-linked actors are poised to probe and potentially strike Israeli and American defense, government and intelligence networks as the crisis continues.
The cyber campaign is unfolding alongside Iran’s kinetic retaliation, which has included missile and drone launches against US-linked military installations in Gulf Cooperation Council states, notably bases in the United Arab Emirates, Bahrain, Qatar and Kuwait. At the same time, Iran has suffered a severe disruption to its own digital infrastructure, with network observatories such as NetBlocks and Cloudflare recording a collapse in national connectivity to only a small fraction of usual traffic in the 48 hours after the first strikes. Yet despite that blackout, analysts say Iranian state-backed operators and their proxy networks abroad have maintained enough access to sustain offensive campaigns outside the country, particularly against regional adversaries and Western partners. CloudSEK concludes that the current phase of the confrontation illustrates how cyber operations have become a core instrument of geopolitical escalation, allowing states under military pressure to project power and impose costs far beyond conventional battlefields.