As the spreading war in the Middle East spills into a fifth day, the threat intelligence community has observed signs of an uptick in cyber attack volumes, with pro-Iran hacktivists successfully breaching multiple targets including Saudi energy and hospitality sector infrastructure, while GPS spoofing attacks – in which satellite data is manipulated to send victims off course – have hit over 1,000 ships in the Persian Gulf region.
New data shared by Flashpoint revealed insight into the activities of numerous pro-Iran groups in the past few days. Among the operations known to be active right now is Handala Team, a pro-Palestine hacktivist operation with links to the Iranian intelligence services, which has claimed a breach at Saudi Aramco, alleging that its hackers destroyed the victim’s infrastructure and caused it to cease oil extraction – claims that have not yet been verified due to insufficient evidence.
A second group going by the moniker FAD Team (aka Fatimiyoun/Fatimion) – which identifies with the Islamic Resistance in Iraq – has claimed responsibility for as-yet unconfirmed breaches at WeLearn – an Israeli scaleup – and Maad Hospitality Towers – a planned 50,000-plus-bed hotel in Makkah, Saudi Arabia, designed to accommodate travellers making the Hajj pilgrimage.
Meanwhile, a group known as PalachPro – claiming to be Russia-based – has signaled its readiness to collaborate with Iranian hackers, amplifying its messages alongside the Russian hacktivist NoName057(16) network.
Other notable claims in recent days – via Palo Alto Networks’ Unit 42 – come from hacktivist groups such as APT Iran, which said it sabotaged critical national infrastructure in Jordan, and the Cyber Islamic Resistance umbrella group, incorporating threat actors such as RipperSec and Cyb3rDragonzz, which says it targeted Israeli organisations with synchronised distributed denial of service (DDoS) attacks and data-wiping malware. Other active groups flagged by Unit 42 include Dark Storm Team, Evil Markhors, Sylhet Gang, 313 Team and DieNet – all of these say they have targeted organisations in Bahrain, Israel, Kuwait, Saudi Arabia, and the United Arab Emirates (UAE).
And in a sign that analogue and kinetic methods still have their uses in modern hybrid warfare, Amazon Web Services (AWS) datacentre facilities in the region were pulled offline after apparent drone strikes at facilities in Bahrain and the UAE, while Flashpoint also reported the discovery of a new Farsi-language shortwave numbers station on 7910kHz, likely transmitting coded instructions to Iranian sleeper cells.
A Cold War relic, numbers stations were used by both the Eastern and Western blocs to communicate with undercover operatives – one famous British example known colloquially as the Lincolnshire Poacher broadcast from Bletchley Park.
Kathryn Raines, cyber threat intelligence team lead for the National Security Solutions team at Flashpoint, said the groups making the most noise right now – whether they be truly autonomous hacktivists or those like Handala with possible state links – were designed for immediate psychological impact on Iran’s enemies.
“Looking at their tactics – which have thus far consisted of DDoS, defacements, claiming to deploy wiper malware, or leaking pre-stolen data – they require lower operational security and less stable infrastructure. It is likely in their mandate from the regime to create immediate chaos and project strength, which makes them the ideal first responders in the cyber domain,” Raines told Computer Weekly.
What has become of Iran’s state APTs?
The biggest impacts of hacktivist-led cyber attacks are indeed website defacements and, to some extent, DDoS attacks, both of which are disruptive but rarely much more than that. Many of the currently active groups will be operating on an opportunistic basis, and many may not even be based in Iran itself.
Raines said that in contrast to hacktivists, top-tier espionage APTs relied on stealth, persistence, and highly-secure command and control (C2) infrastructure.
“The current kinetic environment and the regime’s domestic internet throttling severely disrupt their ability to operate safely, and rather than risking exposure of say, high-value accesses or zero-day exploits, during a period of extreme network [and] internet instability, these elite cyber units are forced into a defensive posture – likely much more focused internally on network hardening, assessing damage, and regime continuity,” she explained.
Alex Orleans, head of threat intelligence at Sublime Security, said that for Iranian APTs operating with a nexus to the state, the priority right now was more likely survival than attack.
However, the extent of leadership decapitation has been so great, noted Orleans, that the Iranian chain of command is known to be telling parts of its security establishment to operate on their own initiative.
“If true, that would be especially relevant to cyber because it is a non-critical function for national defense and virtually all of Iran’s cyber operations fall under MOIS or IRGC; and both of those organisations have suffered heavy losses,” Orleans said.
Gene Moody, field chief technology officer (CTO) at Action1, said that while activity so far has indeed been opportunistic, state-aligned groups do move quickly when tensions rise.
“In practice, that means scanning the internet at scale for exposed services and weaponising recently disclosed vulnerabilities within days, sometimes hours. They often rely on known flaws in VPNs, edge devices, firewalls, email gateways, and remote access platforms rather than novel zero-days,” said Moody.
“For security teams, the operational impact is increased background noise, more aggressive scanning, and a higher probability of exploitation attempts against perimeter systems. Expect phishing tied to geopolitical themes, credential harvesting, and possible disruptive actions such as data theft, ransomware, or destructive wiper activity if escalation occurs.”
Indeed, experts at Nozomi Networks say they see some early signs of activity from APTs such as MuddyWater, OilRig and APT33, which seem to have the manufacturing and transport sectors in their crosshairs.
“The current [MITRE ATT&CK] detection pattern strongly suggests that adversaries are still in the exploratory and positioning phase of their operations. The dominance of default credential abuse and valid account usage, combined with brute force and scanning, indicates that attackers are leveraging trusted access to quietly map environments to identify high-value assets and establish persistence,” wrote the Nozomi team.
“This is characteristic of early-stage intrusion activity, where the objective is to understand network architecture, privilege relationships and operational dependencies before escalating to disruptive or destructive tactics.”
In short order, the researchers said, these playbooks will expand to privilege escalation, lateral movement in operational technology environments, and possibly the deployment of data wipers. APT33 is particularly adept in this regard, reportedly having had pre-positioned access inside US energy networks. The UK is no bystander either, said Nozomi, and CNI operators should take note.
Orleans at Sublime Security agreed that although Iranian APTs will be “laying low” for the foreseeable future, that will probably change.
“[It is] likely … that in a few days, some of these actors will peek out and see what preexisting accesses they were able to maintain to targets they had compromised before this began,” he said. “Then they will likely spam some janky attempts at disruption effects.”
Flashpoint’s Raines also foresaw a resurgence of APT activity once the fog of war lifts a little, Tehran feels a little more secure, and civilian internet traffic returns to mask their movements.
“When these groups return to the offensive, we suspect they’ll likely transition from the current noisy phase to highly targeted, quiet espionage and destructive attacks, potentially weaponising the accesses and targets currently being gathered by the hacktivist tier,” she said.
Use this time well
In the meantime, Sublime’s Orleans said that defenders could use the coming hours and days to their advantage.
“Focus less on worrying about a new Iranian campaign to phish you this week and more on using this opportunity to threat hunt in your environment for possible signs of compromise by Iranian actors that predate this conflict – likely in the last 90-120 days,” he said. “Do what’s necessary to contain and evict any hostile presence on those networks.”
Action1’s Moody said that prep work should focus on speed and hygiene. “Patch all externally exposed systems immediately after disclosure, even if that means temporarily bypassing normal patch cycles. Under these conditions, delay equals exposure. Prioritise internet facing assets, identity infrastructure, and remote access systems. Validate backups, test restoration, and confirm MFA enforcement across privileged accounts. Increase logging retention, tune detection for mass scanning and brute force activity, and rehearse incident response playbooks. In short, reduce attack surface quickly and assume known vulnerabilities will be targeted first.
“Be prepared as this will be a true cyber offensive versus targeted operations for financial gain or political messaging, there will be damage here,” he said.
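Moody’s advice to “tune detection for mass scanning and brute force activity”, and the Nozomi observation that default-credential abuse, brute force and valid-account usage currently dominate, both come down to the same triage question for a blue team: which source addresses are hammering authentication, and did any of them eventually get in? The following Python script is an added illustration written for this article; it is not code from Computer Weekly, Action1, Nozomi Networks or any of the groups named above. It parses OpenSSH-style auth log lines (the sample lines are constructed, using documentation IP ranges) and flags three patterns: a brute-force burst from one source, a password spray (one source trying many usernames) and, most importantly, a successful login that follows a run of failures from the same source, which is the “valid account after brute force” case that should be escalated rather than merely rate-limited. The thresholds are assumptions chosen for the sample and should be tuned to the environment.

```python
import re
from collections import defaultdict

# Constructed sample auth log in OpenSSH syslog format (not real data).
# 203.0.113.10 brute-forces root and then succeeds; 198.51.100.7 sprays
# many usernames; 192.0.2.25 is a legitimate user with one typo.
SAMPLE_LOG = """\
Mar 04 09:00:01 edge sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51111 ssh2
Mar 04 09:00:02 edge sshd[1202]: Failed password for invalid user admin from 203.0.113.10 port 51112 ssh2
Mar 04 09:00:03 edge sshd[1203]: Failed password for root from 203.0.113.10 port 51113 ssh2
Mar 04 09:00:04 edge sshd[1204]: Failed password for root from 203.0.113.10 port 51114 ssh2
Mar 04 09:00:05 edge sshd[1205]: Failed password for root from 203.0.113.10 port 51115 ssh2
Mar 04 09:00:09 edge sshd[1206]: Accepted password for root from 203.0.113.10 port 51116 ssh2
Mar 04 09:01:00 edge sshd[1301]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Mar 04 09:01:01 edge sshd[1302]: Failed password for invalid user postgres from 198.51.100.7 port 40002 ssh2
Mar 04 09:01:02 edge sshd[1303]: Failed password for invalid user backup from 198.51.100.7 port 40003 ssh2
Mar 04 09:01:03 edge sshd[1304]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Mar 04 09:01:04 edge sshd[1305]: Failed password for invalid user guest from 198.51.100.7 port 40005 ssh2
Mar 04 09:02:00 edge sshd[1401]: Failed password for alice from 192.0.2.25 port 50001 ssh2
Mar 04 09:02:30 edge sshd[1402]: Accepted publickey for alice from 192.0.2.25 port 50002 ssh2
"""

# Matches both "for invalid user X" (unknown account) and "for X" (known account).
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_line(line):
    """Return a dict for an sshd auth event, or None for any other line."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None


def analyse(log_text, fail_threshold=5, spray_threshold=4, prior_fail_threshold=3):
    """Flag brute force, password spraying and success-after-failures per source.

    Thresholds are assumed values for this sample; tune them per environment.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures_by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures_by_src[ev["src"]].append(ev)

    findings = []
    for src, fails in failures_by_src.items():
        distinct_users = {e["user"] for e in fails}
        if len(fails) >= fail_threshold:
            findings.append({"type": "brute_force", "src": src, "failures": len(fails)})
        if len(distinct_users) >= spray_threshold:
            findings.append({"type": "password_spray", "src": src,
                             "users": sorted(distinct_users)})

    # The high-priority case: a source that failed repeatedly and then got in.
    for i, ev in enumerate(events):
        if ev["result"] != "Accepted":
            continue
        prior = [e for e in events[:i]
                 if e["src"] == ev["src"] and e["result"] == "Failed"]
        if len(prior) >= prior_fail_threshold:
            findings.append({"type": "success_after_failures", "src": ev["src"],
                             "user": ev["user"], "method": ev["method"],
                             "prior_failures": len(prior)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

Run against a real `auth.log` the same logic applies unchanged; the value of the third rule is that it turns a noisy brute-force alert into an incident-response trigger only when it matters, which is exactly the distinction between background scanning and an actual foothold that the experts above are drawing.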
