
This brief catalogues confirmed and credibly reported cyber operations from the last 24 hours directly linked to the US-Israel-Iran military conflict. The conflict entered its 45th day on April 13, 2026.
The two-week ceasefire announced on April 7 entered its sixth day on April 13. The ceasefire framework is under direct threat following the collapse of Islamabad peace talks and the commencement of a US naval blockade of Iranian ports. VP Vance confirmed on April 12 that 21 hours of negotiations with Iran produced no agreement. Iran refused to commit to ending its nuclear enrichment program. Within hours of the collapse, Trump announced an immediate naval blockade of all maritime traffic entering or exiting Iranian ports via the Strait of Hormuz. US Central Command confirmed the blockade would begin at 10:00 AM ET on April 13 and would be enforced against vessels of all nations entering or departing Iranian ports and coastal areas. CENTCOM clarified that freedom of navigation for vessels transiting the Strait to non-Iranian ports would not be impeded. The IRGC responded that any military vessel approaching the Strait would be considered in violation of the ceasefire and would face severe consequences.
Handala claimed on April 12 what it called one of its most powerful cyberattacks against UAE critical infrastructure. The group stated it destroyed 6 petabytes of data and exfiltrated 149 terabytes of classified documents from the Dubai Courts Authority, the Dubai Land Authority, and the Dubai Roads and Transport Authority. Handala described the operation as a punitive strike against UAE leadership for its political alignment. The claims have not been independently verified. If confirmed, this would represent a significant escalation in Handala’s Gulf-targeting operations and the largest single data destruction event claimed by the group.
Signature Healthcare Brockton Hospital entered Day 8 of downtime procedures on April 13. The Anubis ransomware group claimed responsibility on April 9, stating it exfiltrated 2 terabytes of patient data without encrypting systems. The hospital's listing was briefly removed from the group’s leak site on April 10, suggesting potential negotiations, before being relisted. A spokesperson for Anubis contacted SuspectFile to pressure Signature Healthcare into payment. New prescription orders still cannot be filled. The hospital continues working with the FBI and third-party cybersecurity specialists.
The Iran internet blackout entered Day 45 on April 13. An Iranian official stated on April 12 that there is no timeline for restoring internet access. Connectivity remains at approximately 1% of pre-war levels. The shutdown has now surpassed 1,000 consecutive hours, making it the longest nationwide internet disruption ever recorded anywhere.
We will continue to update this timeline with the most recent information as the situation develops.
US-Israel-Iran Conflict Timeline & Cyber Context
The cyber operations documented in this brief are responses to three major kinetic escalations:
Confirmed & Credibly Reported Cyber Attacks
We are updating this section to include only the newest incidents.
Handala Claims Destructive Cyberattack Against UAE Critical Infrastructure; 6PB Destroyed, 149TB Exfiltrated (April 12, 2026)
- Threat actor: Handala Hack / Iran MOIS / Void Manticore
- Target: Dubai Courts Authority; Dubai Land Authority; Dubai Roads and Transport Authority (United Arab Emirates)
- Attack type: Data destruction (wiper); data exfiltration; hack-and-leak
Handala announced on April 12 that it carried out what it called one of its most powerful cyber operations against UAE critical infrastructure. The group claimed to have permanently destroyed 6 petabytes of data across the three targeted institutions and exfiltrated 149 terabytes of classified and sensitive documents. The targeted institutions represent core legal, real estate, and transportation infrastructure in Dubai.
Handala framed the operation as a punitive strike against UAE leadership, accusing the government of betrayal for its political alignment during the conflict. The group stated the attack was intended as a warning to all regional governments that cooperate with the US and Israel. The claims have not been independently verified by the UAE Cyber Security Council or third-party researchers. If confirmed, the scale of destruction would exceed all previous Handala operations, including the Stryker attack that wiped approximately 80,000 devices across 79 countries in March.
The timing of the attack is significant. It came hours before the announcement of the US naval blockade and coincides with the collapse of Islamabad peace talks. The UAE reported in early April that daily cyberattacks on its digital infrastructure had tripled to 600,000 since the start of the conflict. The UAE Cyber Security Council head Mohammed Al Kuwaiti previously confirmed that attacks had shifted from short-lived disruptions to complex intrusions targeting banking, aviation, and law enforcement systems.
Sources: Press TV (Apr 12, 2026); Tasnim News (Apr 12); X/Handala (Apr 12); Khaleej Times (Apr 1); UAE Cyber Security Council (Apr 1)
US Naval Blockade of Iranian Ports Commences; IRGC Warns of Ceasefire Violation (Apr 12-13, 2026)
- Threat actor: N/A (geopolitical/kinetic escalation with direct cyber threat implications)
- Target: Ceasefire framework stability; global energy markets; Strait of Hormuz passage; cyber threat escalation across all sectors
- Attack type: Kinetic-cyber hybrid escalation risk; naval blockade; economic warfare
VP Vance confirmed on April 12 that 21 hours of Pakistani-brokered negotiations in Islamabad ended without agreement. Vance stated Iran refused to commit to ending its nuclear enrichment program. Within hours, Trump posted on Truth Social that the US Navy would begin blockading all ships entering or leaving the Strait of Hormuz. CENTCOM subsequently announced the blockade would begin at 10:00 AM ET on April 13 and would be enforced against vessels of all nations entering or departing Iranian ports and coastal areas, including on the Gulf and Gulf of Oman sides. CENTCOM clarified that the blockade would not impede freedom of navigation for vessels transiting the Strait to non-Iranian ports.
The IRGC responded that any military vessel approaching the Strait would be considered in violation of the ceasefire and would face severe consequences. Iran has maintained effective control of the Strait since the start of the conflict, restricting passage and reportedly establishing a toll system for transiting vessels. According to one report, Iran lost track of some mines it planted in the Strait, complicating efforts to fully reopen the waterway. US Navy destroyers entered the Strait for the first time since the war began as part of mine clearance operations.
Fortune reported that analysts warned Russia and China could come to Iran’s aid with cyberattacks in response to the blockade. The blockade represents the most significant kinetic escalation since the April 7 ceasefire. Iranian cyber actors have consistently demonstrated that kinetic escalation triggers cyber retaliation within 24-72 hours. All sectors should prepare for an immediate increase in cyber threat activity.
Sources: ABC News (Apr 13, 2026); Time (Apr 12); Al Jazeera (Apr 13); CNN (Apr 12); CNBC (Apr 13); Fortune (Apr 12); Wikipedia/Hormuz crisis (Apr 13)
Signature Healthcare Brockton Hospital Cyberattack Enters Day 8; Anubis Claims 2TB Data Theft (April 13, 2026)
- Threat actor: Anubis ransomware group (Ransomware-as-a-Service)
- Target: Signature Healthcare Brockton Hospital (Massachusetts); 216-bed community hospital; 15 care locations; 70,000 patients annually
- Attack type: Ransomware; data exfiltration (claimed 2TB); system disruption; EHR offline
Signature Healthcare Brockton Hospital entered its eighth day of downtime procedures on April 13 following the cyberattack detected on April 6. The Anubis ransomware group claimed responsibility on April 9, stating it exfiltrated 2 terabytes of critical and sensitive patient information. Anubis stated it did not encrypt hospital systems. The hospital's listing was briefly removed from the Anubis leak site on April 10 before being relisted. A spokesperson for Anubis contacted SuspectFile to pressure Signature Healthcare into payment, attempting to portray the group as professional operators who deliberately avoided encrypting critical systems.
As of April 11, many hospital services had resumed but new prescription orders still cannot be filled. The hospital continues operating on paper-based workflows. The FBI confirmed it is aware of the incident. Federal and state officials are working alongside the hospital. Anubis has an optional wipe mode feature that permanently erases file contents if ransom is not paid, according to Trend Micro analysis from June 2025. Ransomware.live counted 70 Anubis victims since the group first surfaced in February 2025.
While Anubis is not directly attributed to Iranian state operations, the attack continues a pattern of healthcare targeting observed throughout the conflict. The Stryker wiper attack (March 11, fully recovered by April 10), the Pay2Key campaign against US healthcare, and the sustained pressure on healthcare infrastructure align with the broader threat environment. Health-ISAC has assessed that the healthcare sector is experiencing sustained, high-level malicious activity from both nation-state and financially motivated actors.
Sources: DataBreaches.net (Apr 11, 2026); GovInfoSecurity (Apr 10); HIPAA Journal (Apr 10); Brockton Today (Apr 10); Boston Globe (Apr 7); NBC Boston (Apr 8)
Iran Internet Blackout Enters Day 45; No Restoration Timeline; Exceeds 1,000 Hours (April 13, 2026)
- Threat actor: Iranian government / state telecommunications apparatus
- Target: Iranian civilian population (90+ million)
- Attack type: State-imposed internet shutdown; information control; civilian impact
The Iran internet blackout entered Day 45 on April 13 with connectivity at approximately 1% of pre-war levels. An Iranian official stated on April 12 that there is no timeline for restoring internet access. NetBlocks confirmed on April 12 that the shutdown has exceeded 1,000 consecutive hours, making it the longest nationwide internet disruption ever recorded in any country. The Iranian Minister of Communications, Sattar Hashemi, previously acknowledged the shutdown costs the economy approximately $35.7 million per day.
Possession of Starlink terminals in Iran is now potentially punishable by execution under legislation passed this year. Military-grade mobile jammers are being used to block satellite internet signals throughout the country. Only pre-approved users on state whitelists and those who have purchased temporary proxy connections can access the global internet. Government spokeswoman Fatemeh Mohajerani stated last month that access has been provided only to those who can carry the voice of the government further.
The blackout continues to limit state-sponsored cyber operations from within Iran while having no constraining effect on geographically dispersed proxy operators. Handala, CyberAv3ngers, and MuddyWater all maintain operational infrastructure outside Iran. The Mahsa Alert crowdsourced missile warning app continues to serve as a critical workaround for civilian access to air raid alerts.
Sources: Tom’s Hardware (Apr 12, 2026); Wikipedia/Iran blackout (Apr 12); War on the Rocks (Apr 10); Al Jazeera (Apr 5); Chatham House (Jan 26)
Ceasefire Expires April 22 With No Deal; Blockade Raises Maximum Escalation Risk (April 13, 2026)
- Threat actor: All Iranian-linked threat actors; pro-Iranian hacktivist ecosystem
- Target: All previously targeted sectors: US critical infrastructure, energy, healthcare, Gulf states, Israeli defense, NATO allies
- Attack type: Anticipated escalation across all attack vectors: DDoS, wiper, ransomware, OT/ICS targeting, hack-and-leak, credential harvesting
The ceasefire expires on April 22 with no deal in place and no extension agreed. The combination of collapsed negotiations, the naval blockade commencing April 13, and the IRGC’s explicit warning creates the most dangerous escalation environment since the conflict began on February 28. Neither side has indicated what happens after expiration.
Handala’s claimed UAE attack on April 12 demonstrates that Iranian-linked actors are escalating offensive operations despite the ceasefire. Handala previously stated it would pause US-targeting operations during the ceasefire but would resume when circumstances warranted. The blockade and collapsed talks constitute exactly those circumstances. CyberAv3ngers maintain pre-positioned access to US critical infrastructure PLCs per CISA advisory AA26-097A. MuddyWater’s Operation Olalampo infrastructure remains active. The pro-Iranian hacktivist ecosystem of 50+ groups continues to conduct operations against Israeli, Gulf, and NATO targets without pause.
Fortune reported that analysts have warned Russia and China may assist Iran with cyberattacks in response to the blockade, which would add additional nation-state threat actors to the operational environment. Organizations across all targeted sectors should assume that the cyber threat level will rise sharply in the coming 24-72 hours. All defensive recommendations from prior revisions remain in effect. Prepare for potential ceasefire breakdown and the associated full resumption of cyber hostilities.
Sources: Al Jazeera (Apr 13, 2026); CNN (Apr 12); ABC News (Apr 13); Time (Apr 12); Fortune (Apr 12); CISA AA26-097A (Apr 7)
Key Threat Actor Summaries
Relevant Government Advisories
New advisories issued since previous report (April 12):
Assessment & Outlook
The conflict has entered its 45th day. As of April 13, the following assessment reflects developments from the previous 24 hours.
Near-Term Threat (1-4 weeks): CRITICAL & DETERIORATING
The collapse of Islamabad peace talks and the commencement of the US naval blockade represent the most significant escalation since the ceasefire began on April 7. The blockade directly targets Iran’s remaining oil export capability and constitutes an act of economic warfare that Iranian leadership will interpret as a hostile escalation regardless of ceasefire status. The IRGC’s explicit warning that military vessels will face severe consequences raises the probability of a direct naval confrontation, which would almost certainly trigger immediate and large-scale cyber retaliation.
Handala’s claimed attack on three Dubai government institutions on April 12 demonstrates that Iranian-linked actors are actively escalating offensive operations during the ceasefire. The scale of the claimed destruction (6PB destroyed, 149TB exfiltrated) exceeds all previous Handala operations if verified. The timing, hours before the blockade announcement, suggests either coincidence or pre-positioning of the operation in anticipation of an escalation trigger. The UAE had already reported a tripling of daily cyberattacks to 600,000 since the conflict began.
The Signature Healthcare attack, now at Day 8 with the Anubis ransomware group publicly claiming responsibility and pressuring the hospital through media outreach, continues a pattern of healthcare targeting that has defined the conflict’s cyber dimension. Anubis’s wipe mode capability adds a destructive dimension to what is ostensibly a financially motivated operation. The blurring of ransomware and destructive operations is a defining characteristic of the Iran-linked cyber threat environment in 2026.
The ceasefire expires April 22 with no deal, no extension, and active escalation underway. The combination of blockade, collapsed talks, active Handala operations, pre-positioned CyberAv3ngers access to US critical infrastructure, and the IRGC’s confrontational posture creates the most dangerous threat environment of the conflict.
Priority Targets (Updated April 13)
- Maritime, energy, and financial sectors (CRITICAL, MAXIMUM): The naval blockade commencing April 13 will trigger global energy price volatility and supply chain disruption. Financial markets face significant instability. Analysts warn Russia and China may provide cyber support to Iran. Prepare for full ceasefire breakdown by April 22.
- US critical infrastructure with internet-facing PLCs and OT devices (CRITICAL, MAXIMUM): CISA advisory AA26-097A remains in effect. Pre-positioned access confirmed. Over 3,000 Rockwell devices remain exposed. The naval blockade significantly increases the probability that pre-positioned access will be activated. Remove all PLCs from direct internet exposure immediately.
- US energy grid operators and utilities (CRITICAL, MAXIMUM): The naval blockade will further disrupt global energy markets. Energy sector targeting is expected to intensify as Iran seeks retaliatory leverage. All grid operators should assume they are active targets and elevate to maximum defensive posture.
- Gulf state digital infrastructure (CRITICAL, MAXIMUM): Handala’s claimed April 12 attack on three Dubai institutions represents a direct escalation against Gulf states hosting US military assets. UAE reported 600,000 daily attacks. The blockade will amplify retaliatory pressure on UAE, Qatar, and Bahrain. Gulf organizations should maintain maximum defensive posture and validate data backup integrity.
- US healthcare organizations (CRITICAL, ESCALATED): Signature Healthcare at Day 8 with Anubis claiming 2TB data theft. Stryker fully recovered after 30-day remediation. Anubis’s wipe mode adds destructive risk to ransomware operations. Healthcare organizations should audit EHR systems, validate backup procedures, implement downtime protocols, and audit MDM administrator credentials.
- Israeli defense and intelligence establishments (CRITICAL, MAXIMUM): Handala continues active operations against Israel without pause. The Halevi phone breach exposed classified personnel, facilities, and diplomatic channels. Israeli organizations should assume persistent Handala access and conduct comprehensive device audits.
At Flare, we will continue to monitor this conflict and update this article as we learn more information.





