
The US-Israel-Iran conflict has generated one of the most intensive periods of state-linked cyber warfare since the Russia-Ukraine war, with operations conducted by both sides across multiple domains including critical infrastructure, financial systems, communications networks, and social media platforms.
The cyber dimension of this conflict encompasses three distinct phases:
- June 2025: Israel-Iran 12-day war and concurrent US strikes on Iranian nuclear facilities
- January–February 2026: pre-conflict escalation period
- February 28th, 2026: joint US-Israeli Operation Epic Fury/Roar of the Lion and its immediate aftermath
Each phase saw a marked increase in the volume and sophistication of cyber operations.
Below, we catalogue confirmed and credibly reported cyber operations directly linked to the escalating US-Israel-Iran military conflict from June 2025 through March 2026. We will continue to update this timeline as the situation develops.
US-Israel-Iran Conflict Timeline & Cyber Context
The cyber operations documented in this brief are responses to the three major kinetic escalations outlined above.
Confirmed & Credibly Reported Cyber Attacks
Phase 1: June 2025 Israel-Iran War & US Nuclear Strikes
Truth Social DDoS Attack (June 21–22, 2025)
- Threat actor: Team 313 (Iran-aligned hacktivist group)
- Target: Truth Social (President Trump’s social media platform)
- Attack type: Distributed Denial-of-Service (DDoS)
Team 313 claimed responsibility for a DDoS attack that took Truth Social offline within minutes of President Trump posting about the strikes on Iranian nuclear sites. The Center for Internet Security (CIS) confirmed the attack originated from infrastructure previously attributed to Iranian state-aligned actors, with traffic floods exceeding 400 Gbps. The platform displayed error messages for several hours before service was restored.
Sources: The Hill, CIS confirmation; The Hacker News; Wired; eSecurity Planet; Cyble
Predatory Sparrow Bank & Crypto Exchange Attacks (June 17–18, 2025)
- Threat actor: Gonjeshke Darande / Predatory Sparrow (pro-Israel)
- Targets: Bank Sepah (Iranian state-owned bank); Nobitex (Iran’s largest cryptocurrency exchange)
- Attack types: Financial system intrusion; unauthorized fund transfers
Predatory Sparrow, a pro-Israel cyber group with a documented history of targeting Iranian infrastructure, claimed responsibility for attacking Bank Sepah on June 17 and Nobitex on June 18, 2025. The Nobitex breach resulted in approximately $90 million being transferred out of wallets, as confirmed by blockchain analytics firm Elliptic. This represented one of the most financially damaging individual cyber operations of the conflict.
Sources: ReliaQuest; Elliptic (blockchain analytics); The Hill; Palo Alto Unit 42
Iranian APT Surge Against US Industrial Targets (May–June 2025)
- Threat actor: MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten, Homeland Justice
- Targets: US Transportation and Manufacturing sectors; at least 15 US organizations
- Attack types: Espionage; credential harvesting; OT/ICS targeting; ransomware partnerships
Nozomi Networks tracked 28 cyberattacks tied to Iranian threat groups in May–June 2025, a 133% increase over the prior two-month period. MuddyWater was the most active, targeting at least five US companies, followed by APT33 with three confirmed incidents. CyberAv3ngers was observed reusing IP infrastructure from prior attacks involving OT-specific malware. Fox Kitten shifted toward ransomware operations with financial incentives for attacks aligned with Iranian strategic interests.
Sources: Nozomi Networks; The Record (Recorded Future); Anvilogic; Morphisec
Hacktivist DDoS Campaign Against US Defense & Financial Sectors (Late June 2025)
- Threat actor: Mr Hamza, Team 313, Cyber Jihad Movement, Keymous+, Mysterious Team, Handala
- Targets: US Air Force domains, aerospace/defense contractors, banks, financial services, aviation, energy sectors
Cyble researchers documented attack claims by Iran-aligned hacktivist groups against 15 US organizations and 19 websites in the immediate aftermath of US strikes. DDoS was the most common method, followed by data and credential leaks, website defacements, and unauthorized access. The Cyber Jihad Movement announced expanded operations against US entities under the hashtag #OpUSA. Handala was identified as one of the most effective attackers, with 15 claims of ransomware/extortion incidents including data samples offered as evidence.
Sources: Cyble; CISA/FBI/NSA/DC3 Joint Advisory (June 30, 2025); ExtraHop; Palo Alto Unit 42
Iranian Phishing Campaign Against Israeli Google Accounts (Post-June 2025)
- Threat actor: Iranian intelligence operatives (IRGC-affiliated)
- Target: Israeli citizens’ private Google, Telegram, and WhatsApp accounts
Israel’s Shin Bet and National Cyber Directorate issued a joint statement confirming a significant increase in Iranian intelligence attempts to hack private accounts of Israeli citizens since the June 2025 war. Hundreds of such attacks were intercepted in recent months. The campaigns employed personalized spear-phishing tailored to targets’ professional interests, impersonation of known contacts, and solicitation of passwords and verification codes disguised as security checks. The collected intelligence was assessed as supporting potential terrorist, espionage, and influence operations.
Sources: Times of Israel; Israel Shin Bet / National Cyber Directorate joint statement
Strait of Hormuz Electronic Interference (June 2025)
- Threat actor: Iranian state actors (attribution unconfirmed)
Electronic interference with commercial ship navigation systems was reported in the Strait of Hormuz and Persian Gulf during the June 2025 conflict, part of a broader pattern of cyber-enabled disruption alongside kinetic operations. Interference with satellite navigation (jamming or spoofing of GNSS signals) is an electronic-warfare technique rather than a network intrusion: it is noticed as anomalous or lost position fixes on bridge equipment, not as events in a ship operator's network logs.
Sources: Cyble
Phase 2: January–February 2026 Pre-Conflict Escalation
Cyberattacks on Iranian Ports (January 20th, 2026)
- Threat actor: Attributed to Israeli/Western state actors
- Target: Bandar Abbas and Chabahar port systems
Port management systems at Bandar Abbas and Chabahar were disrupted on January 20th, halting container management operations and delaying oil exports. Estimated economic losses were reported in the tens of millions of dollars per day. This mirrors the documented 2020 Israeli cyberattack on the Shahid Rajaee port at Bandar Abbas, which caused days of disruption.
Sources: Khaleej Times (citing Rayad Group / private intelligence monitors)
Iranian Power Substation Attacks (January 22nd, 2026)
- Target: Power substations in Tehran, Isfahan, and Shiraz
Cyberattacks on Iranian power substations caused rolling blackouts across multiple major cities, forcing industrial and medical facilities onto emergency power systems. The attacks were part of an escalating cyber campaign in the weeks preceding the February 28th strikes.
Sources: Khaleej Times (citing Rayad Group / private intelligence monitors)
Shamoon 4.0 Attack on Saudi Energy Infrastructure (January 24th, 2026)
- Threat actor: Iran-linked (consistent with historical Shamoon attribution to IRGC/APT33)
- Target: Saudi energy infrastructure (including Aramco-linked systems)
A new variant designated Shamoon 4.0 struck Saudi energy infrastructure, initially compromising approximately 15,000 workstations. Rapid isolation protocols and backup systems limited permanent data loss, and Saudi Aramco reported production near pre-attack levels. This represents the fourth known major deployment of the Shamoon malware family, following attacks in 2012, 2016–17, and 2018.
Sources: Khaleej Times (citing cybersecurity expert Rayad Kamal Ayub, Rayad Group)
Iranian Satellite Broadcast Hack (January 2026)
Government satellite broadcasts in Iran were compromised, with content calling for the overthrow of the regime reportedly aired to millions of households. This operation was later described as the beginning of the cyber campaign that escalated into the February 28 attack.
Sources: Jerusalem Post; Fox News (citing Western intelligence sources)
Phase 3: February 28, 2026 Operation Epic Fury/Roar of the Lion
Massive Cyberattack Accompanying Kinetic Strikes (February 28th, 2026)
- Threat actor: Israel (with probable US coordination)
- Targets: Iranian nationwide internet infrastructure; IRGC communications; state media (IRNA, Tasnim); government digital services
Described as the largest cyberattack in the history of the conflict, the operation combined electronic warfare disrupting navigation and communications systems, DDoS attacks, and deep intrusions into Iranian data systems. NetBlocks confirmed Iranian internet connectivity plunged to just 4% of normal traffic, representing a near-total nationwide shutdown. IRNA was taken offline for an extended period, and Tasnim (IRGC-linked) experienced severe disruptions with subversive messages reportedly displayed. Government digital services and local apps failed across Tehran, Isfahan, Shiraz, and other major cities. Western intelligence sources stated the damage to IRGC communications infrastructure was specifically intended to prevent coordination of missile and drone counterattacks.
Sources: Jerusalem Post; NetBlocks; Fox News; Defense One; Atlantic Council
BadeSaba Calendar App Compromise (February 28th, 2026)
- Threat actor: Pro-opposition / likely state-backed (Israeli or Western)
- Target: BadeSaba Prayer Calendar App (5 million+ downloads in Iran)
As strikes began on February 28th, the widely used BadeSaba prayer calendar app was compromised. The app pushed notifications to millions of Iranian users with messages including surrender instructions for IRGC members and locations for protesters to gather. Flashpoint assessed that the following day brought the most aggressive activity yet from Iran's Cyber Islamic Resistance campaign, underscoring the psychological-operations dimension of the cyber conflict on both sides.
Sources: Fortune (citing Flashpoint intelligence assessment); CNBC (Mar 2–3, citing Flashpoint’s Raines)
Iran’s “Cyber Islamic Resistance” & “Fatimiyoun Electronic Team” Offensives (March 1–2, 2026)
- Threat actor: Cyber Islamic Resistance coalition; Fatimiyoun Electronic Team
- Targets: US and Israeli military logistics providers; Western financial and energy firms
- Attack types: DDoS; data-wiping attacks; attempted wiper malware deployment
Flashpoint reported on March 1st that the Cyber Islamic Resistance coalition, a loosely coordinated group of Iranian-aligned cyber operatives, began launching denial-of-service and data-wiping attacks against US and Israeli military logistics providers. Separately, the Fatimiyoun Electronic Team was observed attempting to deploy wiper malware against Western financial and energy firms. This represents the first confirmed post-February 28 retaliatory cyber offensive specifically targeting Western commercial entities.
Sources: Flashpoint (via GovInfoSecurity / BankInfoSecurity / DataBreachToday, March 1st, 2026)
Handala Group Targets Israeli ICS & Jordanian Fuel Infrastructure (February 28–March 1, 2026)
- Threat actor: Handala Group (MOIS-linked hacktivist persona)
- Targets: Israeli industrial control systems (manufacturing, energy distribution); Jordanian fuel station infrastructure; Clalit healthcare network (data theft claimed)
Flashpoint reported that the Iran-linked Handala Group was already targeting Israeli industrial control systems within hours of the Feb 28 strikes, claiming disruption of manufacturing and energy distribution. The group also claimed responsibility for a cyberattack on Jordanian fuel station infrastructure and earlier in the week claimed to have stolen data from Israel’s Clalit healthcare network. Sophos confirmed that Handala claimed attacks in Jordan on February 28 and threatened additional regional targets, though noted the group routinely overstates its capabilities.
Sources: Flashpoint (via GovInfoSecurity, Mar 1, 2026); Sophos Cyber Advisory (March 1st, 2026); VECERT
CrowdStrike Confirms Iranian Reconnaissance & DDoS Activity (March 1–2, 2026)
- Threat actor: Iranian-aligned threat actors and hacktivist groups (unspecified)
- Attack types: Reconnaissance; DDoS initiation
CrowdStrike’s head of counter adversary operations, Adam Meyers, confirmed to CNBC on March 2 that the firm was already observing activity consistent with Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating denial-of-service attacks. Meyers stated these behaviors often precede more aggressive operations, indicating a probable escalation pattern. CrowdStrike clarified it had not yet observed large-scale state-sponsored campaigns, but warned that critical infrastructure and financial firms should remain vigilant for follow-on activity that moves beyond nuisance-level disruption.
Sources: CNBC (March 2nd, 2026); Nextgov/FCW (Mar 2, 2026, citing CrowdStrike statement)
Iran Internet Blackout Enters Third Day (March 2nd, 2026)
As of March 2, NetBlocks confirmed that Iran’s internet connectivity remained at approximately 1% of normal traffic levels for over 48 hours, representing a near-total nationwide communications blackout. While the regime has a documented history of imposing shutdowns, CNBC reported that US-Israeli actors also targeted multiple government-aligned Iranian news websites with hacks and cyberattacks. Internet analyst Doug Madory noted that limited remaining connectivity appeared to result from a government whitelisting system creating exceptions for regime-loyal entities. The sustained blackout represents the most significant digital disruption of a nation-state in the context of armed conflict to date.
Sources: NetBlocks; CNBC (Mar 2, 2026); The National; Reuters
AWS Data Centers Struck in UAE and Bahrain (March 1–2, 2026)
- Targets: AWS cloud infrastructure (UAE ME-CENTRAL-1; Bahrain facility)
- Attack type: Kinetic strike / collateral impact on cloud infrastructure
Amazon Web Services reported that one of its Availability Zones in the UAE (ME-CENTRAL-1, mec1-az2) was struck by unidentified objects at approximately 4:30 PM Dubai time on Sunday, March 1, creating sparks and fire. The fire department cut power to the facility while crews extinguished the blaze. EC2 instances, database instances, and EBS volumes in the affected zone became unreachable. As of March 2, the zone remained without power and AWS was investigating additional connectivity and power issues in both the UAE and a separate Bahrain facility. This represents a significant collateral impact on global cloud infrastructure from the kinetic conflict.
Sources: Reuters; AWS status page; The Register; Bloomberg (via Yahoo Finance); Jerusalem Post; Times of Israel; Middle East Eye
DHS Issues Lone-Wolf and Cyberattack Warning (March 1–2, 2026)
The US Department of Homeland Security issued a law enforcement bulletin warning of possible lone-wolf attacks and cyberattacks on US soil amid the ongoing strikes. The bulletin, obtained by ABC News, stated that Iran and its proxies pose a persistent threat of targeted attacks in the homeland and will almost certainly escalate retaliatory actions if operations continue. SentinelOne assessed that Iranian state-aligned cyber activity is likely to intensify in the near term, citing a long track record of leveraging destructive wiper malware, infrastructure disruption, and influence operations. Anomali warned that pre-positioned implants, foreign-based operators, and proxy groups operate independently of Iranian domestic infrastructure, meaning the internet blackout would not prevent retaliation.
Sources: ABC News (DHS bulletin); SentinelOne; Anomali (via Defense One, Mar 1, 2026); HSToday
March 4th, 2026 — New Incidents Below
“Electronic Operations Room” Established and Malicious RedAlert APK Campaign (March 2nd, 2026)
- Threat actors: unattributed phishing operators (RedAlert APK); Iranian state-aligned hacktivist coalition (Electronic Operations Room)
- Targets: Israeli civilians (via a fake Home Front Command RedAlert app); multiple hacktivist groups brought under a shared coordination umbrella
- Attack types: Mobile malware (surveillance/exfiltration APK); coordinated hacktivist command structure
Palo Alto Networks Unit 42 published a dedicated threat brief on March 2nd identifying an active phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert application. The weaponized Android package (APK) delivers mobile surveillance and data-exfiltrating malware to Israeli users. Separately, Unit 42 reported that a new coordinating body called the “Electronic Operations Room” was established on February 28th, 2026, to synchronize operations across multiple Iranian-aligned hacktivist personas and collectives. Unit 42 assessed that approximately 60 individual hacktivist groups are now active in the conflict, including pro-Russian groups that have aligned with Iranian-backed operations as of March 2.
Sources: Palo Alto Unit 42 Threat Brief (March 2, 2026); Euronews (March 2, 2026)
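A weaponized replica of a legitimate app is usually produced by unpacking the original APK, injecting code, and repacking it. One inexpensive triage check is to verify the APK's v1 (JAR) signature manifest against the files actually inside the archive: an injected file that the manifest never covered, or a covered file whose digest no longer matches, is a sign of tampering. The following is an added example written for this brief, not code from Unit 42 or from the RedAlert app; the file names, package name and archive contents are constructed stand-ins for a real APK. Two caveats a practitioner should keep in mind: a repackaging tool that re-signs the APK with the attacker's own key will produce a self-consistent manifest, so the decisive check is still the signer certificate fingerprint against the legitimate publisher's (for example with `apksigner verify --print-certs`), and modern APKs also carry v2/v3 signatures in the APK Signing Block, which this v1 check does not examine.

```python
"""Check an APK's v1 (JAR) signature manifest against the files actually inside the archive."""
import base64
import hashlib
import io
import zipfile


def parse_manifest(text):
    """Parse META-INF/MANIFEST.MF into {entry name: {header: value}}.
    JAR manifests wrap lines at 72 bytes; a continuation line begins with a space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines + [""]:  # trailing "" flushes the last section
        if not line.strip():
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return sections


def check_apk_manifest(apk_bytes):
    """Compare every non-META-INF entry in the zip against its manifest digest."""
    findings = {"digest_mismatch": [], "uncovered": [], "missing_from_apk": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        if "META-INF/MANIFEST.MF" not in z.namelist():
            findings["no_manifest"] = True  # v1 signing absent; fall back to apksigner
            return findings
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        names = [n for n in z.namelist() if not n.endswith("/")]
        for name in names:
            if name.startswith("META-INF/"):
                continue  # the manifest and signature files do not cover themselves
            entry = manifest.get(name)
            if entry is None:
                findings["uncovered"].append(name)  # file added after signing
                continue
            if "SHA-256-Digest" in entry:
                expected, algo = entry["SHA-256-Digest"], hashlib.sha256
            else:
                expected, algo = entry.get("SHA1-Digest", ""), hashlib.sha1
            actual = base64.b64encode(algo(z.read(name)).digest()).decode()
            if actual != expected:
                findings["digest_mismatch"].append(name)  # covered file was modified
        findings["missing_from_apk"] = [n for n in manifest if n not in names]
    return findings


def _manifest_for(files):
    out = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        out += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    return "\r\n".join(out).encode()


def build_sample_apk(tamper=None, extra=None):
    """Constructed stand-in for an APK: a zip with a manifest covering two files.
    `tamper` modifies a covered file after the manifest was written; `extra` adds
    files the manifest never saw, as a repackaging tool that skips re-signing would."""
    files = {"AndroidManifest.xml": b"<manifest package='example.redalert'/>",  # constructed
             "classes.dex": b"dex\n035\x00original bytecode"}
    manifest = _manifest_for(files)
    if tamper:
        files[tamper] += b"\x00injected"
    files.update(extra or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()
```

Running `check_apk_manifest` on `build_sample_apk()` reports nothing; on `build_sample_apk(tamper="classes.dex", extra={"assets/payload.bin": b"..."})` it reports `classes.dex` as a digest mismatch and `assets/payload.bin` as uncovered. Treat either finding as grounds to pull the sample into full analysis rather than as proof of malice on its own.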
DieNet DDoS Campaign Across Gulf States (March 1–2, 2026)
- Threat actor: DieNet (pro-Iran/pro-Palestinian hacktivist group)
- Targets: Airports in Bahrain and the UAE (including Sharjah); Riyadh Bank (Saudi Arabia); Bank of Jordan; Kuwait Airport; government portals across Bahrain, Qatar, UAE, Kuwait, Saudi Arabia, and the US
- Attack type: Distributed Denial-of-Service (DDoS) using DDoS-as-a-service infrastructure
DieNet, a pro-Iran hacktivist group that emerged on Telegram in March 2025, conducted a large-scale DDoS campaign across multiple Gulf states in what it described as retaliation for perceived aggression against Iran. Unit 42 documented DieNet’s claims of attacks against airports in Bahrain and the UAE, the Riyadh Bank website, and the Bank of Jordan. CloudSEK’s situation report confirmed DieNet led campaigns against government portals, telecom providers, airports, and financial institutions across at least six countries. NETSCOUT had previously profiled DieNet as utilizing shared DDoS-as-a-service infrastructure capable of sustaining daily attacks. CyberKnow noted DieNet became the first hacktivist group in this conflict to expand targeting beyond the Gulf and US, suggesting attacks on Cyprus due to the UK military base at RAF Akrotiri.
Sources: Palo Alto Unit 42 (March 2, 2026); CloudSEK Situation Report (March 1–2, 2026); NETSCOUT; CyberKnow; Industrial Cyber (March 2, 2026)
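The hacktivist campaigns catalogued here (the late-June 2025 wave against US defense and financial sectors, and the DieNet campaign above) rely heavily on DDoS-as-a-service, which at the application layer shows up in ordinary web server access logs before it shows up anywhere else. The detector below is an added example for this brief, not code from Unit 42, CloudSEK or NETSCOUT: it reads Apache/nginx combined-format access logs and reports two things a per-IP rate limit alone misses, the single source hammering one endpoint and the low-and-slow distributed flood where hundreds of sources each stay under the per-IP threshold. The log lines, window sizes and thresholds are constructed assumptions and should be tuned to a site's real baseline; volumetric floods of the kind reported against Truth Social saturate links upstream of the web server and are handled at the network or scrubbing layer, not here.

```python
"""Flag HTTP-flood sources in web server access logs (constructed sample data below)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format; only the client IP, timestamp and request line are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("req")


def _events(lines):
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])  # logs are usually ordered, but do not rely on it
    return events


def flood_sources(lines, window_seconds=10, per_ip_threshold=50):
    """Return {ip: peak requests seen in any sliding window} for IPs over the threshold."""
    windows = defaultdict(deque)
    peaks = {}
    for ts, ip, _ in _events(lines):
        dq = windows[ip]
        dq.append(ts)
        while (ts - dq[0]).total_seconds() > window_seconds:
            dq.popleft()  # expire requests that fell out of the window
        if len(dq) >= per_ip_threshold and len(dq) > peaks.get(ip, 0):
            peaks[ip] = len(dq)
    return peaks


def distributed_flood(lines, window_seconds=10, total_threshold=500, max_share=0.05):
    """Catch the case per-IP thresholds miss: many sources each sending a little.
    Returns the busiest window in which total requests exceed total_threshold while
    no single IP accounts for more than max_share of them, or None."""
    window, counts, best = deque(), Counter(), None
    for ts, ip, _ in _events(lines):
        window.append((ts, ip))
        counts[ip] += 1
        while (ts - window[0][0]).total_seconds() > window_seconds:
            _, old = window.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        total = len(window)
        if total < total_threshold:
            continue
        top_share = max(counts.values()) / total
        if top_share <= max_share and (best is None or total > best["peak_total"]):
            best = {"at": ts, "peak_total": total, "distinct_ips": len(counts), "top_share": top_share}
    return best


def make_line(ip, ts, path="/"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def sample_log():
    """Constructed access log: three ordinary visitors, one single-source flood against
    /login, and one low-and-slow distributed flood from 200 addresses (3 requests each)."""
    base = datetime(2026, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [make_line(f"198.51.100.{i % 3 + 1}", base + timedelta(seconds=i), "/news") for i in range(30)]
    lines += [make_line("203.0.113.7", base + timedelta(milliseconds=50 * i), "/login") for i in range(80)]
    lines += [make_line(f"192.0.2.{i % 200}", base + timedelta(seconds=100, milliseconds=10 * i), "/")
              for i in range(600)]
    return lines
```

On the constructed sample, `flood_sources` names only 203.0.113.7 (80 requests in a 10-second window) and `distributed_flood` returns the window holding 600 requests from 200 distinct addresses with a top source share of 0.5%, which a per-IP rule would never trigger on. In production, feed the functions a tail of the live log and alert on the returned values rather than printing them.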
#OpIsrael Coordinated Campaign: NoName057(16) & Cyber Islamic Resistance (March 2, 2026)
- Threat actor: NoName057(16) (pro-Russian); Cyber Islamic Resistance coalition
- Targets: Israeli defense entities (including Elbit Systems); Israeli municipal government entities; Israeli health insurance provider
- Attack types: DDoS; data exposure; claimed intrusions; CCTV exfiltration
On March 2nd, Flashpoint reported on a coordinated campaign branded #OpIsrael, involving both pro-Iranian and pro-Russian-aligned actors. NoName057(16) and the Cyber Islamic Resistance coalition claimed large-scale DDoS activity targeting Israeli defense and municipal entities, including defense electronics manufacturer Elbit Systems. The Cyber Islamic Resistance separately claimed a breach of an Israeli health insurance provider and released internal CCTV footage as evidence of access. This represents a notable convergence of pro-Russian and pro-Iranian hacktivist ecosystems operating under a shared campaign banner.
Sources: Flashpoint (Mar 2, 2026, via Security Boulevard); Palo Alto Unit 42 (March 2, 2026)
Claimed ICS/SCADA Intrusion into Jordanian Grain Silo Company (March 2nd, 2026)
- Threat actor: Pro-Iranian hacktivist groups (specific group unconfirmed)
- Target: Jordan Silos and Supply General Company (critical food security infrastructure)
- Attack types: ICS/SCADA intrusion; alleged manipulation of temperature controls and weighing systems
Flashpoint reported that pro-Iranian hacktivist groups claimed to have successfully breached a major Jordanian grain silo company’s industrial control systems, including alleged manipulation of temperature controls and weighing systems. The groups reportedly detailed a phishing-based initial access vector. Nextgov/FCW and Defense One, citing Flashpoint intelligence shared directly with them, noted the claims remain unverified but represent a significant escalation toward high-impact targets with civilian and economic consequences. The Cyber Islamic Resistance Axis separately claimed responsibility for targeting 130 remote-control systems at Israeli industrial-control firm Control Applications Ltd.
Sources: Flashpoint (via Nextgov/FCW, Defense One, March 2nd, 2026); Security Boulevard (March 2nd, 2026); CyberNewscentre (March 2nd, 2026)
Handala Escalates to Physical Threats Against Diaspora Critics (March 2, 2026)
- Threat actor: Handala Hack (MOIS-linked hacktivist persona)
- Target: Iranian-American and Iranian-Canadian social media influencers
- Attack types: Doxxing; death threats; claimed leak of home addresses to physical operatives
Unit 42 reported that the Handala Hack persona escalated from cyber operations to direct physical threats, targeting at least two Iranian diaspora influencers (one based in the US, one in Canada) with death threats via email. The group also claimed to have leaked their home addresses to physical operatives in their respective locations. This represents a significant escalation from hacktivist disruption to threatened physical violence against perceived critics of the Iranian regime, blending cyber operations with intimidation tactics.
Sources: Palo Alto Unit 42 Threat Brief (March 2nd, 2026)
Google Threat Intelligence Confirms Resumed Iranian Cyberespionage (March 2nd, 2026)
- Threat actor: Iranian state-backed APT groups (unspecified)
- Target: US, Israel, and Gulf Cooperation Council (GCC) countries
- Attack types: Cyberespionage; disruptive attacks; hacktivist front coordination
Google Threat Intelligence Group chief analyst John Hultquist confirmed on March 2nd that Iranian cyberespionage operations had resumed after a brief lull during the initial military strikes, and that hacktivist fronts with ties to the IRGC were making claims and threats about disruptive attacks in the region. Hultquist stated he expects Iran to target the US, Israel, and GCC countries with disruptive cyberattacks focusing on targets of opportunity and critical infrastructure. He noted that while Iran frequently exaggerates the effects of its operations to boost psychological impact, they can have serious consequences for individual enterprises. Hultquist assessed that operations would likely resemble Iran’s cyber activity during the Israel-Hamas war, with data-wiping malware following initial reconnaissance.
Sources: The Register (March 2nd, 2026); Nextgov/FCW (March 2nd, 2026); Euronews (March 2nd, 2026, citing Google Threat Intelligence Group)
Iran Internet Blackout Enters Fourth Day; DHS Secretary Confirms Coordination (March 3rd, 2026)
As of March 3rd, NetBlocks confirmed that Iran’s nationwide internet blackout had entered its fourth day, with over 72 hours of near-total shutdown affecting a population of over 90 million. Connectivity remained at approximately 1% of ordinary levels. NetBlocks warned that the silencing of authentic Iranian voices was fueling a surge in misinformation as pro-regime accounts filled the information void. Separately, DHS Secretary Kristi Noem stated she was in direct coordination with federal intelligence and law enforcement partners to monitor and counter potential threats to the homeland. Noem was expected to testify before the Senate Judiciary Committee on March 3rd, where she was anticipated to face questions about CISA staffing levels. Recorded Future assessed it had not yet observed direct targeting of US government agencies or private sector critical infrastructure attributable to Iranian threat actors, but noted Iranian cyber operators were likely in a defensive posture with widespread blackouts amplifying the lack of visibility.
Sources: NetBlocks (March 3, 2026); CNBC (March 3, 2026); Nextgov/FCW (March 2–3, 2026, citing DHS Secretary Noem statement); News.Az (March 3, 2026); Recorded Future (via Nextgov/FCW)
Jordan Confirms Thwarted Iranian Cyberattack on National Wheat Silos (March 3rd, 2026)
- Threat actor: Iranian state-attributed (confirmed by Jordanian National Cybersecurity Center)
- Target: Jordanian Public Corporation for Silos and Supply — national wheat storage systems
- Attack types: Advanced malware targeting ICS/SCADA temperature control and weighing systems
Jordan’s National Cybersecurity Center officially confirmed on March 3rd that it had thwarted a cyberattack targeting the electronic control systems of the country’s national wheat silos. Center Director Mohammed Al-Samadi stated that technical investigations traced the attack to Iran. The attackers attempted to manipulate temperature control systems in the silos, which could have caused significant damage to the kingdom’s strategic wheat reserves. The Roya News report confirmed the attack was immediately neutralized with no impact on silo operations or the safety of stored grain. This represents the first government-confirmed attribution of an ICS-targeting cyberattack to Iran in the current conflict phase, corroborating earlier Flashpoint reporting of unverified claims against Jordanian grain infrastructure on March 2nd. The Record (Recorded Future) separately confirmed the Jordanian government’s announcement.
Sources: Roya News (March 3rd, 2026); The Record (March 3rd, 2026); Voice of Emirates (March 3rd, 2026); UkrAgroConsult (March 3rd, 2026)
US Cyber Command Role in Operation Epic Fury Officially Confirmed (March 3rd, 2026)
- Threat actor: US Cyber Command/US Space Command (offensive operations)
- Target: Iranian communications infrastructure, sensor networks, command and control systems
- Attack types: Coordinated cyber and space operations; communications disruption; sensor network degradation
Joint Chiefs of Staff Chairman Gen. Dan Caine publicly confirmed at a Pentagon press conference on March 3rd that US Cyber Command and US Space Command were among the “first movers” that began layering non-kinetic effects to support Operation Epic Fury. Caine stated that coordinated space and cyber operations effectively disrupted communications and sensor networks across the area of responsibility, leaving the adversary without the ability to see, coordinate, or respond effectively. The Record (Recorded Future) had previously reported that Cyber Command disrupted Iranian missile defense systems during the June 2025 nuclear strikes. This official confirmation represents the most detailed public acknowledgment of offensive cyber operations in an active US military campaign since the June 2025 strikes.
Sources: The Record (March 3, 2026); Pentagon press conference (March 3, 2026); Recorded Future News
Pro-Russian Hacktivist Groups Formally Join Iranian Cyber Offensive (March 2–3, 2026)
- Threat actor: Cardinal; NoName057(16); Russian Legion (all pro-Russian hacktivist groups)
- Targets: Israel Defense Forces (IDF) networks; Israeli municipal, telecom, and defense entities; Israel’s Iron Dome missile defense system (claimed)
- Attack types: Claimed network intrusion; DDoS; data exfiltration; claimed ICS access
Unit 42 reported on March 3rd that multiple pro-Russian hacktivist groups have formally aligned with Iranian-backed operations. Cardinal, assessed as state-aligned but likely independently funded, claimed to have infiltrated IDF networks, referencing a purportedly confidential document related to “Magen Tsafoni” (Northern Shield) containing operational movement details and contact information. NoName057(16) claimed DDoS operations against Israeli municipal, political, telecom, and defense-related entities. Most dramatically, the Russian Legion collective claimed to have accessed Israel’s Iron Dome missile defense system, alleging real-time monitoring, radar control, and system paralysis. SOCRadar’s March 3rd update confirmed that pro-Russian hackers had formally joined the cyber conflict, recording over 600 distinct cyberattack claims across more than 100 Telegram channels within 15 days. These claims remain unverified. SecurityWeek and Check Point noted that many hacktivist breach claims have been confirmed as fake or recycled by Hudson Rock.
Sources: Palo Alto Unit 42 (March 2–3, 2026); SOCRadar (March 3, 2026); SecurityWeek (March 3, 2026); Check Point Research; Hudson Rock
MuddyWater APT Launches Operation Olalampo; Sicarii RaaS Escalates (March 3rd, 2026)
- Threat actor: MuddyWater APT (IRGC/MOIS-linked); Sicarii ransomware group
- Targets: Organizations across Middle East, Turkey, and Africa (META region); US entity
- Attack types: Novel Rust-based backdoor malware (CHAR, GhostBackDoor); Telegram-based C2; destructive ransomware with irrecoverable encryption
Halcyon’s Ransomware Research Center reported on March 3rd that it had identified MuddyWater APT conducting a structured cyber offensive operation designated Operation Olalampo, targeting the META region. Group-IB’s analysis revealed the operation, first observed January 26th, 2026, deployed four previously unknown malware variants including CHAR (a Rust-based backdoor) and GhostBackDoor, with Telegram used as command-and-control infrastructure. The operation’s TTPs overlap with the separately tracked RedKitten campaign (APT42-linked), suggesting shared infrastructure across Iranian-aligned actors. Separately, Halcyon flagged that the Sicarii ransomware group, which surfaced in December 2025, has a critical encryption flaw that permanently destroys data with no recovery path even if the ransom is paid. Sicarii has recently signaled intent to dramatically expand its targeting volume. Observed victims are mostly within the META region, with one US-based entity.
Sources: Halcyon Ransomware Research Center (Mar 3, 2026); Group-IB (Operation Olalampo analysis); SecurityOnline
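Telegram as command-and-control, as reported for Operation Olalampo, means the implant talks to the Bot API over ordinary HTTPS, polling for commands and posting results. That traffic blends in on the wire but stands out behaviourally: a non-messaging process on an endpoint polling `api.telegram.org` on a regular cadence. The detector below is an added example written for this brief, not code from Halcyon or Group-IB, and it does not claim to match the specific malware: it reads proxy or EDR network events (assumed here to be JSON lines from a TLS-inspecting proxy that records process name and URL path, a constructed format) and flags hosts where a process outside an allowlist contacts the Bot API, scoring the connections as a beacon when their intervals are regular. The allowlist, thresholds, host names, process names and the bot token in the sample are all constructed assumptions; the Bot API URL shape (`/bot<token>/<method>`) and the `getUpdates` polling method are Telegram's documented API.

```python
"""Flag periodic Telegram Bot API polling from unexpected processes in proxy/EDR logs."""
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BOT_API_HOST = "api.telegram.org"
# Bot API URLs look like /bot<numeric id>:<secret>/<method>; capture the method, never log the token.
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")
# Assumption: processes approved to use the Bot API are maintained here (sample value only).
ALLOWED_PROCESSES = {"approved-bot-bridge.exe"}


def parse_events(lines):
    """Keep only connections to the Bot API; reduce each to host, process, time and API method."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("dest") != BOT_API_HOST:
            continue
        m = BOT_PATH_RE.match(rec.get("path", ""))
        events.append({"ts": datetime.fromisoformat(rec["ts"]), "host": rec["host"],
                       "process": rec["process"], "method": m.group("method") if m else None})
    return events


def find_beacons(lines, min_hits=5, max_cv=0.2):
    """Group Bot API connections by (host, process). A group is reported when the process is
    not allowlisted, or when it has at least min_hits connections whose inter-connection
    intervals are regular: coefficient of variation (stdev / mean) at or below max_cv."""
    groups = defaultdict(list)
    for ev in parse_events(lines):
        groups[(ev["host"], ev["process"])].append(ev)
    findings = []
    for (host, proc), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv, periodic = None, False
        if len(evs) >= min_hits:
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else None
            periodic = cv is not None and cv <= max_cv
        if periodic or proc.lower() not in ALLOWED_PROCESSES:
            findings.append({"host": host, "process": proc, "hits": len(evs), "periodic": periodic,
                             "cv": cv, "methods": sorted({e["method"] for e in evs if e["method"]})})
    return findings


def sample_log():
    """Constructed proxy log (JSON lines): one process polling getUpdates roughly every 60 s and
    then uploading a file, one browser visit, and unrelated traffic the detector must ignore."""
    base = datetime(2026, 3, 3, 9, 0, 0, tzinfo=timezone.utc)
    token = "123456789:AAExampleTokenNotReal"  # constructed, not a real bot token

    def rec(offset, host, process, dest, path):
        return json.dumps({"ts": (base + timedelta(seconds=offset)).isoformat(),
                           "host": host, "process": process, "dest": dest, "path": path})

    lines = [rec(t, "WS-101", "OneDriveUpdater.exe", BOT_API_HOST, f"/bot{token}/getUpdates")
             for t in (0, 60, 121, 180, 242, 300, 361, 420)]
    lines.append(rec(480, "WS-101", "OneDriveUpdater.exe", BOT_API_HOST, f"/bot{token}/sendDocument"))
    lines += [rec(t, "WS-202", "chrome.exe", BOT_API_HOST, "/") for t in (15, 900)]
    lines += [rec(t, "WS-303", "svchost.exe", "update.microsoft.com", "/") for t in (5, 65, 125)]
    return lines
```

On the constructed sample, WS-101's `OneDriveUpdater.exe` is reported as periodic (nine hits, coefficient of variation about 0.02, methods `getUpdates` and `sendDocument`), the two browser hits from WS-202 surface only as a non-allowlisted process for review, and the Windows Update traffic is ignored. The method list is the useful pivot for a responder: steady `getUpdates` polling followed by `sendDocument` or `sendMessage` is the shape of tasking plus exfiltration, and the bot id in the path can be passed to Telegram's abuse process without exposing the secret.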
Multiple Firms Confirm: State-Sponsored Attacks Remain Low Despite Hacktivist Surge (March 3rd, 2026)
Multiple major cybersecurity firms independently issued assessments on March 3rd converging on a significant finding: despite the massive volume of hacktivist claims, no significant state-sponsored cyber escalation has been observed.
Cisco Talos stated it had not seen any significant cyber impacts associated with state-sponsored or state-affiliated groups, with activity limited to web defacements and small-scale DDoS. Check Point reported that some government actors, including Cotton Sandstorm (Emennet Pasargad) and Void Manticore (Handala), have reactivated old hacktivist personas to claim operations. Cloudflare CEO Matthew Prince stated that Iranian cyber operations have dropped dramatically. Hudson Rock confirmed that many data breaches claimed by hackers in recent days are fake, with groups recycling previously leaked data. Sophos assessed a surge in hacktivist activity but not an escalation in risk, noting that emerging groups including Cyber Toufan, Cyber Support Front, and Iranian Avenger are primarily engaging in unsophisticated tactics and broad embellished claims. This consensus suggests that the near-total internet blackout and leadership decapitation are constraining state-directed operations in the near term, though all firms warned this could change rapidly.
Sources: SecurityWeek (March 3rd, 2026); Cisco Talos (March 3rd, 2026); Sophos (March 2–3, 2026); Dark Reading (March 3rd, 2026); Check Point Research; Cloudflare; Hudson Rock
BaqiyatLock RaaS Offers Free Access; INC Ransomware Lists Israeli Firm (March 2–3, 2026)
- Threat actor: BaqiyatLock (RaaS group); Tarnished Scorpius / INC Ransomware
- Targets: Israeli commercial entities; Israeli industrial machinery company
- Attack types: Ransomware-as-a-service recruitment; ransomware deployment; ideological defacement
Sophos CTU researchers observed on the group’s Telegram channel that the BaqiyatLock ransomware-as-a-service operation publicly offered free affiliate membership to any hacktivist willing to target Israeli interests. This represents a convergence of criminal ransomware infrastructure with ideologically motivated hacktivism, lowering the barrier for destructive attacks. Separately, Unit 42 reported that the INC Ransomware group (tracked as Tarnished Scorpius) listed an Israeli industrial machinery company on its leak site and replaced the company logo with a swastika, blending ransomware extortion with antisemitic propaganda. The use of ransomware infrastructure for ideologically motivated destruction rather than financial gain is consistent with historical Iranian cyber tactics, including the 2022 attack on the Albanian government.
Sources: Sophos CTU (March 2–3, 2026); Palo Alto Unit 42 (March 3, 2026); Dark Reading (March 3, 2026)
UK NCSC and CISA Leadership Updates; Heightened Risk Window Warning (March 3–4, 2026)
- Issuing bodies: UK National Cyber Security Centre (NCSC); CISA; HSToday; CNBC
- Key development: International advisory issued; CISA leadership stabilized under Nick Andersen; 0–30 day heightened risk window assessed
The UK’s National Cyber Security Centre issued an advisory on March 2–3 urging British organizations to review their cyber security posture in response to the Middle East conflict. The NCSC assessed that while there is likely no significant change in the direct cyber threat from Iran to the UK at present, organizations should take precautionary steps. In the US, CISA’s leadership transition stabilized with Nick Andersen, previously executive assistant director for cybersecurity, formally serving as Acting Director following Gottumukkala’s reassignment. Nextgov/FCW reported on March 3–4 that Sean Plankey, the Trump administration’s nominee for permanent CISA director, is expected to depart his Coast Guard role imminently. FDD’s Mark Montgomery warned that CISA needs Senate-confirmed leadership immediately given the ongoing conflict. CNBC quoted Tenzai CEO Pavel Gurvich warning that the danger of Iranian cyberattacks is meaningfully higher now, stating Iran may have stored capabilities waiting for a high-risk moment to launch. HSToday published a detailed assessment by James Turgal identifying the next 0–30 days as a heightened risk window, with an expected uptick in disruptive and symbolic cyber operations tied to Iranian state actors.
Sources: UK NCSC (March 2–3, 2026); Nextgov/FCW (March 3–4, 2026); CNBC (March 3, 2026); HSToday (March 3, 2026); Federal News Network (February 28–March 3, 2026); Cybersecurity Dive; Foundation for Defense of Democracies
Key Threat Actor Summaries
Relevant US Government Advisories
Multiple US government agencies have issued formal advisories directly related to Iranian cyber threats in the context of this conflict:
Assessment & Outlook: US-Israel-Iran Conflict
The February 28th, 2026 strikes represent a significant escalatory event in the cyber dimension of the conflict. Multiple credible assessments converge on the following outlook:
Near-Term Threat (1–4 weeks): Active and Escalating
As of March 3rd, the conflict has entered a phase of decentralized, proxy-driven cyber retaliation. CrowdStrike reports a surge in hacktivist claims spanning DDoS, defacements, and alleged interference across the Middle East, the US, and parts of Asia. Flashpoint reports the Cyber Islamic Resistance coalition, Fatimiyoun Electronic Team, and multiple hacktivist groups have begun active offensive operations. Unit 42 assesses approximately 60 hacktivist groups are now active, including pro-Russian groups operating under the new “Electronic Operations Room” umbrella. Google Threat Intelligence confirms Iranian state-backed cyberespionage has resumed after an initial lull. Anomali assesses that pre-positioned implants and foreign-based operators can continue operating despite the domestic internet blackout. Fortune reported (citing Flashpoint’s Raines) that Iranian leadership decapitation is producing more unpredictable attacks driven by mid-level operatives without central oversight.
Critical Assessment Shift
Unit 42 assesses that while state-aligned nation-state groups within Iran are likely hampered by the internet blackout and leadership degradation in the near term, state-aligned cyber units may be acting in operational isolation, producing deviations from established patterns. Hacktivist groups based outside Iran are expected to generate low-to-medium sophistication disruptions. However, the ICS/SCADA intrusion claims against Jordanian grain infrastructure and Israeli control systems signal an elevated risk to operational technology environments. Flashpoint and multiple firms agree the cyber domain is shifting toward high-impact targets with civilian and economic consequences.
Priority Targets
US critical infrastructure sectors including water and wastewater, energy/power grid, healthcare, telecommunications, the defense industrial base (particularly firms with Israeli partnerships), financial services, and transportation. CISA has specifically warned about OT/ICS environments running unpatched systems with default credentials. Gulf state infrastructure (airports, banks, telecoms) is facing active DDoS campaigns. Organizations with Middle East cloud hosting face cloud concentration risk following the AWS disruptions.
Operational Constraints
CISA is operating with reduced staffing due to DHS funding lapses, reducing domestic detection and response capacity at a critical moment. DHS Secretary Noem is expected to face Senate questioning on this issue. Recorded Future notes Iranian cyber operators are likely in a defensive posture, with widespread blackouts amplifying the lack of visibility into state-directed operations. This creates a dangerous gap: sophisticated state attacks may be in preparation but invisible to defenders until execution.
At Flare, we will continue to monitor this conflict and update this article as we learn more information.
Threat Intelligence
Monitor State-Linked Cyber Threats as They Emerge
The US-Israel-Iran conflict has unleashed a wave of cyber operations spanning hacktivist groups, nation-state APTs, and ransomware affiliates. Flare continuously monitors the dark web, illicit Telegram channels, and threat actor infrastructure so your team can detect and respond to emerging threats before they reach your organization.