
This brief catalogues confirmed and credibly reported cyber operations from the last 24 hours directly linked to the US-Israel-Iran military conflict. The conflict entered its 41st day on April 9, 2026. For historical entries and background context, refer to TIB-2026-0408-IRAN Rev. 38.
The two-week ceasefire announced on April 7 took effect on April 8. Within hours, both sides accused each other of violations. Israel launched Operation Eternal Darkness against Hezbollah in Lebanon, striking over 100 targets in 10 minutes across Beirut, southern Lebanon, and the Bekaa Valley. Lebanon reported 182 killed on April 8, the highest single-day death toll of the Israel-Hezbollah war. Iran accused the US of violating three of its 10 ceasefire conditions: continued Israeli strikes in Lebanon, an alleged drone incursion into Iranian airspace, and denial of uranium enrichment rights. Iranian Parliament Speaker Ghalibaf called the ceasefire “unreasonable” under current conditions. VP Vance stated the ceasefire never included Lebanon. The ceasefire remains fragile and should not be interpreted as a reduction in cyber threat levels.
Iran launched missiles and drones toward Israel and multiple Gulf states on April 8 despite the ceasefire. Kuwait reported 28 drone attacks, the UAE reported 35, and Qatar confirmed intercepting 7 missiles and drones. A fire broke out at Abu Dhabi’s Habshan gas complex. A Saudi pipeline was hit directly by a drone. Kuwait reported significant damage to oil facilities, power stations, and water desalination plants. The Lavan Oil Refinery on Lavan Island was struck after the ceasefire took effect. Iranian-allied groups in Iraq hit a diplomatic support centre at Baghdad International Airport. The US embassy issued a warning to citizens in the region.
Handala announced on April 8 that it was temporarily postponing attacks on the US but would continue to target Israel. Handala stated on X: “The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.” Nozomi Networks cybersecurity executive Markus Mueller assessed that cyber activity would likely expand in scale and scope during the ceasefire, as proxy groups shift from regional targets to US organizations involved in the war effort. CISA did not respond to questions about the ceasefire’s impact on cybersecurity posture. DomainTools Investigations published a report this week identifying Homeland Justice, Karma/KarmaBelow80, and Handala Hack as a single coordinated cyber influence ecosystem aligned with MOIS, not distinct hacktivist groups. JUMPSEC published findings linking MuddyWater to the CastleRAT criminal framework and a new blockchain-based malware called ChainShell. The Iran internet blackout entered Day 41 on April 9 with connectivity at approximately 1% of pre-war levels.
We will continue to update this timeline with the most recent information as the situation develops.
For customers seeking further details, please reach out to your Customer Success Manager, and for non-customers please reach out here.
US-Israel-Iran Conflict Timeline & Cyber Context
The cyber operations documented in this brief are responses to three major kinetic escalations:
Confirmed & Credibly Reported Cyber Attacks
We are updating this section to include only the newest incidents. For customers seeking further details of past incidents, please reach out to your Customer Success Manager, and for non-customers please reach out here.
CSIS Assesses Iran Cyber Posture Shifted to Sustained Strategic Campaign Against US Critical Infrastructure (April 10, 2026)
- Threat actor: Iranian state-sponsored APTs / IRGC / MOIS / proxy hacktivist ecosystem
- Target: US energy, water, transportation, and government sectors
- Attack type: Strategic assessment; pre-positioning for future escalation; ICS/OT exploitation; legacy system targeting
CSIS published an analysis on April 10 assessing that Iran’s approach to cyber conflict is no longer episodic or symbolic but reflects a sustained, strategic posture. The report identified Iranian actors as positioned to exploit legacy industrial control systems and weak network segmentation in US critical infrastructure, with the objective of pre-positioning access for future escalation rather than achieving immediate disruption. CSIS noted that Iran’s cyber doctrine favors asymmetric responses, using cyber operations as a lower-cost, deniable alternative to direct military retaliation. The use of proxies enables scale and plausible deniability while complicating attribution.
The analysis highlighted that the energy sector remains the primary target, citing data from the European Repository of Cyber Incidents showing that energy sector cyberattacks were second only to telecommunications during periods of geopolitical conflict. CSIS assessed that the current threat environment is uniquely volatile because of the blend of state capability and proxy intent. The report warned that pre-positioned access inside US networks may only surface during moments of geopolitical crisis, creating latent risk that is difficult to detect. The findings reinforce the CISA AA26-097A advisory and underscore the need for accelerated ICS/OT hardening across all sectors.
Sources: CSIS (Apr 10, 2026); Industrial Cyber (Apr 10); Utility Dive (Apr 9); Cybersecurity Dive (Apr 9)
NERC Confirms Active Grid Monitoring Following CISA PLC Advisory; 3,000+ Rockwell Devices Remain Exposed (Apr 9, 2026)
- Threat actor: Iranian-affiliated APT / CyberAv3ngers / Shahid Kaveh Group / IRGC CEC
- Target: US energy grid; water and wastewater systems; government services
- Attack type: PLC exploitation; SCADA/HMI data manipulation; operational disruption
NERC confirmed on April 9 that it is actively monitoring the grid and coordinating with the Department of Energy and the Electricity Subsector Coordinating Council in response to the CISA advisory AA26-097A on Iranian-affiliated PLC exploitation. The advisory, issued on April 7, documented active exploitation of internet-facing Rockwell Automation/Allen-Bradley PLCs across multiple US critical infrastructure sectors including energy, water, and government facilities. The attacks resulted in operational disruption and financial loss at victim organizations.
Nozomi Networks field CISO Markus Mueller confirmed that over 3,000 Rockwell devices remain visible on the public internet, creating a significant attack surface. Check Point Research threat intelligence group manager Sergey Shykevich stated that the targeting patterns were consistent with activity observed against Israeli PLCs in March. The advisory identified malicious traffic directed at ports 44818, 2222, 102, 22, and 502, and noted that targeting of ports associated with other OT vendors suggests the campaign may extend beyond Rockwell devices. The ceasefire does not address ongoing PLC exploitation, and all victim organizations are urged to implement mitigations immediately.
Sources: Utility Dive (Apr 9, 2026); CISA Advisory AA26-097A (Apr 7); Cybersecurity Dive (Apr 9); SecurityWeek (Apr 7); The Hacker News (Apr 9); CyberScoop (Apr 7); Nozomi Networks; Check Point Research
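The five ports named in the advisory give defenders something concrete to hunt for in perimeter logs. The script below is an added example, not code from the brief or from CISA: it parses constructed firewall log lines, flags allowed sessions from outside RFC 1918 space to those ports, and lists sources that touch several OT ports at once. The log format, addresses, and the assumption that the OT estate lives in private address space are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the advisory associates with malicious traffic toward PLCs:
# 44818/2222 EtherNet/IP (CIP), 102 ISO-TSAP (S7), 22 SSH, 502 Modbus TCP.
OT_PORTS = {44818, 2222, 102, 22, 502}
# Assumption: the OT environment uses RFC 1918 space; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed firewall log lines (sample data, not a real capture).
SAMPLE_LOG = """\
2026-04-09T02:11:03Z action=allow src=203.0.113.7 dst=10.20.5.11 dport=44818 proto=tcp
2026-04-09T02:11:04Z action=allow src=203.0.113.7 dst=10.20.5.11 dport=2222 proto=tcp
2026-04-09T02:11:09Z action=allow src=203.0.113.7 dst=10.20.5.12 dport=502 proto=tcp
2026-04-09T02:12:30Z action=allow src=10.20.1.40 dst=10.20.5.11 dport=44818 proto=tcp
2026-04-09T02:13:00Z action=deny src=198.51.100.9 dst=10.20.5.12 dport=102 proto=tcp
2026-04-09T02:14:15Z action=allow src=198.51.100.22 dst=10.20.9.3 dport=443 proto=tcp
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line):
    """Parse one key=value log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def find_exposed_ot_sessions(log_text):
    """Allowed sessions from external sources to OT ports, plus the port set each source touched."""
    hits, ports_by_src = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        if rec["dport"] in OT_PORTS and is_external(rec["src"]):
            hits.append(rec)
            ports_by_src[rec["src"]].add(rec["dport"])
    return hits, dict(ports_by_src)

def find_multi_port_sources(ports_by_src, threshold=2):
    """Sources reaching several OT ports: probing across protocols, not one misconfigured client."""
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)
```

Any hit at all means a PLC is reachable from outside the control network; the multi-port list separates a sweep across protocols from a single stray client.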
Signature Healthcare Brockton Hospital Cyberattack Enters Day 4; Dark Web Breach Listing Confirmed (April 9, 2026)
- Threat actor: Unknown; no group has claimed responsibility
- Target: Signature Healthcare Brockton Hospital (Massachusetts); 216-bed community hospital; 15 care locations
- Attack type: Network compromise; EHR system disruption; ambulance diversion; pharmacy closure; data breach
Signature Healthcare Brockton Hospital continued operating under downtime procedures on April 9, entering the fourth day of disruption following a cyberattack detected on April 6. On April 9, dark web monitoring sites reported that Signature Healthcare had been named as a data breach victim, indicating that threat actors may have exfiltrated sensitive patient data. The hospital treats approximately 70,000 patients per year across Southeastern Massachusetts.
The attack forced the diversion of ambulance traffic to alternate facilities, the cancellation of chemotherapy infusion services on April 7, the closure of retail pharmacies in Brockton and East Bridgewater, and the shutdown of electronic medical record systems and the patient portal. Chemotherapy treatments partially resumed on April 8 under safety protocols. Surgeries and emergency services continued throughout the incident. Signature Healthcare COO Kim Walsh confirmed the hospital is working with federal officials and third-party cybersecurity specialists to investigate the source and scope of the breach. No ransomware group or hacktivist persona has claimed responsibility as of April 9.
Sources: Boston Globe (Apr 7, 2026); TechTarget (Apr 7); HIPAA Journal (Apr 8); SecurityAffairs (Apr 8); The Cyber Express (Apr 9); Migliaccio & Rathod (Apr 9); GovInfoSecurity (Apr 7)
Iran Rejects Temporary Ceasefire; Proposes 10-Point Counterplan; Hezbollah Resumes Strikes on Northern Israel (April 9, 2026)
- Target: Ceasefire framework stability; Israeli civilian areas; cyber threat posture implications
- Attack type: Kinetic-cyber hybrid escalation risk; diplomatic rejection; Hezbollah rocket attacks
Iran delivered a formal response to the United States via Pakistan on April 9 rejecting the temporary ceasefire and proposing its own 10-point plan. The counterproposal includes demands for a solution to all regional conflicts, full lifting of sanctions, reconstruction assistance, and a protocol to reopen the Strait of Hormuz. Iranian Ambassador to Pakistan Reza Amiri-Moghaddam described the negotiations as having reached a critical, sensitive stage. Iranian parliamentary speaker Mohammad Bagher Ghalibaf stated the agreement had been violated and argued that a bilateral ceasefire was unreasonable under current conditions.
Hezbollah claimed responsibility for rocket attacks on Kiryat Shmona, Taibe, and Manara in northern Israel in the early hours of April 9, stating that attacks would continue until Israel stopped operations in Lebanese territory. The Strait of Hormuz remains effectively closed despite ceasefire provisions requiring its reopening, with Iran charging tolls exceeding $1 million per ship. Only four dry cargo vessels managed to pass on the first day of the truce, against a wartime daily average of nine ships. No new missile or drone attacks were reported against Gulf states on April 9. Pakistani diplomatic efforts reportedly prevented an Iranian retaliatory strike overnight on April 8-9 in response to Israeli operations in Lebanon. Organizations should continue to assume that kinetic escalation could resume at any point and maintain maximum cyber defensive posture.
Sources: Wikipedia (Apr 10, 2026); PBS (Apr 8-9); CBS (Apr 8-9); Washington Post (Apr 8); Times of Israel (Apr 8)
Iran Internet Blackout Enters Day 42; 970+ Consecutive Hours Offline; Ceasefire Does Not Address Connectivity (April 10, 2026)
- Target: Iranian civilian population (90+ million)
- Attack type: Near-total internet blackout; connectivity at 1% of pre-war levels; National Information Network whitelist enforcement
The internet blackout entered its 42nd consecutive day on April 10, with connectivity remaining at approximately 1% of pre-war levels. The blackout has exceeded 970 consecutive hours, extending the longest nationwide shutdown on record. Only whitelisted officials and state-run media outlets retain access through a controlled whitelist system. The domestic intranet remains operational. The ceasefire does not include any provisions addressing internet connectivity for the 90 million civilians who remain cut off.
The blackout continues to have no measurable impact on externally based proxy groups, who operate from Starlink and other circumvention infrastructure outside Iran. Mesh networking apps remain the primary alternative communication method for civilians inside the country. The blackout effectively limits state-sponsored groups operating from within Iran while having no constraining effect on geographically dispersed proxy operators. The lack of internet connectivity also prevents civilian access to missile alert systems, with the crowdsourced Mahsa Alert app and website serving as a critical workaround.
Sources: Wikipedia (Apr 10, 2026); NetBlocks (Apr 6); Al Jazeera (Apr 5); The National (Apr 5); Iran International (Apr 2026)
Key Threat Actor Summaries
Relevant Government Advisories
New advisories issued since previous report (April 9):
For historical advisories, please reach out to your Customer Success Manager if you are a customer, and reach out here if you are not a customer.
Assessment & Outlook
The conflict has entered its 41st day. As of April 10, the following assessment reflects developments from the previous 24 hours.
Near-Term Threat (1-4 weeks): CRITICAL & DETERIORATING
Iran’s formal rejection of the temporary ceasefire framework and submission of a 10-point counterplan signals that the diplomatic process remains far from resolution. Hezbollah’s resumption of rocket attacks on northern Israel on April 9 demonstrates that proxy kinetic operations are continuing regardless of the ceasefire. The Strait of Hormuz remains effectively closed. Pakistani diplomatic efforts prevented an overnight Iranian retaliatory strike on April 8-9, but this intervention underscores the fragility of the current pause. Organizations should assume that kinetic and cyber escalation could resume at any point.
The CSIS assessment published on April 10 reframes the threat environment. Iran’s cyber operations are no longer reactive or episodic but reflect a sustained strategic posture aimed at pre-positioning access inside US critical infrastructure networks. The convergence of state-sponsored APTs, proxy hacktivists, and commercially available criminal tooling creates a layered threat that is difficult to detect and attribute. The NERC confirmation of active grid monitoring and the continued exposure of over 3,000 Rockwell PLCs on the public internet indicate that the attack surface remains large and inadequately defended.
The Signature Healthcare cyberattack, while not yet attributed to an Iranian actor, fits the pattern of healthcare targeting observed throughout the conflict. The dark web data breach listing on April 9 suggests that exfiltration occurred prior to or during the disruption phase. Healthcare organizations should treat this as a warning indicator and review their own exposure to similar attack vectors.
Priority Targets (Updated April 10)
- US critical infrastructure with internet-facing PLCs and OT devices (CRITICAL, ESCALATED): CISA advisory AA26-097A and CSIS analysis both confirm active exploitation and pre-positioned access. Over 3,000 Rockwell devices remain exposed. NERC is actively monitoring. Remove all PLCs from direct internet exposure immediately.
- US energy grid operators and utilities (CRITICAL, ELEVATED): CSIS identified the energy sector as the primary target based on historical incident data and current threat activity. NERC is coordinating with DOE and the Electricity Subsector Coordinating Council. All grid operators should assume they are targets.
- US healthcare organizations (CRITICAL, ELEVATED): Signature Healthcare attack represents the latest in a series of healthcare-sector incidents during the conflict. Organizations should audit EHR systems, validate backup procedures, and prepare downtime protocols.
- US data centers, tech companies, and defense contractors (CRITICAL, ONGOING): Nozomi Networks assessment indicates these sectors are likely targets during the ceasefire period as proxy groups shift focus from regional to US targets.
- Maritime, energy, and financial sectors (CRITICAL, ONGOING): Strait of Hormuz remains effectively closed. Financial markets remain volatile. Prepare for potential ceasefire breakdown.
At Flare, we will continue to monitor this conflict and update this article as we learn more information.