One Iran hacking group was told to pause ‘overt’ attacks. But for others, the ceasefire is go time
A pause in the conflict between the United States and Iran doesn’t mean that Iranian hackers and their allies in other countries who have been attacking and threatening critical infrastructure will set aside their weapons, as statements released after the diplomatic pact went into effect reflect.
The Iranian hacker group behind a massive wiper attack on a U.S. medical technology company and the breach of the FBI director’s personal email declared today that some of its members had been killed in the war and that it would not recognize a cessation in hostilities — yet, at the same time, it has “currently postponed overt confrontation” with the United States per “highest leadership” orders.
“The cyber war did not begin with the military conflict, and it will not end with any military ceasefire,” Handala, which is backed by the Iranian government, said in a statement posted to its Telegram channel. “Our cyber jihad is the extension of our martyrs’ blood, and it will go on until full vengeance is achieved.”
On Sunday, Handala claimed that they were poised to inflict water, electricity and oil sector attacks on the United States and its allies of a caliber to “send your lives back to the Middle Ages” if the U.S. hits Iran’s power grid, as President Donald Trump had threatened.
After the two-week ceasefire between the U.S. and Iran was announced Tuesday evening, Handala said it “continues its cyber operations” against Israeli infrastructure “at full force” for the time being.
“Rest assured: when the time comes, the darkest of nights will have only just begun for America and all its supporters,” the group vowed.
Yet CyberAv3ngers, an Iranian cyber actor affiliated with the Islamic Revolutionary Guard Corps that has claimed multiple critical infrastructure attacks in the past several years, primarily against the energy and water sectors in the United States, Israel and elsewhere, indicated on its Telegram channel that it was proceeding with attacks on both U.S. and Israeli interests.
In posts late Tuesday (EST), CyberAv3ngers shared a video screen grab to support its claim that it had tampered with alert sirens in Israel.
Then, they posted images of screens that appeared to be associated with industrial control systems. CyberAv3ngers claimed that an operative “has access to America’s electrical infrastructure and telecommunications sites, May God bless the American people.”
A multi-agency U.S. government advisory issued Tuesday warned of Iran-affiliated threat actors exploiting internet-facing operational technology devices, including programmable logic controllers, leading to “disruptions across several U.S. critical infrastructure sectors” including water, energy and government. The advisory noted that the campaign was similar to CyberAv3ngers’ attacks that began in November 2023. “Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel,” the advisory warned.
On March 27, Handala, APT IRAN and CyberAv3ngers vowed to inflict “irreparable damages” on U.S. water infrastructure if water systems in Iran are threatened, APT IRAN said in a Telegram post announcing the groups’ alliance.
Cyber Islamic Resistance posted on their Telegram channel Tuesday evening, “Trump the fool! … We are sprouting like olive seeds in our land. We will witness a large-scale attack on the Zionist entity’s servers. Our strikes are powerful and painful.”
They also posted a message from the Russian hacking group Killnet’s Telegram channel: “Our friends in Iran are going through a difficult time right now; let us support our brothers’ resistance against all American and Israeli scum,” said Killnet, which specializes in DDoS attacks.
RuskiNet Group, a Russian hacking collective that carried an earlier Handala post on its Telegram channel and claimed March 29 to have swiped personnel information from the General Services Administration, continued its recent claims of taking down various Israeli websites by claiming it hit the site of the Israel Defense and Security Forum today.
Handala claimed today that some of its hackers have been among the war’s death toll.
“In the past forty days, we have not only witnessed the martyrdom of our most cherished anonymous Handala fighters, youths whose own families were unaware of their sacrifice, but these losses have only ignited our faith and resolve even more,” the statement said. “Handala’s martyrs are warriors with no photos, no graves, no public recognition, yet they fought tirelessly on the frontlines of the cyber jihad until their last breath.”
Handala did not offer further details about the circumstances, yet in another post indicated that some of their members are Lebanese.
“It is us who will write the ending to this battle,” the post continued. “They may have started it, but we will finish it, and that is an unbreakable promise.”
On Monday, Handala issued an appeal to “all cyber resistance fighters” to “join the united front of cyber struggle.”
“Know this: every action you take against the infrastructures of the Zionist regime, the US, and their allied states will be backed technically and strategically by Handala,” the group continued. “We are here to break down the so-called ‘impenetrable’ walls of the enemy.”
The hacking group urged any recruits to contact them “If you need advice, support, or coordination for your operations,” and told them that “every strike you deliver is a blow to the arrogance of the enemies of freedom.”