Pro-Iran hackers claim DDoS attacks on critical infrastructure targets, including U.S. port

U.S. sailors prepare to stage ordnance on the flight deck of the USS Abraham Lincoln in support of Operation Epic Fury on Feb. 28, 2026. (U.S. Navy photo)

By Bridget Johnson

Pro-Iran cyber threat actors began their promised retaliatory operations against Western and Gulf entities largely with a campaign of distributed denial of service (DDoS) attacks, claiming an American port’s website as one of their targets along with other critical infrastructure sectors.

The “great epic” cyber war, as one hacking collective branded the battle, has also apparently drawn into the fray a wanted IRGC threat actor known for critical infrastructure strikes.

The U.S. has a $10 million Rewards for Justice bounty on Islamic Revolutionary Guard Corps hackers CyberAv3ngers, associated with the online persona Mr. Soul and accused of targeting ICS/SCADA devices in U.S. and global critical infrastructure.

CyberKnow, which tracks threat actors’ allegiances in the conflict, posted a statement attributed to Mr. Soul saying that the hacker “decided to start again independently … with full power” after “witnessing the brutal massacre today against the innocent children of Iran.” The New York Times reported that two strikes appeared to have hit schools in Iran since the U.S. and Israel offensive began.

“Starting tonight, you should be afraid of me and wait for further news from me,” Mr. Soul added.

A message on a Mr. Soul Telegram channel Saturday declared “say goodbye to Iron Dome,” the missile-defense system used by Israel to intercept Iranian projectiles.

The Iranian hacking group Handala claimed in an X post Saturday night to have hacked gas stations in Jordan, which couldn’t be immediately verified, in response to “blatant betrayal of the Jordanian rulers to the resistance front.”

“Right now, the cyber infrastructure of the Zionist regime’s oil and gas sector is being destroyed,” a Handala post claimed today.

DieNet, a pro-Palestinian hacking group that has claimed DDoS attacks against multiple U.S. critical infrastructure sectors since emerging in March 2025, has been posting a stream of claims targeting websites in the transportation, government and financial sectors.

“Good luck next time, Bahrain Airport,” the group said on its Telegram channel Saturday along with a screenshot showing the site down. “The thousands of IP addresses you use to protect your server won’t help you.”

A post on the channel also referred to a Check Host page that showed the Port of Los Angeles website to be inaccessible at that point.

DieNet posted similar documentation in its claims to have hit government sites in Qatar, Bahrain and the United Arab Emirates, along with a DDoS attack on Bahrain telecommunications company Batelco.

“Good night Bahrain,” the group posted along with an inaccessibility screenshot for the government portal bahrain.bh. “It’s [sic] seems your website didn’t respond.”

DieNet claimed to have targeted the portals of Saudi financial institutions Al Rajhi Bank and Riyad Bank, posting a screenshot of the latter’s site down. The group also claimed to have targeted the Bank of Jordan and Jordan Commercial Bank, Weyay Bank in Kuwait, and Jordan Kuwait Bank.

The website of Ras Al Khaimah International Airport in the UAE, which has suspended all flights in line with other airports in the region, was also claimed as an attack target along with Sharjah International Airport. Today, DieNet claimed it temporarily took down the websites of Kuwait’s Ministry of Electricity, Water and Renewable Energy and the Kuwait International Airport, where a passenger terminal was also struck by a drone Saturday.

“Good luck next time, coordination has been made with SYLHET GANG-SG To strike these vital targets, and we will continue as long as the war on Iran continues,” DieNet said.

Sylhet Gang-SG today renewed its call for Muslim threat actors to unite and “declare war against those who declared war against you!!!”

“We annouce [sic] the Termination of Saudi Ministry of Home Affair’s HCM and Internal Management Systems,” Sylhet Gang-SG claimed on its Telegram channel today. “The attack was done in retaliation to the Saudi Permit for Americans to use their Bases on Saudi Land and the Airspace of them. We will solidify the attack on them in upcoming days.”

Cyber Islamic Resistance, which posted a recruitment call Saturday for “cyber warfare experts” to join “in the great epic battle,” has been announcing new alliances with other threat actors on its Telegram channel. The Cyb3r Drag0nz Team, which claimed an attack last year on the website of Iraq’s mission to the United Nations, “learned the truth about the Americans and Israelis, and they are now on the front lines in the great battle,” Cyber Islamic Resistance said in one of its announcements.

Today, Cyber Islamic Resistance posted screenshots claiming that they had temporarily taken down access to a Military OneSource guide to U.S. installations. They also claimed that VigilAir drone detection systems were targeted and that “five platforms belonging to these systems … were disabled.”

The Cybersecurity and Infrastructure Security Agency, among the agencies affected by the current Department of Homeland Security shutdown, has not yet issued alerts specific to the fresh hostilities.

Former CISA official Brian Harrell, a McCrary Institute senior fellow, told Threat Beat that “this conflict will likely see a surge in state-sponsored APT activity, specifically targeting operational technology and critical infrastructure through the exploitation of internet-facing Industrial Control Systems and vulnerable PLC hardware.”

“Iranian threat actors, such as Charming Kitten and CyberAv3ngers, are leveraging generative AI to scale spear-phishing campaigns and utilizing living-off-the-land techniques to bypass traditional detection,” Harrell said. “Critical Infrastructure owners have seen this coming for weeks, but for those who haven’t been paying attention, organizations must enforce strict network segmentation, disable exposed administrative interfaces on edge devices and implement hardening measures.”

Harrell warned that “threat hunters should be working overtime right now.”

“By combining disruptive attacks with bombastic rhetoric, Iran will seek to erode public trust in government institutions and project domestic strength during this period of heightened conflict,” he said.
