Pro-Iran hackers claim Microsoft outage, vow to ramp up attacks on U.S. companies

Hackers supporting Iran claimed to be behind today’s Microsoft outage issues while a collective that has urged “epic war” allies to stand as unified “mujahideen” on the cyber front is vowing to target more U.S. companies and conducting fundraising to beef up hackers’ infrastructure.

An Iranian group closely linked to CyberAv3ngers that has previously focused on operational technology targets also made a chilling yet unverified claim of responsibility for a deadly explosion at a Nebraska biofuels plant this past summer.

While many of the site attacks reported in the past several days by pro-Iran hackers have still been focused on Israel and Gulf nations allied with the United States, the Islamic Cyber ​​Resistance in Iraq – 313 Team said last week that it launched a cyber offensive in response to Romania’s Wednesday approval of a request by the U.S. to use the country’s bases for refueling planes and equipment for surveillance and satellite communications.

“Romanian government servers and digital assets are now considered legitimate targets for the Islamic Cyber ​​Resistance in Iraq – 313 Team,” the group said in a Wednesday post on its Telegram channel, claiming first that it shut down the Romanian government’s web portal for two hours. The group similarly claimed two-hour attacks against Romania’s Ministry of Defense and National Agency for Fiscal Administration websites, and said that an attack on Ministry of Foreign Affairs servers froze the availability of e-visas for up to five hours.

313 Team also claimed Friday that it temporarily knocked down the donaldjtrump.com site, posting a screenshot with a 503 error that they said proved their claim. Sylhet Gang-SG, a pro-Iran Bangladesh-based hacking group, posted on their Telegram channel that “we saw team downd donaldjtrump.com so we took fun on second website of trump lol,” posting a screenshot of trump.com.

“In the coming days we will target all companies affiliated with US President Trump,” 313 Team subsequently posted. They later claimed to have caused an outage on the website of U.S.-based Commerce Bank, and posted a screenshot Sunday depicting an increase in user reports on DownDetector.

Today, the 313 Team claimed to have “launched a cyberattack targeting Microsoft 365 servers, completely shutting down the website” for five hours. “Reports of Microsoft 365 service outages continue to pour in on DownDetector, a testament to the power and capability we possess,” they posted this afternoon.

The hackers posted screenshots of posts from the official X feed for Microsoft 365 service incidents. “We’re investigating reports of some users experiencing issues when accessing their Exchange Online mailbox via one or more connection methods,” the company said, adding about two and a half hours later, “We identified and resolved an underlying issue involving the supporting network infrastructure that resulted in service degradation. After a period of monitoring, we can confirm that the service is healthy.”

313 Team said in response on their Telegram channel that their effort against Microsoft “continues,” and they pointed to users reporting problems on DownDetector throughout the day. They also posted Bleeping Computer’s article about the outage.

“We in the Cyber ​​Islamic Resistance in Iraq – 313 Team have decided to extend the attack time for an additional five hours,” the hacking group claimed in a post just before 4 p.m. EST. “During this time, Microsoft servers will be down, and Microsoft 365, Microsoft Outlook, and other services will remain unavailable.”

The Cyber Islamic Resistance collective, which has demonstrated an alliance with 313 Team through joint claims, posted on its Telegram channel this evening that “a new target has been set in stone,” adding a screenshot of a 504 error involving Azure Front Door.

“Globally, Microsoft Store has been targeted by us with DDoS attacks,” Cyber Islamic Resistance said. “We will continue to target other U.S companies due to Trump’s actions in the middle east.”

APT IRAN, which has focused on targeting operational technology and detailed an attack manipulating agricultural sector control systems in an incident the Jordanian government said was aimed at destroying a strategic wheat stockpile, claimed responsibility in a Sunday Telegram post for a deadly explosion at a Nebraska wood refining facility last July.

“In our last attack on an industrial site in the US in Fremont, Nebraska, the Horizon plant last year, one person was killed,” the group stated. “This person was a father of two daughters and we did not target him and he was accidentally killed by a massive explosion in the building. Now, we don’t want to get our hands dirty with anyone’s blood. Stay away from candlelight… (Please)”

APT IRAN posted no other proof, just a video capturing the explosion and a news report on the investigation into the Horizon Biofuels incident that killed 32-year-old Dylan Danielson and his 8- and 12-year-old daughters, who were waiting at the plant for Danielson to end his shift.

Cyber Islamic Resistance posted a Friday fundraising appeal on a designated Telegram donations channel, declaring that “even the smallest donation can make a significant impact in this battle fought not with bullets but with servers, networks, firewalls, and software.”

“Our battlefield is digital, yet the risks are real,” the collective said, adding that “we resist by building a strong infrastructure.”

“Your contribution — even if just one dollar — is not charity but a stance and declaration of defiance,” the appeal stated, giving avenues through which to donate and asking for engagement with their Telegram posts.