
Inside the cyber battlefield: More hacking groups in Iran’s camp, but notable attacks from Israel’s corner

An image released by pro-Israeli hacking group Predatory Sparrow claiming a cyber ​​attack on the computer systems of Iran's Ministry of Roads and Urban Development on Oct. 26, 2021. (Gonjeshke Darande/X)

By Bridget Johnson

Cyberattacks act as a “strategic equalizer” as Iran’s conventional military capabilities lag behind those of Israel, and actors working on behalf of Tehran or aligned with the Islamic Republic could take attacks beyond the borders of physical combat to target entities in Western nations that are seen as aligning with Israel, said a new report from Trustwave SpiderLabs.

The cyberwar landscape in the fresh conflict between Iran and Israel is characterized as a hybrid threat ecosystem: “a few state-linked actors embedded within a dense jungle of ideological, opportunistic and proxy-driven cyber collectives,” the researchers wrote.

“While the most visible operations often come from hacktivist fronts or public defacement campaigns, it is important to note that both Israel and Iran are also conducting highly targeted, stealthy cyber operations behind the scenes,” the report noted. “These state-level campaigns are typically more strategic, involve advanced capabilities and rarely surface in open-source channels, making them harder to detect, attribute or assess in real time.”

As of Tuesday, CyberKnow’s Iran and Israel War Cybertracker has pinpointed 80 non-state hacktivist coalitions supporting Iran, 14 anti-Iran groups and 10 cyber collectives that identify as pro-Israel.


“Several groups first observed in the Hamas–Israel cyber theater, such as Gaza Cybergang, APT-C-23 (AridViper) and entities under the Cyber Av3ngers or Storm-1133 labels, have also been detected in operations linked to Iranian interests,” the SpiderLabs report stated. “These actors often exhibit technical, linguistic, and operational patterns consistent with Iranian cyber doctrine, suggesting either direct coordination or shared resources.” Potential “operational overlap” is also seen between Hamas-linked groups and those supporting the “broader Iranian cyber narrative” such as the Al-Qassam Cyber Brigades and Cyber Fattah Team.

Smaller hacktivist groups are operating under umbrella identities such as the Cyber Islamic Resistance or United Cyber Front for Palestine and Iran, acting as loosely affiliated “cyber unions” that “share resources and synchronize campaigns, amplifying their impact despite limited technical sophistication,” said SpiderLabs.

The identity of DieNet, which has claimed DDoS attack attempts on Israel’s alert system that warns civilians of incoming missiles, is even blurrier. The group “operates under a pro-Iranian and pro-Hamas narrative” yet evidence points to “Russian-speaking members and technical connections to cyber communities in Eastern Europe” — illustrating “the growing interoperability among ideologically aligned cyber groups, even when they hail from different geopolitical environments.” 

“DieNet’s attacks often coincide with physical escalation on the ground, such as IDF strikes in Gaza or IRGC operations abroad, suggesting the group is at least loosely aligned with the timing and objectives of state-linked campaigns,” the report continued. “…Its existence reinforces the idea that cyberwarfare in 2025 is no longer defined by national borders alone but by dynamic, ideological alliances operating across continents and languages.”

The pro-Palestinian, pro-Iranian hacktivist collective Handala re-emerged June 14 to claim breaches of AeroDreams, an Argentinian drone firm they claim acts as a “silent front” for the Israeli military, and the petroleum conglomerate Delek Group. “Your fuel stations are vulnerable,” the hackers warned the latter, claiming to have swiped more than 2TB of classified data. Handala’s other claims include purported hacks of Israeli construction company Y.G. New Idan and internet service provider 099 Primo Communications. While the claims have been uncorroborated thus far, the hackers have reaped “relevance during a peak phase of the Israel–Iran cyber escalation,” noted the SpiderLabs report.

Cybersecurity firm Radware reported Sunday that there was a 700% spike in cyberattacks — including attempts to breach critical infrastructure — against Israel shortly after the initial news broke of Israel’s strikes on Iran.

Pro-Israeli hackers, meanwhile, have scored notable hits. The group Gonjeshke Darande, or “Predatory Sparrow,” claimed Tuesday on X “cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps’ ‘Bank Sepah’ … an institution that circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program and its military nuclear program.”

“This is what happens to institutions dedicated to maintaining the dictator’s terrorist fantasies,” the group added.

Predatory Sparrow, which first emerged in 2021, then said Wednesday that it had “burned $90M from the wallets of the regime’s favorite sanctions violation tool” Nobitex, Iran’s largest cryptocurrency exchange. Today, the group posted what it said was the exchange’s full source code: “ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN,” the group declared.

The Trustwave SpiderLabs report characterizes Predatory Sparrow as a “highly sophisticated and likely state-aligned cybergroup widely believed to be affiliated with Israeli intelligence” that has previously hit Iranian infrastructure including fuel distribution systems, steel plants and railway networks.

The report called the Bank Sepah and Nobitex attacks “significant” in that the “compromise of financial infrastructure, especially one involved in sanction evasion and international crypto transactions, has the potential for far-reaching geopolitical and economic consequences.”

Attacks by Iranian-linked cyber groups in the current conflict have included fake emergency alerts sent to civilians. Trustwave researchers also highlighted a dataset posted on the dark web that was claimed to be a large-scale Israel-related data leak, but analysis of the data indicated that it may not have come from a breach at all.

“Leaks” such as this can be for “theatrical” benefit, the report explained. “As with many aspects of modern cyber conflict, the perception of compromise can be as potent as compromise itself,” SpiderLabs stated. “Whether authentic or partially fabricated, such leaks play into a larger psychological and media-driven layer of cyber warfare, especially relevant in the Israel–Iran narrative, where strategic information placement is often weaponized.”

The conflicts between Russia and Ukraine, Hamas and Israel, and Israel and Iran have shared similarities when it comes to their integration with broader military campaigns and the “targeting of civilian infrastructure to create psychological pressure,” such as Iranian-linked groups MuddyWater and APT34 attacking Israeli water systems and transport networks, Hamas-affiliated hackers going after emergency response systems and public broadcasting, and Russian threat actors such as Sandworm and APT28 targeting hospitals, railways and energy providers, researchers noted. Campaigns also similarly target public narratives by deploying “a strong disinformation component.”

Another similarity is often-blurred affiliations of threat groups. “Iran and Russia rely on cyber militias and plausible deniability, allowing them to engage in aggressive operations while disavowing direct responsibility,” the SpiderLabs report noted. “These groups often communicate through Telegram channels or low-tier forums, coordinating campaigns that blur the line between activism, cybercrime and state-sponsored sabotage.”

The report warns that even though the bulk of the attacks observed by Trustwave researchers have been confined to Israel and Iran, “companies, institutions and governments beyond the region should maintain a heightened level of caution as this conflict progresses.”

“The balance of hacktivists is largely in the pro-Iranian camp, and because these are non-state actors, they often cast a wide net for targets” — with the risk for Western entities likely increasing the more that the U.S. aligns with Israel in the conflict. And with the hybrid threat landscape, “the blurring lines between patriotic hackers, ideological militants, and state proxies make attribution difficult, retaliation risky and escalation more likely,” SpiderLabs said.
