The joint military operation launched on February 28 by the United States and Israel has triggered an immediate response from the cyber ecosystem aligned with Iran, opening a new front of digital confrontation that extends well beyond the region. The activity combines coordinated hacktivism, propaganda campaigns, and pressure on infrastructure regarded as strategic.
According to the latest report from Unit 42, Palo Alto Networks’ threat intelligence team, more than 60 pro-Iranian and pro-Russian groups have activated simultaneously. The analysis also notes the emergence of a platform called “Electronic Operations Room,” which appears to act as a coordination hub, both for operational activity and for narrative control, used to carry out disruptive attacks in several countries. Among the most active groups identified by Unit 42 are:
- Handala Hack, linked to Iran’s Ministry of Intelligence and Security (MOIS), which combines data exfiltration with psychological operations.
- APT Iran, known for hack-and-leak campaigns.
- Cyber Islamic Resistance, an umbrella group coordinating teams like RipperSec and Cyb3rDrag0nzz in DDoS attacks and destructive operations.
- Dark Storm Team, specialized in DDoS and ransomware.
- FAD Team (Fatimiyoun Cyber Team), focusing on wiper malware and permanent data destruction.
- Evil Markhors, focused on credential harvesting and identifying unpatched critical systems.
- Sylhet Gang, acting as a narrative amplifier and recruitment driver.
- 313 Team (Islamic Cyber Resistance in Iraq).
- DieNet, active in DDoS attacks in the Middle East.
Meanwhile, pro-Russian groups such as Cardinal, NoName057(16), and Russian Legion have claimed attacks against Israeli entities, including municipal, political, telecommunications, and defense systems. Russian Legion in particular asserted that it had gained access to the Iron Dome missile defense system and to decommissioned IDF servers; these assertions appear only in the group’s own public messaging.
Unit 42 notes that since the morning of February 28, internet connectivity in Iran has fallen to an estimated 1% to 4% of its usual level. That loss of connectivity, together with the degradation of leadership and command structures, will likely hinder state-aligned actors from coordinating and executing sophisticated cyberattacks in the short term.
Attacks, active campaigns, and potential threat evolution
The activity identified by Unit 42 includes unauthorized access to sensitive environments such as industrial SCADA/PLC systems, as well as to infrastructure and services in sectors such as energy, payments, financial institutions, public agencies, transportation, and administration.
The investigation also documents an active phishing campaign that uses a malicious replica of the Israeli Home Front Command’s RedAlert app, distributed through SMS messages carrying a link to download an APK (smishing). According to Unit 42, the application looks legitimate to the user and is used to deploy mobile malware aimed at surveillance and data exfiltration. The report also notes cases of vishing in the United Arab Emirates, where callers impersonate the Ministry of Interior to obtain credentials and identity data.
Furthermore, Unit 42 reports an escalation in digital intimidation tactics: Handala Hack reportedly sent emails containing direct threats to Iranian-American and Iranian-Canadian influencers, including claims that their physical addresses had been leaked.
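The smishing pattern described above (a text message carrying a direct APK link that impersonates a known app) is easy to triage automatically from SMS gateway or MDM logs. The following Python is an added example written for this page, not code from Unit 42 or from the report; the store hosts, brand tokens, sender numbers and message texts are assumptions constructed for the example.

```python
"""Triage SMS messages for app-impersonation smishing links.

Constructed example (not code from Unit 42 or the page above). It scores
each link in a text message against the indicators the RedAlert campaign
relies on: an APK served directly by SMS link, a hostname that borrows the
app's name, a raw IP as host, and plain HTTP. Store hosts, brand tokens,
sender numbers and message texts are assumptions made for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Assumption: the only hosts from which the organisation expects users to
# install apps. Any other host serving an .apk is treated as suspicious.
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}

# Assumption: brand tokens a lure is likely to borrow. "redalert" is the app
# named in the report; a defender would extend this with their own watch-list.
BRAND_TOKENS = ("redalert", "homefront")


@dataclass
class Verdict:
    url: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def assess_url(url: str) -> Verdict:
    """Score one URL; a higher score means more smishing indicators were present."""
    v = Verdict(url)
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.path.lower().endswith(".apk"):
        v.add(4, "direct APK download by link (bypasses the app store)")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        v.add(3, "raw IP address used as host")
    if p.scheme.lower() == "http":
        v.add(1, "plain HTTP link")
    if host not in OFFICIAL_STORE_HOSTS:
        flat = host.replace("-", "").replace("_", "")
        for token in BRAND_TOKENS:
            if token in flat:
                v.add(3, f"brand name '{token}' in an unofficial hostname")
                break
    return v


def triage_sms(text: str, threshold: int = 4) -> list[Verdict]:
    """Return verdicts for every link in a message that reaches the threshold."""
    return [v for v in (assess_url(u) for u in URL_RE.findall(text))
            if v.score >= threshold]


# Constructed sample messages (sender numbers use the fictional 555 range,
# domains are invented or reserved documentation names/addresses).
SAMPLE_MESSAGES = [
    ("+1-555-0100", "RedAlert update required. Install now: "
                    "http://redalert-update.example/app/RedAlert.apk"),
    ("+1-555-0101", "Your parcel is waiting: https://example.org/track?id=41"),
    ("+1-555-0102", "Get the official app: "
                    "https://play.google.com/store/apps/details?id=com.example"),
    ("+1-555-0103", "Install immediately http://203.0.113.7/dl/redalert.apk"),
]


def triage_sample() -> list[tuple[str, Verdict]]:
    """Run the triage over SAMPLE_MESSAGES; returns (sender, verdict) pairs."""
    flagged = []
    for sender, text in SAMPLE_MESSAGES:
        for v in triage_sms(text):
            flagged.append((sender, v))
    return flagged


if __name__ == "__main__":
    for sender, v in triage_sample():
        print(f"{sender}: score={v.score} {v.url}")
        for r in v.reasons:
            print(f"    - {r}")
```

The scoring deliberately weights the APK link highest: a legitimate app vendor distributes through a store, not by texting an installer, so that indicator alone is enough to flag a message for review. The brand-token check is only applied to hosts outside the official stores, which keeps a genuine Play Store link from tripping it.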
Recommendations for high-risk environments
In a rapidly evolving threat landscape, Palo Alto Networks recommends a multi-layered defense built on advanced technology and reinforced cybersecurity hygiene:
- Maintain at least one backup of critical data that is kept offline (air-gapped), and test that it can actually be restored.
- Implement out-of-band verification for sensitive requests (payment changes, credential resets, urgent instructions attributed to executives), confirming them through a channel other than the one the request arrived on.
- Enhance monitoring of internet-exposed assets, including websites, VPN gateways, and cloud environments.
- Apply security patches and hardening best practices to critical infrastructure.
- Train employees to recognize phishing, smishing, vishing, and other social-engineering techniques.
- Evaluate geographic blocking of IP addresses from regions with no legitimate activity, bearing in mind that this cuts opportunistic noise rather than stopping determined actors, who routinely route through infrastructure in other countries.
- Update business continuity plans and crisis management protocols.
- Establish procedures to quickly validate and respond to reported breaches or leaks, so that a claim can be confirmed or refuted before it drives decisions.
- Maintain continuous vigilance against reputation-pressure campaigns and narrative amplification by threat actors.
The company also stresses the value of consolidated security platforms, advanced detection and response capabilities, and specialized threat intelligence and incident response teams in limiting the impact of such campaigns.
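Two of the recommendations above, monitoring internet-exposed assets and evaluating geographic IP blocking, are best combined by replaying the candidate block rule over existing access logs before enforcing it. The following Python is an added example for this page, not code from Palo Alto Networks; the prefixes, allow-list and log lines are constructed for the example (the addresses are documentation ranges and map to no real region).

```python
"""Dry-run of a region/IP block policy against web-server access-log lines.

Added example, not from the Palo Alto Networks report. It applies a list of
blocked network prefixes (in practice fed from a geo-IP or threat feed) to
log lines from an internet-exposed service, with an explicit allow-list so a
partner or monitoring vendor inside a blocked range is not cut off. Running
the policy over historical logs first shows what would have been blocked
before the rule is enforced. All prefixes and log lines are constructed:
the addresses are documentation ranges (RFC 5737, RFC 3849) and correspond
to no real region.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Assumption: prefixes attributed to regions with no legitimate activity.
BLOCKED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24",
    "2001:db8:dead::/48",
)]
# Assumption: a partner office that legitimately sits inside a blocked range.
ALLOWED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.200/30",
)]

# Common/combined log format: client address, identity, user, [timestamp],
# "METHOD path protocol", status, and the rest of the line (ignored here).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def policy_decision(ip_str: str) -> str:
    """Return 'allow', 'block' or 'invalid' for one client address.

    The allow-list is checked first so that exceptions always win over a
    broad regional block.
    """
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return "invalid"
    if any(addr in net for net in ALLOWED_PREFIXES):
        return "allow"
    if any(addr in net for net in BLOCKED_PREFIXES):
        return "block"
    return "allow"


def evaluate_log(lines: list[str]) -> list[dict]:
    """Parse each line and attach the policy decision.

    Unparsable lines are kept with decision 'unparsed' rather than dropped,
    so a log-format change cannot silently hide traffic from the review.
    """
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            out.append({"raw": line, "decision": "unparsed"})
            continue
        ip, method, path, status = m.groups()
        out.append({"ip": ip, "method": method, "path": path,
                    "status": int(status), "decision": policy_decision(ip)})
    return out


def summarize(lines: list[str]) -> dict[str, int]:
    """Count decisions so the dry-run can be reviewed before enforcement."""
    return dict(Counter(rec["decision"] for rec in evaluate_log(lines)))


# Constructed log lines (the timestamp is a placeholder).
SAMPLE_LOG = [
    '203.0.113.45 - - [01/Jan/2000:00:00:01 +0000] "POST /vpn/login HTTP/1.1" 401 512',
    '203.0.113.201 - - [01/Jan/2000:00:00:02 +0000] "GET /status HTTP/1.1" 200 90',
    '198.51.100.9 - - [01/Jan/2000:00:00:03 +0000] "GET / HTTP/1.1" 200 1024',
    '2001:db8:dead:1::7 - - [01/Jan/2000:00:00:04 +0000] "GET /admin HTTP/1.1" 403 0',
    'malformed line with no request',
]

if __name__ == "__main__":
    for rec in evaluate_log(SAMPLE_LOG):
        print(rec)
    print(summarize(SAMPLE_LOG))
```

Reviewing the "block" records by path and status before enforcement shows whether the rule would have stopped anything of value (here a failed VPN login and an admin probe) or would mostly hit harmless scanners, and the "unparsed" count is a sanity check that the log format still matches the parser.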