
Iran–Israel/US War 2026: Cyber Attack Dashboard

U.S. & Israel / Iran War — Operation Epic Fury · Cyber Domain Intelligence

A live cyber threat intelligence dashboard tracking cyber operations linked to the Iran–Israel/US conflict, including attack timelines, regional targeting patterns, state-sponsored APT activity, and hacktivist campaigns.
Last updated: April 6, 2026

🏭 FSociety1337 — Israeli Industrial Control System, ICS/SCADA Access Claimed
🗺 Regional Operations Map

Map legend: Hot Zone; Cyber Attacker / Target; Primary Target; Secondary Target; Russian Actor; Allied Cyber Strike; Iran Retaliation; US military bases
1,075+ claims · 15+ countries targeted · 15+ actors active
Key takeaway

Gulf states and Israel remain primary targets; US bases (Al Udeid, 5th Fleet, Ali Al Salem, Al Dhafra) in scope. Iran-led operations and pro-Russian hacktivists driving regional cyber escalation.

Regional Threat: Elevated
Map & incident data last updated: March 2026

📊 Cyber Attack Method Distribution

🎯 Cyber Attack Target Intensity by Country

Israel 37.6%
Kuwait 8.5%
Bahrain 4.8%
United States 4.7%
Saudi Arabia 4.6%
Cyprus 4.3%
United Arab Emirates 3.8%
Romania 3.7%
Jordan 2.9%
Qatar 2.6%

Conflict Metrics - Operation Epic Fury

Cyber Attack Claims: 1,583
📢 Active Telegram Channels Monitored: 80+
🎯 Targeted Countries: 54
👥 Iranian APT Groups Identified: 10
📊 Peak Daily Cyber Attack Claims: 110
🌐 Iran Internet Connectivity: 1%

Incident Timeline

Apr 6, 2026
Day 38
🏭 Z-PENTEST Alliance — South Korean Industrial Water Treatment System, #OpSouthKorea
Z-PENTEST Alliance claimed access to a PureWater 100 ultrapure water treatment system by MSTEC, publishing a video showing real-time control of inlet/outlet sensors, drain valves, pH calibration, and solenoid valves. The group stated the facility serves chip manufacturing and pharmaceutical production. Claim is unverified but technically detailed.
ICS/OT Z-PENTEST Alliance South Korea Unverified
Apr 6, 2026
Day 38
📢 Morning Star — Anti-US Provocation Post, #OpUSA
A Telegram channel posted a bilingual (Russian/English) tirade directed at the US and Israel, sharing what appear to be CCTV footage stills alongside inflammatory messaging. No technical attack claimed — assessed as psychological operations and influence content rather than an active operation.
PsyOps #OpUSA Pro-Iran
Apr 5, 2026
Day 37
💻 RuskiNet — Energy Team and BLEnergy, Israel, #OpIsrael
RuskiNet claimed DDoS disruption of two Israeli companies: Energy Team (energyteam.co.il), an AI-focused IT services firm with defense sector clients, and BLEnergy (blenergy.co.il), a large-scale battery energy storage integrator. Connection timeouts and 502 Bad Gateway errors were check-host verified for both targets.
DDoS RuskiNetGroup Israel
Apr 4, 2026
Day 36
🕵️ Handala — 50 Senior Unit 9900 Officers Allegedly Exposed
Handala published what it claims are the complete personal details of 50 senior officers from Unit 9900, the Israeli military's geospatial intelligence unit. The group framed it as the result of months of surveillance and cyber operations. No independent verification of the data's authenticity has been confirmed.
Data Leak Handala Unverified
Apr 4, 2026
Day 36
💻 RuskiNet — Israel Agricultural Research Institute (agri.gov.il), #OpIsrael
RuskiNet claimed a DDoS against agri.gov.il, the website of Israel's primary agricultural research institution under the Ministry of Agriculture. A 504 Gateway Timeout error was check-host verified at time of posting.
DDoS RuskiNetGroup Israel
Apr 3, 2026
Day 35
💻 RuskiNet — Masdar (masdar.ae), UAE
RuskiNet claimed disruption of masdar.ae, the official site of Abu Dhabi's state-owned renewable energy company. An HTTP 503 Service Unavailable error was check-host verified.
DDoS RuskiNetGroup UAE
Apr 3, 2026
Day 35
🌐 #OpsShadowStrike — Royal College of Management Studies, India, Defaced
The Royal Institute's website (royalinstitute.co.in) was defaced under the #OpsShadowStrike banner, with credit attributed to a coalition of Malaysian hacktivist groups including TengkorakCyberCrew, EagleCyberCrew, and MalaysiaHacktivist, among others.
Defacement #OpsShadowStrike India
Apr 3, 2026
Day 35
📢 BD Anonymous — #OpProsecuteZionist Announced
BD Anonymous issued a formal statement declaring the launch of #OpProsecuteZionist, threatening attacks against government databases, ministry servers, and "propaganda outlets." The statement is rhetorical in nature; no technical activity has been confirmed yet.
Announcement BD Anonymous Pro-Palestine
Apr 2, 2026
Day 34
🕵️ Handala — 22TB Wiper Operation Against 14 Israeli Companies, Timed to Passover
Handala claimed the complete erasure of 22TB of data across 14 Israeli companies, naming targets including DanielBengioCPA, Fuse Stereo, Migvan 2002, and Opal Plastic among others. The operation was framed as "a modest Passover gift."
Wiper Handala Israel
Apr 2, 2026
Day 34
🔐 Handala — PSK WIND Technologies Breached, Israeli Air Defense C2 Data Allegedly Exfiltrated
Handala claimed full infiltration of PSK WIND Technologies — described as the primary designer of Israel's air defense command and control systems — and stated all extracted classified data was transmitted to "missile units of the Axis of Resistance." Unverified.
Data Exfiltration Handala Israel Unverified
Apr 2, 2026
Day 34
💻 RuskiNet — Geophysical Institute of Israel Taken Down, #OpIsrael
RuskiNet claimed a DDoS against gii.co.il, the state-owned Geophysical Institute of Israel under the Ministry of Energy. Host confirmed returning unknown server error via check-host verification.
DDoS RuskiNetGroup Israel
Apr 1, 2026
Day 33
⚠️ Threat Context — IRGC Names 18 US Tech Companies as Military Targets, Effective April 1
The IRGC warned that 18 US tech companies including Apple, Microsoft, Google, Meta, Nvidia, IBM, Intel, Oracle, Cisco, HP, Dell, Palantir, JPMorgan, Tesla, GE, Boeing, and Spire Solutions, along with UAE-based G42, would be considered legitimate targets starting April 1 at 8 PM Tehran time. Employees were told to leave workplaces immediately and residents within one kilometer of company facilities were advised to evacuate. The IRGC framed the companies as directly enabling US-Israeli targeting operations through AI and cloud infrastructure.
Threat Context US Tech Sector IRGC April 1 Deadline Middle East Critical Escalation
Apr 1, 2026
Day 33
🛒 313 Team — Amazon Saudi Arabia (amazon.sa), Four-Hour Shutdown
313 Team claimed a complete four-hour shutdown of Amazon Saudi Arabia's official e-commerce platform, with Check-Host verification confirming full downtime. The attack coincides directly with the IRGC's declared deadline targeting US tech companies in the region including Amazon.
DDoS Saudi Arabia E-Commerce US Tech Sector 313 Team CIR IRGC Threat Alignment
Apr 1, 2026
Day 33
🇳🇵 INDOHAXSEC — SAGE Nepal University, Defacement
INDOHAXSEC defaced sage.edu.np, the website of SAGE College Nepal, under the #OpsShadowStrike banner. Defacement credited to team member ./RAZOR. Tagged #PREEPALESTINE and #SUPPORTIRAN.
Defacement Nepal Education Sector INDOHAXSEC #OpsShadowStrike
Apr 1, 2026
Day 33
🎯 Harvesting Time — US Military Position in Kuwait Geolocated
Harvesting Time published video analysis identifying the launch position of a missile fired from Kuwait, alongside satellite imagery showing US GMLRS ER air defense systems firing from Bubiyan Island toward Iran. Coordinates published. Also confirms US military presence on the island. No breach claim — targeting and reconnaissance intelligence.
Targeting Intelligence Kuwait US Military Harvesting Time Bubiyan Island
Apr 1, 2026
Day 33
🏛️ Handala — St. Joseph County, Indiana, US
Handala claimed full control of St. Joseph County's centralized IT infrastructure in Indiana, alleging extraction of 2TB of data from the Prosecutor's Office, health centers, and police, and wiping of 12TB from main servers. Over 2,000 documents published publicly as proof. Unverified. Today is April 1 — treat with additional skepticism pending independent confirmation.
Wiper Data Breach United States Local Government Handala MOIS-Linked Unverified
Mar 31, 2026
Day 32
🛍️ RuskiNet Group — Speeddeal.co.il, Israel
RuskiNet claimed a data leak from Speeddeal.co.il, an Israeli online clothing, footwear, and fashion accessories retailer, publishing 50,000+ lines of customer phone numbers and emails under #OpIsrael.
Data Leak Israel E-Commerce Civilian Target RuskiNet
Mar 31, 2026
Day 32
Handala — IranWire, Iran/Media
Handala claimed a full breach of IranWire, an independent Persian-language news outlet, alleging extraction of correspondence, affiliate lists, and confidential data, which it stated had been delivered to Iranian intelligence. All individuals identified as having contact with the outlet were warned they are now under surveillance. Unverified.
Data Breach Media Sector Iran Counter-Dissent Handala
Mar 30, 2026
Day 30
🇧🇩 BD Anonymous — Take Down of Molise Regional Government Site, Warns Italy of Escalation
BD Anonymous claimed a DDoS takedown of regione.molise.it, verified via ERR_CONNECTION_CLOSED. The group cited Italy's refusal to recognize Palestine as a state and warned "bigger things are coming."
Cyber Context DDoS BD Anonymous Italy Escalation Warning Strategic Context
Mar 30, 2026
Day 30
🇹🇷 Cyber Context — Wolves of Turan and BD Anonymous Announce Formal Alliance
Turkish hacktivist group Wolves of Turan and Bangladeshi group BD Anonymous announced a formal operational alliance, declaring "One Ummah One Mission." The partnership signals expanding coordination between South Asian and Turkish hacktivist networks under the pro-Palestinian cyber coalition.
Cyber Context Alliance Wolves of Turan BD Anonymous Coalition Expansion Strategic Context
Mar 29, 2026
Day 30
🇮🇳 Indian Hackers — Handala Websites Under DDoS
Handala's operational sites handala-hack.tw and handala-hack.ps returned "no response" across all check-host nodes. Owner account @FIA posted both verification links. Outage is consistent with the FBI's March 19 domain seizure operation targeting Handala infrastructure.
Cyber Context Infrastructure Handala Counter-Operation Strategic Context
Mar 29, 2026
Day 30
🚨 Cyber Av3ngers — Claimed Siren Disruption, Warn Alarms Won't Sound in Future Attacks
IRGC-linked Cyber Av3ngers — a pre-existing, well-documented group active before the current conflict — claimed they silenced Israeli air-raid sirens during an Iranian missile attack. On March 30 they posted a 53.5 MB video as alleged proof, warning residents alarms will not sound in future strikes.
Cyber Context PsyOps Cyber Av3ngers Israel ICS/Infrastructure Strategic Context
Mar 28, 2026
Day 29
🇮🇱🇷🇴🇦🇪 Cyber U.N.I.T.Y — Leaks Romanian MoD, Israeli Military Personnel Files, UAE Passport Data
Cyber U.N.I.T.Y posted an alleged Romanian Ministry of National Defense database (~70K lines) in collaboration with AnonGhost. Separate posts included Israeli reserve unit personnel data with family details, a 145K Israel combolist, WhatsApp number database (52.8 MB), transport infrastructure data, bank card files, and a UAE passport database (77 MB).
Cyber Context Data Leak Cyber U.N.I.T.Y Romania Israel UAE Strategic Context
Mar 28, 2026
Day 29
🇺🇬 Uganda — BD Anonymous Takes Down Uganda Police Website Over Pro-Israel Stance
BD Anonymous claimed a DDoS takedown of the Uganda Police Force's official site (upf.go.ug), verified with ERR_CONNECTION_CLOSED. The group cited Uganda's failure to speak for Palestine and reports of Ugandan military signaling support for Israel as justification.
Cyber Context DDoS BD Anonymous Uganda Pro-Palestine Strategic Context
Mar 27, 2026
Day 28
🕵️ Handala — FBI Director's Personal Email
Iran-linked Handala announced the breach of FBI Director Kash Patel's personal Gmail, releasing 300+ emails, personal photos, and a resume. The FBI confirmed the data was historical (2010–2019) with no government material. Handala framed it as retaliation for the March 19 seizure of four of its domains and the DOJ's $10M bounty on the group's members.
Cyber Context Account Breach Handala United States Retaliation Strategic Context
Mar 27, 2026
Day 28
🏃 313 Team — Strava, United States
313 Team claimed a complete one-hour shutdown of Strava, the global fitness tracking platform used for running, cycling, and walking. Website confirmed down and app disrupted. Check-Host verified.
DDoS United States Civilian Platform 313 Team CIR
Mar 27, 2026
Day 28
💼 RuskiNet Group — Hunter.co.il, Israel
RuskiNet claimed disruption of hunter.co.il, an Israeli executive search and recruitment firm based in Herzliya serving technology, finance, and industrial sectors. SSL handshake failure confirmed via Check-Host.
DDoS Israel Recruitment Sector RuskiNet Civilian Target
Mar 27, 2026
Day 28
🌾 Z-Pentest Alliance (forwarded by NoName057(16)) — Israeli Industrial Silo Control System
Z-Pentest Alliance claimed full access to an Israeli industrial silo control system, publishing a video showing live weight, temperature, and parameter readings across six silos and auxiliary systems. The group stated it could change settings, reset parameters, or shut down equipment at any time. Forwarded by NoName057(16) under #OpIsrael. Unverified but technically detailed.
ICS/OT Israel Agricultural Infrastructure Z-Pentest Alliance Russian Actor Unverified
Mar 27, 2026
Day 28
🇵🇭 Nullsec Philippines — Iranian Cyber Police and Government Portals, #OpIran
Nullsec Philippines launched #OperationIran, claiming DDoS against the Iranian Cyber Police unit, ATF Iran, and MyGOV Iran, with Check-Host verification for all three. Framed around the death of Mary Anne Velasquez de Vera, a 32-year-old Filipino worker killed by an Iranian ballistic missile while helping an elderly woman to safety. First confirmed Philippines-based pro-Israel cyber operation of the conflict.
DDoS Iran Government Pro-Israel Nullsec Philippines #OpIran New Actor
Mar 26, 2026
Day 27
⚠️ Handala — Lockheed Martin IL, Pre-Announcement
Handala published a teaser post on its website targeting Lockheed Martin's Israeli operations, promising to reveal "secrets that could change the balance of power" and stating "you will see tomorrow." No data published yet. The manufacturer of the F-35, F-22, THAAD, and advanced electronic warfare systems is framed as the next target. Pre-announcement only.
Pre-Announcement United States Defense Sector Lockheed Martin Handala MOIS-Linked
Mar 26, 2026
Day 27
🇦🇹 313 Team — Austrian Federal Police (bmi.gv.at)
313 Team claimed a complete shutdown of the Austrian Federal Police website (bmi.gv.at) for one hour, with Check-Host verification confirming ERR_CONNECTION_TIMED_OUT across nodes. The Austrian Federal Police is responsible for internal security and law enforcement nationwide. First confirmed Austrian government target of the conflict.
DDoS Austria Law Enforcement 313 Team CIR European Expansion
Mar 25, 2026
Day 26
🌍 Keymous Plus — Ministry of Interior Egypt, #Op_Epstein_Gulf
Keymous Plus returned to Egypt with a focused hit on the Ministry of Interior (moi.gov.eg), publishing a Check-Host report showing connection timeouts across 20+ global nodes. Site confirmed still down at time of posting.
DDoS Egypt Government #Op_Epstein_Gulf Keymous+
Mar 25, 2026
Day 26
🌐 BD Anonymous — Interpol Website, #ForJustice
BD Anonymous claimed a DDoS against interpol.int on March 25, publishing IP, port, and ISP details for the attack. Framed around the ICC warrant for Netanyahu, with the message "Open Your Eyes Global Law Enforcement! Arrest These War Criminals!" Site hosted on Akamai Technologies infrastructure.
DDoS Interpol International Organization BD Anonymous #ForJustice
Mar 25, 2026
Day 26
🇮🇱 Babayo Error System — Four Israeli State Subdomains
Babayo Error System claimed DDoS disruption of four Israeli state subdomains with Check-Host verification. Tagged #Fuck_Israel. No specific subdomain names published.
DDoS Israel Government Babayo Error System
Mar 25, 2026
Day 26
🕵️ Handala — Tamir Pardo Doxxed, 14GB of Alleged Mossad Documents Published
Handala published a post titled "From Hunter to Hunted" on March 25, targeting Tamir Pardo, former head of Mossad. The group claimed to have released 14GB of personal and confidential documents as a Proof of Concept, alleging the files contain details of assassination projects and covert operations. Pardo is named in connection with the Stuxnet project and targeted killings of Iranian scientists. Download link and password published publicly.
Doxxing Data Leak Israel Intelligence Sector Handala MOIS-Linked Unverified
Mar 24, 2026
Day 25
🤝 Cyber Fattah Team — Entry Statement, Reconnaissance Phase
Cyber Fattah published a formal team statement announcing planned attacks after "collecting specific resources," warning that "all types of attacks" will follow. Signals a pre-operational reconnaissance phase rather than active operations.
Announcement Pre-Operational Cyber Fattah Pro-Iran
Mar 24, 2026
Day 25
💰 Handala — $50M Bounty on Trump and Netanyahu
Handala published a $50M reward offer for anyone who "eliminates" Trump and Netanyahu, framing it as a direct response to the US DOJ's $10M bounty on Handala members following the FBI domain seizure.
Incitement Handala MOIS-Linked Retaliation DOJ Response
Mar 24, 2026
Day 25
⚔️ Fynix — Kurdish Governments and Organizations Targeted
Iran-aligned group Fynix announced attacks on Kurdish government websites, organizations, and companies, citing "insults to the Islamic Republic of Iran by Kurdish cyber teams" as justification. Marks the beginning of a direct Iran-aligned vs Kurdish cyber confrontation.
DDoS Kurdish Targets Fynix Pro-Iran New Front
Mar 24, 2026
Day 25
🔄 Cyb3r Drag0nz Kurdish — Breaks from CIR, Turns Against Iran
Cyb3r Drag0nz Kurdish, formerly part of the Cyber Islamic Resistance coalition, published a post mourning six Peshmerga martyred in Iranian strikes on Kurdish forces, condemning the Iranian regime directly and calling on Kurdish diaspora to stand against Iran alongside Israel and the US. The group's departure from CIR marks one of the conflict's clearest alliance fractures.
Alliance Fracture Kurdish Actor Anti-Iran CIR Departure Cyb3r Drag0nz
Mar 23, 2026
Day 24
🌐 Conquerors Electronic Army (CIR) — t.co.il Israeli Business Directory
Claimed DDoS against t.co.il, an Israeli companies and services directory, with Check-Host verification. Attack provided via Beamed.cc. Tagged #Free_Palestine #C_E_Army #Cyber_Islamic_Resistance.
DDoS Israel Civilian Infrastructure CIR Conquerors Electronic Army
Mar 23, 2026
Day 24
🇩🇰 NoName057(16) — Back to Europe Denmark and Greenland
NoName shifted focus to Europe, targeting Air Greenland Authorization Portal and Nuup Bussii public transport in Nuuk with Check-Host verified downtime. Framed around Danish PM Frederiksen's announcement of early elections on March 24, linked to Trump's Greenland threats, not related to Iran conflict.
DDoS Denmark Greenland Transport #OpDenmark NoName057(16) Geographic Expansion
Mar 23, 2026
Day 24
🗺️ Handala — Israeli Power Infrastructure Maps Published
Handala published a grid of nine detailed schematic maps showing what appear to be Israeli power plant and electrical grid layouts, watermarked with the Handala logo and linked to a post on the Handala site. No breach claim — pure targeting intelligence against critical infrastructure.
Targeting Intelligence Israel Power Infrastructure Handala Critical Infrastructure
Mar 23, 2026
Day 24
🚗 DieNet — Lamborghini Website, Google-Hosted
DieNet claimed to have bypassed Google LLC's protection on the Lamborghini website, publishing a Check-Host verification link. Framed as proof that Google's hosting infrastructure is not sufficient protection.
DDoS Civilian Target DieNet Protection Bypass #DieNet_Network_V5
Mar 22, 2026
Day 23
🌍 Keymous Plus — Six Egyptian Government Targets, #Op_Epstein_Gulf
Claimed DDoS across Egypt Government Portal, Cabinet, Ministry of Interior, Ministry of Finance, Ministry of Petroleum, and Ministry of Water Resources and Irrigation. All Check-Host verified.
DDoS Egypt Government Keymous Plus #Op_Epstein_Gulf
Mar 22, 2026
Day 23
🎯 Harvesting Time — King David Hotel Jerusalem and Erbil Rotana Hotel Geolocated
Newly surfaced channel published satellite imagery with precise locations of the King David Hotel in Jerusalem and the Erbil Rotana Hotel in Iraqi Kurdistan. No breach claim. Pure targeting intelligence.
Targeting Intelligence Israel Infrastructure New Actor
Mar 22, 2026
Day 23
⚠️ APT IRAN — Lockheed Martin PoC
Cyber Fattah forwarded APT IRAN's Lockheed Martin breach claim with an alleged Proof of Concept including a dark web domain and sample data. Raises the claim above the initial announcement but remains unverified.
Unverified United States Defense Sector PoC Published APT IRAN
Mar 22, 2026
Day 23
⚔️ Kinetic Context — Iran Strikes Dimona and Arad, Trump Issues 48-Hour Hormuz Ultimatum
Iran struck Arad and Dimona near Israel's nuclear research center, injuring approximately 180 people. Israel's air defenses failed to intercept. Trump gave Iran 48 hours to reopen the Strait of Hormuz, threatening to obliterate Iranian power plants if it failed. Iran warned it would completely shut the strait in response.
Kinetic Context Dimona Arad Hormuz Ultimatum Strategic Context
Mar 21, 2026
Day 22
🏦 RuskiNet Group — Bank of Jerusalem, Israel
RuskiNet republished a 2025 Bank of Jerusalem data leak, originally obtained via a security vulnerability exploited that year. Re-release framed for those who missed it at the time.
Data Leak Israel Financial Sector RuskiNet Republished
Mar 21, 2026
Day 22
🇷🇴 NoName057(16) — Romanian Oil, Rail, and Justice Sector, #OpRomania
DDoS across MOL Romania, TIM Rail Cargo SRL, Romanian Railways Authority, Bucharest Metro, Chamber of Deputies, and Romanian Railways. Tagged #FuckEastwood #TimeOfRetribution.
DDoS Romania Transport Government #OpRomania NoName057(16)
Mar 21, 2026
Day 22
🇷🇴 NoName057(16) — Romanian Courts and Infrastructure, #OpRomania Continues
Second wave: Supreme Court, Supreme Court of Cassation, Industrial Real Estate Management Agency, and a state rail construction plant. Both courts closed by geo-restriction at time of reporting.
DDoS Romania Legal Sector #OpRomania NoName057(16)
Mar 21, 2026
Day 22
🌐 DieNet — 100+ Attacks on 50+ Israeli Websites, #CanYouResist
DieNet claimed over 100 attacks against 50+ Israeli targets including El Al, IDF military portal, Rafael, Hotnet, IsraelInternet, and SEM. Some military sites remained down for extended periods.
DDoS Israel Defense Aviation Telecom DieNet #CanYouResist
Mar 21, 2026
Day 22
⚔️ Kinetic Context — UK Authorizes US Strikes from British Bases, Iran Attacks on Eid and Nowruz
The UK authorized the US to use RAF Fairford and Diego Garcia to strike Iranian missile sites targeting Strait of Hormuz shipping. Iran warned the decision constitutes participation in aggression. Iran continued striking Gulf states on Eid al-Fitr and Nowruz. Qatar warned Iranian missile damage to its LNG capacity could take five years to recover from. Trump said the US was considering winding down military efforts.
Kinetic Context UK Bases Strait of Hormuz Eid Nowruz Strategic Context
Mar 20, 2026
Day 21
🕌 Conflict Context — Eid al-Fitr and Nowruz Coincide on March 20
March 20 marks the simultaneous arrival of Eid al-Fitr, the end of Ramadan, and Nowruz, the Persian New Year — one of the most significant cultural and religious dates in the Iranian calendar. Hacktivist activity from Islamic-aligned groups is expected to be lower today. Iranian state and proxy actors may use the occasion for symbolic messaging rather than technical operations.
Conflict Context Eid al-Fitr Nowruz Iran Symbolic Messaging
Mar 20, 2026
Day 21
🏭 APT IRAN — Kupferle Water Solutions / Company, Fenton, United States
APT IRAN claimed access to an industrial water treatment control system belonging to Kupferle Water Solutions in Fenton, publishing a screenshot of an active HMI panel showing chlorine levels, temperature readings, and flush cycle status dated March 10, 2026. The group claims the device was rebooted and accessed. Unverified.
ICS/OT United States Water Infrastructure APT IRAN HMI Access Unverified
Mar 20, 2026
Day 21
⚠️ Unverified Claim — Lockheed Martin Breach, 375TB Alleged
An unattributed dark web post claimed infiltration of Lockheed Martin infrastructure and exfiltration of 375TB of data including F-35 Block 4 documentation, future missile defense system architecture, Pentagon contracts, and personnel records. Data offered for sale via ThreatMarket on a .onion domain. Highly likely exaggerated or fabricated. No verification published. Treat as unverified threat actor claim only.
Unverified United States Defense Sector Data Claim Dark Web
Mar 19, 2026
Day 20
🚨 Threat Context — FBI Seizes Handala Domain (handala-redwanted.to)
The FBI seized handala-redwanted.to under a warrant from the US District Court for the District of Maryland, citing use of the domain to conduct, facilitate, or support malicious cyber activities on behalf of a foreign state actor. The domain's nameservers now point to ns1.fbi.seized.gov and ns2.fbi.seized.gov. Handala subsequently migrated to a new domain.
Seizure FBI Handala MOIS-Linked US Law Enforcement Domain Takedown
Mar 19, 2026
Day 20
🌐 313 Team — Internet Archive (archive.org)
313 Team claimed a DDoS attack against archive.org, causing the Internet Archive to go offline. Check-Host verification published.
DDoS United States 313 Team CIR Internet Archive Civilian Infrastructure
Mar 19, 2026
Day 20
🌐 ShadowStrike — #OpsShadowStrike Announced, Countries Allied with Israel
Malaysian-language hacktivist group announced #OpsShadowStrike, declaring attacks on countries allied with Israel to launch after Hari Raya Aidilfitri. Mobilization post, no technical activity yet.
Announcement Global #OpsShadowStrike Pro-Iran Southeast Asia
Mar 19, 2026
Day 20
🎓 Conquerors Electronic Army (CIR) — Wizo Academy, Haifa, Israel
Claimed DDoS against Wizo Academy Center for Social Sciences and Education in Haifa, framed under the Battle of the Great Confrontation. Check-Host verification published.
DDoS Israel Education Sector CIR Conquerors Electronic Army
Mar 19, 2026
Day 20
🇰🇷 BD Anonymous — South Korea Ministry of National Defence, #OpSouthKorea
Claimed takedown of mnd.go.kr with two Check-Host verification links and DownDetector confirmation. Stated grievance: South Korea not raising its voice for Palestine and supporting the US-Israel coalition.
DDoS South Korea Government #OpSouthKorea BD Anonymous #HackForHumanity
Mar 18, 2026
Day 19
⚔️ Kinetic Context — Intelligence Minister Khatib Killed, South Pars Gas Field Struck
Israel struck South Pars natural gas field with US coordination and killed Intelligence Minister Esmail Khatib overnight. Iran's president confirmed Khatib's death. Three senior Iranian officials killed in under 24 hours.
Kinetic Context South Pars Khatib Leadership Decapitation Energy
Mar 18, 2026
Day 19
⚔️ Kinetic Context — Larijani and Basij Commander Killed, Iran Retaliates with 100+ Strikes
Iran confirmed the killing of Ali Larijani, secretary of the Supreme National Security Council — the highest-ranking official killed since Khamenei's assassination on February 28. Israel also killed Basij commander Gholamreza Soleimani, his deputy, and the IRGC's Aerospace Force chief in the same operation. Iran's IRGC said its missiles struck more than 100 military and security targets inside Israel in retaliation.
Kinetic Context Larijani Basij Iran Retaliation Strategic Context
Mar 18, 2026
Day 19
🇮🇱 NoName057(16) — Israeli Insurance Sector and Defense Technology, #OpIsrael
Swept six Israeli targets with Check-Host verified downtime: Gahat Systems Ltd (defense-adjacent firefighting and tactical technology), Shlomo Insurance, Shomera Insurance, Harel Insurance, Igudbit Insurance Association, and Hachshara Insurance Company. Hachshara noted as closed by geo-restriction.
DDoS Israel Insurance Sector Defense Tech #OpIsrael NoName057(16)
Mar 18, 2026
Day 19
🗳️ INDOHAXSEC — 8.3 Million Israeli Voter Records Published
INDOHAXSEC published an alleged dataset of 8.3 million Israeli residents sourced from general election results, comprising 1,618 files across 116 folders, 2GB original size compressed to 617MB, hosted via Anonymous File Upload. Fields include names, addresses, emails, phone numbers, national ID numbers, and geolocation. Tagged #SAVEGAZA and #SUPPORTIRAN. Unverified.
Data Leak Israel Election Data Civilian PII INDOHAXSEC Unverified
Mar 18, 2026
Day 19
🔓 Cyber Islamic Resistance — Logit E.D, Israel
Published a 58.1MB video claiming server access at Israeli firm Logit E.D on March 17, framed under the Battle of the Great Confrontation banner referencing the Yemeni Islamic Resistance. Unverified.
Data Breach Israel CIR Unverified
Mar 18, 2026
Day 19
⚠️ APT IRAN — Starlink Tracking Warning and VPN Seller Threat, Iran
APT IRAN warned Iranian Starlink users that Israeli intelligence has compromised the devices to track precise user locations inside Iran and announced an imminent "widespread shutdown" of Starlink terminals. Follow-up posts threatened to expose VPN sellers and their customer networks operating inside Iran, naming them as counter-intelligence facilitators. Consistent with MOIS-linked intimidation and counter-surveillance patterns.
Threat Context Iran Starlink VPN Counter-Surveillance APT IRAN MOIS-Linked
Mar 17, 2026
Day 18
💻 313 Team + Anti-Zionist Cyber Group — Microsoft 365, Outlook, and Copilot
Two CIR-affiliated groups jointly claimed DDoS disruption of Microsoft's core cloud services — office.com, m365.cloud.microsoft, and copilot.cloud.microsoft — with Check-Host verified downtime and Azure Front Door errors confirmed. Anti-Zionist Cyber Group stated intentions to continue targeting US companies over Trump's actions in the Middle East.
DDoS United States Microsoft Cloud 313 Team Anti-Zionist Cyber Group
Mar 17, 2026
Day 18
💻 Keymous Plus — Microsoft 365 Services
Independently from CIR, Keymous Plus also claimed disruption of Microsoft 365 via elitestress.st, logging 59 downtime reports. Simultaneous but uncoordinated targeting of the same infrastructure by two separate pro-Iranian clusters on the same day.
DDoS United States Microsoft Cloud Infrastructure Keymous+
Mar 17, 2026
Day 18
⚖️ NetStrike — Israeli Lawyers Database, Israel
NetStrike resurfaced after its assumed dormancy, publishing an alleged database of 29,300 Israeli lawyers under #OpIsrael, including names, addresses, emails, phone numbers, firm affiliations, and geolocation data. Unverified.
Data Leak Doxxing Israel Legal Sector #OpIsrael Unverified NetStrike
Mar 17, 2026
Day 18
🇰🇷 Hider_Nex — 15+ South Korean Government Domains, #OpSouthKorea
Hider_Nex swept South Korea with Check-Host verified DDoS claims across 15+ domains including the Ministry of National Defence, National Intelligence Service, Ministry of Justice, Ministry of Foreign Affairs, and Ministry of Finance. First large-scale hacktivist sweep of South Korean infrastructure in this conflict cycle.
DDoS South Korea Government #OpSouthKorea Geographic Expansion Hider_Nex
Mar 17, 2026
Day 18
🌍 Keymous Plus — Telecom Egypt, Egypt
Keymous Plus claimed disruption of Telecom Egypt (te.eg), the country's primary telephone operator, verified via EliteStress under #Op_Epstein_Gulf. Egypt's inclusion extends the operation into North Africa for the first time.
DDoS Egypt Telecom #Op_Epstein_Gulf North Africa Expansion Keymous+
Mar 16, 2026
Day 17
📡 Mad Ghost — Israeli 4G Mobile Core Infrastructure
Mad Ghost claimed an attack on MME/PGW devices belonging to Cyberpower Ltd, LB Annatel Ltd, and Welcome Mobile Ltd, publishing IP addresses and GTP-C protocol details. Technically coherent, unverified.
Telecom Israel 4G Infrastructure Unverified Mad Ghost
Mar 16, 2026
Day 17
🔬 Cyber Threat Context — Handala's MOIS Handler Killed in Opening Strikes
Check Point's Void Manticore report confirmed that Panjaki, the MOIS deputy assessed to have directed Handala, Karma, and Homeland Justice operations, was killed on March 2. Handala's continued operational tempo raises the question of whether current operations are pre-planned or running under a new handler.
Threat Context Handala MOIS Void Manticore Leadership Disruption
Mar 16, 2026
Day 17
⚔️ Kinetic Context — Dubai Airport Hit, IDF Launches Ground Operation in Lebanon
A drone-related incident sparked a fuel tank fire near Dubai International Airport, temporarily suspending flights. Israel announced a targeted ground operation in southern Lebanon, with Defense Minister Katz stating it would continue until Hezbollah no longer posed a threat to northern Israel. Trump said he had received positive responses to his call for help securing the Strait of Hormuz, but no country made a firm public commitment.
Kinetic Context Dubai Lebanon Ground Operation Strait of Hormuz
Mar 16, 2026
Day 17
🇷🇴 NoName057(16) — Ten Romanian Targets, #TimeOfRetribution
Over the weekend of March 14-16, NoName057(16) shifted from Cyprus to Romania, claiming DDoS across the Ministry of National Defence, Ministry of Justice, Supreme Court, Chamber of Deputies, MOL Romania, Metrorex, CFR SA, Autoritatea Feroviară Română, Tim Rail Cargo, and Informatică Feroviară SA. Romania's second targeting in three days, following 313 Team's March 12 hit on the National Tax Agency.
DDoS Romania Government Transport #TimeOfRetribution NoName057(16)
Mar 15, 2026
Day 16
🛰️ Golden Falcon — Israeli Military Satellite Site, Geolocated
Golden Falcon published alleged satellite imagery of a compound labeled "a military satellite site in Israel" with coordinates. No breach claim. Pure targeting intelligence distributed to tens of thousands of Telegram followers.
OSINT Israel Military Targeting Intelligence Golden Falcon
Mar 15, 2026
Day 16
🌐 RipperSec — Christians United for Israel & International Christian Embassy Jerusalem, United States/Israel
On March 15, RipperSec claimed DDoS attacks against two pro-Israel Christian organizations: Christians United for Israel (cufi.org), protected by Cloudflare, and the International Christian Embassy Jerusalem (icej.org), which had no WAF in place. Both attacks carried the message "Stop Killings People, We Are Watching Your Action."
DDoS United States Israel RipperSec #OpIsrael
Mar 14, 2026
Day 15
🌍 Keymous Plus — Eight Syrian Government Domains, #Op_Epstein_Gulf
Keymous Plus swept Syria for the second time in three days, taking down the Presidency, Parliament, Ministry of Defense, Foreign Affairs, Transport, Information, Agriculture, and Social Affairs via elitestress.st with Check-Host verification.
DDoS Syria Government #Op_Epstein_Gulf Keymous Plus
Mar 14, 2026
Day 15
🇮🇷 Anonymous Syria Hackers — Iranian Educational Institution, #Op_Iran
Published a 3.2GB leak from a Khamenei-linked Iranian educational institution, exposing staff names, national ID numbers, dates of birth, scanned certificates, and personal photos.
Data Breach Iran Education Sector #Op_Iran Pro-Israel
Mar 14, 2026
Day 15
⚔️ Kinetic Context — New Supreme Leader Reportedly Wounded, Five Missile Salvos Hit Israel
Mojtaba Khamenei issued his first statement warning attacks will continue unless US bases in the region are closed. US Defense Secretary Hegseth said Khamenei is wounded and "likely disfigured." Saudi Arabia intercepted four drones over Riyadh and destroyed six ballistic missiles over al-Kharj. The IRGC claimed 10 missiles and drones were launched against US forces at UAE's al-Dhafra airbase.
Kinetic Context Iran Israel Supreme Leader Gulf Attacks Strategic Context
Mar 13, 2026
Day 14
🕌 Quds Day — Strategic Messaging Across the Conflict
Quds Day, observed on the last Friday of Ramadan and designated by Iran as an annual day of solidarity with Palestine, fell on the 14th day of Operation Epic Fury in 2026. Iran-linked actors used the occasion to frame, amplify, and legitimize cyber operations against Israeli and other regional targets through coordinated propaganda and symbolic timing.
Conflict Context Quds Day Iran Strategic Messaging
Mar 13, 2026
Day 14
🎓 Handala — Hebrew University of Jerusalem, Israel
Handala claimed a breach of the Hebrew University of Jerusalem on Quds Day, alleging compromise of all servers and the wiping of more than 40TB of data including research, financial, and communications records. Shared screenshots appeared to show access to vCenter server management and internal file directories. The claim remains unverified but, if genuine, would represent a major escalation against Israel’s education sector.
Data Breach Wiper Israel Education Sector MOIS-Linked Unverified
Mar 13, 2026
Day 14
🔓 Cyber Islamic Resistance — MEGINIM DATA SERVICES, Israel
Cyber Islamic Resistance claimed a breach of Israeli cybersecurity firm MEGINIM DATA SERVICES and published three batches of alleged exfiltrated material, including file directories and database exports. Targeting a cybersecurity company carries strong symbolic value, aiming to undermine confidence in Israeli defensive capabilities. The claim is currently unverified.
Data Breach Israel Cybersecurity Sector Unverified Cyber Islamic Resistance
Mar 13, 2026
Day 14
🌐 313 Team — 20 UAE Government Domains Targeted
313 Team claimed DDoS disruption of 20 UAE government servers across Abu Dhabi and Dubai in partnership with elitestress.st. Reported targets included the Digital Authority, Civil Defence, Municipality, Urban Planning, Public Prosecution portals, and the Government Empowerment Department, signaling continued Gulf expansion by Iraq-aligned cyber actors.
DDoS UAE Government 313 Team Gulf Expansion
Mar 13, 2026
Day 14
🇨🇾 NoName057(16) — Municipal, Media, and Utility Targets, Cyprus
NoName057(16) returned to Cyprus for the third consecutive day under #OpCyprus, adding municipal portals, Politis newspaper, Alithia news portal, and the EAC Electricity Authority to its target list. Check-Host links were published to reinforce claims that geo-restricted services remained inaccessible, continuing the group’s pressure campaign against Cypriot institutions.
DDoS #OpCyprus Cyprus Russian Actor Media Municipal
Mar 13, 2026
Day 14
✈️ Kinetic Context — Israel Strikes Tehran, US KC-135 Crashes in Iraq
Israel launched a new extensive wave of strikes on Tehran as the conflict entered its 14th day. A US KC-135 refueling aircraft crashed in western Iraq, killing four crew members, while France confirmed its first casualty after a drone strike in Iraqi Kurdistan. Kuwait’s international airport was also damaged, and Bahrain arrested four citizens accused of spying for the IRGC, underscoring widening regional escalation.
Kinetic Context Tehran US Casualties Gulf Attacks Strategic Context
Mar 12, 2026
Day 13
🚢 Kinetic Context — Iran Mines Strait of Hormuz
Iran deployed approximately a dozen naval mines in the Strait of Hormuz, prompting CENTCOM to destroy 28 Iranian minelaying vessels in response. At least 14 vessels have been struck since the conflict began, including the Thai-flagged tanker Mayuree Naree set ablaze on March 12. Iraq suspended oil terminal operations after two tankers were hit, while IRGC officials warned that any ship transiting the strait could be targeted.
Kinetic Context Strait of Hormuz Maritime Energy Crisis Strategic Context
Mar 12, 2026
Day 13
🧹 Handala — Global Wiper Attack Claim Against Stryker
Handala claimed a mass wiper attack against medical technology firm Stryker, allegedly abusing Microsoft Intune to remotely wipe more than 200,000 devices across 79 countries. Over 5,000 workers were reportedly sent home from Stryker's Ireland hub while emergency procedures were triggered at the company's US headquarters. The group framed the operation as retaliation for a February 28 missile strike on an Iranian school.
Wiper Global MedTech MOIS-Linked Microsoft Intune
Mar 12, 2026
Day 13
⚠️ Handala — Verifone Breach Claim (Denied)
Handala claimed a breach of Verifone systems in Israel. The company publicly denied the claim, stating no evidence of compromise or service disruption was detected. The claim aligns with the group's pattern of publicizing attacks regardless of confirmed access.
Unverified Israel Denial FinTech
Mar 12, 2026
Day 13
🌍 Keymous Plus — Multi-Country Government DDoS Campaign
Keymous Plus published more than 50 DDoS claims targeting government ministries across Bahrain, Kuwait, Jordan, Qatar, Syria, and the UAE under the #Op_Epstein_Gulf banner. Targets included ministries of Interior, Finance, Justice, and Transport as well as Qatar Central Bank and the UAE Government portal. Syria's inclusion marked the first time Damascus was targeted in this Gulf-focused operation.
DDoS #Op_Epstein_Gulf Gulf States Multi-Country
Mar 12, 2026
Day 13
🇷🇴 313 Team — Romania National Tax Agency Targeted
313 Team claimed a one-hour shutdown of Romania's National Tax Agency (anaf.ro) in retaliation for the Romanian president allowing US forces to use Romanian bases for strikes against Iran. A Check-Host verification link was shared. This marks the first confirmed European government target hit by an Iraq-based group during this conflict cycle.
DDoS Romania Europe 313 Team
Mar 12, 2026
Day 13
🇨🇾 NoName057(16) — #OpCyprus Infrastructure Campaign Continues
NoName057(16) continued the #OpCyprus campaign with a new wave of DDoS claims against 14 Cypriot government and infrastructure entities including the Cyprus Government Portal, Supreme Court, Electricity Authority, Ministry of Justice, and Cyprus Ports Authority. The campaign remains linked to Ukraine-related grievances under the #FuckEastwood and #TimeOfRetribution narratives.
DDoS #OpCyprus Cyprus Russian Actor
Mar 12, 2026
Day 13
🛢️ Kinetic Context — UNSC Resolution and Oil Price Surge
The UN Security Council passed a resolution backed by 135 countries urging Iran to halt attacks on neighboring states and maritime routes. China and Russia abstained. Brent crude surged to $126 per barrel, marking the most significant global energy supply disruption since the 1970s oil crisis.
Kinetic Context UN Resolution Energy Markets Strategic Context
Mar 11, 2026
Day 12
🤝 Hider_Nex — Alliance with NoName057(16)
Tunisian group Hider_Nex announced a formal alliance with pro-Russian NoName057(16), framing it as a shared fight for justice. The declaration was immediately followed by an operational sweep against Kuwait, suggesting the alliance was coordinated in advance rather than symbolic.
New Alliance Tunisian Actor Russian Actor Coalition Expansion
Mar 11, 2026
Day 12
🌐 Hider_Nex — 18 Kuwaiti Government Domains Targeted
Claimed DDoS attacks against 18 Kuwaiti government domains under #OpKuwait including the Ministries of Defense, Foreign Affairs, Health, Education and Finance, as well as the electricity and water authority, PACI civil registry, national news agency KUNA and Burgan Bank. The scale mirrors the earlier 313 Team sweep targeting Kuwait's government infrastructure.
DDoS #OpKuwait Kuwait Government Financial Targeting
Mar 11, 2026
Day 12
🏦 Moroccan Black Cyber Army — Discount Bank, Israel
Claimed DDoS disruption against Discount Bank, one of Israel's largest financial institutions based in Tel Aviv. A Check-Host link accompanied the post. The site experienced a brief outage despite strong messaging framing the attack as a strike against Israel's economy.
DDoS #OpIsrael Israel Financial Sector
Mar 11, 2026
Day 12
⚡ NetStrike — Galey Israel Radio Station Targeted
Newly created group NetStrike declared an alliance with Keymous+ and claimed a DDoS attack against Galey Israel, a Hebrew-language radio station serving central and northern Israel. Check-Host evidence was shared, though no sustained operational activity followed. The pattern aligns with short-lived groups appearing during the conflict for visibility.
DDoS #OpIsrael Israel Media Sector New Group
Mar 11, 2026
Day 12
🚢 Kinetic Context — Strait of Hormuz Escalation
Trump warned Iran of strikes "20 times harder" if it attempts to mine or block the Strait of Hormuz, through which roughly 20% of global oil supply passes. Iran has effectively halted tanker traffic through the strait amid attacks on merchant vessels. The US Navy escorted its first tanker through the corridor since the conflict began while Aramco confirmed rerouting shipments and pushing the East-West pipeline to full capacity.
Kinetic Context Strait of Hormuz Energy Infrastructure Strategic Context
Mar 10, 2026
Day 11
💥 Team Fearless — Alon Oil, Goldtec Defense, and Commercial Targets, Israel
Claimed DDoS attacks against four Israeli entities including Alon Oil, advanced defense firm Goldtec, and additional industrial service companies. Check-Host links were provided for verification. The mix of targets across energy, defense, and commercial sectors suggests deliberate cross-sector disruption attempts.
DDoS #OpIsrael Energy Sector Defense Sector Commercial Targeting
Mar 10, 2026
Day 11
💧 NoName057(16) — Bezeq, Mekorot, Kavim, E.M.I.T. Aviation, Israel
Claimed disruption of Israel's primary telecom provider Bezeq, national water company Mekorot, public transport operator Kavim, and UAV manufacturer E.M.I.T. Aviation in a single coordinated post. Check-Host links were included for each target, indicating continued targeting of national infrastructure and defense-related services.
DDoS Israel Telecom Infrastructure Water Infrastructure Defense Sector Russian Actor
Mar 10, 2026
Day 11
🇨🇾 NoName057(16) — Government, Airport, and Electricity Authority, Cyprus
Continued #OpCyprus campaign targeting multiple Cypriot services including the Office of the Republic, Limassol Airport Express, OSYPA bus tracking systems, and the Cyprus Electricity Authority. The campaign appears tied primarily to Ukraine-related grievances rather than the Iran conflict theater.
DDoS Cyprus Government Transport Energy Infrastructure Russian Actor
Mar 10, 2026
Day 11
⚠️ FSociety — 42-Hour Threat Against Israel and the US
A Russian-language Telegram post threatened to "destroy Israel and the Israeli alliance" within 42 hours, calling for mass cyber mobilization against Israeli and U.S. networks. No technical activity has been confirmed so far, consistent with FSociety's pattern of conflict-driven recruitment messaging.
Unverified Threat Signaling Mobilization Israel US Networks
Mar 9, 2026
Day 10
👑 Kinetic Context — Mojtaba Khamenei Elected Supreme Leader
Mojtaba Khamenei was elected on March 8 to succeed his father as Iran's Supreme Leader. Senior Iranian leadership including Ghalibaf, Larijani, and Pezeshkian pledged allegiance. The leadership transition may accelerate coordinated state-directed cyber operations as the new regime consolidates authority and signals strategic continuity.
Kinetic Context Leadership Transition Iran Strategic Context
Mar 9, 2026
Day 10
💥 NoName057(16) — Six Cypriot Government and Financial Targets
Claimed DDoS attacks against the Authorization Audit Office, Hellenic Bank portal, Central Bank, Public Transport Cyprus, Cyprus Chamber of Commerce (CCCI), and the CY Login national digital identity system. The campaign was justified by Cyprus hosting Swarmly, manufacturer of H-10 Poseidon drones used by Ukrainian artillery.
DDoS Cyprus Russian Actor Financial Targeting
Mar 9, 2026
Day 10
🎓 Cyber Islamic Resistance & 313 Team — Saudi University of Business and Technology
Joint operation targeting the official website of UBT (staging.ubt.edu.sa), resulting in full defacement. The page was replaced with Cyber Islamic Resistance branding and “Wa'd al-Akhira” messaging, marking the first confirmed defacement of a Saudi academic institution in this conflict cycle.
Defacement Saudi Arabia Education Sector 313 Team
Mar 8, 2026
Day 9
💥 Team Fearless — Five Saudi Arabian Government Portals
Claimed DDoS attacks against the Saudi Embassy website, Ministry of Interior, Ministry of Commerce, Ministry of Health, and the National Portal for Digital Government Information. Check-Host links accompanied each target, with the campaign tagged under #hackforhumanity and #RedEyeOfPalestine.
DDoS Saudi Arabia Gulf Expansion Multi-Sector
Mar 8, 2026
Day 9
🏭 Cyber Islamic Resistance — Multiple ICS/SCADA Systems
Published a grid of screenshots allegedly showing access to multiple industrial control systems including building management interfaces, pipeline schematics, and process automation dashboards. The post described the activity as a "first wave" of systems accessed and controlled, with additional operations promised.
OT/ICS Multi-Target SCADA Escalation
Mar 8, 2026
Day 9
📹 NoName057(16) — CCTV Access, United Kingdom
DDoSia Project volunteers claimed live access to surveillance cameras at Anglia Indoor Karting in Ipswich, United Kingdom. The operation was tagged under #OpUnitedKingdom and #TimeOfRetribution, indicating geographic expansion toward UK civilian infrastructure.
Surveillance United Kingdom Russian Actor #OpUnitedKingdom
Mar 8, 2026
Day 9
⚡ Cyber Isnaad Front — Continued Leak Operations
IRGC-aligned Cyber Isnaad Front continues publishing data tied to its claimed breach of telecom and fuel logistics infrastructure. The sustained leak activity suggests the group is maintaining an information operation beyond the initial breach claim, increasing pressure regardless of whether the intrusion itself is verified.
Unverified Ongoing Leaks Telecom IRGC-Aligned
Mar 7, 2026
Day 8
🏭 Cyber Islamic Resistance — Prima Park Hotel and Technion, Tel Aviv
Claimed a coordinated attack on Prima Park Hotel in Tel Aviv, alleging electricity and water disruption alongside customer data exfiltration. The group also claimed targeting Technion's administration network and Haifa's main electrical line, framing the operation as retaliation for 165 students killed in Iran.
OT/ICS Israel Energy Data Exfiltration
Mar 7, 2026
Day 8
🏦 APT Iran — Bank al Etihad, Jordan
Claimed access to Bank al Etihad's solar PV monitoring and control systems via a backdoor. The same campaign also alleged breaches of Aqaba Special Economic Zone and ISAR Engineering through legacy FileManager vulnerabilities, with screenshots showing live energy dashboards and full read/write access.
OT/ICS Jordan Banking Energy Infrastructure
Mar 7, 2026
Day 8
💧 NoName057(16) / DDoSia — Israeli Water Pumping Infrastructure
DDoSia Project volunteers claimed full access to an Israeli industrial pump control HMI, including real-time control of pumps, valves, alarms, and manual or automatic mode switching. The group said it disabled an important part of Israel's critical infrastructure within minutes.
OT/ICS Water Infrastructure Israel Russian Actor
Mar 7, 2026
Day 8
⚡ Cyber Isnaad Front — Telecom and Fuel Logistics Supply Chain Claims
IRGC-aligned Cyber Isnaad Front claimed breaches affecting more than 160 telecom data centers, exfiltration of 5TB from a national fuel logistics provider, and compromise of logistics and tracking systems. Screenshots are circulating, but the claims remain unverified. If confirmed, this would mark a significant escalation toward supply chain targeting.
Unverified Telecom Energy Supply Chain IRGC-Aligned
Mar 6, 2026
Day 7
🔓 MuddyWater — Dindoor Backdoor on U.S. and Israeli Networks
Symantec/Carbon Black confirmed MOIS-linked MuddyWater deployed the new Dindoor backdoor on a U.S. bank, the Israeli branch of a defense-adjacent software firm, and a Canadian NGO. A second backdoor, Fakeset, was discovered on a U.S. airport network. Activity began in early February, predating Operation Epic Fury and indicating strategic pre-positioning.
State-Sponsored Backdoor US Networks Pre-Positioning
Mar 6, 2026
Day 7
💥 RuskiNet — Turpaz Industries, Israel
Claimed DDoS against publicly traded Israeli flavor and fragrance manufacturer Turpaz Industries (TASE: TRPZ). Check-Host links indicate a disruption window. The operation signals a pivot toward commercial industrial targets as government websites move behind stronger mitigation layers.
DDoS Russian Actor #OpIsrael Commercial Targeting
Mar 6, 2026
Day 7
💥 DieNet — Nine Qatari Government Domains
Claimed takedown of data.gov.qa and eight additional government portals routed through Amazon Technologies infrastructure, highlighting alleged WAF/CDN bypass. The attack was framed as retaliation for Qatar's media blackout on Iranian strike coverage.
DDoS Qatar CDN Bypass Gulf Expansion
Mar 6, 2026
Day 7
🏛️ 313 Team — 26 Kuwaiti Government Domains
Claimed shutdown of 26 Kuwaiti government IP domains including the Ministry of Defense, National Guard, Credit Bank, and Civil Service Commission. The national e-government portal was reportedly offline for more than 18 hours.
DDoS Kuwait Multi-Sector E-Government
Mar 6, 2026
Day 7
💥 Conquerors Electronic Army — British Charity in Attack Propaganda
A “Wa'd al-Akhira” propaganda post referenced a UK-registered charity funding civil society projects in Israel. A Check-Host link in the same post suggests an attempted disruption operation alongside the influence narrative.
DDoS Influence Operation UK-Linked #OpIsrael
Mar 6, 2026
Day 7
✅ Jordan NCC — Wheat Silo OT Attack Officially Confirmed Thwarted
Jordan's National Cybersecurity Center confirmed it blocked an Iranian cyberattack targeting the national wheat silo management system. This marks the first government-confirmed thwarted OT intrusion of the conflict, partially corroborating APT Iran's earlier Day 4 claims.
OT/ICS Food Infrastructure Jordan Confirmed Thwarted
Mar 5, 2026
Day 6
🌐 Cyber Jihad Movement — Global Campaign Declaration
Called for attacks on systems tied to the US, Israel, Arab governments, Pakistan, and India. Declared entry into both the Iran-US war and the Afghanistan-Pakistan conflict zone, claiming cyber assistance to Taliban-aligned actors. No technical evidence yet.
Propaganda Mobilization India-Pakistan Spillover
Mar 5, 2026
Day 6
🔓 Anonymous Syria Hackers — Iranian E-Commerce Breach
Claimed breach of an Iranian retail platform under #OP_IRAN, leaking PayPal credentials, usernames, emails, and encrypted passwords. Posted to BreachForums behind a comment-to-unlock gate.
Data Leak #OP_IRAN BreachForums
Mar 5, 2026
Day 6
🎓 Keymous — Israeli Ministry of Education Portal
Claimed access to Israel's internal Education Institutions Portal, alleging 300,000+ records including student names, class lists, teacher data, and matriculation exam records.
Data Breach Education Sector Israel
Mar 5, 2026
Day 6
💥 DarkStorm Team — Seven Israeli Targets
Claimed simultaneous DDoS on MAX, PM's Office, Ministries of Foreign Affairs, Finance and Justice, Israel Security Agency, and an intelligence agency.
DDoS #OpIsrael Financial Targeting
Mar 5, 2026
Day 6
💥 Team Fearless — IDF, Tax Authority, Sony Pictures Israel
Claimed DDoS on Israeli Tax Authority, IDF site, Sony Pictures Israel, a civic platform, a transit tech firm, and Oron Group. Commercial targets are now in scope alongside government infrastructure.
DDoS #OpIsrael Commercial Targeting
Mar 5, 2026
Day 6
🇷🇺 Server Killers — Russian Group Joins the Conflict
Officially announced entry into the cyberwar citing US-Israel strikes. Continues the pro-Russian coalition expansion trend flagged on March 3.
Russian Actor New Entrant Coalition Expansion
Mar 4, 2026
Day 5
🌾 APT Iran — OT Intrusion into Jordanian Grain Storage
Claimed phishing-enabled access to Jordan Silos Company, alleging temperature manipulation to degrade wheat, weighing software tampered to underreport by 10%, and solar inverters disabled. High-detail but unverified — treat with caution.
OT/ICS Food Infrastructure Jordan Unverified
Mar 4, 2026
Day 5
💧 Z-Pentest Alliance — Israeli Water Infrastructure
Claimed full access to an Israeli pump control HMI, publishing a screenshot of Hebrew-language controls for pressure, flow, and pump hours. Attribution to a specific operator remains unconfirmed.
OT/ICS Water Infrastructure Israel Russian Actor
Mar 4, 2026
Day 5
💥 Conquerors Electronic Army — Five-Sector DDoS Against Israel
Claimed five attacks in 12 hours under "Wa'd al-Akhira," hitting emergency alerting, finance, media, industrial, and healthcare. Civil alert system targeting is the most sensitive claim.
DDoS Multi-Sector Israel Emergency Systems
Mar 4, 2026
Day 5
📰 NoName057(16) — Jerusalem Post and Israeli ISP
Claimed DDoS on a major Israeli news outlet and ISP. Both moved behind mitigation stubs, which NoName framed as the defender "hiding" — a narrative tactic to preserve momentum.
DDoS Russian Actor Media #OpIsrael
Mar 3, 2026
Day 4
📡 IRGC Narratives — 160 Data Centers & Healthcare Infrastructure Claims
An IRGC-linked Telegram channel with 526,000+ subscribers claimed penetration of 160 data centers disrupting Israeli communication networks — no technical evidence provided, assessed as narrative-driven propaganda. Claims of attack against Clalit Health Services (Israel's largest HMO) raised psychological stakes but lacked verified evidence. Liwaamohammad distributed files allegedly containing Mossad agent lists and military databases (authenticity unverified).
IRGC Propaganda Healthcare Narrative Data Leak Claims
Mar 3, 2026
Day 4
🇷🇺 Pro-Russian Hackers Enter the Theater — NoName057(16) Targets Israel
Russian-affiliated hacktivist clusters divided operational focus between Europe and the Middle East, signaling structured targeting priorities rather than spontaneous mobilization. NoName057(16) launched DDoS campaigns against Israel. DarkStorm targeted Israeli banking institutions. Keymous Plus declared Kuwait, Jordan and Saudi Arabia as daily "visit" targets. DieNet became one of the first groups to target Oman's government portal. #OpIsrael coordinated campaign launched across multiple channels.
Russian Actor NoName057(16) DarkStorm #OpIsrael Financial Targeting
Mar 2, 2026
Day 3
🌍 Gulf Expansion — DieNet, 313 Team & Government Portals
DieNet published a structured list of targets across Qatar, Bahrain, UAE, Kuwait and Saudi Arabia — ministries, airports, banks, telecom, and electricity/water authorities. Cyprus declared a target due to British military bases (narrative circulated before public reporting of UK permissions for U.S. ops). Nation of Saviors claimed 21GB from Saudi engineering firm Baran Company. Handala claimed access to i24 News admin interface. Team Fearless and CyberAv3ngers resurfaced from dormancy.
DieNet Arsenal 313 Team Jordan .gov Attack Cyprus Expansion
Mar 2, 2026
Day 3
🏭 Critical Infrastructure Escalation — OT/ICS, Ransomware & Defacement
OT/ICS: Cyber Islamic Resistance shared screenshots allegedly showing access to PLC controller interfaces (VeroPoint) and live energy monitoring dashboards, claiming operational parameter manipulation. APT IRAN claimed month-long access to Jordan's power plant control systems with alleged 75% electricity output reduction.
Ransomware: Israeli firm ramet-trom.co.il appeared on INC Ransomware's disclosure blog — ~1TB of data (blueprints, contracts) listed as a "political attack" rather than financial.
Defacement: Cyber Islamic Resistance and Cyb3r Drag0nz claimed defacement of Israeli websites with coordinated coalition branding.
ICS/OT Attack Ransomware Defacement AnonGhost US Recon
Feb 28 – Mar 2, 2026
Day 0/+2
📣 Hacktivist Mobilization — Cyber Islamic Resistance Formed
Cyber Islamic Resistance announced formation of a unified "Electronic Operations Room" and declared general cyber mobilization. RipperSec and Cyb3rDrag0nzz teams formally joined the axis. Within 15 days: 600+ distinct attack claims across 100+ Telegram channels. Peak daily volume exceeded 80 claims. Israel accounted for 70%+ of claims.
Coalition Formed Telegram Coordination Mr. Hamza #1 Group
Feb 28, 2026
Day 0
🚀 Iran's Kinetic Retaliation — Spillover into Gulf States
Iran targeted 27 U.S. military bases and Israel. Bahrain's 5th Fleet HQ struck. Drone attack on Kuwait International Airport. Saudi air defenses intercepted salvos toward Riyadh. Shahed drone hit Dubai's Fairmont Hotel on the Palm Jumeirah. Abu Dhabi Zayed International Airport strike: 1 killed, 7 injured. Qatar air defenses engaged. Financial hubs and expat capitals absorbed the shockwave — not frontlines.
Regional Spillover UAE Struck Kuwait Hit Bahrain Struck
Feb 28, 2026
Day 0
💥 Operation Epic Fury Launched — Coordinated Kinetic + Cyber Strike
U.S. and Israel simultaneously struck Iran's military command, missile infrastructure, and senior leadership. In parallel: Iran's internet connectivity dropped to 4%; IRNA news agency taken offline; IRGC-linked Tasnim agency hacked and forced to display anti-Khamenei messages; Saba Wind prayer app compromised with "Help has arrived" messages. Israeli sources claimed it was "the largest cyberattack in history." Western intelligence confirmed deliberate destruction of IRGC communications infrastructure.
Kinetic Strike Historic Cyberattack IRNA Offline Tasnim Hacked 1% Connectivity
January 2026
🛰 Satellite Broadcasts Hacked — Preparation Phase
Iranian state television satellite broadcasts were hacked; regime-change content was aired to millions of Iranian households. Assessed as the cyber precursor to Operation Epic Fury — groundwork for psychological and electronic warfare.
Broadcast Hijack Psychological Operation US-Israel

🕵

Iranian State-Sponsored APT Groups

STATE ACTOR
| Group | Aliases | Primary Targets | Key Tactics | Risk |
|---|---|---|---|---|
| APT33 (Elfin / Refined Kitten / Magnallium / HOLMIUM) | Refined Kitten, Magnallium | Aerospace, energy, defense | Spear phishing, custom malware, wipers | CRITICAL |
| APT34 (OilRig / Helix Kitten / Cobalt Gypsy / Hazel Sandstorm) | OilRig, Hazel Sandstorm | Middle East govt, telecom, finance | Credential harvesting, DNS hijacking, custom backdoors | CRITICAL |
| APT35 (Charming Kitten / Phosphorus / TA453 / Mint Sandstorm) | Charming Kitten, Mint Sandstorm | Journalists, academics, policy experts | Social engineering, credential theft, cloud account harvesting | HIGH |
| APT39 (Remexi / Chafer) | Chafer, Remexi | Telecom, travel, IT providers | Data exfiltration, surveillance tooling | HIGH |
| APT42 (TA453 / Mint Sandstorm) | Mint Sandstorm | NGOs, civil society, healthcare, academia | Spear phishing, impersonation, cloud credential harvesting | HIGH |
| MuddyWater (Static Kitten / Seedworm / Mercury / Mango Sandstorm) | Seedworm, Mercury | Government, transport, industrial | Phishing, PowerShell loaders, lateral movement, RMM abuse | CRITICAL |
| Tortoiseshell (Imperial Kitten) | Imperial Kitten | Defense contractors, supply chain | Fake recruitment portals, watering hole attacks | HIGH |
| Cyber Av3ngers (CyberAvengers (IRGC)) | CyberAvengers | Water utilities, ICS/OT systems | OT device defacement, PLC exploitation | CRITICAL |
| Fox Kitten (UNC757) | UNC757 | VPN appliances, edge devices | Exploiting unpatched perimeter systems for initial access | HIGH |

Active Hacktivist Groups

HACKTIVIST
Cyber Islamic Resistance
🌍 Global — Coordinator
DDoS Defacement ICS
Electronic Operations Room coordinator; Israel, Gulf governments

313 Team
🇮🇶 Iraq — Islamic Cyber Resistance
DDoS Defacement
Jordan .gov, Saudi, UAE, Kuwait government portals

DieNet
🌍 Distributed — DDoS Provider
DDoS Toolkit Automation
Kuwait, Qatar, UAE, Bahrain, KSA, Oman, Cyprus

Nation of Saviors
🌍 Pro-Iran
Data Leak Doxxing DDoS
Israeli Edu. Ministry, US military doxxing, Saudi Baran Co. (21GB)

Moroccan Black Cyber Army
🇲🇦 Morocco
DDoS Telecom
TCS Communications Tel Aviv, service-layer infrastructure

Handala
🌍 Pro-Palestine
Defacement Leak
i24 News admin interface; Israeli fuel and energy sector

Keymous Plus
🌍 Regional
DDoS Recon
Kuwait, Jordan, Saudi Arabia (daily target declarations)

AnonGhost
🌍 Pro-Islam
Port Scanning Recon
US IP ranges (120K_USA_NetBlock.txt), 72.x.x.x blocks

DarkStorm
🌍 Pro-Iran / Regional
DDoS
Israeli banking and financial institutions

Cyber Av3ngers
🇮🇷 Iran — IRGC-linked
ICS/OT PLC Attack
Water infrastructure, industrial control systems

Liwaamohammad
🌍 Pro-Iran / IRGC
Data Leak
Alleged Mossad agent lists, military datasets (unverified)

SYLHET GANG-SG
🌍 Southeast Asia
DDoS Relay
Kuwait government domains via DieNet toolkit

NoName057(16)
🇷🇺 Russia — Pro-Russian
DDoS
Israel (split focus with European targets — structured)

RipperSec
🌍 Southeast Asia
DDoS Defacement
Joined Cyber Islamic Resistance axis; Israeli websites

Team Fearless
🌍 Pro-Palestine
DDoS Recon
Returned from dormancy; re-entered operational landscape

📸 Key Attack Evidence & Telegram Posts

UNVERIFIED / LATEST DEVELOPMENTS
🇮🇷
Operation Epic Fury — Cyber Dimension
February 28, 2026
HISTORIC
Saba Wind Prayer Times app hacked — political messages displayed to millions of Iranian users:
"Help has arrived" — "Do not fear, defend them, and they will defend you." Delivered to millions of Iranian app users. (@Vahid)
[SABA WIND APP — AZAN APP]
STATUS: COMPROMISED ⚠
MESSAGE: "یاری رسید" [Help has arrived]
"نترسید از آن‌ها دفاع کنید"
TARGET: Iranian civilian users
IMPACT: Mass psychological operation
Cyber Islamic Resistance — Coalition
Feb 28 – Mar 2, 2026
COALITION
Unified Electronic Operations Room established. General cyber mobilization declared:
"Multiple hacktivist teams have formally joined the Electronic Operations Room. Coordinated attacks against Israeli websites have begun under the Islamic Resistance Axis."
JOINED TEAMS:
✓ RipperSec (Southeast Asia)
✓ Cyb3rDrag0nzz
✓ 313 Team (Iraq)
✓ Moroccan Black Cyber Army
✓ Nation of Saviors
✓ DieNet (DDoS arsenal)
✓ [+additional groups]
ALLEGED PROOF: Network device mgmt interface + ACL panel access
🇮🇶
313 Team — Iraq / Islamic Cyber Resistance
March 2, 2026
DDoS
Jordan government portal (jordan.gov.jo) attack claimed:
"Full website disablement claimed. SSL error screenshot shared as proof. Third-party uptime verification links referenced."
TARGET: jordan.gov.jo
STATUS: SSL ERROR / DOWN ✗
VERIFY: check-host.net [timeout]
NEXT TARGETS DECLARED:
→ Jordan (active)
→ Saudi Arabia
→ UAE
→ Kuwait
→ Israel + United States
"The hand of revenge will reach the servers of these states"
🏭
Cyber Islamic Resistance — ICS/OT
March 2, 2026
CRITICAL INFRA
Alleged access to PLC controller interfaces and live energy monitoring dashboards:
"Attackers accessed internal networks of energy-related facilities and manipulated operational parameters. Prolonged access before disclosure."
ALLEGED SCREENSHOTS:
• VeroPoint PLC Controller Interface
• Live energy production dashboard
• Operational data visualization panel
APT IRAN CLAIM (Jordan power plants):
"Infiltrated critical infrastructure"
"Maintained access for 1+ month"
"Manipulated power plant controls"
"Up to 75% electricity output drop"
⚠ INDEPENDENT VALIDATION PENDING
💰
INC Ransomware — Political Attack
March 2, 2026
RANSOMWARE
Israeli firm listed on INC Ransomware's disclosure blog:
"ramet-trom.co.il — approximately 1 terabyte of exfiltrated data including blueprints and contracts. Listed as a 'political attack' rather than financial."
RANSOMWARE BLOG DISCLOSURE:
Victim: ramet-trom.co.il (Israel)
Data Volume: ~1 TB
Content: Blueprints, contracts
Motivation: POLITICAL (non-financial)
Status: Data release threatened
Classification: Conflict-driven attack
🇷🇺
NoName057(16) — Israel Targeting
March 3, 2026
RUSSIAN ACTOR
Pro-Russian hacktivist clusters entered Middle East conflict theater:
"Russian-affiliated clusters divide operational focus between Europe and the Middle East — signals structured targeting priorities rather than spontaneous mobilization."
GROUP: NoName057(16) [Russia-linked]
STATUS: Active in Middle East theater
OPERATION SPLIT:
50% → European targets
50% → Israeli targets
DARK STORM: Israeli financial institutions
CAMPAIGN: #OpIsrael coordinated
NOTE: Ecosystem is decentralized, narrative-driven; actors from SE Asia, Pakistan, Gulf diaspora, Shia communities
📡
IRGC Telegram Channel (526K+ subscribers)
March 3, 2026
PROPAGANDA
IRGC-linked channel claimed large-scale operation against Israeli communications:
"Large-scale cyber attack against communication networks of the Zionist regime — penetration into over 160 data centers, disruption of internal systems across multiple locations."
CHANNEL FOLLOWERS: 526,000+
AFFILIATION: IRGC-linked
CLAIM: 160 data centers breached
Israeli telecom networks hit
Internal systems disrupted
⚠ NO TECHNICAL EVIDENCE PROVIDED
TYPE: Narrative-driven post
INTENT: Signal scale, project impact
VERDICT: Propaganda / Unverified
🌊
DieNet — DDoS Toolkit & Gulf Expansion
Mar 2–3, 2026
DDoS
DieNet published structured Gulf target list and declared Cyprus a target:
"Cyprus targeted due to British military bases. Narrative circulated before public reporting that UK granted permissions for U.S. operations — suggesting early intelligence."
DieNet STRUCTURED TARGET LIST:
Qatar: ministries, airports, banks
Bahrain: government, aviation
UAE: utilities, telecom
Kuwait: govt portals, airport ✓
Saudi Arabia: ministries
Oman: government portal ✓
NEW Cyprus: British bases ← EXPANSION
CHECK-HOST RESULTS: Connection timeouts on gov domains
DDoS type: volumetric / app-layer

🛡 Security Recommendations

SOCRadar
Organizations in the Middle East and Gulf Council States, government sectors, and critical infrastructure operators should assume elevated cyber threat levels during Operation Epic Fury. The following defensive measures are recommended immediately.
🔑 Access & Identity
Enforce MFA on all government and infrastructure accounts without exception
Audit and immediately revoke unnecessary remote access privileges
Remove unmanaged RMM tools from government networks — MuddyWater actively abuses legitimate remote management software for persistence
Rotate credentials for all privileged accounts and cloud administrator roles
🌐 Network & Perimeter
Patch all internet-facing devices, VPN appliances, and edge infrastructure immediately — Fox Kitten specializes in unpatched perimeter exploitation
Review DNS query logs for anomalous patterns — OilRig uses DNS hijacking as its primary exfiltration technique
Activate or validate DDoS mitigation on all public-facing portals — Jordan, Kuwait, and Israeli government domains already targeted
Segment and isolate all ICS and OT environments — CyberAv3ngers require minimal capability to disrupt industrial control systems
🔍 Detection & Response
Deploy detection rules for PowerShell-based loaders, RMM abuse, and spear phishing TTPs consistent with MuddyWater and OilRig
Establish a clear internal protocol for responding to Telegram breach claims before they generate press coverage — Iran's information operations are designed to force public response on the attacker's timeline
Review and test incident response plans now — do not wait for an active incident to discover gaps
Brief senior leadership on the information operations dimension — fabricated breach claims and leaked documents are part of the playbook

Frequently Asked Questions

Which countries are most at risk of Iranian cyberattacks right now?
Organizations in Israel, the United States, and allied nations are likely to face direct or indirect targeting, with regional partners including Jordan, the UAE, Egypt, and Saudi Arabia also in scope. Gulf states hosting US military bases, Bahrain, Kuwait, and Qatar, face an elevated risk given they are already physical targets. Any country perceived as complicit in or supportive of Operation Epic Fury should treat itself as a potential cyber target.
Are NGOs and civil society organizations at risk?
Yes, and they are a priority target for Iranian APTs even outside of active conflict. APT42 specifically targets Western and Middle Eastern NGOs, media organizations, academic institutions, and activists. As recently as January 2026, the Iran-linked RedKitten campaign targeted human rights NGOs and activists using macro-laced documents disguised as records of protesters killed during the January crackdown, with malware using GitHub, Google Drive, and Telegram for command-and-control.
Which industries are most likely to be targeted?
Government, critical infrastructure, defense, financial services, academic, and media sectors face the highest direct targeting risk. Beyond these, energy, healthcare, and shipping are historically prioritized, with Iran demonstrating willingness to hit ICS and OT systems in water treatment, oil and gas, and port infrastructure.
What types of attacks should organizations expect?
Organizations should prepare for a mix of DDoS campaigns, ransomware, hack-and-leak operations, website defacements, and attacks targeting exposed edge devices with default passwords. Higher-value targets face spearphishing, credential harvesting via cloud environments, and potential destructive wiper deployments. Iran will also amplify the psychological impact of whatever it achieves: Tehran has a documented pattern of overstating the scope of successful intrusions, turning a single compromised machine into a claimed facility-wide breach as part of its information operations strategy.
Is the threat limited to the Middle East?
No. In past conflicts, Iran has conducted DDoS attacks against more than 50 US banks, ransomware campaigns against critical infrastructure, and disinformation operations aimed at creating political and social chaos within the United States. With CISA operating at reduced staffing due to a DHS funding lapse, the defensive posture of US civilian infrastructure is weaker than it should be at precisely the wrong moment.
Are there any pro-Israel or pro-US groups active?
Yes, but the imbalance is structural rather than a capability gap. Past escalations saw dozens of pro-Iranian groups versus only a handful of pro-Israeli ones — the current cycle is no different.

Allied-side actors include Predatory Sparrow (Israeli intelligence-linked, previously struck Iranian steel and fuel infrastructure), Indian Cyber Force (explicitly pro-Israel, active since 2022), and Syrian opposition-aligned groups like Anonymous Syria Hackers — whose recent breach claim against an Iranian tech firm signals a broader reorientation of former Iranian proxies following Damascus’s change of government.

The reason the allied side looks quieter is simple: Israel operates at the state level, making independent hacktivists largely redundant. Allied-side actors also don’t generate CISA advisories or vendor reports aimed at Western defenders — so they’re under-documented, not inactive. The Telegram asymmetry reflects who needs Telegram, not who is actually operating.
Why are fewer hacktivist groups active compared to the previous 12-day war period?
The lower activity appears linked to Iran’s recent internet restrictions, which disrupted Telegram-based coordination and slowed proxy mobilization. At the same time, some Russian-aligned groups have divided their focus between Europe and the Middle East instead of concentrating on one theater. Most visible operations now come from pro-Iranian actors outside Iran, particularly in Southeast Asia, Pakistan, and the broader Middle East. This suggests a temporary coordination slowdown rather than a structural decline in long-term state-level cyber capability.

Target Country Analysis

Cyber Operations Linked to the Iran–Israel Conflict
Number of attacks by target country:
Israel: 595
Kuwait: 134
Bahrain: 76
United States: 75
Saudi Arabia: 73
Cyprus: 68
United Arab Emirates: 60
Romania: 58
Jordan: 46
Qatar: 41

Global Targeting Heatmap

Cyber Activity in the Iran–Israel Conflict
Activity Level: High, Medium, Low

🏢 TARGETED INDUSTRIES

Distribution of victim organizations by industry based on observed cyber incidents.
Government: 540
Financial Services: 144
Defense / Aerospace: 122
Transportation / Logistics: 106
Energy / Utilities: 90
Education: 79
Technology: 71
Telecommunications: 55
Media / News: 48
Healthcare: 45

📊 Cyber Attack Method Distribution

Cyber Operations Observed in the Iran–Israel Conflict
Distribution of observed attack methods across the conflict dataset
Total: 1,583
DDoS: 1249 (79.3%)
Data Leak: 85 (5.4%)
Defacement: 71 (4.5%)
Targeting / Reconnaissance: 64 (4.1%)
Destructive Attack: 36 (2.3%)
ICS / SCADA Intrusion: 22 (1.4%)
Intrusion: 15 (1.0%)
Surveillance System Intrusion: 13 (0.8%)
Unauthorized Access: 13 (0.8%)
Doxing: 7 (0.4%)

🎯 Top Threat Actors

Most active actors ranked by total number of attacks
Keymous Plus (🇩🇿 Algeria / North Africa): 240
313 Team (🇮🇶 Iraq): 238
NoName057(16) (🇷🇺 Russia): 192
DieNet (🌍 Likely Syria / unconfirmed): 123
Hider_Nex (🇹🇳 Tunisia): 106
Conquerors Electronic Army (🌍 Middle East / unconfirmed): 101
Harvesting Time (🌍 Unconfirmed): 53
RuskiNet (🇷🇺 Russia-linked / unconfirmed): 49
Handala (🇮🇷 Iran-linked / unconfirmed): 39
Anonymous For Justice (🌍 Unconfirmed): 31


🕵 Advanced Persistent Threat (APT) Groups
State-sponsored, long-term operations
🇮🇷
Handala Hack
Elfin / Refined Kitten
State-Aligned
MOIS-linked destructive threat actor combining wiper attacks with hack-and-leak operations for maximum psychological impact.
Known Targets: Medtech, Education, Finance, Government
🇮🇷
APT33
Elfin / Refined Kitten
APT
IRGC-linked threat actor targeting aerospace, energy and defense industries.
Known Targets: Aerospace, Energy, Defense
🇮🇷
APT34
OilRig / Helix Kitten
APT
Iranian espionage actor targeting telecom, finance and government sectors across the Middle East.
Known Targets: Telecom, Finance, Government
🇮🇷
APT35
Charming Kitten / Phosphorus
APT
Iranian intelligence-linked group focused on credential harvesting and social-engineering campaigns.
Known Targets: NGOs, Academia, Journalists
🇮🇷
APT39
Chafer
APT
Iranian surveillance actor focused on telecom and travel sector monitoring.
Known Targets: Telecom, Travel, Hospitality
🇮🇷
MuddyWater
Seedworm / Mercury
APT
MOIS-linked cyber espionage group targeting government and infrastructure organizations worldwide.
Known Targets: Government, Infrastructure, Telecom
🇮🇷
APT42
Mint Sandstorm / TA453
APT
Targets civil society, health sector, and NGOs. Expanded campaigns in 2026 against think tanks and diaspora.
Known Targets: Civil society, Healthcare, Think tanks
🇮🇷
Fox Kitten
UNC757 / Parisite
APT
Specializes in exploiting unpatched VPN appliances and edge devices to provide initial access to other Iranian groups.
Known Targets: Enterprise VPNs, Edge devices, Fortinet/Pulse
🇮🇷
Tortoiseshell
Imperial Kitten / Yellow Liderc
APT
Watering hole and fake recruitment attacks against defense contractors and IT supply chains. Active on LinkedIn.
Known Targets: Defense contractors, Supply chain, IT staffing
🇮🇷
Cyber Av3ngers
CyberAvengers (IRGC CEC)
NEW
APT
Directly linked to IRGC Cyber & Electronic Command. PLC exploitation against water and energy utilities. Active globally.
Known Targets: Water utilities, ICS/OT systems, PLCs

💰 Ransomware & Destructive Groups
Data encryption, sabotage, political pressure
🇮🇷
Moses Staff
Abraham’s Ax / Karma
Ransomware
No ransom demand — pure sabotage. Deploys wipers against Israeli private sector. Uses BitLocker abuse. Psychologically motivated.
Known Targets: Israeli private sector, Law firms, IT companies
🇮🇷
Pay2Key
Fox Kitten overlap
Ransomware
Targeted Israeli defense and aviation firms. Operated under tight deadlines forcing rapid payments or permanent data loss.
Known Targets: Israeli defense, Aviation firms, Tech companies
🇮🇷
Agrius
BlackShadow / Pink Sandstorm
NEW
Ransomware
Disguises destructive wiper attacks as ransomware. Hit Israeli hospital, insurance, and logistics sectors. Iranian origin confirmed.
Known Targets: Israeli hospitals, Insurance sector, Logistics
🇮🇷
Void Manticore
Storm-0842 / Karma
NEW
Ransomware
MOIS-linked. Partners with BullDozer cluster for access brokering. Deploys BiBi-Linux/Windows wipers, no recovery possible.
Known Targets: Albanian government, Israeli orgs, Gulf firms
🇮🇷
INC Ransomware
Iran use / Politically deployed vector
Ransomware
Commercially available RaaS weaponized for political purposes against Israeli targets. ramet-trom.co.il: ~1TB exfiltrated, political motive confirmed.
Known Targets: ramet-trom.co.il, Israeli contractors, Defense supply
🇮🇷
Emennet Pasargad
Cotton Sandstorm / Neptunium
Ransomware
Iranian influence + hack-and-leak ops. Targeted US 2020 election, Israeli civilians. Launders ops through “hacktivist” cover identities.
Known Targets: US election infra, Israeli civilians, Media companies

Hacktivist & Proxy Groups
DDoS, defacement, leaks, psychological ops
🇷🇺
NoName057(16)
NoName057
Hacktivist
Russia's most active DDoS collective. Coordinated multi-country sweep campaigns with verified uptime checking. Fixated on Cyprus throughout Operation Epic Fury, hitting municipal, utility, and media targets across three consecutive days.
Known Targets: Cyprus government portals, EU infrastructure, Israeli allies
🇷🇺
RuskiNet
RuskiNet Collective
Hacktivist
Pro-Russian DDoS collective operating in coordination with NoName057(16). Targets NATO-aligned and Western-friendly infrastructure and joined conflict operations following the outbreak of Operation Epic Fury.
Known Targets: Western infrastructure, NATO allies, Government portals
🇷🇺
Z-Pentest Alliance
Z-Pentest
Hacktivist
Pro-Russian collective focused on ICS and SCADA targeting. Claims access to industrial control systems in Western and Gulf-aligned countries. Operates under patriotic branding with technical pretensions.
Known Targets: ICS systems, SCADA networks, Energy infrastructure
🇷🇺
ServerKillers
ServerKillers Collective
Hacktivist
Volumetric DDoS group aligned with the Russian hacktivist ecosystem. Participates in coordinated pile-on campaigns against targets designated by larger collectives.
Known Targets: Government portals, Financial sector, EU entities
🌍
Cyber Islamic Resistance
Electronic Operations Room
Hacktivist
Umbrella coordinator for the current conflict. Formed joint ops room with 15+ groups. Directs attacks across Gulf and Israel.
Known Targets: Israel .gov/.co.il, Gulf ministries, US entities
🇮🇶
313 Team
Islamic Cyber Resistance Iraq
Hacktivist
Iraq-based affiliate of CIR. Known for jordan.gov.jo takedown. Declared revenge campaign against Jordan, Saudi, UAE, Kuwait.
Known Targets: Jordan .gov, Saudi Arabia, Kuwait
🌍
DieNet
DDoS Network / Tool Provider
Hacktivist
Primary DDoS toolkit supplier for allied hacktivist groups. Structured target lists, automated check-host verification. Gulf-wide ops.
Known Targets: Qatar, Bahrain, UAE, Kuwait, Oman, Cyprus
🌍
Nation of Saviors
نجات دهندگان
Hacktivist
Data leak and doxxing specialist. 21GB from Saudi Baran Company. US military personnel doxxing. Israel education ministry DDoS.
Known Targets: Saudi Baran Co., US military, Israel Ministry
🌍
Handala
هنداله
Hacktivist
Pro-Palestine. Strategic infrastructure focus: fuel, energy, media. Claimed i24 News admin panel access. Not just symbolic targets.
Known Targets: i24 News, Israeli fuel sector, Energy infrastructure
🇲🇦
Moroccan Black Cyber Army
MBCA
Hacktivist
Telecom-layer targeting. Hit TCS Communications Tel Aviv disrupting communication services. Part of CIR coalition.
Known Targets: TCS Communications, Israeli telecom, Al-Jazeera mirror
🌍
Keymous+
Keymous Plus
NEW
Hacktivist
Daily target declarations (Kuwait → Jordan → Saudi → Oman). Structured campaign cadence with public uptime verification.
Known Targets: Kuwait ministries, Jordan govt, Saudi Arabia, Oman
🌍
AnonGhost
Pro-Islam faction
Hacktivist
Reconnaissance specialist. Released 120K_USA_NetBlock.txt scanning 72.x.x.x US IP ranges. Port scanning at scale.
Known Targets: US IP ranges, UAE infrastructure, Gulf CDNs
🌍
DarkStorm Team
Dark Storm
Hacktivist
Coordinated with NoName057 on financial sector sweep. Targeted Bank Hapoalim, Bank Leumi, Mizrahi-Tefahot simultaneously.
Known Targets: Israeli banks, Financial sector, Insurance
🌍
SYLHET GANG-SG
SG-SYLHET
Hacktivist
Southeast Asian collective channeling DieNet tools against Kuwaiti government infrastructure. Cross-regional cooperation pattern.
Known Targets: Kuwait .gov, Gulf portals, Ministry sites
🌍
Liwaamohammad
لواء محمد
NEW
Hacktivist
Leak and doxxing channel. Distributed files claiming Mossad agent lists and military datasets. Authenticity unverified.
Known Targets: Israeli intelligence, Military personnel, Mossad agents
🇮🇷
CyberAv3ngers
Cyber Avengers (IRGC front)
Hacktivist
Resurfaced after dormancy. PLC exploitation against water/ICS systems. Operates under hacktivist branding for deniability.
Known Targets: Water facilities, Israeli ICS, Industrial control
🌍
RipperSec
RipperSec Team
Hacktivist
Southeast Asian group formally integrated into CIR Electronic Operations Room. DDoS + defacement against Israeli targets.
Known Targets: Israeli websites, Government portals, Media
🌍
Team Fearless
Pro-Palestine
NEW
Hacktivist
Returned from months of dormancy. First post-return operation: Rafael Advanced Defense Systems. DDoS confirmed successful.
Known Targets: Rafael Defense, Israeli tech, Defense contractors
🌍
Mad Ghost
عملیات
Hacktivist
Joined DieNet operational cluster targeting Bahrain government infrastructure. Amplification and coordination role.
Known Targets: Bahrain .gov, Gulf portals
🌍
Cyb3rDrag0nzz
Cyber Dragonz
Hacktivist
Defacement specialist. 14 Israeli websites defaced with joint coalition banners. Switched to Saudi targets on CIR command.
Known Targets: Israeli .co.il, Saudi Aramco web, SAMA portal
🌍
Gaza Cyber Wolves
غزة
NEW
Hacktivist
Joint operations with Handala. Targeting Israeli media and streaming infrastructure. Operation “Silence the Lies” active.
Known Targets: Israeli media, Streaming services, News portals
🇸🇾
Anonymous Syria Hackers
#OpIran faction
Hacktivist
Pro-Israel counter-hacktivist group targeting Iranian government channels, propaganda outlets, and IRGC-linked infrastructure in solidarity operations alongside Israeli cyber defenders.
Known Targets: IRGC websites, Iranian govt, Propaganda channels