Security News

Cybersecurity news aggregator

HIGH Attacks Dark Reading

As War Continues, Pro-Iranian Actors Launch Barrage of Cyberattacks

Pro-Iranian cyber actors, including state-linked groups and hacktivists, have launched a coordinated campaign of DDoS attacks, critical infrastructure targeting, and network compromises in retaliation for recent US-Israeli military action. The attack vectors include data exfiltration and disruptive attacks focusing on the energy sector and other critical infrastructure, with the stated aim of inflicting economic and physical damage. The article does not describe a specific software vulnerability but rather a broad threat campaign; therefore, CVSS scores, affected versions, fixed versions, and technical workarounds are not applicable to this summary.

Iran and its supporters have taken to cyberspace to retaliate for US-Israeli military action, with an aim to cause economic and physical disruption.

Elizabeth Montalbano, Contributing Writer
March 3, 2026

The joint US-Israeli attack on Iran already has spurred a cyber response from multiple corners, including a barrage of distributed denial of service (DDoS) hits, critical infrastructure attacks, and network compromises that aim to do significant physical, reputational, and financial damage, according to security researchers.

On Saturday, the US and Israel launched a broad military action in Iran, killing the country's Supreme Leader Ayatollah Ali Khamenei as well as dozens of other government officials. Iran has retaliated with both military action and cyber warfare — the latter a realm where it has more leverage against its adversaries than on the physical battlefield.

The US said it expects a significant cyber response from the prolific array of pro-Iranian cyber actors already working in cyberespionage and cyber-sabotage, both in the immediate wake of the initial attacks and for the foreseeable future. The attacks will come from groups linked to Iranian state entities such as the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), as well as hacktivist groups sympathetic to Iran's cause.

A coalition of pro-Iranian and pro-Russian cyber actors already has launched the "#OpIsrael" campaign, focusing on critical infrastructure and data exfiltration, while other hacktivists have struck out against individual targets in protest of the military action and as a counter to the Islamic Republic's military losses, according to research from Check Point Research, Flashpoint, Palo Alto Networks' Unit 42, Cisco Talos, and others.

Meanwhile, the IRGC has targeted the energy sector with a cyberattack on Saudi Arabia's Aramco facility at Ras Tanura, and an Amazon Web Services (AWS) data center in the United Arab Emirates, both countries where the US has military installations, according to a report by Flashpoint emailed to Dark Reading.

Indeed, Iran's intent appears to be to inflict maximum global economic pain and infrastructure disruption via cyber means as a counter-pressure to its military losses, in "a shift to severe economic warfare and a higher risk for global energy supply," according to Flashpoint.

"This ecosystem supports a broad set of objectives: espionage to gain intelligence and footholds; disruption and destructive activity, including DDoS attacks, pseudo-ransomware, and data wipers to impose costs; and information operations that pair destructive activity or data leaks with coordinated online amplification," Check Point Research wrote in its analysis of the activity, noting it expects the targeting to intensify and broaden across the US and its allies.

Specific Cyberattacks from Various Groups

Researchers from Check Point, Flashpoint, and Unit 42 have revealed a laundry list of specific attacks and activity from Iran-linked or pro-Iranian groups that have already occurred since the initial bombing started Saturday.

These attacks include several by Cotton Sandstorm (aka Emennet Pasargad, Aria Sepehr Ayandehsazan, MarnanBridge, and Haywire Kitten), an Iranian cyber actor affiliated with the IRGC. The group revived its old cyber persona, Altoufan Team, which mostly specialized in targeting Bahrain and had been silent for more than a year, according to Check Point. It's now claimed new alleged targets in Bahrain, where there are US military bases.

Another group, the FAD Team (aka Iran's Resistance Hub and the Fatimion Cyber Team) has executed a global SQL injection campaign, leaking personally identifiable information (PII) from a wide range of targets, according to Flashpoint. These include a virtual US Air Force group and educational institutions in France, India, and Vietnam.

The FAD Team also claimed control over network monitoring dashboards for firewall devices in Mecca and Medina, Saudi Arabia, and targeted other US-allied Arab states, disabling the Bahrain News Agency and launching DDoS attacks against Qatari oil firm Gasco and Qatar Radio, according to Flashpoint.

Meanwhile, according to Unit 42, Handala Hack, a hacktivist persona linked to Iran's MOIS, has combined data exfiltration with cyber operations against the Israeli political and defense establishment. So far since Saturday the group has claimed responsibility for compromising an Israeli energy exploration company and the fuel system of the country of Jordan. Handala also claimed to target Israeli civilian healthcare institutions to create domestic pressure just days before the war broke out.

Another pro-Iranian umbrella collective called the Cyber Islamic Resistance, which coordinates multiple hacktivist teams — including groups like RipperSec and Cyb3rDrag0nzz — has launched synchronized DDoS attacks, data-wiping operations, and website defacements against Israeli and Western infrastructure to support Iran. So far they have claimed responsibility for compromising an Israeli drone defense and detection system, as well as payment infrastructure in Israel, according to Unit 42.

Iran's Allies Join the Cyber Fray

Aside from threat groups directly linked to Iran, groups outside of the country with Iranian sympathies are making coordinated cyberattacks to support the Islamic Republic.

Pro-Palestinian group Dark Storm Team (aka DarkStorm or MRHELL112), for instance, claims to have targeted several Israeli websites, including that of an Israeli bank, with DDoS attacks, its specialty, according to Unit 42.

Meanwhile, several pro-Russia hacktivist groups have claimed attacks of their own to support Iran. The "Cardinal" group claimed to target the Israel Defense Forces (IDF) systems via their public Telegram board, infiltrating IDF networks and posting the leaked information publicly.

The pro-Russian hacktivist group NoName057(16) also has claimed multiple Israeli targets, including disruptive operations against a range of Israeli municipal, political, telecom, and defense-related entities. Meanwhile, a partnership between this group and the Cyber Islamic Resistance has conducted DDoS attacks against Israeli defense contractor Elbit Systems and municipal governments, according to Unit 42.

Buckle Up, Cyber Defenders

What all this amounts to is that organizations, critical infrastructure operators, and even individuals on the ground will feel the impact, both cyber and physical, from the conflict, and should buckle up and get ready for a bumpy ride in the weeks and months ahead, according to the researchers.

Organizations across the board should implement maximum-security protocols and prepare for physical-to-cyber hybrid attacks, with special attention paid to secure third-party partners or customers in the Middle East region with network links to US-based companies, Cisco Talos researchers noted.

"Since this activity appears to be regionally focused, making sure enterprises are aware of any impacts to partners and third-party suppliers in the region will be paramount," according to a post by Cisco Talos. "Additional inspection or controls may be warranted to insulate potential larger impacts to the wider organization."

In general, all organizations should ensure they are practicing sound security hygiene, including having multifactor authentication (MFA) enabled, being diligent around any links or documents that are circulating, and ensuring proper monitoring is in place to confront any collateral impacts as they arise.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
