Cyber Frontline Erupts: 149 Hacktivist Attacks Rock Global Organizations Amidst Middle East Tensions

The digital battlefield has flared dramatically in the wake of the U.S.-Israel coordinated military campaign against Iran, codenamed Epic Fury and Roaring Lion. Cybersecurity researchers are sounding the alarm over a significant surge in retaliatory hacktivist activity, transforming geopolitical tensions into widespread cyber disruption.

A Deluge of Digital Attacks: The Scale of Hacktivism

Between February 28 and March 2, a staggering 149 hacktivist Distributed Denial-of-Service (DDoS) attacks were recorded, impacting 110 distinct organizations across 16 nations. This onslaught underscores the expanding digital front, which now mirrors the physical conflicts in its intensity and reach.

Who’s Behind the Onslaught?

  • Two groups, Keymous+ and DieNet, were identified by Radware as the primary drivers, responsible for nearly 70% of all attack activity.
  • Overall, 12 different groups participated, with Keymous+, DieNet, and NoName057(16) collectively accounting for 74.6% of the total claims.
  • Notable mentions include Hider Nex (aka Tunisian Maskers Cyber Force), a shadowy pro-Palestinian group that launched the first recorded DDoS attack on February 28, 2026. This group employs a potent hack-and-leak strategy, combining DDoS with data breaches to further its geopolitical agenda.

Geographic and Sectoral Impact

The concentration of these cyber assaults reveals a clear strategic focus:

  • Middle East Epicenter: A vast majority (107) of the attacks were concentrated in the Middle East, disproportionately targeting public infrastructure and state-level entities. Kuwait (28%), Israel (27.1%), and Jordan (21.5%) bore the brunt of these claims.
  • European Spillover: Europe was not immune, experiencing 22.8% of the global activity during this period.

Key Sectors Under Fire:

Globally, the government sector was the most heavily targeted, accounting for nearly 47.8% of all affected organizations. This was followed by the finance sector (11.9%) and telecommunications (6.7%), highlighting the intent to disrupt critical national services and economic stability.

Beyond DDoS: A Spectrum of Cyber Tactics

Hacktivist groups are employing a diverse array of sophisticated tactics:

  • Military Network Breaches: Pro-Russian hacktivist groups like Cardinal and Russian Legion claimed breaches of Israeli military networks, including its formidable Iron Dome missile defense system.
  • Deceptive Phishing Campaigns: An insidious SMS phishing campaign leveraged a rogue replica of the Israeli Home Front Command RedAlert application. CloudSEK reported that this malicious APK, disguised as an urgent wartime update, deployed an invasive surveillance engine designed to prey on a hyper-vigilant population.
  • Critical Infrastructure Strikes: Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted vital energy and digital infrastructure in the Middle East, including Saudi Aramco and an Amazon Web Services data center in the U.A.E. Flashpoint noted the intent was to “inflict maximum global economic pain as a counter-pressure to military losses.”
  • Website Defacement and Data Leaks: Groups like Cotton Sandstorm (aka Haywire Kitten, reviving its Altoufan Team persona) claimed to have hacked websites in Bahrain, reflecting the reactive nature of these campaigns. Sophos also observed pro-Iran personas like Handala Hack team and APT Iran engaging in DDoS attacks and website defacements.

State-Sponsored Activity and the Crypto Connection

The conflict has also seen the heightened involvement of state-sponsored actors and a unique intersection with the cryptocurrency world.

Iranian State-Sponsored Operations:

Nozomi Networks data indicates that UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail), an Iranian state-sponsored hacking group, was the fourth most active actor in the latter half of 2025. Its focus on defense, aerospace, telecommunications, and regional government entities underscores Iran’s strategic geopolitical priorities.

Cryptocurrency Under Strain:

Major Iranian cryptocurrency exchanges have faced operational adjustments, including suspended or batched withdrawals, and have issued risk guidance. Ari Redbord, Global Head of Policy at TRM Labs, explained, “What we’re seeing in Iran is not clear evidence of mass capital flight, but rather a market managing volatility under constrained connectivity and regulatory intervention.” He added that Iran’s long-standing crypto-based shadow economy, used to evade sanctions, is now undergoing a “real-time stress test” amidst war, connectivity shutdowns, and volatile markets.

Expert Outlook: A Surge, Not Necessarily an Escalation of Risk

While the volume of attacks is undeniable, some experts offer a nuanced perspective. Sophos, for instance, “observed a surge in hacktivist activity, but not an escalation in risk.” This suggests that while the digital noise is considerable, the immediate impact on global cybersecurity infrastructure might be contained, though the geopolitical implications remain significant.

As the physical conflict continues to evolve, the digital front promises to remain a critical arena, with hacktivist groups and state-sponsored actors alike leveraging cyber capabilities to exert influence and inflict pressure.

