Cyber War: Pro-Iranian Hackers Intensify Attacks Amid Fragile Ceasefire
A potential civilisational collapse in Iran has been temporarily averted, yet the fragile ceasefire has not quelled the ambitions of hacktivists and state-affiliated hackers. These groups are anticipated to persist in their cyber offensives against perceived adversaries, maintaining a climate of uncertainty and risk.
“The current environment reflects a fragmented ceasefire. Hostilities are continuing across key theatres, particularly in Lebanon and across Gulf energy infrastructure,” stated Kathryn Raines, cyber threat intelligence team lead for the national security solutions team at Flashpoint, in a recent threat summary.
This fragmentation introduces additional uncertainty. When hostilities persist despite formal agreements, predicting escalation pathways becomes increasingly complex, thereby heightening operational risks for organizations with regional exposure. Cyber attacks, due to their non-kinetic nature, offer a particularly accessible avenue for continuing hostilities, according to Raines.
“A military ceasefire does not translate to a cyber pause. What we’re seeing is continuity in activity, with threat actors maintaining tempo while adjusting targeting and messaging,” she explained.
For organizations, this means that risk remains elevated. Critical infrastructure, especially in energy and water systems, continues to be actively targeted, and the use of the ceasefire as a cover adds layers of uncertainty regarding future developments.
War by Any Other Means
Ceasefires are essentially agreements between sovereign powers, yet hacktivist groups like Handala operate outside such constraints. Despite recent actions by U.S. authorities that resulted in the takedown of one of its websites, Handala has expressed its determination to continue its cyber campaigns.
“The cyber war did not begin with the military conflict, and it will not end with any military ceasefire,” Handala asserted in an April 8 blog post. “Our cyber jihad is the extension of our martyrs’ blood, and it will go on until full vengeance is achieved.”
While the group has agreed to postpone “overt confrontation with the United States,” it has also indicated that more activities are forthcoming. “The hack of the FBI director was just a glimpse of our power; for us, no land is too distant and no network is truly secure,” Handala added. “Rest assured: when the time comes, the darkest of nights will have only just begun for America and all its supporters.”
As of April 8, several cyber incidents have been linked to the ongoing conflict in Iran. A group identifying itself as the Cyber Islamic Resistance has expressed solidarity with the Russian hacking group Team Killnet, indicating a potential alliance among groups with extreme anti-Western ideologies. The pro-Islam group Conquerors Electronic Army claimed responsibility for a distributed denial-of-service attack on various Israeli entities, including volunteer organizations Beit Cham and All-Volunteer Force.
Even Australia, geographically distant from the conflict, is not immune. A group known as the 313 Team claimed to have executed a large-scale attack on an Australian government portal. Concurrently, U.S. authorities issued advisories warning of Iran-linked threat actors targeting critical infrastructure entities via internet-facing hardware in the water and energy sectors.
Critical Threats to Infrastructure
In the latter case, hackers are focusing on hardware that was traditionally not internet-connected—specifically programmable logic controllers—creating unique challenges for defenders. “The threat actors here are assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). They accessed CompactLogix and Micro850 devices using Rockwell Automation’s Studio 5000 Logix Designer,” stated Markus Mueller, CISO at Nozomi Networks.
“The traffic looks like a regular remote engineering session because that’s exactly what it was. The difference is who was sitting at the keyboard.” According to Mueller, such malicious activities are an unavoidable consequence of geopolitical tensions.
“That correlation isn’t new—Iranian-affiliated operational technology activity has tracked with periods of kinetic escalation consistently over the past several years,” he noted. “That doesn’t mean your threat level should spike with every news cycle, but when the regional picture gets more volatile, it’s a reasonable prompt to re-verify your exposure, refresh your indicators of compromise (IOC) hunts, and confirm your monitoring coverage is actually running the way you think it is. In critical infrastructure, geopolitical context is a legitimate input to threat posture.”
Addressing the potential scale of future cyber threats from Iran, Andrew Chipman, GRC manager at cybersecurity and compliance firm ProCircular, provided a stark assessment. “The threat of cyber attack from Iran is real. At this time, we expect to see that threat realized through proxies, hacktivists, and other allies to the Iranian regime,” Chipman stated.
“If Iran is able to rebuild its regime, we may see direct retaliation in the form of cyber attacks against highly visible targets. History teaches us that hospitals and medical service providers are prime targets for the regime and its supporters.” While Chipman contends that Iran may not currently be positioned to wage large-scale cyber warfare against the U.S. and its allies, the country has other options at its disposal.
“Hacktivists and proxy attackers are plentiful—expect attacks to come and prepare appropriately,” he advised.
Source: www.cyberdaily.au