Surge in Iran- and Russia-Aligned Hacktivist Activity Following U.S.-Israeli Strikes on Iran
Following recent U.S.-Israeli kinetic strikes on Iranian targets, reporting indicates a spike in cyber activity tied to the #OpIsrael campaign, including collaboration between Iran-linked operators and pro-Russia hacktivist groups targeting organizations in the U.S., Israel, and the broader region. Activity cited includes DDoS operations attributed to Iran’s Cyber Islamic Resistance working alongside NoName057(16) against an Israeli defense contractor and municipal entities, plus additional claimed intrusions against Israeli organizations and a wider set of targets (including a Pennsylvania town and various educational entities abroad) associated with groups such as FAD Team.
FortiGuard Labs assesses that, despite heightened concern about state-directed retaliation, there is limited evidence so far of a large-scale, coordinated Iranian cyber response directly tied to the strikes. Instead, observed activity is characterized as a surge of loosely affiliated hacktivism and “geopolitical noise,” including defacements, opportunistic intrusion attempts, broadcast/media disruptions, internet connectivity issues inside Iran, and increased Telegram-based claims of attacks across the region; FortiGuard notes there is no confirmed evidence at this time of destructive Iranian wiper campaigns or large-scale retaliatory critical infrastructure attacks, while warning the risk could escalate based on historical patterns.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Analysts warn U.S. critical infrastructure remains at risk
The Foundation for Defense of Democracies warned that U.S. critical infrastructure organizations remain at risk of compromise despite Iran’s limited effective cyber response so far.
Researchers flag BadeSaba app abuse as possible pre-positioning
FortiGuard highlighted reported compromise or abuse of the BadeSaba calendar app as suggestive of backend access and possible pre-positioning rather than a one-day intrusion, underscoring the risk of delayed follow-on operations.
FortiGuard reports no confirmed large-scale Iranian cyber retaliation yet
FortiGuard Labs said it had seen limited evidence of a large-scale, coordinated Iranian cyber response directly tied to the strikes, while warning that Iranian operators may have pre-positioned access and could activate operations days or weeks later.
FAD Team expands targeting to U.S. and international organizations
Activity attributed to the FAD Team included attacks or claimed targeting of a Pennsylvania town, a virtual U.S. Air Force group, and educational organizations in France, India, and Vietnam, indicating spillover beyond Israel.
Cyber Islamic Resistance and NoName057(16) target Israeli entities
Distributed denial-of-service attacks were attributed to Iran’s Cyber Islamic Resistance and the pro-Russian group NoName057(16) against an Israeli defense contractor and multiple municipal entities, alongside a claimed attack on an Israeli health insurance provider.
Iran- and Russia-linked actors join #OpIsrael cyber activity
Palo Alto Networks Unit 42 assessed that Iran- and Russia-linked actors were among nearly 60 threat actors conducting attacks after the strikes, with Iran-linked operations reportedly coordinating with pro-Russia hacktivist groups under the #OpIsrael banner.
Retaliatory strikes and regional cyber activity follow the attacks
After the initial strikes, subsequent retaliatory strikes were accompanied by a surge in regional cyber activity, including defacements, broadcast disruptions, opportunistic intrusion attempts, and numerous Telegram-based claims with limited technical validation.
U.S. and Israel conduct missile strikes on Iranian targets
Joint U.S.-Israeli kinetic strikes against Iranian targets triggered concern about possible cyber retaliation and became the catalyst for subsequent hacktivist and threat-actor activity discussed in the reporting.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cyber Operations Escalate Following US-Israeli Strikes on Iran
Military strikes by the United States and Israel against Iranian targets on **February 28, 2026** were followed within hours by a sharp escalation in cyber activity across the Middle East. Reporting describes widespread **DDoS attacks, website compromises, defacements, and breach claims**, with more than 150 hacktivist incidents reportedly claimed in the first two days of the crisis. Iranian connectivity was heavily disrupted, including outages affecting **IRNA**, while **Tasnim News** was reportedly compromised and displayed anti-regime messaging. The most affected sectors were identified as **government, aerospace and defense, and technology**, and regional states including **Israel, Kuwait, Jordan, Bahrain, Qatar, and the UAE** saw elevated cyber pressure. The surge also expanded beyond immediate regional targets, with security reporting warning that the conflict was driving attacks against global commercial sectors such as **travel, hospitality, and energy**. One cited example was a **March 11** claim by **Handala**, a hacktivist group alleged to have ties to Iranian intelligence, that it had conducted a large-scale **data-wiping attack** against medical technology company **Stryker**, allegedly destroying several terabytes of data. Additional reporting noted unconfirmed concerns that Iranian-linked actors could target the physical and digital infrastructure of major U.S. technology firms. The activity reflects a broader pattern of **geopolitically motivated cyber operations** acting as a force multiplier alongside kinetic conflict, rather than a standalone marketing or advisory narrative.
May 6, 2026
Cyber and information operations intensify amid US-Israel strikes on Iran under “Operation Epic Fury”
US and Israeli military action against Iran under **“Operation Epic Fury”** has been accompanied by heightened cyber activity and public acknowledgment of offensive cyber operations. Reporting indicated a surge of pro-Iranian activity including **DDoS attacks**, attempted compromises, and targeting of **critical infrastructure**, with researchers warning that Iranian state-linked actors tied to the **IRGC** and **MOIS**, as well as aligned hacktivists, are likely to sustain retaliatory operations aimed at economic, reputational, and potentially physical disruption. Separately, reporting alleged Israeli intelligence conducted long-running surveillance by compromising **Tehran traffic cameras**, exfiltrating encrypted video and telemetry to servers outside Iran to build “pattern of life” intelligence on senior leadership movements. The Pentagon also elevated the visibility of cyber as a warfighting domain, with the Chairman of the Joint Chiefs describing coordinated **space and cyber** effects used to “disrupt, degrade, and blind” Iranian communications and sensor networks, though without operational detail. In parallel but unrelated to the Iran conflict, Russia’s internet regulator **Roskomnadzor** and the Russian Defense Ministry reported a “complex multi-vector” **DDoS** incident that temporarily disrupted multiple government sites, with traffic attributed to botnets and servers across several countries and continued user-reported instability after initial containment.
Mar 21, 2026
Iran–Israel–US conflict triggers rapid hacktivist mobilization and elevated DDoS risk to government and critical infrastructure
Cyber activity surged immediately following joint **U.S.–Israel strikes on Iran** (described as *Operation Epic Fury*), with reporting indicating a fast-moving “cyber swarm” of hacktivists and aligned collectives conducting disruption, influence messaging, and broad cyber claim activity within hours of the kinetic events. A day-by-day Telegram-focused timeline described early **DDoS campaigns against Israeli government sites** expanding into a wider coalition of **pro-Iranian, pro-Palestinian, and Russian-aligned** groups targeting additional regions and sectors, including Gulf states, Europe, and the U.S., with increasing attention on **critical infrastructure**; examples cited include claims of DDoS disruption against Israeli commercial, defense-adjacent, and energy-related entities (e.g., an oil company and an advanced defense firm), sometimes accompanied by third-party availability “verification” links. U.S. state and local governments were separately warned by **MS-ISAC** to expect heightened “low-level” activity—particularly **DDoS**—in the wake of the Iran-related escalation, and were urged to harden internet-facing and cloud services (e.g., remediation of critical/cloud infrastructure, use of firewalls/CDNs, and reducing exposed employee/organizational data). In parallel, a critical-infrastructure-focused interview tied to an upcoming OT security summit reiterated that energy, water, pipeline, and ICS environments face persistent probing by state adversaries and that “low-cost entry” cyber operations can be used to test and disrupt mission-critical systems; while not specific to the Iran conflict, it reinforces the broader risk context for OT operators amid heightened geopolitical tensions.
Apr 22, 2026