
As the US Department of Homeland Security (DHS) warns of retaliatory cyberattacks against the US after bombing Iran’s nuclear infrastructure this weekend, a former Colonel of the IDF’s 8200 Cyber Unit talks cyberwarfare, Iranian hacker groups, and what the US can anticipate as the Israel-Iran conflict continues to evolve.
- US Homeland Security officials warn of Iranian hackers targeting American critical infrastructure in response to last weekend's bombing campaign on Iran's nuclear facilities.
- A former Colonel with the Israel Defense Forces Cyber Unit believes it's likely that Iranian APT threat groups are lying in wait, pre-positioned to attack when given the go-ahead by Iran's leaders.
- 130 hacktivist groups have been actively targeting Israel, the US, and NATO interests since the Israel-Iran war began, including DDoS attacks this week on US banks, oil companies, and even Donald Trump's TruthSocial.
In the days after Trump’s America dropped its bunker-busting bombs on three of Iran’s most concerning nuclear sites in solidarity with Israel, the cybersecurity industry went on full alert.
Ariel Parnes, a former Colonel of the Israel Defense Forces’ 8200 Cyber Unit and current co-founder and COO at cybersecurity firm Mitiga, points out that the Middle East has always been a politically fragile region of the world.
Parnes says Israel and Iran have both stepped up offensive cyber operations since the October 7th Hamas attack, but “as tensions escalate with the current aerial bombardment campaign, each side is deploying a mix of destructive, espionage, influence, and infrastructure-focused cyberattacks.”
US Secretary of Homeland Security Kristi Noem released a National Security Warning on Sunday for organizations to be prepared for an influx of Iranian-linked “low-level cyberattacks,” and Jen Easterly, former head of the US Cybersecurity and Infrastructure Security Agency (CISA), reiterated the DHS advisory, telling CISOs to "be vigilant" and brace themselves for retaliatory attacks.

“Organizations should act now: Raise awareness, tighten posture, improve detection, proactively hunt, and exercise your response plans,” Parnes says.
All bark and no bite?
Surprisingly, though, besides a few distributed denial-of-service (DDoS) attacks carried out by pro-Iranian hacker groups over the weekend, the ‘tenuous-at-best’ cease-fire brokered between Israel and Iran seems to have appeased the usual suspects – at least for now.
In what could have been (and maybe still is) a foreshadowing of things to come, the first DDoS attack against Donald Trump’s social media site TruthSocial came just hours after the US strikes on June 21st, carried out by the pro-Iranian group “Team 311.”
The second set of pro-Tehran DDoS attacks was launched against more than a dozen aviation firms, banks, and oil companies by another group known as the “Mysterious Team,” The Washington Post reported.

However, most DDoS hacktivist attacks are by nature time-limited, lasting only a few hours, and are considered more of a nuisance than a source of permanent network damage. They are primarily a show of perceived power and a bid for public attention, which in this case was mission accomplished.
"Over the past few years, Iran has used cyber as a reliable tool of retaliation, targeting hospitals, utilities, and government systems across the US, Europe, and the Middle East. These operations aren’t random. They’re calculated, low-cost moves designed to create disruption, project power, and signal intent," Parnes explains.
Furthermore, the two groups – who perfectly fit the DHS’s ‘low-level cyberattack’ profile – have since been observed by security insiders at CyberKnow to have already begun reverting to their business-as-usual targeting of Israel and supportive NATO members.

It appears Israel-hating hacktivists are way more motivated by pro-Palestinian causes than those of Iran’s Supreme Leader Ayatollah Ali Khamenei, who on Thursday, declared Iran would never surrender to the US – his first public statement since Saturday’s US fly-by attack.
Still, this week, the hacktivist campground known as Telegram has been rife with self-proclaimed alliances and cross-promoting among pro-Iranian hacking groups.
Besides the 311 and Mysterious Teams, we have seen action from several other groups, including Handala Hack, Cyber Jihad Movement, Mr. Hanza, the Holy League, and the Cyber Islamic Resistance.
On Wednesday, the threat intelligence gurus at CyberKnow, who have been tracking the number of hacktivist groups and their activity related to the ongoing Iran-Israel War, have reported “there are now 130 hacktivist groups who are active from this geopolitical flashpoint.”
🚨🚨 Iran-Israel War Cybertracker #4 🚨🚨
25 June 2025 update for hacktivist activity related to the ongoing Iran-Israel War.
- There are now 130 hacktivist groups who are active from this geopolitical flashpoint. Some groups are newly created.
- There is starting to… pic.twitter.com/sUqAOoeF12
CyberKnow (@Cyberknow20), June 25, 2025
Apparently, almost a dozen of these hacktivist groups have been “newly created” since the US bombs dropped in Iran – and this does not even touch upon the Iranian-backed nation-state Advanced Persistent Threats (APTs).
For instance, Charming Kitten has been busy this past month spear phishing top cyber and computer science experts at Israeli universities, according to new research by Check Point.
Threat of pre-positioned "red button" attacks
So, with July 4th celebrations in full swing next week, can the US cyberspace take a sigh of relief, or is the next big cyber bang just around the corner?
In the wake of Operation Midnight Hammer, Parnes says that cyber retaliation should be expected.
“The US military involvement in the conflict will certainly exacerbate the Iranian cyber threat and will focus more effort by Iranian forces – such as the Islamic Revolutionary Guard Corps (IRGC)’s Quds Force – against US critical infrastructure targets,” Parnes says.
"It is important to emphasize that in some cases, it may already be in motion: pre-positioned access waiting to be triggered, the so-called 'red button' play," he warns.
The IRGC backs several Iranian cyberespionage threat groups, with most of them, including APT33 (Elfin Team, Peach Sandstorm, Refined Kitten), APT34 (OilRig, Helix Kitten), APT35 (Charming Kitten, Phosphorus, Mint Sandstorm), and APT42 (Crooked Charms, TA453), operating since at least 2014.

“Actors like APT34 and APT42 go after both specific industries and the technologies they depend on,” Parnes says, adding that those industries include “energy, finance, and healthcare sectors, and platforms like Microsoft 365, Google Workspace, and cloud-native infrastructure.”
"These methods center on credential theft, phishing, and abusing misconfigurations - not flashy exploits, but persistent access," he points out.
Parnes further notes that as both sides launch their own state-aligned attacks, “the non-state actors tend to adopt similar tools or feel emboldened to launch their own campaigns globally."
This can often result in increased attacks on "soft targets, such as schools, hospitals, or small businesses," he adds.
Another point Parnes makes is that the cyber warfare tactics being deployed by Iran (and Israel) are escalating in intensity and sophistication.
“While their primary goals are strategic disruption, deterrence, and retaliation, they carry numerous indirect or unintended consequences – many of which can spill far beyond their borders,” he said.
Unintended spill-over into other countries, specifically impacting civilian infrastructure, is a real threat you can’t always control, the former Colonel says, citing the deployment of wiper malware and/or ransomware on critical entities.
“Because of the global interconnectedness of our software supply chain, these destructive attacks may propagate beyond intended targets, affecting global networks or multinational subsidiaries,” he explains.
One example would be that an Iranian cyberattack on a logistics company in Israel could unintentionally impact global shipping operations or foreign suppliers, Parnes describes.
Building on the Russia-Ukraine conflict
Finally, Parnes warns about the convergence of cyber and physical warfare, a new cyber front the world has begun to see play out in the war between Russia and Ukraine.
If that blueprint is copied, Parnes believes the Israel-Iran war could quickly escalate with unimaginable unintended consequences.
“Escalation may lead to cyberattacks being paired with kinetic strikes, for example, drone swarms plus Industrial Control System (ICS) sabotage while simultaneously deploying aerial assets and kinetic munitions,” Parnes says.

Parnes says APT33 and APT35 have previously conducted operations using similar tactics, such as those seen in the 2020 cyberattack on Israel's water infrastructure, in which, coincidentally, the hackers were said to have used American servers to carry out the attack.
A malicious cyber campaign targeting US water and wastewater facilities was carried out by Iranian hackers in 2023, including at the water authority of two Pennsylvania townships – all by exploiting Israeli-manufactured Unitronics programmable logic controllers (PLCs).
The Israeli-made Unitronics PLCs are widely used across the US in dozens of industrial automation systems, including automotive manufacturing, food processing plants, and the petrochemical industry.
Now, whether an Iranian “cyber-focused and kinetic military operations” could take place on American soil is a whole other facet of cyberwarfare that has not, up until now, even been considered realistic.
But, with the DHS warning of Iran possibly activating terror sleeper cells inside the US and the prevalence of recent drone sightings across the Northeast this past year, Iran and its proxies’ capabilities may be worth reevaluating.