Israel-Iran Cyber Warfare: Threats, Hacktivism, Disinformation, and Implications on US Companies


The cyber domain has emerged as a pivotal battlefield in the intensifying confrontation between Israel and Iran. No longer confined to silent cyber-espionage, this conflict now spans precision cyber strikes, infrastructure sabotage, psychological operations, and narrative warfare driven by AI-generated disinformation. From the takedown of critical banking systems to symbolic defacements and cross-border cyber leaks, both state actors and hacktivist groups are actively shaping a volatile threat landscape.

But the cyber fallout is not isolated to the Middle East. The United States, due to its strategic alliances, critical infrastructure, and role in global cyber governance, is increasingly in the crosshairs. U.S. federal agencies, defense systems, utilities, and corporate networks face growing risks from Iranian-linked threat actors, either as direct retaliation or through collateral damage from supply chain exposures and shared cloud infrastructure.

Recent advisories from CISA and DHS underscore the concern: Iranian APTs and ideologically motivated hacktivists are probing for weaknesses, weaponizing psychological operations, and exploiting unpatched systems. Disinformation campaigns, some of which are generated by AI, are targeting the U.S. public and media, aiming to manipulate narratives and erode trust during geopolitical flashpoints.

As cyber operations become more autonomous, scalable, and integrated with kinetic warfare, the U.S. must reckon with a multipolar threat environment. This report analyzes the technical, strategic, and operational dynamics of the Israel–Iran cyber war, examines the trajectories of hacktivist and disinformation activity, and outlines the clear and present implications for U.S. national security, critical infrastructure, and private sector resilience.

Israel-Iran Ceasefire: June 24 Update

While diplomatic channels have negotiated a ceasefire between Israel and Iran in the physical domain, the cyber battlefield shows no sign of de-escalation. Unlike conventional military operations, which can be halted by agreement, cyber operations persist in the shadows: unacknowledged, deniable, and continuing at full intensity. Intelligence sources indicate that both state-sponsored APT groups and ideologically motivated hacktivist collectives treat the ceasefire as irrelevant to their operations.

Some analysts suggest that cyber activity may in fact intensify, as both nations seek strategic advantage while constrained from kinetic action. We expect hacktivist groups in particular to escalate even while missiles remain grounded. For U.S. companies this creates a paradoxical situation: headlines may suggest reduced tensions, but the cyber threat level remains critical, with Iranian-affiliated actors redirecting resources from physical to digital operations.


National Terrorism Advisory System Bulletin 

DHS issued this “heightened threat” NTAS bulletin in response to escalating Israel–Iran hostilities, including U.S. airstrikes on Iranian nuclear sites. The bulletin, valid through September 22, 2025, outlines risks to the homeland. In our own telemetry we see ongoing attack attempts, and clear intent on the part of these actors to achieve a successful cyberattack.

Key U.S. threat components

  • Pro-Iranian hacktivists are likely to launch low-level cyberattacks against U.S. networks.
  • Iranian government-affiliated actors may conduct more sophisticated cyber intrusions.
  • U.S. officials previously linked to the killing of Iranian commanders (e.g., January 2020 drone strike) remain potential targets.
  • Religious edicts or “fatwas” from Iranian leadership could spur lone actors to violence.
  • Anti‑Semitic and anti‑Israel ideology could fuel hate crimes, particularly against Jewish communities or pro-Israel targets.
  • FTOs such as Hamas, Hezbollah, the Houthis, and the PFLP have publicly called for attacks on the U.S.

DHS Issues National Terrorism Advisory System Bulletin Amid Israel-Iran Conflict

Advisory & mitigation measures

  • The bulletin notes no credible, specific threats to U.S. territory at the time of issuance.
  • DHS encourages reporting suspicious behavior through CISA, the Nationwide SAR Initiative (NSI), local law enforcement, the FBI, and the Fusion Centers.
  • CISA provides updated cybersecurity practices to secure U.S. government and private sector networks.
  • Citizens are urged to use “If You See Something, Say Something®” to report online or physical threats.

Source: DHS National Terrorism Advisory System Bulletin, issued June 22, 2025.

Threat Landscape Observation

Our Cyber Threat Intelligence (CTI) team is actively monitoring the evolving cyber threat landscape resulting from the Israel–Iran conflict, with a particular focus on its implications for U.S. companies. This ongoing analysis is focused on identifying potential risks and impacts to Guardz customers and partners.

June 2025 Update: Hacktivist Activity Escalation

The ongoing geopolitical conflict has triggered a significant uptick in cyber operations, particularly from ideologically motivated hacktivist groups. As of June 2025, we have identified over 120 active hacktivist groups engaged in cyber campaigns linked to the Israel–Iran war.

Notably, nine pro-Russian hacktivist groups have aligned themselves in support of Iran. Among them, Noname057(16) has taken a leading role, conducting coordinated DDoS attacks against Israeli infrastructure and digital services.

Despite the rise in activity, internal disputes among hacktivist factions and regional internet disruptions, particularly in parts of Iran, are contributing to temporary fluctuations in attack volume and consistency.

Geopolitical Spillover: Cross-Border Targeting Patterns

The impact of this cyber conflict has extended well beyond Israel and Iran, affecting multiple countries through targeted campaigns:

Note: The following groups are only part of the complete list. 

United States

Groups that have declared or conducted attacks against U.S. targets include:

  • Arabian Ghosts
  • Unknowns Cyber Team
  • DieNet
  • Elite Squad
  • Mr Hamza
  • Moroccan Black Cyber Army
  • Mysterious Team Bangladesh

Following the United States military strikes on Iran, additional hacktivist groups have openly declared intent to target U.S. digital infrastructure. These declarations mark a strategic escalation, signaling that the cyber retaliation phase is no longer limited to Israeli assets.

These actors, previously active in attacks on Israeli and European systems, are now pivoting toward American entities. Their known capabilities include:

  • Coordinated DDoS campaigns against government and financial services
  • Credential stuffing and data leaks against public sector platforms
  • Disinformation operations through social engineering and Telegram-based leaks

These groups operate with ideological alignment to Iran’s cyber doctrine, and some share toolkits and IOCs with APT-affiliated operations.

Guardz ITDR in Action

Since the beginning of June, our Cyber Threat Intelligence (CTI) has significantly intensified its monitoring operations in response to rising geopolitical tensions and the corresponding increase in coordinated threat actor activity. This surge, fueled by the Israel–Iran conflict, has broadened its scope beyond regional interests, introducing new risks to U.S.-based organizations and infrastructure.

This enhanced monitoring is layered on top of our existing telemetry-driven detection framework, which continuously profiles customer environments to identify deviations from established baselines. Behavioral anomalies, irregular authentication patterns, unusual process executions, and suspicious external communications are flagged in real time and correlated against threat intelligence feeds, IOCs, and TTPs from both open-source and classified sources.

Our approach ensures we maintain visibility not only into direct attacks but also into emerging threats that may impact customer environments indirectly via shared cloud services, vendor infrastructure, or third-party software dependencies. This posture allows us to respond with high agility to any indication of adversarial activity, whether it originates from APT groups, coordinated hacktivist collectives, or opportunistic cybercriminals attempting to exploit the geopolitical chaos.

To date, we have observed a high volume of attempted access originating from known malicious sources. However, no successful compromises or unauthorized access have been identified.

Below is a summary of the attempts we have attributed to Iranian infrastructure, and their results.

  • 180+ coordinated attack attempts from Iranian infrastructure
  • Hundreds of unique Iranian malicious IPs with AbuseIPDB scores of 30 and higher
  • Primary focus on the US, but also European and Australian entities

US TARGETS – Primary Focus

Status: Critical Threat Confirmed 

  • 163 total distinct attack attempts against US entities
  • 49 unique US organizations targeted
  • Target sectors:
      ◦ US Commercial
      ◦ US Organizations
      ◦ US Networks
      ◦ US Education

Canadian Target – Secondary Focus

  • 11 total distinct attack attempts against Canadian entities
  • 8 unique Canadian organizations targeted
  • Targeted Canadian Entities: Pinnacle Networks, Pinnacle Office, Benefits Alliance

Europe Targets – Threat Activity 

  • 117 total distinct attack attempts against EU entities
  • 42 unique EU organizations targeted
  • 71 distinct Iranian attack IPs deployed

Australian Targets – Threat Activity 

  • 173 total distinct attack attempts against AU entities
  • 71 unique AU organizations targeted
  • 126 distinct Iranian attack IPs deployed

Tactical Analysis

The observed threat activity reflects a structured and persistent credential abuse campaign, with indicators suggesting links to Iranian-aligned threat actors or proxy groups operating infrastructure in support of state objectives.

The frequent appearance of locked accounts indicates a deliberate account lockout strategy, likely designed to perform user enumeration by provoking lockout conditions across known or guessed usernames. This technique allows threat actors to validate the existence of accounts and map tenant user surfaces with high confidence.

The presence of incorrect credentials further supports a pattern of password spraying and brute-force testing. The attackers appear to rotate between usernames and low-complexity passwords, triggering both invalid credential responses and smart lockouts, which suggests automation is behind the attempts.

Moreover, the same IP addresses recur across a window of 20+ days, and each is typically associated with multiple account targets. This persistent infrastructure reuse strongly implies coordinated campaigns rather than opportunistic scanning. It also indicates that the adversaries operate from stable infrastructure, likely compromised hosts or proxy networks, which lets them keep probing identity surfaces over weeks with a low detection footprint.

This behavior aligns with TTPs commonly observed in pre-breach recon and access phases used by APTs and credential-focused threat groups targeting cloud identity systems.
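The sign-in-log pattern described in this section (password spraying across many accounts, smart lockouts used as an enumeration signal, and the same source IP recurring over a 20+ day window), as an added detection example that is not part of the Guardz report or its products. The log entries, IP addresses, user names and the reputation scores standing in for an AbuseIPDB lookup are all constructed for this example; the field layout is assumed. The two Entra ID sign-in error codes are the real ones (50126 invalid username or password, 50053 account locked by smart lockout), and the thresholds are assumptions to tune for your tenant.

```python
"""Password-spray / lockout-enumeration detection over Entra ID style sign-in
logs. Example code added for illustration; the log rows below are constructed."""
from collections import defaultdict
from datetime import datetime

# Real Entra ID sign-in error codes.
INVALID_CREDENTIALS = 50126   # bad username or password
ACCOUNT_LOCKED = 50053        # smart lockout: too many failures for this account
FAILURE_CODES = {INVALID_CREDENTIALS, ACCOUNT_LOCKED}

# Constructed sample: one source rotates through seven users with one junk
# password each over 22 days (three of them already lock out), while a
# legitimate user mistypes once and then signs in successfully (code 0).
SAMPLE_LOG = [
    # (timestamp, source_ip, user, error_code)
    ("2025-06-02T03:10:00", "203.0.113.7", "alice@example.com", INVALID_CREDENTIALS),
    ("2025-06-02T03:10:04", "203.0.113.7", "bob@example.com", INVALID_CREDENTIALS),
    ("2025-06-02T03:10:09", "203.0.113.7", "carol@example.com", ACCOUNT_LOCKED),
    ("2025-06-02T03:10:13", "203.0.113.7", "dave@example.com", INVALID_CREDENTIALS),
    ("2025-06-02T03:10:18", "203.0.113.7", "erin@example.com", ACCOUNT_LOCKED),
    ("2025-06-24T22:41:00", "203.0.113.7", "frank@example.com", INVALID_CREDENTIALS),
    ("2025-06-24T22:41:05", "203.0.113.7", "grace@example.com", ACCOUNT_LOCKED),
    ("2025-06-10T09:00:00", "198.51.100.4", "alice@example.com", INVALID_CREDENTIALS),
    ("2025-06-10T09:00:30", "198.51.100.4", "alice@example.com", 0),
]

# Constructed stand-in for an AbuseIPDB confidence-score lookup (0-100).
REPUTATION = {"203.0.113.7": 64, "198.51.100.4": 0}


def parse_log(rows):
    """Turn raw tuples into dicts with a parsed timestamp."""
    return [
        {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user, "code": code}
        for ts, ip, user, code in rows
    ]


def analyze_sources(events, min_distinct_users=5, persistence_days=20,
                    reputation=REPUTATION, reputation_threshold=30):
    """Return one finding per source IP whose failures fit the spray shape:
    many distinct accounts, roughly one guess per account, lockouts mixed in.
    A single user fat-fingering a password stays below the threshold."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["code"] in FAILURE_CODES:
            failures_by_ip[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures_by_ip.items():
        users = {e["user"] for e in fails}
        if len(users) < min_distinct_users:
            continue
        first = min(e["ts"] for e in fails)
        last = max(e["ts"] for e in fails)
        span_days = (last - first).days
        # Accounts that hit smart lockout: the actor now knows these exist.
        locked = sorted({e["user"] for e in fails if e["code"] == ACCOUNT_LOCKED})
        findings[ip] = {
            "distinct_users": len(users),
            "failures": len(fails),
            "spray_ratio": round(len(fails) / len(users), 2),  # ~1.0 = one guess per user
            "locked_accounts": locked,
            "lockout_enumeration": len(locked) >= 2,
            "span_days": span_days,
            "persistent_infra": span_days >= persistence_days,
            "reputation_flagged": reputation.get(ip, 0) >= reputation_threshold,
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

The spray ratio is the useful discriminator: brute force against a few accounts produces many failures per user, while a spray produces about one failure per user across many accounts, which is exactly the shape that slips under per-account lockout thresholds. In a real pipeline the same logic runs over SignInLogs exported from Entra ID, and the reputation lookup calls AbuseIPDB rather than a dictionary.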

Summary

The cyber conflict between Iran and Israel has intensified into a sustained campaign of offensive operations that extend far beyond traditional espionage. What began as targeted cyber intrusions has evolved into massive attempts on critical infrastructure, coordinated disinformation campaigns, and widespread hacktivism involving over 120 groups, many of which are ideologically or politically aligned with Iranian interests. 

Following U.S. military actions and its continued alliance with Israel, several pro-Iranian hacktivist groups have declared the United States a legitimate target. These groups are launching cyber campaigns against U.S. government networks, private sector organizations, and critical infrastructure operators. Attacks range from denial-of-service operations and defacements to data exfiltration and social engineering, all intended to create disruption, instill fear, and demonstrate cyber reach.

Compounding the threat is the use of AI-generated content to fuel psychological operations and disinformation across social media platforms. These influence campaigns aim to manipulate public perception, amplify divisions, and erode trust in institutions during periods of geopolitical crisis.

The risks are not limited to direct attacks. U.S. organizations with supply chain dependencies, cloud hosted services, or partnerships with Israeli entities may experience collateral impact or become vectors for exploitation. The DHS and CISA have issued multiple advisories urging enhanced vigilance, accelerated patching, and proactive monitoring. As the cyber and kinetic dimensions of this conflict continue to converge, the United States faces a persistent and evolving threat landscape shaped by state actors, hacktivist coalitions, and information warfare tactics.
