Hacktivists aligned with Iran launched a wave of distributed denial-of-service (DDoS) attacks
against 15 U.S. organizations and 19 websites within the first 24 hours following the U.S. airstrikes on Iranian nuclear facilities on June 21, according to a new report from Cyble threat intelligence researchers.
In a blog post, Cyble stated that the targeted entities included U.S. Air Force websites, aerospace and defense companies, financial institutions, and one unconfirmed claim involving Truth Social, the social media platform associated with former President Donald Trump.
Compared to the intense cyber activity surrounding the Israel-Iran conflict that began on June 13, the cyber response to the U.S. strikes has so far been more limited. However, the attacks came just as the U.S. Department of Homeland Security issued a warning on June 22, noting that low-level cyberattacks from pro-Iranian groups are likely and that state-affiliated actors from Iran might also conduct operations against American networks.
Four hacktivist groups, Mr Hamza, Team 313, Keymous+, and Cyber Jihad were identified as the main actors behind the early attacks. The credibility of their claims varies, Cyble said.
Mr Hamza claimed responsibility for targeting several U.S. Air Force and defense-related websites, sharing evidence such as check-host.net reports indicating that the sites experienced downtime for up to 10 hours on June 22. Keymous+ claimed to have disrupted financial service websites, also supported by online monitoring links that showed brief outages. Team 313 claimed an attack on Truth Social, though Cyble found the proof lacking. The Cyber Jihad Movement announced its intent to target U.S. systems between June 23 and June 27.
While the number of attacks on U.S. targets remains relatively small, Cyble emphasized the much larger scope of cyber operations across the Middle East. Researchers have recorded activities from 88 groups, 81 of which are aligned with Iran. The types of attacks range from DDoS and data leaks to website defacement, unauthorized access, and significant breaches, particularly involving Iranian banks and cryptocurrency platforms. Predatory Sparrow, a group linked to Israel, has been responsible for several of the more impactful incidents.
Other reports have also mentioned cyber disruptions to commercial ship navigation systems in the region.
Cyble noted that the Handala hacktivist group has been among the most active and effective, with 15 confirmed ransomware or extortion operations, all targeting organizations based in Israel.
In one incident, a user on the cybercrime forum Darkforums offered unauthorized SSH access and VPN login credentials for three user accounts belonging to the Israeli Defense Forces’ VPN portal, asking for 2 Bitcoin in return.
Russian groups have largely stayed out of the conflict, with a few exceptions. Z-Pentest claimed to have breached an industrial control system used by an Israeli utility provider, and NoName057(16) said it carried out a DDoS attack on Israeli transportation infrastructure.
Targets have also included countries like Jordan, Egypt, the UAE, and Saudi Arabia, which Cyble said are viewed by Iran-aligned groups as being overly neutral in the conflict.
Cyble advised at-risk organizations to strengthen their defenses against DDoS attacks, data breaches, website defacements, and the growing threat of ransomware and attacks on critical infrastructure.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
