Escalating Cyber Conflict in the Middle East as Israel-Iran Tensions Fuel Hacktivist Surge
The June 13 Israeli strikes on Iranian nuclear and military targets have triggered a sharp escalation in cyber warfare across the Middle East, with hacktivist groups launching a wave of attacks targeting Israel and regional allies. Between June 13 and 17, threat intelligence firm Cyble documented cyber operations by 74 hacktivist groups, over 90% of which are pro-Iran, focusing primarily on Israeli infrastructure while also striking entities in Egypt, Jordan, the UAE, Pakistan, and Saudi Arabia.
Targets and Tactics
Israel bore the brunt of the attacks, with government, defense, media, telecom, finance, education, and emergency services sectors hit by DDoS attacks, website defacements, unauthorized access, data breaches, and ransomware/wiper malware campaigns. Notable incidents included:
- Five ransomware/extortion attacks by Handala Group against Israeli media, telecom, construction, education, and chemical/energy organizations, with data samples leaked in two cases.
- A ransomware/wiper executable ("encryption.exe") attributed to the previously unknown Anon-g Fox, which checks for Israel Standard Time (IST) and Hebrew language settings before executing and terminates if those conditions are not met.
- A banking malware campaign (IRATA) targeting 50+ Iranian financial and crypto apps, impersonating government entities like the Judicial System of Iran and the Ministry of Economic Affairs. The malware steals credentials, account balances, and card data while remotely controlling infected devices.
Other documented attacks included 34 DDoS incidents, five defacements, two data breaches, and four credential leaks, with groups like Anonymous Guys, Arabian Ghosts, and GhostSec actively participating. Hashtags such as #OpIsrael, #FreePalestine, and #SupportIran dominated the campaigns, reflecting ideological alignment with pro-Palestinian and pro-Iranian narratives.
Information Warfare and Psychological Tactics
Beyond technical attacks, hacktivist groups leveraged Telegram channels to amplify geopolitical messaging, reposting claims from allied collectives to project decentralized coordination. Content streams featured pro-Iranian and pro-Palestinian propaganda, including missile strike footage and graphic images of Iranian casualties, blurring the line between cyber operations and psychological warfare.
Regional Spillover and Broader Implications
The conflict’s cyber dimension has extended beyond Israel and Iran, with Egypt, Jordan, Saudi Arabia, and the UAE facing collateral attacks. The U.S. had previously linked CyberAv3ngers (Mr. Soul), an IRGC-affiliated threat actor, to critical infrastructure attacks, underscoring the global reach of state-aligned hacktivism.
As hacktivist groups exploit geopolitical tensions to advance ideological agendas, the surge in ransomware, wipers, and banking malware signals a shift toward more disruptive and financially motivated tactics in the region’s cyber landscape.
Source: https://thecyberexpress.com/israel-iran-conflict-hacktivism/
Ministry of Energy of I.R.IRAN - وزارت نیرو cybersecurity rating report: https://www.rankiteo.com/company/iran-energy-ministry
{
  "id": "IRA1767601584",
  "linkid": "iran-energy-ministry",
  "type": "Cyber Attack",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['Government',
'Defense',
'Media',
'Telecommunications',
'Finance',
'Education',
'Energy'],
'location': 'Israel',
'name': 'Multiple Israeli organizations',
'type': ['Government',
'Defense',
'Media',
'Telecom',
'Finance',
'Education',
'Chemical/Energy']},
{'industry': 'Finance',
'location': 'Iran',
'name': 'Nobitex',
'type': 'Cryptocurrency exchange'},
{'location': 'Jordan',
'name': 'Jordanian organizations'},
{'location': 'Egypt', 'name': 'Egyptian organizations'},
{'location': 'UAE', 'name': 'UAE organizations'},
{'location': 'Pakistan',
'name': 'Pakistani organizations'},
{'location': 'Saudi Arabia',
'name': 'Saudi Arabian organizations'},
{'industry': ['Government', 'Finance'],
'location': 'Iran',
'name': 'Iranian organizations',
'type': ['Government', 'Banking']}],
'attack_vector': ['Internet-facing systems',
'Accessibility service abuse (Android malware)',
'Geopolitically targeted malware'],
'data_breach': {'data_encryption': 'Yes (ransomware/wiper malware)',
'data_exfiltration': 'Yes (claimed by Handala Group)',
'personally_identifiable_information': 'Yes (bank account '
'numbers, balances, '
'card data)',
'sensitivity_of_data': 'High (financial, PII, '
'government-related)',
'type_of_data_compromised': ['Banking data',
'Cryptocurrency data',
'Personally identifiable '
'information',
'Credentials',
'Card data']},
'date_detected': '2024-06-13',
'date_publicly_disclosed': '2024-06-17',
'description': 'The Israel-Iran conflict that began with Israeli attacks on '
'Iranian nuclear and military targets on June 13 has sparked a '
'wider cyber conflict in the region, including the launch of '
'new malware campaigns. Cyble threat intelligence researchers '
'documented cyberattacks by 74 hacktivist groups in the Middle '
'East region between June 13 and 17, with over 90% being '
'pro-Iran. The attacks targeted Israeli organizations and '
'spilled over into Egypt, Jordan, UAE, Pakistan, and Saudi '
'Arabia, involving DDoS attacks, website defacements, '
'unauthorized access, data breaches, ransomware/wiper, and '
'banking malware campaigns.',
'impact': {'brand_reputation_impact': 'Significant (defacements, data leaks, '
'ransomware claims)',
'data_compromised': 'Banking and cryptocurrency data, personally '
'identifiable information, credentials',
'identity_theft_risk': 'High (banking data, PII exposed)',
'operational_impact': 'Disruption of services, unauthorized '
'access, data exfiltration',
'payment_information_risk': 'High (card data, bank account details '
'harvested)',
'systems_affected': ['Government',
'Defense',
'Media',
'Telecom',
'Finance',
'Education',
'Emergency services',
'Cryptocurrency exchanges',
'Chemical/Energy']},
'investigation_status': 'Ongoing',
'lessons_learned': 'Hacktivist groups are leveraging geopolitical conflicts '
'to amplify cyberattacks, combining digital operations '
'with information warfare. Organizations in conflict zones '
'or allied nations are at heightened risk of DDoS, '
'defacement, data breaches, and ransomware attacks.',
'motivation': ['Geopolitical',
'Pro-Palestinian',
'Pro-Iranian',
'Anti-Western',
'Ideological'],
'post_incident_analysis': {'root_causes': 'Geopolitical conflict escalation, '
'ideologically motivated hacktivist '
'groups, exploitation of regional '
'tensions'},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes (claimed by Handala Group)',
'ransomware_strain': ['encryption.exe (Anon-g Fox)',
'Handala Group ransomware']},
'recommendations': ['Invest in DDoS protections',
'Enhance data breach prevention measures',
'Monitor for website defacements',
'Prepare for ransomware attacks',
'Implement geopolitical threat intelligence',
'Secure banking and cryptocurrency applications against '
'malware',
'Abuse prevention for Accessibility services on Android'],
'references': [{'date_accessed': '2024-06-17',
'source': 'Cyble Threat Intelligence Advisory'}],
'response': {'communication_strategy': 'Hacktivist groups using Telegram '
'channels to amplify narratives and '
'claims'},
'stakeholder_advisories': 'Organizations in the Middle East and allied '
'nations advised to bolster cybersecurity defenses '
'due to heightened hacktivist activity.',
'threat_actor': ['Handala Group',
'Anonymous Guys',
'Arabian Ghosts',
'Server Killers',
'RipperSec',
'Dienet',
'LulzSec Black',
'Cyber Ghost Team',
'Keymous+',
'GhostSec',
'Dark Storm Team',
'Yemen Cyber Army',
'Anonymous Syria Hackers',
'Red Eagle',
'Mysterios Team',
'Tunisian Maskers',
'Unit Nine',
'Islamic Hacker Army',
'Cyber Islamic Resistance',
'Nation of Saviors',
'Unknown Cybers Team',
'Mr Hamza',
'EvilByte',
'Digital Ghost',
'Cyber Fattah Team',
'Predatory Sparrow',
'Anon-g Fox'],
'title': 'Cyber Conflict Escalation in Middle East: Israel-Iran Hacktivism '
'Surge',
'type': ['DDoS',
'Website Defacement',
'Unauthorized Access',
'Data Breach',
'Ransomware',
'Wiper Malware',
'Banking Malware']}