A civilisational apocalypse in Iran may have been averted for now, but despite the ceasefire now in place, hacktivists and state-linked hackers are expected to continue targeting the country’s perceived enemies.
“The current environment reflects a fragmented ceasefire. Hostilities are continuing across key theatres, particularly in Lebanon and across Gulf energy infrastructure,” Kathryn Raines, Cyber Threat Intelligence Team Lead for the National Security Solutions team at Flashpoint, said in an overnight threat summary.
“That fragmentation introduces additional uncertainty. When activity continues despite formal agreements, it becomes more difficult to anticipate escalation pathways, which increases operational risk for organisations with regional exposure.”
And cyber-attacks, by their non-kinetic nature, are a particularly open pathway to continue hostilities, according to Raines.
“A military ceasefire does not translate to a cyber pause. What we’re seeing is continuity in activity, with threat actors maintaining tempo while adjusting targeting and messaging,” Raines said.
“For organisations, that means risk remains elevated. Critical infrastructure, particularly in energy and water systems, continues to be actively targeted, and the use of the ceasefire as cover creates additional uncertainty around what comes next.”
War by any other means
Ceasefires are, in effect, agreements between more or less sovereign powers. Hacktivist groups, such as Handala, do not feel bound by any such concessions. Despite one of its websites being taken down recently by the US authorities, the group has said it is prepared to fight on.
“The cyber war did not begin with the military conflict, and it will not end with any military ceasefire,” Handala said in an April 8 blog post.
“Our cyber jihad is the extension of our martyrs’ blood, and it will go on until full vengeance is achieved.”
That said, the group has agreed to postpone “overt confrontation with the United States,” but has also promised more activity is to come.
“The hack of the FBI director was just a glimpse of our power; for us, no land is too distant and no network is truly secure,” Handala added.
“Rest assured: when the time comes, the darkest of nights will have only just begun for America and all its supporters.”
As of April 8, here’s just a sample of cyber incidents linked to the fighting in Iran:
A group calling itself the Cyber Islamic Resistance said it was expressing solidarity with the Russian hacking group Killnet, a sign of a possible alliance between groups with extreme anti-Western beliefs.
Pro-Islam group Conquerors Electronic Army said it had launched a distributed denial-of-service attack on several Israeli entities, including a pair of volunteer associations, Beit Cham and All Volunteer Force.
Australia, though far from the conflict, is not immune either. A group calling itself The 313 Team claimed to have launched a large-scale attack on an Australian government portal.
Meanwhile, US authorities distributed an advisory warning of Iran-linked threat actors targeting critical infrastructure entities via internet-facing hardware in the water and energy sectors.
Critical threat
In that latter case, the hackers are targeting programmable logic controllers (PLCs), hardware that traditionally sat off the internet, and they are reaching it through the same engineering tooling operators use themselves, which presents a particular problem for defenders.
“The threat actors here are assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). They accessed CompactLogix and Micro850 devices using Rockwell Automation's Studio 5000 Logix Designer,” Nozomi Networks’ CISO Markus Mueller said.
“The traffic looks like a regular remote engineering session because that's exactly what it was. The difference is who was sitting at the keyboard.”
According to Mueller, such malicious activity is an unavoidable byproduct of geopolitical tension.
“That correlation isn't new – Iranian-affiliated OT activity has tracked with periods of kinetic escalation consistently over the past several years,” Mueller said.
“That doesn't mean your threat level should spike with every news cycle, but when the regional picture gets more volatile, it's a reasonable prompt to re-verify your exposure, refresh your indicators of compromise (IOC) hunts, and confirm your monitoring coverage is actually running the way you think it is.
“In critical infrastructure, geopolitical context is a legitimate input to threat posture.”
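Mueller's point is that the session itself is not the signal: Studio 5000 reaches Logix controllers over EtherNet/IP explicit messaging on TCP 44818, Micro800-series controllers speak the same protocol, and a malicious session on that channel looks protocol-wise like any legitimate one. What is left to detect on is who connected, from where and when, which is also how the "re-verify your exposure" and "confirm your monitoring coverage" advice above turns into a concrete check. The following is an added example, not code from the article, Nozomi Networks or Rockwell Automation; the PLC inventory, engineering-workstation allowlist, maintenance window, log format and sample records are all constructed for illustration.

```python
"""Flag EtherNet/IP (CIP) engineering sessions to PLCs from unexpected sources.

Added example, not code from the article or from any vendor it quotes.
A malicious Studio 5000 session to a CompactLogix or Micro850 is protocol-wise
identical to a legitimate one, so the check below keys on WHO connects, from
WHERE, and WHEN. The asset data, log format and sample records are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ENIP_PORT = 44818  # EtherNet/IP explicit messaging (CIP), used by Studio 5000

# Constructed asset data; in practice this comes from the OT asset inventory.
PLCS = {
    "10.20.1.10": "CompactLogix (pump station 1)",
    "10.20.1.11": "Micro850 (chlorination skid)",
}
ENGINEERING_WORKSTATIONS = {"10.20.9.5", "10.20.9.6"}  # hosts allowed to run engineering software
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]   # anything else counts as "outside"
MAINTENANCE_WINDOW = range(7, 19)                      # hours when engineering changes are expected


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    severity: str
    reason: str


def parse_record(line: str):
    """Parse one constructed connection record: '<iso-ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto


def is_inside_ot(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def evaluate(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious CIP session to a tracked PLC, else None."""
    ts, src, dst, dport, proto = parse_record(line)
    if dst not in PLCS or dport != ENIP_PORT or proto != "tcp":
        return None  # not an engineering session to a PLC we track
    plc = PLCS[dst]
    if not is_inside_ot(src):
        # A PLC answering CIP from outside the OT range means it is exposed,
        # directly or via a forwarding rule: the "re-verify your exposure" case.
        return Finding(ts, src, dst, "critical",
                       f"CIP session to {plc} from outside the OT network")
    if src not in ENGINEERING_WORKSTATIONS:
        return Finding(ts, src, dst, "high",
                       f"CIP session to {plc} from host not on the engineering allowlist")
    hour = int(ts[11:13])  # hour field of the ISO timestamp
    if hour not in MAINTENANCE_WINDOW:
        # Right tool, right host, wrong time: the allowlisted workstation itself
        # may be the foothold, so this still deserves a look.
        return Finding(ts, src, dst, "medium",
                       f"allowlisted engineering session to {plc} outside maintenance window")
    return None


def scan(lines) -> list:
    """Run evaluate() over connection records and return the findings in order."""
    return [f for f in (evaluate(line) for line in lines) if f is not None]


# Constructed sample records: timestamp src dst dport proto.
SAMPLE_LOG = [
    "2026-04-08T09:15:02 10.20.9.5 10.20.1.10 44818 tcp",     # routine session, in window
    "2026-04-08T03:12:44 10.20.9.6 10.20.1.11 44818 tcp",     # allowlisted host, but at 03:12
    "2026-04-08T03:40:10 10.20.40.77 10.20.1.10 44818 tcp",   # internal host not on the allowlist
    "2026-04-08T03:41:55 203.0.113.25 10.20.1.11 44818 tcp",  # from the internet
    "2026-04-08T10:00:00 10.20.9.5 10.20.1.10 443 tcp",       # not CIP, ignored
    "2026-04-08T10:01:00 10.20.9.5 10.20.5.50 44818 tcp",     # CIP, but not a tracked PLC
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} [{f.severity}] {f.src} -> {f.dst}: {f.reason}")
```

Run against the constructed records it raises three findings: the off-hours session from an allowlisted workstation (medium), the session from a non-allowlisted internal host (high) and the session from a public address (critical). The last one is the check that answers "is this PLC reachable from the internet" from the traffic side; the allowlist and time window are what you have left once the protocol itself tells you nothing, which is exactly the situation Mueller describes.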
On the scale of the cyber threat Iran may pose in future, Andrew Chipman, GRC Manager at cyber security and compliance firm ProCircular, was particularly blunt in his assessment.
“The threat of cyber-attack from Iran is real. At this time, we expect to see that threat realized through proxies, hacktivists, and other allies to the Iranian regime,” Chipman told Cyber Daily.
“If Iran is able to build back its regime, we may see direct retaliation from Iran in the form of cyber-attacks against highly visible targets. History teaches us that hospitals and medical service providers are prime targets for the regime and its supporters.”
Iran, Chipman contends, may not be in a position to wage large-scale cyber warfare against the US and its allies at this point, but the country has other options.
“Hacktivists and proxy attackers are plentiful – expect attacks to come and prepare appropriately.”