Surge In Cyber Threats - Middle East Activities
Iran’s state APTs and aligned hacktivist coalitions are using the cover of Operation Epic Fury to wage a sustained, globally scoped cyber campaign that blends espionage, disruption, and information operations, with increasing focus on ICS/OT and cloud environments.
Overview
Escalating geopolitical conflict between the U.S., Israel, and Iran following Operation Epic Fury has opened a sustained second front in cyberspace, with direct implications for global organizations and especially entities tied to Israel, the U.S., and Gulf states. Iranian state-aligned APTs and a rapidly mobilizing hacktivist ecosystem are conducting and coordinating DDoS, ransomware, ICS/OT intrusions, and hack‑and‑leak operations, with critical infrastructure and government-adjacent networks now clearly in scope.
Key Points:
- Threat level is elevated globally, with priority focus on Israel, the U.S., and Gulf states hosting or supporting U.S./Israeli operations, including Bahrain, Qatar, Kuwait, Saudi Arabia, and the UAE.
- Iran-linked APTs (e.g., APT33, APT34/OilRig, MuddyWater, APT42, CyberAv3ngers) and coordinated hacktivist alliances (e.g., Cyber Islamic Resistance, DieNet, 313 Team, Nation of Saviors) are simultaneously active.
- DDoS, credential theft, ransomware, ICS/OT manipulation, and website defacements are the primary attack vectors, supported by aggressive information operations and exaggerated breach claims.
- Confirmed or claimed access to ICS/OT environments and energy-related PLCs in the region significantly raises the risk of disruptive or destructive impacts on critical services.
- Immediate hardening of identity, perimeter, DDoS defenses, and incident response readiness is required.
1.0 Threats
The current threat landscape is characterized by a blend of sophisticated state-backed activity and noisy yet impactful hacktivism, all synchronized with kinetic events. Cyber operations have already targeted Iranian infrastructure during the opening phase of Operation Epic Fury, with connectivity inside Iran reportedly dropping to as low as 4% of normal levels as media, government, and security communications were disrupted to blind leadership and degrade command-and-control.
1.1 Organizations globally should anticipate the following threat types:
- Advanced Persistent Threats (APTs): Long-term espionage, access maintenance, and potential wiper or destructive activity against government, defense, energy, telecom, and strategic private sector entities.
- DDoS campaigns: High‑volume, ideologically motivated attacks against government portals, airports, finance, and utilities, frequently advertised with third‑party uptime screenshots; DieNet and allied nodes provide DDoS‑as‑a‑service tooling to many small groups.
- Ransomware and extortion: Political or hybrid political‑financial ransomware campaigns, including exfiltration of sensitive design, contract, or operational data, as seen in recent INC Ransomware claims against Israeli-linked firms.
- ICS/OT intrusions: Claims of access to PLCs, energy monitoring dashboards, and power plant controls, including alleged manipulation of electricity output in Jordan and indications of targeting across regional utilities.
- Hack‑and‑leak / disinformation: Doxxing of military‑linked entities, publication of large “netblock” scan files against U.S. IP space, and overstated breach claims intended to create psychological and political pressure.
1.2 Threat Actors*
Iran views cyber power as an integral tool of statecraft and asymmetric warfare, operating through IRGC and Ministry of Intelligence structures with distinct, but sometimes overlapping, APT clusters. Key actors include:
- APT33 (Elfin/Refined Kitten): Focuses on aerospace, energy, and defense, using spearphishing, custom malware, and wipers; historically active against U.S. and Gulf industrial firms.
- APT34 (OilRig/Helix Kitten): Targets Middle East governments, telecom, and finance via credential harvesting, DNS hijacking, and custom backdoors; aligned with IRGC intelligence priorities and often reuses infrastructure across campaigns.
- APT35 / APT42 (Charming Kitten/Mint Sandstorm): Targets journalists, academics, NGOs, healthcare, and civil society with social engineering and cloud credential theft, operating heavily in Microsoft 365/Google environments.
- APT39 (Chafer) and related clusters: Focus on telecom, travel, and IT providers for surveillance and mass data exfiltration across the region.
- MuddyWater (Static Kitten/Seedworm): Government, transport, industrial targeting, leveraging PowerShell, RMM tooling, and destructive malware; believed to operate under MOIS direction and to blend espionage with faux hacktivist personas.
- Tortoiseshell, Fox Kitten, CyberAv3ngers: Focus on defense contractors and supply chains, VPN and edge device exploitation, and OT device defacement/PLC abuse, respectively, particularly against water and other utilities.
*Reference Annex A for Threat Actor Breakdown
1.3 Hacktivist and proxy ecosystems:
- Cyber Islamic Resistance / “Electronic Operations Room”: Umbrella collective unifying multiple teams (e.g., RipperSec, Cyb3rDrag0nzz, 313 Team), claiming access to Israeli industrial networks and PLCs, and coordinating defacements and DDoS.
- DieNet Network: DDoS‑as‑a‑service‑driven hacktivist infrastructure claiming dozens of DDoS attacks on critical infrastructure globally; provides tooling to smaller collectives and is currently focused on government, airport, financial, telecom, and utility targets across the Gulf and now Cyprus.
- 313 Team, Nation of Saviors, Moroccan Black Cyber Army, AnonGhost, Team Fearless, Handala, others: Conduct government portal DDoS, telecom‑layer disruption, data leaks, doxxing, and defacements across Israel, Jordan, Gulf states, and U.S.-linked entities, often amplifying or mirroring state objectives.
1.4 Campaigns
Recent days have seen a transition from primarily symbolic web disruptions to sustained campaigns against critical infrastructure and high‑value targets.
- Critical Infrastructure & ICS/OT: Cyber Islamic Resistance and affiliates have shared screenshots allegedly from PLC controller interfaces (including named PLC platforms) and energy production dashboards, claiming parameter manipulation and prolonged pre‑disclosure access within energy facilities.
- Regional Power and Utilities: “APT IRAN” claims month‑long access to Jordanian critical infrastructure, including manipulation of power plant control systems with reported 75% output reductions; DieNet‑linked lists enumerate ministries, airports, banks, and electricity and water authorities in Qatar, Bahrain, UAE, Kuwait, and Saudi Arabia as DDoS and disruption targets.
- Ransomware and Politically Framed Extortion: INC Ransomware has listed at least one Israeli-linked organization as a target of large‑scale data exfiltration, labeling the intrusion “political” rather than purely financial, indicating convergence between financially motivated and geopolitically aligned ransomware operations.
- Defacements and Coordinated Branding: Cyber Islamic Resistance and Cyb3r Drag0nz have claimed multiple defacements of Israeli sites, deploying common coalition branding referencing 313 Team, Moroccan Black Cyber Army, and others, reinforcing a unified “electronic front” narrative.
- Reconnaissance and Netblock Scanning: AnonGhost and allied channels advertise scanning of large U.S. netblocks (e.g., 120K_USA_NetBlock lists) as a prelude to future operations and as propaganda.
- Geographic Expansion: DieNet messaging has explicitly called out Cyprus as a target due to British military bases, in parallel with kinetic incidents, indicating a widening scope beyond Israel and the Gulf.
2.0 Risk & Impact
Risk is driven by a combination of geography, sector, perceived alignment, and existing exposure surface. An illustrative case is the prior wave of Iranian DDoS against over 50 U.S. banks in earlier escalations, showing Iran’s willingness to target civilian financial infrastructure far from the kinetic frontline.
- Geopolitical Exposure: Organizations in or strongly linked to Israel, the U.S., Jordan, Saudi Arabia, UAE, Bahrain, Qatar, Kuwait, and now Cyprus are at heightened risk of both direct and collateral targeting, regardless of sector.
- Sectoral Risk: Government, defense, energy, finance, telecom, transportation, media, and critical infrastructure are primary targets, with NGOs, academic institutions, healthcare, and civil society also explicitly targeted by APT42 and related actors for intelligence collection.
- Operational Impact Potential:
- DDoS can degrade or deny public web services, citizen portals, and B2B interfaces, causing reputational damage and operational disruption.
- ICS/OT intrusions can affect power, water, and logistics operations, with real-world safety implications.
- Ransomware and hack‑and‑leak activity can cause data loss, business interruption, and regulatory exposure, particularly around sensitive contracts and operational blueprints.
- Information and Psychological Impact: Fabricated or exaggerated breach claims may force premature public responses, erode trust, and distract defenders, especially when amplified via Telegram and social media.
3.0 Recommendations / Mitigations
The following actions translate the threat picture into concrete defensive measures aligned with current Iranian and hacktivist TTPs. By implementing these measures and maintaining heightened monitoring for anomalous network traffic and credential activity, your organization will be better positioned to withstand the likely wave of APT and hacktivist operations associated with this phase of the conflict.
3.1 Access & Identity
- Enforce MFA on all accounts, prioritizing privileged, VPN, and cloud admin accounts; disable legacy/less secure auth methods where possible.
- Conduct an immediate credential and session audit; rotate passwords for admin and service accounts on a regular cadence, revoke all active session tokens for high-risk accounts, and invalidate long-lived OAuth tokens.
- Remove or tightly constrain RMM tools across your environment; MuddyWater and related actors routinely abuse legitimate RMM for persistence.
3.2 Network, Perimeter, and ICS/OT
- Patch all internet‑facing devices, especially VPN appliances, firewalls, load balancers, and edge gateways; Fox Kitten‑style operations focus on unpatched perimeter infrastructure.
- Validate and, if necessary, urgently scale DDoS mitigation for all critical external services (customer portals, VPN gateways, APIs, DNS); pre‑onboard key assets with your DDoS provider and test playbooks.
- Review and monitor DNS logs for anomalies such as unusual TXT queries or suspicious domains, given OilRig’s use of DNS tunneling and hijacking for exfiltration and C2.
- Segment ICS/OT networks from corporate IT, enforce one‑way gateways or tightly controlled jump hosts, and ensure no direct exposure of PLCs or HMIs to the internet; treat all OT remote access as high risk.
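The DNS log review above can be partly automated. The following is an added illustration, not code from the advisory or any vendor: it applies a simple heuristic (TXT queries whose leftmost label is long hex-like or high-entropy, repeated by one client to one base domain) to a constructed syslog-style query log. The log format, the client IPs and the domain hypothetical-c2.example are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log, one record per line:
# "<timestamp> <client_ip> <qtype> <qname>". Not from a real sensor.
SAMPLE_LOG = """\
2025-01-01T10:00:01 10.0.0.5 A   www.example.com
2025-01-01T10:00:02 10.0.0.5 TXT 4a6f686e20446f65.ab3f9c2e.hypothetical-c2.example
2025-01-01T10:00:03 10.0.0.5 TXT 6d79207365637265742070617373776f7264.9911ffab.hypothetical-c2.example
2025-01-01T10:00:04 10.0.0.5 TXT 7468697320697320612074657374206d657373616765.cafe0101.hypothetical-c2.example
2025-01-01T10:00:05 10.0.0.7 TXT _dmarc.example.com
2025-01-01T10:00:06 10.0.0.7 A   mail.example.com
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # long hex-only label, typical of encoded data


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse_line(line):
    ts, client, qtype, qname = line.split(maxsplit=3)
    return ts, client, qtype.upper(), qname.lower().rstrip(".")


def is_suspicious_query(qtype, qname, max_len=60, entropy_threshold=3.5):
    """Flag TXT queries carrying a hex-like, or long and high-entropy, leftmost label."""
    if qtype != "TXT":
        return False
    first_label = qname.split(".")[0]
    if HEX_LABEL.match(first_label):
        return True
    return len(qname) > max_len and shannon_entropy(first_label) > entropy_threshold


def find_txt_tunneling(log_text, min_hits=3):
    """Return {client_ip: {base_domain: count}} for clients that sent at least
    min_hits suspicious TXT queries to the same base domain."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        if is_suspicious_query(qtype, qname):
            base_domain = ".".join(qname.split(".")[-2:])
            hits[client][base_domain] += 1
    return {client: {d: n for d, n in doms.items() if n >= min_hits}
            for client, doms in hits.items() if any(n >= min_hits for n in doms.values())}
```

Thresholds are starting points; tune them against your own baseline of legitimate TXT traffic (SPF, DKIM, DMARC, verification records) before alerting.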
3.3 Detection, Response, and Communications
- Deploy or Tune Detection Rules:
- PowerShell‑based loaders, LOLBins, and script abuse common to MuddyWater and related groups.
- RMM abuse, unusual remote desktop usage, and anomalous cloud admin actions.
- Inbound phishing consistent with APT35/APT42 tradecraft (conference invites, journalist outreach, document review lures).
- Review, Update, and Test Incident Response Plans:
- DDoS playbooks and failover procedures.
- Ransomware containment and decision‑making processes.
- ICS/OT incident runbooks, including safe shutdown options and manual override procedures.
- Establish a protocol for evaluating and responding to public breach or defacement claims on Telegram and social media, including rapid internal triage, authoritative external messaging, and coordination with national cyber authorities as needed.
3.4 Staff Awareness and Targeted Training
- Issue Immediate, Conflict‑Specific Awareness Guidance:
- Spearphishing and social engineering as primary vectors.
- Verification of any unsolicited outreach from journalists, researchers, conference organizers, or “partners.”
- Strict avoidance of entering credentials into links received over email, WhatsApp, or Telegram.
- Identify staff engaged in Iran‑ or Middle East‑related policy, research, diplomacy, or activism and provide tailored guidance, given their elevated targeting profile.
3.5 Cloud & Collaboration Environments
- Perform tenant‑wide security reviews for Microsoft 365, Google Workspace, and other SaaS platforms:
- Enable sign‑in risk and impossible‑travel alerts.
- Review privileged roles and third‑party app consents.
- Restrict external sharing on sensitive document libraries.
- Monitor for anomalous access to shared drives and collaboration spaces; APT42-style campaigns often operate almost entirely within cloud workloads post‑compromise.
3.6 Sector‑Specific Considerations
- Energy, Finance, Transport, and Maritime:
- Prioritize patching and hardening of DNS, routing, and industrial network infrastructure.
- Treat port systems, logistics platforms, and aviation systems as in‑scope targets and rehearse contingencies for partial outages.
- Diplomatic Missions, NGOs, Media, Academia:
- Apply maximum rigor to spearphishing defenses and verification procedures, and coordinate closely with national CSIRTs and CTI partners for IoC and TTP updates.
4.0 Hunter Insights
Iran’s cyber apparatus is exploiting the momentum of Operation Epic Fury to run a synchronized, multi‑vector campaign in parallel with kinetic activity, blending mature APT tradecraft with noisy but operationally meaningful hacktivist activity against governments, critical infrastructure, and organizations perceived as aligned with U.S. or Israeli interests. This convergence of state-directed APTs and DDoS-as-a-service hacktivist coalitions increases the likelihood of real-world disruption in energy, utilities, transport, and finance, while persistent credential theft and cloud-focused espionage raise long-term risks of strategic data exposure and pre-positioned access for future operations.
Looking ahead, expect cyber pressure to intensify and geographically expand: Iranian APTs are likely to deepen cloud and edge‑device intrusions for espionage and potential wiper deployments, while hacktivist umbrellas continue to advertise netblock scans, ICS/OT screenshots, and exaggerated breach claims to amplify psychological and political impact. As the conflict evolves, organizations with even indirect ties to regional policy or logistics, especially in energy, finance, telecom, transport, and diplomatic/NGO sectors, should anticipate spikes in ideologically framed ransomware, targeted spearphishing against policy and media figures, and time‑synchronized ICS/OT disruption attempts around key kinetic or diplomatic milestones, making proactive hardening of identity, perimeter, DDoS, and incident‑response capabilities a near‑term imperative.