Cyber retaliation surges after US–Israel strikes on Iran as hacktivists hit governments, defense, critical sectors


New analysis from Intel 471 found that military strikes by the U.S. and Israel against Iran triggered a sharp surge in hacktivist activity across the cyber threat landscape. Researchers observed numerous ideologically aligned groups launching campaigns in response to the escalation, with many cyber adversaries claiming distributed denial-of-service (DDoS) attacks, website defacements, and other disruptive operations against government, corporate, and regional targets. The activity highlights how geopolitical events increasingly spill into cyberspace, where loosely organized hacktivist collectives and state-aligned proxies use cyber operations to signal support, amplify propaganda, and retaliate against perceived adversaries.

According to the report, these campaigns often involve a mix of pro-Iranian and regional hacktivist groups coordinating attacks or amplifying claims through social media and messaging platforms. While many operations remain low-level or largely symbolic, the surge in activity illustrates how modern conflicts rapidly trigger waves of cyber retaliation that can target government systems, private companies, and potentially critical infrastructure in countries linked to the dispute. 

“In the week of Feb. 27, 2026, to March 6, 2026, Israel was by far the most impacted region, followed by Kuwait and Jordan,” Intel 471 identified. “Additionally, Bahrain, Qatar and the UAE also landed in the top ten most impacted regions for the week. Moreover, the top three most impacted industries were national government, aerospace and defense, and technology.”

Pro-Iranian and Iran-aligned actors rapidly positioned themselves within the broader retaliation narrative following the strikes, launching a wave of hacktivist activity largely targeting the U.S., Israel, and neighboring countries. According to analysis from Intel 471, these operations primarily involved claims of data breaches and DDoS attacks against government, military, and corporate targets.

Members of the Iranian Handala Hack claimed to have compromised multiple oil and gas organizations across Israel, Jordan, and Saudi Arabia, and also alleged a breach of an Israel-based research institute. Another Iranian group, WeAreUst, said it collaborated with Anonymous Sana’a to target an Israel-based defense and security technology company. The Iranian UniT 313 also claimed responsibility for DDoS attacks against military and government entities in Bahrain and Saudi Arabia.

Other groups reported operations against communications and infrastructure targets. The Cyber Islamic Resistance claimed to have compromised home routers linked to an Israeli fiber-optic communications provider and a control systems manufacturer, and also said it launched a denial-of-service attack against a U.S. military online directory. 

Meanwhile, the Iraqi FAD Team claimed attacks against supervisory control and data acquisition systems affecting Israel and allied countries, while the North African Keymous reportedly carried out denial-of-service attacks against several Israeli telecommunications companies.

Additional activity included denial-of-service attacks by the DieNet targeting Kuwaiti government websites. An Iranian actor known as Mr. Soul, previously linked to the Cyber Av3ngers, threatened independent cyber operations against Israel and later claimed access to Israeli power transmission infrastructure, alleging it had targeted and disabled warning sirens. The Cyber Isnaad Front also claimed attacks against Israeli government and military communications systems.

Earlier this month, pro-Russian hacktivist group NoName057(16) declared solidarity with Iran and announced distributed denial-of-service attacks against Israeli targets under the #OpIsrael banner. The group claimed to target websites linked to political parties, local authorities, and telecommunications providers in Israel. According to analysis from Intel 471, several other pro-Russian collectives soon signaled support for the campaign or threatened related attacks.

The Hider_Nex joined the #Op_Israel_USA campaign and claimed to have disrupted the services of an Israeli telecommunications company. The PalachPro publicly stated its intention to assist Iranian hackers in targeting Israeli and U.S. organizations. 

Meanwhile, the Z-Pentest Alliance alleged it had gained full control of a pump control and water supply management system in Israel, while the RuskiNet Group claimed a denial-of-service attack that temporarily disrupted the website of KPMG Israel.

Additional activity included claims by the Dark Storm Team, which said it launched DDoS attacks against several Israeli banks. The Cardinal and Russian Legion groups also jointly claimed attacks on Israeli military systems, including alleged breaches of the Iron Dome radar and interception infrastructure.

Intel 471 observed a smaller number of anti-Iranian hacktivist claims. These incidents were significantly lower in volume and appeared aimed primarily at creating psychological or political pressure within Iran rather than causing large-scale disruption.

Members of the Anonymous – אַנונִימִי group shared what they said was personally identifiable information belonging to members of the Islamic Revolutionary Guard Corps and other Iranian military operatives. The group also claimed responsibility for a distributed denial-of-service attack targeting Iranian regime-affiliated news agencies.

Separately, the Anonymous Syria Hackers announced a campaign against Iran and claimed to have breached the database of an e-commerce platform, leaking personally identifiable information, login credentials, and PayPal account details.

As part of its assessment outlook, Intel 471 noted that the recent surge in pro-Iranian hacktivist activity is currently providing the Iranian regime with a greater ability to project perceived power at a time when domestic connectivity is highly constrained. These groups almost certainly are attempting to distract regional adversaries, mainly Israel and its Western allies, by employing DDoS attacks and other disruptive cyber tactics. While the actual damage was likely negligible, the aim of the attacks was likely to serve as a show of resistance.

“Meanwhile, pro-Russian groups almost certainly are seizing the opportunity to expand their influence by collaborating with pro-Iran and pro-Palestinian collectives. This behavior is not new, as these groups often supported one another in the past following geopolitical flare-ups,” it added. “These collaborations can be mutually beneficial since groups often re-post activity to their followers, amplifying the effect of their actions. Furthermore, for pro-Russian groups, participating in hacktivist activity in support of Iran allows them to extend their reach into the Middle East, maintain their anti-Western geopolitical alignment, and promote themselves as high-profile actors and/or groups in the hacktivist ecosystem by continuing to target critical infrastructure and government entities.”

The analysis emphasizes that while the surge in DDoS attacks, website defacements and other disruptive cybercrime is real, these groups frequently exaggerate the actual impact and/or depth of their activity in an attempt to maximize psychological impact and media attention. 

“Looking ahead in the near term, we expect regional tensions to persist, resulting in continued attacks from both pro-Iranian and pro-Russian collectives against the U.S., Israel and other Gulf nations,” Intel 471 detailed. “These likely will remain in the form of varying disruptive actions, including DDoS attacks and claims of data breaches, focused on entities in industries such as banking, government, oil and gas, telecommunications and other critical national infrastructure. In the medium to long term, we typically see a reduction in attacks as actor interest wanes but devout and state-associated adversaries likely will persist in their activity.”

Commenting on the cybersecurity implications of the ongoing Middle East conflict, Mike Maddison, CEO of NCC Group, wrote in an emailed statement that the current conflict in the Middle East is proof that cyber operations have become fully integrated with military strategy. “Israel and the US have combined cyber attacks with physical strikes to contribute to Iran’s communications blackout. Overall, the majority of cyber activity tied to the Israel–Iran conflict consists of DDoS attacks, website defacements, exaggerated breach claims, and widespread AI‑driven misinformation. This activity is high in volume but low in impact, rather than being materially disruptive.”

He highlighted that “The breadth of global supply chains means that while Iran’s cyber capabilities are focused on Israel, the US and the Gulf-region, global companies still need to be vigilant. Supply chains and widely connected digital infrastructure face a realistic risk of disruption or being caught in an information war.”

“The use of GPS jamming in the Middle East is a timely reminder of the fragility of our reliance on satellite navigation systems,” Maddison said. “All Global Navigation Satellite System (GNSS) platforms share a critical vulnerability – their signals are inherently weak and susceptible to targeted jamming. This situation underscores the urgent need for robust security investment to safeguard critical national infrastructure.” 

Maddison warned that “The maritime sector remains a high-value target due to the scale of disruption a successful attack can cause. As threats evolve, the industry must shift from reactive defence to proactive resilience strategies. Alternative technologies like Long Range Navigation (LORAN) or emerging quantum-based systems offer promise, but neither has yet been delivered at scale. Until then, resilience must come from layered defences and strategic foresight.”


