Iranian hackers were more coordinated, aligned during Israel conflict than it seemed
The apparently disjointed response from Iranian hackers to the 12-day conflict with Israel in June actually demonstrated a significant degree of alignment and coordination, according to research published Tuesday.
SecurityScorecard’s STRIKE Team analyzed 250,000 messages from Iranian proxies and hacktivists from more than 178 groups whose activity ranged from pushing propaganda to stealing data to defacing websites to launching cyberattacks.
“Our analysis reveals a detailed map of operations that were fast, targeted, and ideologically charged,” its report states. “In many cases, the threat groups appear to have coordinated their operations with agility and deep alignment.”
Separately Monday, the Middle East Institute published an analysis that arrived at similar conclusions.
“Iran’s conduct in cyberspace during the 12-day war marked a turning point in its cyber strategy, reflecting greater coordination, clearer strategic intent, and the integration of digital tools across military, political, and psychological domains,” Nima Khorrami, an analyst at NSSG Global and a research associate at the Arctic Institute, wrote for the think tank.
The cyber fallout from the 12-day conflict led to a warning from the U.S. government about potential spillover. But some have questioned how effective any of the cyber operations between Iran and Israel were.
“It can be easy to conflate the volume of cyber activity in the Israel-Iran war with decisive impact,” Nikita Shah, a senior resident fellow at the Atlantic Council’s Cyber Statecraft Initiative, wrote last week. “But the value of cyber attacks for each state came from them serving as a means of shaping and augmenting the information environment, rather than bringing the conflict to a conclusive end. While these incidents may have caused harm or disruption in the short-term, they failed to provide any decisive military advantage. Instead, the impact was disproportionately felt by ordinary Iranian and Israeli citizens.”
SecurityScorecard highlighted how one Iranian government-connected group, known as Imperial Kitten or Tortoiseshell, changed tactics as the fighting grew more intense. It began using conflict-themed phishing lures and built infrastructure for the campaign almost immediately after the onset of physical battles.
That suggested the group “has planning or tasking cycles that respond quickly to conflict flashpoints,” SecurityScorecard said.
Further Iranian hacking activity included conducting reconnaissance, recruiting on the Telegram messaging app and advertising vulnerabilities, the company observed.