U.S. DDoS Attacks Launched By Pro-Iran Hacktivists

Iran-aligned hacktivists launched DDoS attacks against 15 U.S. organizations and 19 websites in the first 24 hours after the U.S. bombed Iranian nuclear targets on June 21, Cyble threat intelligence researchers reported today.

The Cyble blog post said the cyberattack targets have included U.S. Air Force websites, Aerospace & Defense companies, financial services organizations, and an unverified claim of an attack on Truth Social, the social media platform of U.S. President Donald Trump.

The U.S. entry into the Israel-Iran conflict was met with less intensive cyber activity than the hacktivism and cyberwarfare that have engulfed the Middle East since the conflict began on June 13 with Israeli attacks on Iranian nuclear and military targets. The U.S. DDoS attacks coincided with a June 22 Department of Homeland Security warning that “Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks.”

U.S. DDoS Attacks Launched by Iran-linked Hacktivists

Cyble said four hacktivist groups were predominantly responsible for the initial U.S. DDoS attacks: Mr Hamza, Team 313, Keymous+ and Cyber Jihad. The groups’ claims range from “credible to questionable,” the researchers wrote.

Mr Hamza claimed that it targeted several websites belonging to the U.S. Air Force and Aerospace & Defense companies. The group posted its exploits using the hashtag #Op_Usa and included check-host.net reports that indicated downtime of the websites over a 10-hour period on June 22 (screenshot below).

[Screenshot: Hacktivist group Mr Hamza claims U.S. DDoS attacks (Cyble)]

Keymous+ claimed to have targeted U.S. financial organizations and included check-host.net links showing website disruptions over a one-hour period on June 22.


Team 313 claimed to have targeted Truth Social “but the group did not offer sufficient proof to deem the claim credible,” Cyble said.

Cyber Jihad Movement said it was planning to launch cyberattacks against U.S. targets between June 23 and June 27.

U.S. Hacktivist Activity Small Compared to Middle East

Cyble said the initial volume of hacktivist attacks on U.S. targets “has been small compared to the large number of attacks and threat groups that have been active in the Middle East,” where the threat intelligence researchers have recorded attacks by 88 groups, 81 of which are aligned with Iran (image below).

[Image: Hacktivist groups active in the Israel-Iran conflict (Cyble)]

Middle East cyberattacks have included “DDoS attacks, data and credential leaks, website defacements, unauthorized access, and major breaches of Iranian banking and cryptocurrency targets by Israel-linked Predatory Sparrow,” Cyble said. Interference with commercial ship navigation systems in the region has also been reported.

The Handala hacktivist group “appears to have been one of the more effective attackers,” Cyble said, with 15 claims of mostly well-documented ransomware/extortion incidents. The group’s victims have all been based in Israel.

In one noteworthy incident, a threat actor on the cybercrime forum Darkforums claimed to be offering unauthorized SSH access and VPN credentials of three user accounts for the VPN portal of the Israel Defense Forces (IDF) for the asking price of 2 BTC.

Russian groups have been largely absent from the Middle East cyber conflict, Cyble said, with two notable exceptions: Z-Pentest claimed that it compromised an industrial control system (ICS) belonging to an Israeli energy and utilities organization, while NoName057(16) claimed a DDoS attack on an Israeli transportation entity.

Attacks have also been aimed at Jordan, Egypt, the UAE and Saudi Arabia, “which appear to have been perceived as too neutral by Iran-aligned groups,” Cyble said.

Cyble urged organizations that could become a target of hacktivists to protect themselves against DDoS attacks, data breaches, website defacements, “and increasingly, ransomware and critical infrastructure attacks.”

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.