In the week following US-Israel military strikes against Iran, hacktivist groups from across the ideological spectrum launched one of the most concentrated bursts of coordinated cyber activity the Middle East has seen in years. A threat intelligence analysis published by Intel 471 on , documented the surge in detail: during the seven-day window from to , Israel absorbed the heaviest volume of attacks, followed by Kuwait and Jordan, with Bahrain, Qatar, and the United Arab Emirates also ranking in the top ten most-impacted countries. The industries targeted most heavily were national government, aerospace and defense, and technology, the three sectors that sit at the intersection of military capability and national infrastructure. The attacks spanned DDoS campaigns, website defacements, data breach claims, and what analysts classified as disruptive operations against industrial control systems.
What Hacktivism Actually Is, and Why It Surges After Military Events
What Intel 471's analysis makes clear is that the US-Israel strikes against Iran functioned as a massive activation signal for ideologically aligned groups who had been waiting for exactly this kind of trigger. The result was not a single coordinated attack from one organization, but a distributed mobilization: multiple groups with loosely overlapping goals, acting independently but in the same direction, at the same time.
"Cyber operations have become fully integrated with military strategy," said Mike Maddison, CEO of NCC Group.
That integration matters because it means the digital dimension of a conflict does not wait for a ceasefire. It runs continuously, in parallel with kinetic military action, and it draws in actors far beyond the borders of the countries actually exchanging fire.
The Pro-Iranian Groups and What They Claimed
Intel 471's analysis catalogued multiple pro-Iranian hacktivist groups that became active during the surge period. Understanding what each group claimed (and how those claims should be read) requires a short note on the nature of hacktivist reporting. Groups in this space routinely overclaim. Data breach announcements may involve stolen credentials of limited operational value. DDoS attacks disrupt access temporarily but rarely cause lasting damage. Treating every claim as a verified catastrophe would be a mistake. Dismissing the claims entirely would be a mistake too: they also represent real capability probing, real infrastructure stress, and real intelligence gathering that can precede more serious operations later.
Iranian Handala Hack, one of the most active groups in the surge, claimed to have compromised oil and gas organizations across Israel, Jordan, and Saudi Arabia. Oil and gas infrastructure is a perennial hacktivist target because it sits at the overlap of economic significance and symbolic value; attacking it signals both capability and intent in a way that defacing a government ministry website does not.
WeAreUst collaborated with a group called Anonymous Sana'a to target an Israeli defense technology company. The collaboration is notable because it shows cross-group coordination, a pattern that makes hacktivist activity harder to attribute and more unpredictable to defend against. When two groups with overlapping but distinct networks pool resources against a single target, the combined attack surface they can generate is larger than either could produce alone.
Iranian UniT 313 conducted DDoS attacks against military and government entities in Bahrain and Saudi Arabia, two Gulf states that maintain formal or informal alignment with Israel and the United States on regional security architecture. Their inclusion as targets signals that the hacktivist response was not solely focused on Israel itself but on the broader network of states that the groups consider complicit in the strikes.
A group called Cyber Islamic Resistance claimed a more technically specific operation: compromising routers belonging to an Israeli fiber-optic provider and separately attacking a US military directory. Router-level access is meaningfully different from a standard DDoS attack. Think of the difference between standing outside a building and shouting versus getting inside and rearranging the filing room. If verified, router compromise represents access to network infrastructure that could enable traffic monitoring, redirection, or disruption of communications at a level deeper than surface-level service availability.
The Iraqi FAD Team directed attacks at SCADA systems affecting Israel and its allies. SCADA is the category of software that controls physical industrial processes (the systems that tell a water treatment plant how much chlorine to add, or instruct an electrical substation to route power on a particular circuit). Think of SCADA as the interface layer between a computer network and the physical world. Attacks against it carry potential consequences that extend well beyond website outages: disrupting SCADA at a power plant or water facility creates effects that are measured not in server downtime but in service interruptions for civilian populations.
Among the most serious claims came from a threat actor called Mr. Soul, which Intel 471 linked to Cyber Av3ngers, a group with a documented history of targeting operational technology in the United States and Israel. Mr. Soul threatened further operations against Israel, claimed access to power transmission infrastructure, and allegedly disabled warning sirens. Warning siren systems exist to alert civilian populations to incoming missile strikes. If that claim is accurate (and Intel 471's analysis flagged the link between Mr. Soul and Cyber Av3ngers as a significant escalation indicator) it represents a category of attack where the harm is not data loss or service disruption but civilian safety.
Pro-Russian Groups Enter the Picture Under #OpIsrael
One of the more analytically interesting aspects of Intel 471's report was the documentation of pro-Russian hacktivist groups declaring solidarity with Iran and joining the campaign against Israeli targets. This is not geopolitically surprising (Russia and Iran have maintained an alignment of mutual convenience on multiple regional and strategic issues) but it represents a meaningful amplification of the overall attack volume and a broadening of the technical capabilities deployed.
NoName057(16), the most established and prolific pro-Russian DDoS group currently operating, declared solidarity with Iran and launched DDoS attacks against Israeli targets under the hashtag campaign #OpIsrael. NoName057(16) has a documented track record of conducting high-volume DDoS operations against NATO-aligned countries, and their entry into this particular campaign brought both operational capacity and propaganda amplification that smaller groups lack.
A group called Z-Pentest Alliance claimed full control of pump control and water supply systems in Israel. Pump control systems are the SCADA-adjacent infrastructure that manages water distribution (pressure management, flow control, the physical mechanics of getting water from treatment facilities to homes and hospitals). A claim of full control, if verified, would be among the most serious operational achievements in this entire wave of activity. Intel 471's framing of such claims appropriately distinguishes between what groups assert and what can be independently confirmed, but the assertion alone represents threat intelligence that defensive teams cannot ignore.
RuskiNet, a smaller pro-Russian group, conducted DDoS attacks against KPMG Israel. The targeting of a major professional services firm is somewhat unusual in a conflict-adjacent campaign (KPMG is not military infrastructure), but it reflects the broader hacktivist pattern of targeting any organization associated with a targeted country, regardless of its operational significance.
Dark Storm Team launched DDoS attacks against Israeli banks. Banking infrastructure is a frequent hacktivist target because it creates visible civilian disruption (ATMs go offline, digital payments fail) without requiring the technical depth needed to attack hardened military systems. The psychological effect on civilian populations is disproportionate to the actual operational damage, which is precisely why banking systems attract this kind of attention during conflict-linked campaigns.
Perhaps the most symbolically loaded claim of the entire surge came from the pairing of Cardinal and Russian Legion, who asserted attacks on Iron Dome radar systems. Iron Dome is Israel's missile defense architecture, the system that intercepts incoming rockets before they reach populated areas. A credible attack on its radar components would be significant far beyond the hacktivist context. Intel 471's analysis treated this claim with appropriate skepticism, noting that verified compromise of Iron Dome radar systems would represent a capability level substantially beyond what most hacktivist groups can credibly deploy. But the fact that groups are willing to target and claim attacks on active missile defense systems reflects the escalation in symbolic ambition even when technical reality may not match the rhetoric.
The Anti-Iranian Response, and What "High Volume, Low Impact" Actually Means
The surge was not entirely one-directional. An anonymous group operating under the Anonymous umbrella published leaked information about members of the IRGC. This kind of doxxing operation (releasing personally identifying information about individuals associated with a state security apparatus) represents a different threat model from DDoS attacks. The volume is lower, the target is narrower, and the potential for downstream harm to individuals is direct rather than infrastructural.
Stepping back from the specifics, Mike Maddison offered a calibrating observation about the overall picture:
"The majority of cyber activity is high in volume but low in impact," said Mike Maddison, CEO of NCC Group.
That is an important frame for reading everything in this report. The number of groups claiming attacks, the number of targets named, and the number of operations announced are all impressive on a raw count basis. What those numbers do not automatically tell you is how much actual damage was done.
DDoS attacks are a useful illustration. Think of a DDoS attack as the digital equivalent of every car in a city trying to drive down the same street at the same time. The street becomes impassable, but once the cars disperse, the street is functional again. No pavement is torn up, no infrastructure is permanently altered. The disruption is real (websites go down, services become unavailable, organizations spend operational resources defending against the attack) but it is inherently temporary. For most of the DDoS attacks documented in Intel 471's analysis, that is the correct frame: they cost the targets time, money, and attention, but they did not permanently degrade capability.
The reason "high volume, low impact" still matters, however, is threefold. First, volume itself consumes defensive resources. Security teams that spend the week of defending against dozens of DDoS attacks are not spending that week on other priorities (patching vulnerabilities, building detection capabilities, conducting red-team exercises). Second, not every attack in a high-volume campaign is low-impact. Among a hundred DDoS events, one router compromise or one SCADA system access attempt may be the operation that actually matters. Volume provides cover. Third, hacktivist campaigns function as intelligence probes. Each attack attempt, successful or not, reveals something about defensive posture, response times, and infrastructure configuration that more sophisticated actors (state intelligence services with deeper pockets and longer time horizons) can use later. This same dynamic is visible in the TeamPCP supply chain attack on Checkmarx, where quiet access to CI/CD pipelines proved far more valuable than any single noisy intrusion.
GPS Jamming and the GNSS Vulnerability No One Is Talking About Enough
Intel 471's report also flagged a dimension of the Middle East conflict that sits outside the purely cyber domain but is deeply relevant to it: GPS jamming and the broader vulnerability of GNSS in the region.
GNSS is the umbrella term for satellite-based positioning systems (GPS is the American version, GLONASS is Russian, Galileo is European). These systems are the backbone of a remarkable range of infrastructure that most people do not think about: commercial aviation navigation, shipping logistics, precision agriculture, financial system timestamping, telecommunications network synchronization, and the timing infrastructure that underlies modern power grids. When GNSS signals are jammed (intentionally flooded with interfering radio frequencies) the downstream effects reach well beyond navigation.
Think of GNSS jamming as cutting the clock in a building where every room depends on synchronized timekeeping. Individually, a clock in one room stopping is an inconvenience. But if the building's fire suppression system, its elevator controls, and its security access points all depend on that synchronized clock, the consequences cascade in ways that are not immediately obvious from the act of stopping the clock itself.
In the Middle East conflict context, GPS jamming has been documented by commercial aviation crews and civilian shipping operators in the region. The vulnerability is not hypothetical: it is actively being exploited as a component of the broader conflict ecosystem. For the civilian infrastructure of countries in the region, and for the international aircraft and vessels transiting through it, this represents a persistent operational risk that does not generate the same headlines as a claimed SCADA compromise but may have equally real operational consequences.
What Intel 471 Expects Next
"Regional tensions to persist, resulting in continued attacks... in banking, government, oil and gas, telecommunications and critical infrastructure," according to Intel 471's forward-looking assessment.
Intel 471 Threat Intelligence Analysis, March 2026
The five sectors named in that outlook (banking, government, oil and gas, telecommunications, and critical infrastructure) are not chosen at random. They represent the target categories that have attracted the most consistent attention throughout the surge period and that carry the highest potential for civilian impact if attacks escalate beyond the current "high volume, low impact" baseline.
The banking sector is especially significant. Financial system disruption creates civilian panic that is disproportionate to technical impact. A few hours of ATM outages generate far more public anxiety than an equivalent disruption to a government website. Groups that want to generate pressure on civilian populations (rather than genuine military capability degradation) have strong incentives to focus on banking infrastructure, and the participation of Dark Storm Team and other groups in that space during the surge period suggests they understand this.
Oil and gas infrastructure carries a different threat profile. Unlike banking disruptions, which are temporary and recoverable, sustained compromise of oil and gas operational technology can create physical consequences (spills, pressure failures, production shutdowns) that have environmental and economic effects that persist long after the attack itself ends. The claims from Iranian Handala Hack about oil and gas compromises across Israel, Jordan, and Saudi Arabia will require careful tracking to understand whether they represented genuine operational access or the kind of overclaiming that is common in hacktivist campaigns.
The telecommunications sector's presence on Intel 471's watch list reflects a strategic logic that is worth making explicit. Telecommunications infrastructure is the network through which all other digital attacks are coordinated and defended. Disrupting the communications layer of a country under attack is not just an end in itself: it degrades the target's ability to coordinate its own cyber defenses. Groups sophisticated enough to combine telecommunications attacks with concurrent SCADA or banking operations could create a compounding effect that is considerably more damaging than any single-vector approach.
What the Intel 471 analysis ultimately describes is a conflict space where the line between military operations, state-sponsored cyber activity, and decentralized hacktivist campaigns has become genuinely difficult to draw. Pro-Iranian groups, pro-Russian groups declaring solidarity, anonymous operations releasing IRGC member data, and GNSS jamming affecting civilian aviation are all running concurrently, drawing on overlapping infrastructure, and operating in ways that complicate attribution and response. Mike Maddison's framing (that cyber operations are now fully integrated with military strategy) is the correct lens. The question for the governments and critical infrastructure operators in the region is whether their defensive integration has kept pace with the offensive one.