Following the joint US-Israel military strikes against Iran on February 28, 2026, the cyber front is escalating rapidly.
Researchers at Unit 42 are tracking a wave of hacktivist attacks, while state-sponsored Iranian groups appear weakened for now. The launch of Operation Epic Fury (US) and Operation Roaring Lion (Israel) has had consequences well beyond the physical domain. A coordinated cyber countercampaign has been underway since February 28, as documented by Palo Alto Networks’ research team Unit 42 in a newly published threat brief.
Iran’s internet connectivity drops to one to four percent
Since the morning of February 28, Iran’s available internet connectivity has collapsed to between one and four percent. Unit 42 considers this a temporary brake on state-controlled hacker groups operating from within Iran itself. However, Iranian proxies based outside the country may be acting with considerable autonomy, and state-aligned cyber units operating in isolation could deviate from previously established patterns.
60 active hacktivist groups
Unit 42 is currently tracking around 60 active hacktivist groups involved in the conflict, many of them coordinating through the “Electronic Operations Room” formed on February 28. The most prominent is Handala Hack, a persona attributed to Iran’s Ministry of Intelligence and Security (MOIS), which combines data exfiltration with targeted operations against Israeli defense and energy organizations. The group has also sent death threats by email to an Iranian-American and an Iranian-Canadian influencer, claiming to have passed their home addresses to physical operatives.
DDoS, Data Leaks, and Attacks on Critical Infrastructure
Other active groups in the current wave:
- APT Iran and The Cyber Islamic Resistance claim attacks on Jordanian infrastructure, an Israeli drone defense system, and Israeli payment infrastructure.
- FAD Team claims access to SCADA systems in Israel and other countries. These are industrial control systems whose compromise can have real-world physical consequences.
- DieNet claims attacks on airports in Bahrain and the UAE, along with several banks across the region.
- On the pro-Russian side, NoName057(16) and Russian Legion are targeting Israeli municipalities, telecoms, and defense entities. Russian Legion goes as far as claiming access to Israel’s Iron Dome missile defense system.
Opportunistic criminals are also active: in the UAE, attackers are calling citizens while posing as Ministry of Interior staff, using a fake security alert as a pretext to steal Emirates ID numbers. The ransomware group Tarnished Scorpius has listed an Israeli industrial company on its leak site, replacing the firm’s logo with a swastika.
What Organizations Should Do Now
Unit 42 recommends keeping critical data backed up offline, patching internet-facing systems promptly, verifying incoming requests through separate trusted channels, and training staff to recognize phishing attempts. One important caveat: hacktivist groups routinely exaggerate their successes. A quick internal review of breach claims can prevent unnecessary panic.