State-Sponsored and Hacktivist Cyber Campaigns During the Middle East Conflict


On February 28, 2026, a joint U.S.-Israeli military offensive, codenamed Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel), triggered a major multi-vector cyber retaliatory campaign from Iran. In parallel with the kinetic strikes, Israel launched the largest cyberattack in history against Iran, causing a near-total internet blackout, with connectivity dropping to between 1% and 4% of normal levels.

This demonstrates that cyber operations are increasingly used as the first phase of geopolitical conflict, often preceding or accompanying military actions.

Severity: High

Threat Actor Landscape

The conflict has activated a diverse range of state-aligned and hacktivist entities, often coordinated through the newly established “Electronic Operations Room” (formed Feb 28, 2026).

Iranian State-Aligned Actors (APT Groups):

  • MuddyWater (Mango Sandstorm): Executing Operation Olalampo, a structured offensive targeting the Middle East and North Africa (MENA) region.
  • APT35 (Charming Kitten/Mint Sandstorm): Using WhatsApp for spear-phishing and spoofed websites to harvest credentials from defense personnel.
  • APT42 (Charming Cypress): Utilizing TameCat, a modular PowerShell-based backdoor targeting senior government and defense officials.
  • VoidManticore: Exploiting government mailboxes (e.g., in Oman) to deliver malicious documents to critical infrastructure targets.
  • APT34 (OilRig) / Dark Scepter: Using Cloudflare to obscure Command and Control (C2) infrastructure.

Specialized & Hacktivist Groups:

  • Handala Hack: Linked to Iran’s MOIS; conducts data exfiltration and destructive operations.
  • DieNet: Pro-Iran group targeting airports and banking infrastructure in Saudi Arabia, Bahrain, and the UAE.
  • Sicarii Ransomware: A destructive group using flawed encryption that makes data recovery impossible regardless of ransom payment.

Primary Targets and Geographic Scope

  • Critical Infrastructure: Energy companies (Israel), fuel systems (Jordan), and airport infrastructure (Bahrain, Sharjah, and UAE).
  • Cloud Services: Significant retaliatory strikes have been observed against AWS data centers, impacting global cloud services.
  • Financial & Government: Saudi bank websites, Israeli political establishments, and regional telecommunications providers.
  • Secondary Spillover (India): India is identified as a “second-order affected country” facing elevated risks in its energy supply chain (due to Hormuz Strait exposure) and IT/ITES delivery hubs.

Key Vulnerabilities Being Exploited

Threat actors are actively exploiting widely deployed technologies, including:

  • CVE-2018-13379 – Fortinet VPN
  • CVE-2021-26855 (ProxyLogon) – Microsoft Exchange
  • CVE-2024-4577 – PHP-CGI RCE
  • CVE-2024-5910 – Palo Alto Expedition
  • SSH Terrapin vulnerability (CVE-2023-48795)
  • VPN and edge device backdoors (Fortinet, Citrix, F5, Pulse)

These vulnerabilities give attackers both initial access and the footing for lateral movement.

Key Attack Techniques Observed

  • Convergence of State and Criminal Activity: Iranian state actors are increasingly using cybercriminal tactics, such as ransomware, to monetize access while maintaining plausible deniability.
  • Infrastructure Obfuscation: Heavy use of Cloudflare fronting and ASN clustering (e.g., Hosterdaddy Private Limited) to hide C2 servers.
  • Advanced Delivery: AI-enhanced spear-phishing, weaponized document files (.xlam, .ppam), and the use of Telegram or Ethereum-based infrastructure for C2 communications.
  • Operational Isolation: Due to the 1-4% internet connectivity in Iran, state-aligned cells outside the country may be acting with tactical autonomy, leading to deviations from historical patterns.
  • Use of Sliver C2 frameworks, PowerShell droppers, and custom UDP C2 servers.

Recommendations

  1. Do not rely on a single AWS region or data center. Deploy workloads across multiple AWS regions. Use active-active or active-passive failover architectures. Replicate critical services across geographically separated regions. Configure AWS Disaster Recovery (DR) strategies. Store backups in separate AWS regions.
  2. Enforce least-privilege IAM policies. Enable AWS CloudTrail and GuardDuty monitoring. Use security groups and network ACLs to restrict access.
  3. Implement strict “Block Macros” policies for files ending in .xlam and .ppam.
  4. Enforce MFA across all external access points (VPN, cloud admin portals, SSH, RDP).
  5. Implement accelerated patching cycles for internet-facing systems. Prioritize patching for critical vulnerabilities affecting VPN appliances, Microsoft Exchange, web servers, and firewall management platforms.
  6. Air-gap or strictly segment OT/ICS networks from corporate IT. Power grid, water utilities, and manufacturing must harden SCADA interfaces. Deploy industrial DMZs and unidirectional security gateways.
  7. Conduct security assessments for vendors with Middle East exposure.
  8. Conduct immediate training on social engineering attacks themed around the Iran conflict, oil prices, government alerts, and national security.
  9. Enable DDoS protection services from cloud providers or ISPs. Deploy traffic scrubbing and rate limiting. Implement content delivery networks (CDN) to absorb attack traffic. Prepare incident response plans specifically for DDoS events.
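
Recommendation 2 asks for least-privilege IAM policies. The following added example (written for this page, not code from the advisory or from AWS) is a small linter that reviews an IAM policy document before it is deployed and flags the grants that most often undermine least privilege: `Action: "*"`, service-wide wildcards such as `s3:*`, `NotAction`, and `Resource: "*"` paired with privilege-sensitive actions like `iam:PassRole`. Both sample policies, the bucket names, the account ID and the role name are constructed for illustration.

```python
import json

# Constructed sample policies (not from the advisory or any real account).
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# The same intent, scoped: named bucket, named role, and a condition on PassRole.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBackups", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-dr-backups",
                      "arn:aws:s3:::example-dr-backups/*"]},
        {"Sid": "PassOneRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

# Actions that hand over identity or control. Paired with Resource "*" they let a
# compromised principal escalate; this list is a starting point, not an exhaustive one.
PRIVILEGE_SENSITIVE_ACTIONS = {
    "iam:passrole", "iam:createaccesskey", "sts:assumerole",
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:putrolepolicy",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, severity, message) findings for every Allow statement in the policy."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag here
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append((sid, "high", "NotAction allows every action not listed"))
        for action in actions:
            if action == "*":
                findings.append((sid, "high", "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((sid, "medium", f"service-wide wildcard {action}"))

        if "*" in resources:
            sensitive = sorted(a for a in actions
                               if a == "*" or a in PRIVILEGE_SENSITIVE_ACTIONS)
            if sensitive:
                findings.append((sid, "high",
                                 f"Resource '*' combined with privilege-sensitive actions {sensitive}"))
            else:
                findings.append((sid, "low",
                                 "Resource '*': confirm these actions genuinely need account-wide scope"))
    return findings


if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Run it against a policy before attaching it; an empty result for the scoped policy and five findings for the broad one shows the difference between the two. A check like this belongs in the pipeline that creates or updates IAM policies, alongside the CloudTrail and GuardDuty monitoring the recommendation calls for, so that over-broad grants are caught before they reach an account rather than discovered in an incident.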

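Recommendation 3 calls for blocking .xlam and .ppam attachments. The added example below (written for this page, not code from the advisory) shows the two checks a mail or file gateway should combine: the extension block the advisory asks for, and a content check for the `vbaProject.bin` part that Office stores inside macro-enabled OOXML packages, so that a macro add-in renamed to a harmless-looking extension is still caught. The sample packages are built in memory with `zipfile` as minimal stand-ins for real Office files; they are constructed fixtures, not real documents, and the function names are this example's own.

```python
import io
import os
import zipfile

# Extensions the advisory recommends blocking outright (macro-enabled Excel/PowerPoint add-ins).
BLOCKED_EXTENSIONS = {".xlam", ".ppam"}

# Modern Office files are OOXML zip packages; VBA code is stored in a vbaProject.bin part
# (xl/vbaProject.bin for Excel, ppt/vbaProject.bin for PowerPoint).
VBA_PART_SUFFIX = "vbaproject.bin"


def contains_vba_project(data: bytes) -> bool:
    """True if the bytes are a zip package carrying a vbaProject.bin part anywhere inside."""
    if not data.startswith(b"PK\x03\x04"):
        # Not an OOXML/zip container. Legacy OLE formats (.xls, .ppt, .doc) would need
        # a separate OLE parser, which is outside this example's scope.
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(VBA_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_verdict(filename: str, data: bytes) -> str:
    """Decide on an attachment: extension policy first, then content inspection."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block:extension"
    if contains_vba_project(data):
        return "block:vba-content"
    return "allow"


def _build_ooxml(parts) -> bytes:
    """Construct a minimal zip package with the given part names (test fixture, not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in parts:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples: an add-in with a VBA part, and a plain workbook without one.
ADDIN_WITH_MACRO = _build_ooxml(["[Content_Types].xml", "xl/workbook.xml", "xl/vbaProject.bin"])
PLAIN_WORKBOOK = _build_ooxml(["[Content_Types].xml", "xl/workbook.xml", "xl/worksheets/sheet1.xml"])

if __name__ == "__main__":
    for name, blob in (("quarterly.xlam", ADDIN_WITH_MACRO),
                       ("quarterly.xlsx", ADDIN_WITH_MACRO),   # same bytes, renamed
                       ("quarterly.xlsx", PLAIN_WORKBOOK),
                       ("deck.ppam", b"")):
        print(f"{name}: {attachment_verdict(name, blob)}")
```

The second case is the one worth noting: the same macro-bearing package renamed to `.xlsx` passes the extension rule but is still blocked by the content check. Extension filtering satisfies the recommendation; pairing it with content inspection is what makes it hold up.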
Indicators of Compromise

IP: 209.74.87[.]100
IP: 157.20.182[.]49
IP: 185.236.25[.]119
IP: 38.180.239[.]161
IP: 92.243.65[.]243
IP: 185.76.79[.]125
Domain: anythingshere[.]shop
Domain: cside[.]site
Domain: footballfans[.]asia
Domain: menclub[.]lt
Domain: musiclivetrack[.]website
Domain: stone110[.]store
Domain: web14[.]info
Domain: justweb[.]click
Domain: girlsbags[.]shop
Domain: lecturegenieltd[.]pro
Domain: ntcx[.]pro
Domain: retseptik[.]info
Domain: codefusiontech[.]org
Domain: whatsapp-meeting.duckdns[.]org
Domain: api.telegram[.]org
URL: hxxps[:]//www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk
URL: hxxps[:]//api[.]ra-backup[.]com/analytics/submit.php
URL: hxxps[:]//bit[.]ly/4tWJhQh
SHA-1: 62ED16701A14CE26314F2436D9532FE606C15407
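
To make the list above usable in a SIEM or a quick log sweep, the added example below (written for this page, not code from the advisory) parses the defanged indicators, refangs them, and matches them against log lines. It matches domains by exact name or as a parent of the queried name, so a lookup of a subdomain of a listed domain is caught, and it tags hits on shared public services as requiring context, since `api.telegram[.]org` and `bit[.]ly` also carry legitimate traffic and a match there is a lead rather than a verdict. The subset of indicators embedded in the block is copied from the list above; the log lines, hostnames, internal IPs and the `SHARED_SERVICES` set are constructed for this example.

```python
import re

# A subset of the advisory's indicators, in their defanged form.
ADVISORY_IOCS = """\
IP:209.74.87[.]100
IP:185.236.25[.]119
Domain:whatsapp-meeting.duckdns[.]org
Domain:codefusiontech[.]org
Domain:api.telegram[.]org
URL:hxxps[:]//api[.]ra-backup[.]com/analytics/submit.php
URL:hxxps[:]//bit[.]ly/4tWJhQh
SHA-1:62ED16701A14CE26314F2436D9532FE606C15407
"""

# Public services that also carry legitimate traffic (assumption for this example,
# not a classification made by the advisory): a hit here needs analyst context.
SHARED_SERVICES = {"api.telegram.org", "bit.ly"}

# Constructed log lines (DNS, proxy, firewall, EDR) for demonstration only.
SAMPLE_LOG = [
    "2026-03-02T10:15:22Z dns src=10.0.4.21 qname=whatsapp-meeting.duckdns.org qtype=A",
    "2026-03-02T10:15:23Z dns src=10.0.4.21 qname=mail.example.com qtype=A",
    "2026-03-02T10:15:40Z dns src=10.0.4.21 qname=cdn.codefusiontech.org qtype=A",
    "2026-03-02T10:16:01Z proxy src=10.0.4.21 url=https://api.ra-backup.com/analytics/submit.php status=200",
    "2026-03-02T10:16:40Z fw src=10.0.4.21 dst=185.236.25.119 dport=443 action=allow",
    "2026-03-02T10:17:05Z proxy src=10.0.7.3 url=https://api.telegram.org/bot123/getUpdates status=200",
    "2026-03-02T10:18:30Z edr host=WS-0421 file=C:\\Users\\a\\AppData\\Local\\Temp\\update.exe "
    "sha1=62ED16701A14CE26314F2436D9532FE606C15407",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b")


def refang(value):
    """Undo the defanging used in the advisory ([.] [:] hxxp) so values match real logs."""
    return (value.replace("[.]", ".").replace("[:]", ":")
                 .replace("hxxps", "https").replace("hxxp", "http"))


def parse_iocs(text):
    """Parse 'Type:value' lines into sets keyed by indicator kind."""
    iocs = {"ip": set(), "domain": set(), "url": set(), "sha1": set()}
    for line in text.splitlines():
        if ":" not in line:
            continue
        kind, _, value = line.partition(":")
        kind = kind.strip().lower().replace("-", "")   # "SHA-1" -> "sha1"
        value = refang(value.strip())
        if kind == "ip":
            iocs["ip"].add(value)
        elif kind == "domain":
            iocs["domain"].add(value.lower())
        elif kind == "url":
            iocs["url"].add(value.lower())           # compared case-insensitively below
        elif kind == "sha1":
            iocs["sha1"].add(value.lower())
    return iocs


def _domain_hit(candidate, domains):
    """Return the listed domain that the candidate equals or is a subdomain of, else None."""
    for d in domains:
        if candidate == d or candidate.endswith("." + d):
            return d
    return None


def scan_line(line, iocs):
    """Return (kind, indicator, confidence) hits for one log line."""
    low = line.lower()
    hits = []
    for ip in IP_RE.findall(low):
        if ip in iocs["ip"]:
            hits.append(("ip", ip, "high"))
    for url in URL_RE.findall(low):
        if url in iocs["url"]:
            hits.append(("url", url, "high"))
    for dom in DOMAIN_RE.findall(low):
        matched = _domain_hit(dom, iocs["domain"])
        if matched:
            confidence = "context" if matched in SHARED_SERVICES else "high"
            hits.append(("domain", matched, confidence))
    for digest in SHA1_RE.findall(low):
        if digest in iocs["sha1"]:
            hits.append(("sha1", digest, "high"))
    return hits


def scan_log(lines, iocs):
    """Map line index -> hits, for lines that produced at least one hit."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for i, hits in scan_log(SAMPLE_LOG, parse_iocs(ADVISORY_IOCS)).items():
        print(i, SAMPLE_LOG[i][:60], hits)
```

Feed it the full indicator list and your own DNS, proxy, firewall and EDR exports; the parent-domain match is what turns a single listed domain into coverage for everything under it, and the `context` tag keeps Telegram API or URL-shortener traffic from an unrelated business process from being escalated as a confirmed compromise.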

Sources:

  • https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
  • https://www.halcyon.ai/ransomware-alerts/iranian-use-of-cybercriminal-tactics-in-destructive-cyber-attacks-2026-updates
  • https://www.dsci.in/files/content/advisory/2026/cyber_threat_advisory-middle_east_conflict.pdf
  • https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters
