The Sophos X-Ops Counter Threat Unit (CTU) has issued a cyber advisory warning of increased cybersecurity risks as the US-Israel-Iran conflict continues and escalates.
Historically, periods of direct military escalation in the Middle East have correlated with increased concern about cyber activity from state-aligned and ideologically motivated threat actors, the organisations warns.
“During heightened tensions, Iran-linked actors have shown a willingness to conduct disruptive and psychologically-oriented operations,” it continues. “Organisations should review detection, incident response, and resiliency measures accordingly.”
So far, the Sophos X-Ops CTU has observed a surge in hacktivist activity, but not an escalation in risk, across Telegram, X and underground forums following the 28 February strikes, primarily from pro-Iran personas including Handala Hack team and APTIran.
Activity has largely consisted of distributed denial-of-service (DDoS) attacks, website defacements, and unverified claims of compromises involving Israeli infrastructure.
Many of the alleged compromises shared via social media remain unverified.
Emerging and reactivated groups, including Cyber Toufan, Cyber Support Front, Iranian Avenger, and Cyb3r Drag0nz, are primarily engaging in unsophisticated tactics, broad and embellished claims, and amplifying retaliatory messaging, while the BaqiyatLock ransomware-as-a-service group has publicly offered free affiliate access to actors targeting Israeli interests.
Rafe Pilling, director of threat intelligence at Sophos X-Ops CTU, comments: “Sophos X-Ops CTU has tracked Iran‑aligned hacktivism for nearly 15 years. While many genuinely pro‑Iranian hacktivist groups exist, their activity typically generates noise with limited real‑world impact; it is the state‑linked personas that warrant closer scrutiny.
“Iran has spent more than a decade refining the use of hacktivist personas as cyber proxies, allowing the state to signal intent, amplify disruption, and maintain plausible deniability,” he adds.
“Reflecting its broader reliance on regional proxy forces, Iran has developed a portfolio of hacktivist and cybercrime personas used to claim, front, and amplify operations conducted by state‑sponsored groups.
“These activities have primarily targeted Israel, but have also affected Gulf states including the UAE, Saudi Arabia and Bahrain, with surges in hacktivist activity consistently aligning with periods of regional escalation but also quite common in between as retaliatory signals of defiance and resolve.”
Pilling cautions organisations with operations in the GCC states to remain vigilant, as hacktivists often conduct actions in support of or in perceived alignment with their cause. “It would not be surprising to see such activity expand to additional countries in the region,” he says.
“Iran has a well-established history of using disruptive cyberattacks as retaliatory signals of defiance and resolve. These operations aim to impose costs and create uncertainty, as Iran rarely announces or openly claims responsibility, instead sometimes hinting at attribution through imagery or messaging used by affiliated front personas.
“We are observing a rise in rhetoric from both established and emerging hacktivist actors, though their historical impact has been limited,” Pilling adds. “While the situation remains fluid, state-sponsored groups may currently be disrupted by leadership instability and a military focus on kinetic operations.
“As these groups reorganise, there is a possibility of more coordinated and effective cyber activity emerging over the coming days.”