The Israel–Iran war has moved at a rapid pace in terms of kinetic warfare.

Also new is the speed with which this conflict expanded beyond traditional warfare into a complex cyber conflict, writes Dr Carl Windsor, chief information security officer at Fortinet.

Both nations — and their proxy or hacktivist groups — are targeting critical infrastructure, finance, healthcare, telecoms, and public trust.

While Israel and Iran have been long-time cyber adversaries, the FortiRecon Dark Web Intelligence team had picked up an increase in chatter before the start of the physical conflict. Within hours of the start of the conflict, there was a major change in activity, which is a clear indicator that preparations for a cyber battle were already underway.

The team observed multiple hacktivist groups affiliated with both countries actively collaborating via Telegram channels and darknet forums to launch coordinated cyberattacks against government and private sector targets in the opposing countries.

These groups were amplifying their campaigns by sharing targets and attack details. On June 21, the team was monitoring chatter between teams related to the downing of an Israeli drone and attacks on energy companies in the wider region, along with more mundane website defacements.

 

(Cyber) Generals Gather in Their Masses

There has been a continuous stream of cyber activity linked to APT groups tied to Iran in recent months. However, over the last few weeks, the FortiGuard Threat Research team has observed several preparatory attacks from both sides of the conflict, indicating that both nations were on alert for what was to come.

When the US bombed Iran on 22 June 2025 targeting three nuclear facilities as part of an operation called Midnight Hammer, the strikes aimed to significantly disrupt Iran’s nuclear program. This is when a significant uptick in activity began.

 

I See Bad Times Today… Hope You Got Your Things Together

In this article, we will examine some of the tactics we have observed in the lead-up to and during this conflict thus far. It is important to be aware of this activity, as regardless of the direction from which an attack took place, we can expect the other side to employ similar techniques in response.

We also highlight the threats that all organisations, regardless of location, need to consider during times of heightened concern, including what you can do to better protect your organisation.

 

Trading Cyber Blows

In times of conflict, threat actors aligned with opposing sides often trade cyber blows in digital retaliation. FortiGuard Threat Intelligence has identified several groups that have been particularly active during this period, primarily conducting website defacements and distributed denial-of-service (DDoS) attacks as part of ongoing cyber hostilities.

These groups include those that are pro-Israel (Anonymous Italia, BlackWolves, Team-Network-Nine and Keymous+) and those that are pro-Iran (MadCap, Z-BLACK-H4t, Moroccan Cyber Forces, Al Ahad, Arabian Ghosts, Fedayeen, Cyber Islamic Resistance, Islamic Hacker Army and MTB).

 

Destructive Attacks on Financial Institutions

An anti-Iranian group, known as Predatory Sparrow, claimed a successful attack on Nobitex, one of Iran’s largest cryptocurrency exchanges, that wiped out $90-million in cryptocurrency and disabled online banking and ATMs.

This came after the same group claimed to have destroyed data at Iran’s state-owned Bank Sepah, amid the increasing hostilities earlier in the week.

These kinds of crippling financial attacks demonstrate a shift in tactics aimed at harming both public infrastructure and confidence.

 

Infrastructure Sabotage and Industrial Warfare

Iranian cyber groups such as CyberAv3ngers, suspected to be linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), and affiliated groups such as MuddyWater, tied to Iran’s Ministry of Intelligence and Security (MOIS), have long targeted water, energy, and industrial control systems in the US, Israel, and beyond.

CyberAv3ngers claimed in a social media post on October 30, 2024, to have hacked 10 water treatment stations in Israel by attacking misconfigured Unitronics devices (exposed to the internet and still using default passwords).

However, it has not been publicly disclosed whether any equipment was impacted.

Pro-Palestine ransomware group Handala (named after a character created by Palestinian newspaper cartoonist Naji al-Ali, representative of the Palestinian resistance) has targeted numerous victims from Israel, including petroleum conglomerate the Delek Group and its Delkol subsidiary, Argentinian drone maker AeroDreams, Israeli construction firm Y.G. New Idan, and ISP 099 Primo Telecommunications.

In the past, the group has been observed to attack Israeli organisations with destructive wiper malware. However, in the cases of AeroDreams, Y.G. New Idan, and Delkol, the objective appeared to be disruptive data leaking.

Threat actors stated to Delkol: “Your fuel systems are exposed. And so are your secrets. Over two terabytes of classified data are no longer in your hands. Your fuel stations are vulnerable. If you’re smart, you’ll act now. Fuel up immediately, before you’re left with nothing but empty roads and silent jets.”

Infrastructure attacks against Iran have also been documented on numerous occasions. Notable examples include the 2021 cyberattack on the Iranian railway system, attributed to the previously unknown Meteor wiper deployed by an unidentified threat actor. Earlier incidents include the sabotage of centrifuges at the Natanz nuclear facility and the widely known Stuxnet attack, which marked a significant milestone in the history of cyber warfare.

These operations carry tangible, real-world consequences. Disruptions to pumping systems and damage to physical facilities risk escalating from digital intrusions to full-scale critical infrastructure failures, posing threats to both safety and stability.

The shift in Handala’s tactics suggests a broader intent: beyond immediate disruption, the psychological impact on the population and the financial fallout from leaked data may also be key objectives, diverging from the purely destructive goals typically associated with wiper malware.

 

Human-Based Methods

Iranian APTs, including MuddyWater, APT33, APT34/OilRig and Rocket Kitten, continue to target a range of government and private organisations across sectors, including telecommunications, local government, defense, and oil and natural gas organisations in the Middle East, Asia, Africa, Europe, and North America.

These APTs target diplomats, defense officials, and academics in Israel and allied nations. Fortinet has observed highly targeted spear-phishing emails carrying phishing links and PDF, RTF, and HTML attachments that in turn link to archives hosted on various file-sharing platforms, as well as the use of spoofed companies and even deepfakes.

These techniques are used to obtain initial access to networks for onward attacks.
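As an added example (not code from the article or from Fortinet), the following is a defender-side triage rule that scores mail-gateway events for the pattern just described: an external sender, a PDF/RTF/HTML attachment, a link to an archive on a file-sharing platform, a display name that spoofs a known company, and a recipient in one of the targeted roles. The event format, the internal domain `example.org`, the file-sharing host list, the partner-brand mapping and the scoring weights are all assumptions, and the sample events are constructed.

```python
"""Triage inbound mail events for the spear-phishing pattern described above.

Assumed (not from the article): a JSON-lines export from a mail gateway whose
content inspection has already extracted the URLs embedded in attachments,
an internal domain of example.org, a short list of file-sharing hosts, and a
mapping of partner display names to the domains they legitimately send from.
"""
import json
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.org"                        # assumption
RISKY_ATTACHMENTS = {"pdf", "rtf", "html", "htm"}     # attachment types named in the article
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "iso"}       # archive types commonly hosted on sharing sites
FILE_SHARING_HOSTS = {"dropbox.com", "mega.nz", "wetransfer.com", "onedrive.live.com"}  # example list
KNOWN_BRANDS = {"ACME Defense Ltd": "acme-defense.example"}   # assumed partner list
TARGETED_GROUPS = {"diplomat", "defense", "academic"}  # roles the article says are targeted

# Constructed sample events (JSON lines); not real traffic.
SAMPLE_LOG = """
{"id": "m1", "from": "alice@example.org", "display": "Alice", "to_group": "staff", "attachments": ["agenda.pdf"], "urls": []}
{"id": "m2", "from": "hr@acme-defense.example", "display": "ACME Defense Ltd", "to_group": "defense", "attachments": ["brief.pdf"], "urls": ["https://acme-defense.example/brief"]}
{"id": "m3", "from": "contact@acme-defence-mail.example", "display": "ACME Defense Ltd", "to_group": "diplomat", "attachments": ["invite.html"], "urls": ["https://www.dropbox.com/s/abc/invite.zip"]}
{"id": "m4", "from": "newsletter@vendor.example", "display": "Vendor News", "to_group": "staff", "attachments": [], "urls": ["https://vendor.example/news"]}
"""


def parse_log(text):
    """Parse JSON-lines mail events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def host_matches(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def score_event(event):
    """Return (score, reasons) for one mail event; higher means more suspicious."""
    score, reasons = 0, []
    domain = sender_domain(event["from"])
    if domain != INTERNAL_DOMAIN:
        score += 1
        reasons.append("external sender")
    for att in event.get("attachments", []):
        if extension(att) in RISKY_ATTACHMENTS:
            score += 1
            reasons.append(f"risky attachment type: {att}")
    for url in event.get("urls", []):
        parsed = urlparse(url)
        if host_matches(parsed.hostname, FILE_SHARING_HOSTS):
            score += 2
            reasons.append(f"link to file-sharing host: {parsed.hostname}")
            if extension(parsed.path) in ARCHIVE_EXTENSIONS:
                score += 1
                reasons.append("linked file is an archive")
    # A trusted company name arriving from a domain it does not use is the "spoofed company" signal.
    expected = KNOWN_BRANDS.get(event.get("display", ""))
    if expected and domain != expected:
        score += 3
        reasons.append(f"display name spoofs {event['display']}")
    if event.get("to_group") in TARGETED_GROUPS:
        score += 1
        reasons.append(f"recipient in targeted group: {event['to_group']}")
    return score, reasons


def triage(events, threshold=4):
    """Return the ids of events at or above the threshold, highest score first."""
    scored = [(score_event(e)[0], e["id"]) for e in events]
    return [event_id for s, event_id in sorted(scored, reverse=True) if s >= threshold]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        s, why = score_event(ev)
        print(f"{ev['id']}: score={s} {'FLAG' if s >= 4 else 'ok'} {why}")
```

The weights are deliberately additive so that a single signal (an external PDF, say) never trips the rule on its own; only the combination the article describes crosses the threshold, which keeps the alert volume manageable on a busy gateway.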

 

Collateral Damage and Risks to Global Systems

US, European, and regional organisations, particularly those connected via Israeli supply chains, face potential collateral damage from misdirected or opportunistic attacks.

On 22 June 2025, the threat actors associated with the “Cyber Fattah” movement, coordinating via their official Telegram channel, leaked thousands of records containing information about visitors and athletes from past Saudi Games, one of the major sports events in the kingdom, and re-posted them on the English-language cybercrime forum DarkForums.

Another Iran-aligned hacking group, 313 Team, claimed responsibility for taking the Trump family’s Truth Social social media platform offline with a DDoS attack.

Prior to the war, Fortinet’s FortiGuard Incident Response team identified intrusions into critical national infrastructure belonging to a Middle Eastern country perpetrated by Iranian actors. It is expected that such attacks will continue, even after cessation of fighting, particularly those targeted at countries which may be perceived as having been directly involved in the war (Israel, US).

Multiple organisations, including the IT-ISAC and Food and Ag-ISAC, have issued warnings urging US organisations to prepare for retaliatory actions originating from Iran. These concerns center on the growing risk of destructive malware deployment and supply chain compromise, as Iranian cyber operations extend beyond the initial conflict zones.

The evolving threat landscape suggests this conflict is poised to spill far beyond traditional geopolitical boundaries.

 

Disinformation and Psychological Warfare

Disinformation is nothing new in politics and warfare, from Octavian’s trolling of Mark Antony by calling him out as a drunk and womaniser on coins in 44 BC to Lord Haw-Haw broadcasting Nazi propaganda to the British from Germany in World War II.

Cyber operations and the use of digital propaganda now go hand in hand — false missile alerts, manipulated content, and the leaking of sensitive information to intimidate civilians and shape public perception. AI is making this even harder to identify, but that isn’t always successful, as these attempts at creating images of a downed American B-2 plane show.

From issues with scale, the lack of crash marks, and the fact that the images show an intact plane after apparently being shot out of the sky, such efforts are easy for most to identify, but not for everyone. As AI imaging and video generation tools continue to automate and improve, it will become increasingly difficult to distinguish between AI-generated content and reality. We are already there with voice after all.

 

Civilian IoT and Surveillance System Exploitation

Movies and TV shows, such as Enemy of the State and The Blacklist, have long depicted the (mis)use of cameras to track people’s movements.

It is believed that both Iran and Hamas have been using this technique for several years, according to Gaby Portnoy of the Israel National Cyber Directorate.

But the reality is not as highly technical as is portrayed. It is primarily happening because people are not changing the default passwords set on their devices, leaving them open to hijacking and abuse.

Such attacks highlight the dangers of unsecured IoT devices becoming backdoors, providing reconnaissance intelligence into civilian environments.

 

Digital Censorship and Information Blackouts

Control of information flow during a war is vital, and one way to make sure the enemy is not using information against you is to cut off the flow. Iran imposed a near-total internet blackout mid-June (up to 97% usage drop) in response to strikes, triggering massive spikes in VPN usage (95% increase) by citizens seeking access to uncensored information.

This is not just limited to countries at war, as can be seen from the data posted by NetBlocks. Such information blackouts are also used for other purposes, such as suppressing strikes and union protests.

Regimes use such disruptions to isolate populations. However, such actions can also impede both civilian and military communications.

 

How to Prepare for a Cyber Conflict

The Israel–Iran war exemplifies how digital warfare is now inseparable from kinetic conflict. It targets not only military systems but also civilian, corporate, and cross-border networks, thereby amplifying risks worldwide.

Defenders need a new approach, one that considers the impact a once-distant conflict can now have on our own doorstep — this is no longer just an issue in the Middle East, as today’s cyber battlefield has no borders.

  • Geopolitical situational awareness: Understand who’s targeting whom, with what tools, and why. Stay on top of what is happening through your industry’s Information Sharing and Analysis Centers (ISAC) or by subscribing to the Dark Web Intelligence Service from FortiRecon Adversary Centric Intelligence (ACI).
  • Prioritise cybersecurity training: With proper training, your staff can better protect your organisation and become the first line of defense against cyberthreats. Create a cyber-aware workforce with low-cost or no-cost training. Check out Fortinet’s NSE training, which is available free of charge. You can also augment training with real-life phishing simulations to assess and improve your organisation’s readiness.
  • Enable multi-factor authentication (MFA): Even if a username or password is compromised, whether accidentally or intentionally, that user’s overall security is still maintained because actors cannot gain access to the second factor, such as tokens or biometric data, that is also required to gain access.
  • Set up automated patching and updating: Despite years of guidance, this remains one of the top threats to network security and integrity. Regularly patching vulnerabilities is a fundamental measure to prevent exploitation by cybercriminals. It is imperative that you keep all software, operating systems, and applications up to date with the latest security patches. Start by establishing a patch-management process to streamline updates and ensure timely implementation. Look to leverage AI and other systems to automate tedious patching tasks. While many legacy systems cannot be patched due to their continuous operation of critical processes, they can be shielded from vulnerabilities using compensating controls, such as targeted IPS signatures, to protect them from exploits. With Fortinet’s OT Security Platform, you can perform such virtual patching using its integrated management system.
  • Manage passwords: Use password management tools and MFA to ensure passwords meet essential guidelines. These forms of security hardening will prevent compromised passwords from leading to compromised systems. Services that monitor online forums on the dark web that sell stolen credentials can also help ensure passwords are updated before they are exploited. Additionally, ensure that IoT devices, such as cameras, are patched and that default passwords are changed.
  • Understand and reduce your attack surface: The first step to reducing your attack surface is to understand what you’ve got. Start by performing systems audits to find out what applications, hardware, and IoT devices are in your internal environment, and do not forget to look outside your organisation. And it’s always helpful to get an outsider’s POV on your network to assist with auditing your systems, identifying what’s there, and determining who has access to what. For example, a Continuous Threat Exposure Management (CTEM) service can provide an outside-the-network view of the risks posed to your organisation.
  • Build defense in depth: Assume compromise will happen and build security resilience and rapid detection capability at every level. Segment your network to ensure that the impact of a breach is limited in scope, aiding in the rapid recovery of your network while maintaining business resiliency. Threat actors can often remain undetected in a network for months. Network detection and response in FortiNDR, deception techniques provided by FortiDeceptor, and rich analytics from FortiAnalyzer can speed up and simplify the detection and remediation of threats. These and similar solutions can reduce the mean time to detection from many days to a few minutes. Log all activity to a centralised SIEM solution and build an automated detection capability.
  • Back up your data: Implement a robust data backup and recovery strategy to ensure data integrity and security. Regularly back up critical data and ensure that backups are stored in secure, isolated environments off-network. Just as important is to test the recovery of your data to ensure that, in the event of a ransomware attack or data loss, your organisation can quickly recover essential information.
  • Develop and test an incident response plan: Create a comprehensive incident response plan and related playbooks that outline the steps to take in the event of a cybersecurity incident. However, a plan sitting in a drawer is of little value. You also need to regularly test and update your plans to ensure their effectiveness. This includes conducting simulated exercises, such as tabletop drills, to enable your key stakeholders to practice and refine their responses to various types of cyberthreats.
  • Build trust and partnerships: CISOs and IT teams must recognise that cybersecurity is a shared responsibility, and no single organisation has all the answers. One of the most critical components of a strong security posture is building global partnerships and actively sharing threat intelligence. This includes engaging with trusted vendors and participating in sector-specific Information Sharing and Analysis Centers (ISACs).
  • Report incidents promptly: Timely reporting is essential. Organisations should immediately notify their designated Computer Emergency Response Team (CERT) and local law enforcement in the event of a cyber incident.
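As an added example (not code from the article or from Fortinet), here is a small inventory audit that turns several of the checklist items above, together with the earlier point about cameras left on default passwords, into automated checks: default credentials (worst when the device is internet-exposed), internet-reachable logins without MFA, unpatchable legacy OT that has no compensating control in front of it, patches past their SLA, and server backups whose restore has not been tested. It goes beyond any single item in the list by scoring all of them in one pass and ordering the findings by severity. The asset fields, the 30-day patch SLA, the 90-day restore-test SLA and the meaning of "compensating control" are assumptions, and the inventory is constructed.

```python
"""Audit a constructed asset inventory against the controls in the checklist above.

Assumed (not from the article): the Asset fields below, a 30-day patch SLA, a
90-day backup restore-test SLA, and that compensating_control means an IPS
virtual-patching policy sits in front of a device that cannot itself be patched.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PATCH_SLA_DAYS = 30        # assumed policy
BACKUP_TEST_SLA_DAYS = 90  # assumed policy
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Asset:
    name: str
    kind: str                         # "server", "camera", "plc", ...
    internet_exposed: bool
    default_password: bool            # still on the vendor default credential
    mfa_enforced: Optional[bool]      # None where there is no interactive login
    last_patched: Optional[date]      # None = cannot be patched (legacy OT)
    compensating_control: bool        # shielded by IPS virtual patching
    last_backup_test: Optional[date]  # None = restore never tested


@dataclass
class Finding:
    severity: str
    asset: str
    code: str
    detail: str


def audit(assets: List[Asset], today: date) -> List[Finding]:
    """Return findings ordered critical -> high -> medium, then by asset name."""
    findings = []
    for a in assets:
        if a.default_password:
            # A default credential on an internet-facing device is the camera-hijack scenario.
            sev = "critical" if a.internet_exposed else "high"
            findings.append(Finding(sev, a.name, "DEFAULT_PASSWORD", "vendor default credential in use"))
        if a.mfa_enforced is False and a.internet_exposed:
            findings.append(Finding("high", a.name, "NO_MFA_REMOTE", "internet-reachable login without MFA"))
        if a.last_patched is None:
            if not a.compensating_control:
                findings.append(Finding("high", a.name, "UNPATCHABLE_UNSHIELDED",
                                        "unpatchable device with no virtual patching"))
        elif (today - a.last_patched).days > PATCH_SLA_DAYS:
            findings.append(Finding("medium", a.name, "PATCH_OVERDUE",
                                    f"last patched {(today - a.last_patched).days} days ago"))
        if a.kind == "server":
            untested = a.last_backup_test is None or (today - a.last_backup_test).days > BACKUP_TEST_SLA_DAYS
            if untested:
                findings.append(Finding("high", a.name, "BACKUP_UNTESTED", "backup restore not tested within SLA"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.asset, f.code))


TODAY = date(2025, 6, 30)  # fixed so the report is reproducible

# Constructed inventory; not real hosts.
SAMPLE_ASSETS = [
    Asset("lobby-cam-01", "camera", True, True, None, date(2024, 1, 15), False, None),
    Asset("vpn-gw", "server", True, False, False, date(2025, 6, 20), False, date(2025, 5, 1)),
    Asset("plc-pump-3", "plc", False, False, None, None, True, None),   # unpatchable but shielded
    Asset("plc-pump-4", "plc", False, False, None, None, False, None),  # unpatchable and exposed to exploits
    Asset("file-srv", "server", False, False, True, date(2025, 4, 1), False, None),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSETS, TODAY):
        print(f"[{f.severity:8}] {f.asset:14} {f.code:24} {f.detail}")
```

Run as-is it prints the constructed inventory's findings with the exposed default-password camera at the top; in practice the `SAMPLE_ASSETS` list would be replaced by an export from a CMDB or discovery tool, and the two SLA constants by the organisation's own policy values.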