The U.S. has become a target in the hacktivist attacks that have embroiled several Middle Eastern countries since the start of the Israel-Iran conflict.
Several hacktivist groups have claimed DDoS attacks against U.S. targets in the wake of U.S. airstrikes on Iranian nuclear sites on June 21.
The attacks, most notably from the hacktivist groups Mr Hamza, Team 313, Cyber Jihad, and Keymous+, targeted U.S. Air Force domains, major U.S. aerospace and defense companies, and several banks and financial services companies.
The cyberattacks follow a broader campaign against Israeli targets that began after Israel launched attacks on Iranian nuclear and military targets on June 13. Israel and Iran have exchanged missile and drone strikes since the conflict began, and Iran also launched missiles at a U.S. military base in Qatar on June 23.
The accompanying cyber warfare has included DDoS attacks, data and credential leaks, website defacements, unauthorized access, and significant breaches of Iranian banking and cryptocurrency targets by Israel-linked Predatory Sparrow. Electronic interference with commercial ship navigation systems has also been reported in the Strait of Hormuz and the Persian Gulf.
The U.S. entry into the conflict has drawn retaliation from hacktivist groups, with attack claims ranging from credible to questionable. In the wake of the U.S. involvement, the Department of Homeland Security (DHS) warned on June 22 that “Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks.”
Hacktivists and Iranian government-affiliated actors “routinely target poorly secured US networks and Internet-connected devices for disruptive cyber attacks,” DHS warned.
DHS also warned of the potential for violent reprisals, particularly “if Iranian leadership issued a religious ruling calling for retaliatory violence against targets in the Homeland.”
Cyble dark web researchers have observed several hacktivist groups aligned with Iran claiming DDoS attacks against U.S. targets since the June 21 bombings.
Mr Hamza claimed that it targeted several domains of the U.S. Air Force and U.S. aerospace and defense companies, using the hashtag #Op_Usa, and supported those claims with check-host.net reports indicating that the websites in question were unreachable over a 10-hour period on June 22 (screenshot below).
Keymous+ claimed to have targeted several U.S. financial entities and published check-host.net links showcasing website disruption over a one-hour period on June 22.
Team 313 claimed to have targeted Truth Social, the social media platform of U.S. President Donald Trump, but the group did not offer sufficient proof to deem the claim credible.
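The check-host.net reports cited for the Mr Hamza and Keymous+ claims are the kind of evidence that separates a credible DDoS claim from an unsupported one like the Truth Social claim, but such a report only carries weight when most vantage points in several countries fail at the same time, and a claimed multi-hour outage needs a series of reports rather than a single snapshot. The script below is an added illustration of that triage logic, not Cyble's tooling and not something the groups published. The result shape it reads (node name mapped to a list of `[success, seconds, message, http_status, ip]`, with `None` for a node that has not reported) follows check-host.net's HTTP check-result format as this editor understands it and should be treated as an assumption; every node result, timestamp and target address in it is constructed.

```python
"""Triage of check-host.net-style availability evidence (added example).

A hacktivist's check-host.net link is a point-in-time view from a set of
public vantage points. Two things distinguish a real volumetric outage
from weaker explanations: (1) nearly every answering node, spread across
several countries, fails at once, and (2) the pattern persists across
snapshots for the claimed duration. A handful of failing nodes clustered
in a couple of countries is equally well explained by the target
geo-blocking those regions, which is common during such campaigns.
"""

# Constructed snapshot of an HTTP check; target IP is a documentation
# address. None = the node had not reported when the snapshot was taken.
OUTAGE_SNAPSHOT = {
    "us1.node.check-host.net": [[0, 5.01, "Connection timed out", None, "203.0.113.10"]],
    "us2.node.check-host.net": [[0, 5.02, "Connection timed out", None, "203.0.113.10"]],
    "de1.node.check-host.net": [[0, 4.99, "Connection timed out", None, "203.0.113.10"]],
    "fr1.node.check-host.net": [[1, 0.41, "OK", "200", "203.0.113.10"]],
    "ru1.node.check-host.net": [[0, 5.00, "Connection timed out", None, "203.0.113.10"]],
    "br1.node.check-host.net": None,
    "ir1.node.check-host.net": [[0, 0.02, "Connection refused", None, "203.0.113.10"]],
}

# Constructed counter-example: only the Iranian and Russian vantage points
# fail while everything else answers, i.e. what a geo-block looks like.
GEOBLOCK_SNAPSHOT = {
    "us1.node.check-host.net": [[1, 0.12, "OK", "200", "203.0.113.10"]],
    "de1.node.check-host.net": [[1, 0.09, "OK", "200", "203.0.113.10"]],
    "fr1.node.check-host.net": [[1, 0.10, "OK", "200", "203.0.113.10"]],
    "br1.node.check-host.net": [[1, 0.30, "OK", "200", "203.0.113.10"]],
    "ru1.node.check-host.net": [[0, 0.02, "Connection refused", None, "203.0.113.10"]],
    "ir1.node.check-host.net": [[0, 0.02, "Connection refused", None, "203.0.113.10"]],
}


def country_of(node):
    """check-host node names lead with a two-letter country code ("us1...")."""
    return node[:2]


def tally(snapshot):
    """Split nodes into reachable / failed / pending lists."""
    ok, failed, pending = [], [], []
    for node, checks in snapshot.items():
        if not checks:
            pending.append(node)
        elif checks[0][0] == 1:      # first element of the first probe: 1 = success
            ok.append(node)
        else:
            failed.append(node)
    return ok, failed, pending


def assess(snapshot, min_answered=5, min_fail_ratio=0.8, min_fail_countries=3):
    """Verdict for one snapshot.

    consistent_with_outage: almost all answering nodes, from several
        countries, failed; what a volumetric DDoS looks like from outside.
    partial_or_geoblocked: a minority of nodes failed, so region blocking
        or a single bad vantage point explains it just as well.
    reachable: the target answered from everywhere.
    insufficient_nodes: too few answers to conclude anything.
    Thresholds are illustrative, not calibrated values.
    """
    ok, failed, _pending = tally(snapshot)
    answered = len(ok) + len(failed)
    if answered < min_answered:
        return "insufficient_nodes"
    if not failed:
        return "reachable"
    fail_ratio = len(failed) / answered
    fail_countries = {country_of(n) for n in failed}
    if fail_ratio >= min_fail_ratio and len(fail_countries) >= min_fail_countries:
        return "consistent_with_outage"
    return "partial_or_geoblocked"


def sustained(snapshots, min_seconds):
    """True if a series of (unix_time, snapshot) pairs all read as an outage
    and the series spans at least min_seconds. One report proves a moment;
    a claimed 10-hour outage needs a series of them."""
    if len(snapshots) < 2:
        return False
    times = [t for t, _ in snapshots]
    all_down = all(assess(s) == "consistent_with_outage" for _, s in snapshots)
    return all_down and (max(times) - min(times)) >= min_seconds


if __name__ == "__main__":
    print("single snapshot:", assess(OUTAGE_SNAPSHOT))           # consistent_with_outage
    print("geoblock pattern:", assess(GEOBLOCK_SNAPSHOT))         # partial_or_geoblocked
    series = [(0, OUTAGE_SNAPSHOT), (5 * 3600, OUTAGE_SNAPSHOT), (10 * 3600, OUTAGE_SNAPSHOT)]
    print("10h claim supported:", sustained(series, 8 * 3600))    # True
```

In practice the series comes from re-running the check yourself rather than trusting the links a group posts, and the baseline matters: a site that was already slow or blocking foreign traffic before the claimed attack will produce the same report with no DDoS at all.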
Cyber Jihad Movement announced that it would begin cyberattacks against U.S. entities, using the hashtag #OpUSA (image below).
In all, Cyble observed attack claims by Iran-aligned hacktivist groups against 15 U.S. organizations and 19 websites.
So far, the volume of hacktivist attacks aimed at U.S. targets has been small compared to the large number of attacks and threat groups that have been active in the Middle East.
Of 88 hacktivist groups observed by Cyble to be active in the Middle East region since hostilities began on June 13, 81 are considered to be aligned with Iran (image below).
Of the scores of active groups and cyberattacks documented by Cyble researchers, Handala appears to have been one of the more effective attackers, with 15 claims of ransomware/extortion incidents, and data samples offered as evidence in most of those alleged attacks. All of the group’s victims have been based in Israel.
Another recent noteworthy claim was made by a threat actor (TA) on the cybercrime forum Darkforums. The TA offered SSH access and VPN credentials for three user accounts on what it claimed was the VPN portal of the Israel Defense Forces (IDF), at a price of 2 BTC. The TA also offered to provide a port knocking script and claimed that one of the affected accounts had sudo privileges.
Russia-linked groups have been mainly absent from the cyber conflict, with two notable exceptions: Z-Pentest claimed to have compromised an industrial control system (ICS) at an Israeli energy and utilities target, and NoName057(16) claimed a DDoS attack on an Israeli transportation organization.
Hashtags used in the hacktivist campaigns have included:
Other targets in the cyber campaigns have included Jordan, Egypt, the UAE, and Saudi Arabia, apparently because Iran-aligned groups regard those countries as too neutral.
The widening conflict in the Middle East means that organizations in a growing number of countries may be targets of hacktivists.
Organizations that could be targeted by hacktivists are advised to invest in DDoS protection and to guard against data breaches, website defacements, and, increasingly, ransomware and critical infrastructure attacks. That means hardening and segmenting critical and web-exposed assets; a risk-based vulnerability management program; Zero-Trust access principles; ransomware-resistant backups; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.
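DDoS protection in the recommendations above starts with being able to see a flood in your own telemetry. The script below is an added example, not Cyble's product or any tooling the page describes: it parses web-server access logs in the common "combined" format, buckets requests into fixed windows, and raises two kinds of alert, a single source far above baseline and an aggregate rate far above baseline with no single source standing out. The second case is the one that matters for the campaigns described here, because a distributed flood from many proxies or bots never trips a per-IP limit. The log lines, addresses, windows and thresholds are all constructed for the example; real thresholds come from the site's own historical baseline.

```python
"""Rate-based flood triage over web-server access logs (added example).

Two detectors over fixed time windows:
  per_source  - one client far above a per-IP ceiling (single flooding host)
  aggregate   - total rate far above baseline while every individual
                source stays under the per-IP ceiling, i.e. a distributed
                flood that per-IP rate limiting alone would never catch.
All log lines below are constructed; IPs are documentation ranges.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# nginx/Apache "combined" format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def window_counts(lines, window_s=10):
    """Map window start (epoch seconds) -> Counter(ip -> requests in window)."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None:          # skip truncated or foreign lines instead of crashing
            continue
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - epoch % window_s][rec["ip"]] += 1
    return buckets


def alerts(lines, window_s=10, per_ip_max=50, aggregate_max=200):
    """Return [(window_start, kind, detail)] in time order.

    per_ip_max and aggregate_max are illustrative ceilings; in production
    they are derived from the site's own traffic history (e.g. a high
    percentile of normal per-window counts), not fixed constants.
    """
    out = []
    for start, ctr in sorted(window_counts(lines, window_s).items()):
        for ip, n in ctr.items():
            if n > per_ip_max:
                out.append((start, "per_source", f"{ip} {n} req/{window_s}s"))
        total = sum(ctr.values())
        # Aggregate alert only when no single source already explains it.
        if total > aggregate_max and max(ctr.values()) <= per_ip_max:
            out.append((start, "aggregate", f"{total} req/{window_s}s from {len(ctr)} sources"))
    return out


def make_line(ip, ts, path="/", status=200):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Three consecutive 10-second windows (timestamps are constructed):
T0 = "22/Jun/2025:10:00:00 +0000"   # normal traffic from a few clients
T1 = "22/Jun/2025:10:00:10 +0000"   # one host hammering /login
T2 = "22/Jun/2025:10:00:20 +0000"   # hundreds of hosts, one request each

SAMPLE_LOG = (
    [make_line(f"198.51.100.{i % 5 + 1}", T0, f"/page{i}") for i in range(20)]
    + [make_line("203.0.113.7", T1, "/login") for _ in range(120)]
    + [make_line(f"192.0.2.{i}", T2) for i in range(1, 255)]
    + [make_line(f"198.51.100.{i}", T2) for i in range(1, 100)]
)

if __name__ == "__main__":
    for start, kind, detail in alerts(SAMPLE_LOG):
        print(datetime.utcfromtimestamp(start).strftime("%H:%M:%S"), kind, detail)
```

The per-source alert is what a simple rate limiter would also catch; the aggregate alert is the case that needs upstream scrubbing or anycast capacity, because blocking any one of the 353 sources changes nothing. Status codes are parsed but not used here; extending the aggregate check to the share of 5xx responses per window is the natural next step, since it distinguishes a flood that is actually degrading service from a crawler burst the site absorbs.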
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures, prioritizing fixes, and monitoring for leaked credentials and other early warning signs of major cyberattacks.
Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No liability for errors or omissions: due to the dynamic nature of cyber threat activity, this blog may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.