By Dr. Carl Windsor, Fortinet Chief Information Security Officer (CISO)
The Israel–Iran war has moved at a rapid pace in terms of kinetic warfare. What is also a new development is the speed at which this conflict rapidly expanded beyond traditional warfare, evolving into a complex cyber conflict. Both nations—and their proxy or hacktivist groups—are targeting critical infrastructure, finance, healthcare, telecoms, and public trust.
While Israel and Iran have been long-time cyber adversaries, the FortiRecon Dark Web Intelligence team had picked up an increase in chatter before the start of the physical conflict. The team observed multiple hacktivist groups affiliated with both countries actively collaborating via Telegram channels and darknet forums to launch coordinated cyberattacks against government and private sector targets in the opposing countries.
Trading Cyber Blows
The FortiGuard Threat Research team has observed several preparatory attacks from both sides of the conflict. When the United States bombed Iran on June 22, 2025, targeting three nuclear facilities as part of an operation called Midnight Hammer, the strikes aimed to significantly disrupt Iran’s nuclear program. This is when a significant uptick in activity began.
FortiGuard Threat Intelligence has identified several groups that have been particularly active during this period, primarily conducting website defacements and distributed denial-of-service (DDoS) attacks as part of ongoing cyber hostilities. These groups include:
| Pro Israel | Pro Iran |
| --- | --- |
| Anonymous Italia BlackWolves | تیم سایبری Team-Network-Nine Keymous + |
| MadCap Z-BL4CX-H4T Moroccan Cyber Forces Al Ahad | ٱلْ أَحَد Arabian Ghosts Fedayeen Cyber Islamic Resistance Islamic Hacker Army MTB |
Destructive Attacks on Financial Institutions
An anti-Iranian group, known as Predatory Sparrow, claimed a successful attack on Nobitex, one of Iran’s largest cryptocurrency exchanges, that wiped out $90 million in cryptocurrency and disabled online banking and ATMs. This came after the same group claimed to have destroyed data at Iran’s state-owned Bank Sepah.
Infrastructure Sabotage and Industrial Warfare
Iranian cyber groups like CyberAv3ngers, together with affiliated groups such as MuddyWater, which is linked to Iran’s Ministry of Intelligence and Security (MOIS), have long targeted water, energy, and industrial control systems in the U.S., Israel, and beyond. CyberAv3ngers claimed in a social media post on October 30, 2024, to have hacked ten water treatment stations in Israel through an attack on misconfigured Unitronics devices.
Figure 1: The control panel for a pump used by the Aliquippa Municipal Water Authority (photo via Aliquippa Water Authority, November 2023)
Pro-Palestine ransomware group Handala has targeted numerous victims from Israel, including petroleum conglomerate the Delek Group and its Delkol subsidiary, Argentinian drone maker AeroDreams, Israeli construction firm Y.G. New Idan, and ISP 099 Primo Telecommunications.
In the past, the group has been observed to attack Israeli organizations with destructive wiper malware. However, in the cases of AeroDreams, Y.G. New Idan, and Delkol, the objective appeared to be disruptive data leaking. Threat actors stated to Delkol:
“Your fuel systems are exposed. and so are your secrets
Over two terabytes of classified data are no longer in your hands. Your fuel stations are vulnerable. If you’re smart, you’ll act now. Fuel up immediately, before you’re left with nothing but empty roads and silent jets.”
Human-Based Methods
Iranian APTs, including MuddyWater, APT33, APT34/OilRig, and Rocket Kitten, continue to target a range of government and private organizations. Fortinet has observed highly targeted spear-phishing emails carrying phishing links and PDF, RTF, and HTML attachments that contain links to archives hosted on various file-sharing platforms, as well as the use of spoofed companies and even deepfakes.
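As an added example of detection logic for the attachment pattern just described (this is not Fortinet code or code from the post), the following Python check inspects only the PDF/RTF/HTML attachments of a message for links to file-sharing hosts; the host watch-list and the sample message are constructed for illustration.

```python
# Added example (not Fortinet code): flag e-mails whose PDF/RTF/HTML attachments
# carry links to file-sharing hosts, the spear-phishing pattern described above.
import re
from email import message_from_string

# Constructed watch-list of file-sharing hosts; tune it for your environment.
FILE_SHARING_HOSTS = {"dropbox.com", "mega.nz", "wetransfer.com", "drive.google.com"}
# Attachment types the text names as carriers of the links.
RISKY_TYPES = {"application/pdf", "application/rtf", "text/rtf", "text/html"}
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")

def is_watched(host: str) -> bool:
    """True if host is a watched file-sharing domain or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)

def suspicious_attachments(raw: str) -> list[tuple[str, str]]:
    """Return (filename, host) pairs for risky-type attachments that link to a
    watched host. Only attachment parts are inspected, not the message body."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.get_content_disposition() != "attachment":
            continue
        if part.get_content_type() not in RISKY_TYPES:
            continue
        payload = part.get_payload(decode=True) or b""
        hosts = {m.group(1).decode("ascii", "ignore").lower()
                 for m in URL_RE.finditer(payload)}
        for host in sorted(hosts):
            if is_watched(host):
                hits.append((part.get_filename() or "<unnamed>", host))
    return hits

# Constructed sample message, not a real capture.
SAMPLE = """From: hr@spoofed-example.test
To: victim@example.test
Subject: Updated contract
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; name="contract.html"
Content-Disposition: attachment; filename="contract.html"

<a href="https://www.dropbox.com/s/abc123/contract.zip">Download</a>
--B--
"""

if __name__ == "__main__":
    print(suspicious_attachments(SAMPLE))  # [('contract.html', 'www.dropbox.com')]
```

Feeding mail-gateway captures through `suspicious_attachments` gives a cheap triage signal; inline links in the body and archive contents need separate checks.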
Collateral Damage and Risks to Global Systems
U.S., European, and regional organizations, particularly those connected via Israeli supply chains, face potential collateral damage from misdirected or opportunistic attacks.
On June 22, 2025, the threat actors associated with the “Cyber Fattah” movement, coordinating via their official Telegram channel, leaked thousands of records containing information about visitors and athletes from past Saudi Games, one of the major sports events in the Kingdom, and re-posted them on the English-language cybercrime forum DarkForums.
Figure 2: Saudi Games leak as posted on the Cyber Fattah official Telegram channel
Another Iran-aligned hacking group, 313 Team, claimed responsibility for taking the Trump family’s TruthSocial social media platform offline with a DDoS attack.
Multiple organizations, including the IT-ISAC and Food and Ag-ISAC, have issued warnings urging U.S. organizations to prepare for retaliatory actions originating from Iran.
Disinformation and Psychological Warfare
Cyber operations and digital propaganda now go hand in hand: false missile alerts, manipulated content, and the leaking of sensitive information to intimidate civilians and shape public perception. AI makes such content harder to identify, though not always successfully, as these attempts at creating images of a downed American B-2 plane show. Problems with scale, the lack of crash marks, and the fact that the images show an intact plane after it was supposedly shot out of the sky make such efforts easy for most people to identify, but not for everyone.
Figure 3: AI-generated images falsely depicting a downed US B-2 bomber, circulated by an Iran-aligned threat group as part of a disinformation campaign
Civilian IoT and Surveillance System Exploitation
Movies and TV shows, such as Enemy of the State and The Blacklist, have long depicted the (mis)use of cameras to track people’s movements. It is believed that both Iran and Hamas have been using this technique for several years, according to Gaby Portnoy of the Israel National Cyber Directorate. It is primarily happening because people are not changing the default passwords set on their devices.
Digital Censorship and Information Blackouts
Iran imposed a near-total internet blackout in mid-June (up to a 97% drop in usage) in response to the strikes, triggering massive spikes in VPN usage (a 95% increase) by citizens seeking access to uncensored information. This is not limited to countries at war: as the data posted by NetBlocks shows, such information blackouts are also used for other purposes, such as suppressing strikes and union protests.
Figure 4: Netblocks postings of Internet outages in Panama and Iran
How to Prepare for a Cyber Conflict
The Israel–Iran war exemplifies how digital warfare is now inseparable from kinetic conflict. It targets not only military systems but also civilian, corporate, and cross-border networks.
- Geopolitical situational awareness: Understand who’s targeting whom, with what tools, and why.
- Prioritize cybersecurity training: With proper training, your staff can better protect your organization and become the first line of defense against cyberthreats. Check out Fortinet’s NSE training, which is available free of charge.
- Enable multi-factor authentication (MFA): Even if a username or password is compromised, attackers cannot gain access without the second factor, such as a token or biometric data, that is also required.
- Set up automated patching and updating: Regularly patching vulnerabilities is a fundamental measure to prevent exploitation by cybercriminals.
- Manage passwords: Use password management tools and MFA to ensure passwords meet essential guidelines.
- Understand and reduce your attack surface: Start by performing systems audits to find out what applications, hardware, and IoT devices are in your internal environment, and do not forget to look outside your organization.
- Build defense in depth: Assume compromise will happen and build security resilience and rapid detection capability at every level.
- Back up your data: Implement a robust data backup and recovery strategy to ensure data integrity and security.
- Develop and test an incident response plan: Create a comprehensive incident response plan and related playbooks that outline the steps to take in the event of a cybersecurity incident.
- Build trust and partnerships: CISOs and IT teams must recognize that cybersecurity is a shared responsibility, and no single organization has all the answers.
- Report incidents promptly: Organizations should immediately notify their designated Computer Emergency Response Team (CERT) and local law enforcement in the event of a cyber incident.