Sophos X-Ops Counter Threat Unit (CTU) researchers have observed a surge in Iranian hacktivist activity across Telegram, X, and underground forums in the wake of coordinated U.S. and Israeli military strikes on February 28. The operations, designated Operation Epic Fury and Operation Roaring Lion, have triggered a wave of cyber retaliation focused on website defacement, distributed denial of service (DDoS), and targeted doxxing.
A central figure in this escalation is the Handala Hack Team, a persona operated by the group COBALT MYSTIQUE. On March 1, the group launched a “RedWanted” site, a hit list of individuals and organizations supporting Israel. In a defiant public statement, the group warned that they have “infiltrated [Israel’s] most secure databases, and extracted the personal information of millions who thought they were untouchable”.
The group also claims to be actively sabotaging the energy sector, stating on social media that “the cyber infrastructure of the Zionist regime’s oil and gas sector is being destroyed”.
Beyond energy, the group APTIran has shared unverified claims of infiltrating Israeli water control systems. The threat actors asserted they have direct access to the operational technology (OT) layer, stating: “The control logic has been taken out of the execution cycle, the runtime has stopped, and the system is deliberately kept in Boot state”.
Further complicating the landscape, the BaqiyatLock (BQTlock) ransomware-as-a-service (RaaS) group has begun offering free affiliate memberships to any hacktivists capable of targeting “the Zionist entity”.
While much of the current activity targets Israeli interests, CTU researchers warn that the U.S. role in the recent strikes increases the risk of retaliatory attacks against American organizations. Groups like the Troll Hacker Team have already begun counter-operations, claiming to have successfully taken the Handala official website offline.
To mitigate these risks, CTU recommends that organizations adopt a heightened defensive posture:
- Prioritize Patching: Iranian groups frequently target known, publicly disclosed vulnerabilities rather than zero-days.
- Monitor for Phishing: Stay vigilant against topical phishing campaigns and password-spraying activity.
- Minimize Exposure: Reduce the available attack surface by minimizing internet-facing services.
- Review Continuity Plans: Ensure business continuity and restoration processes are ready to handle potential ransomware or wiper malware attacks.