Sophos X‑Ops CTU researchers have observed a surge in Iranian hacktivist operations—Operation Epic Fury and Operation Roaring Lion—focused on website defacement, DDoS, and doxxing after coordinated U.S. and Israeli strikes on February 28. Key actors, including the Handala Hack Team (linked to COBALT MYSTIQUE), APTIran, and the BaqiyatLock RaaS, are claiming intrusions into energy and water systems and are recruiting affiliates, raising the threat to Israeli and potentially U.S. organizations.
Key points
- CTU noted increased Iranian hacktivist activity across Telegram, X, and underground forums after the Feb 28 strikes.
- The Handala Hack Team (COBALT MYSTIQUE) launched a RedWanted hit list and claims large-scale data exfiltration.
- APTIran alleges OT-level access to Israeli water control systems, claiming control interruptions.
- BaqiyatLock (BQTlock) RaaS is offering free affiliate memberships to attackers targeting Israel.
- CTU advises prioritizing patching, monitoring for phishing, minimizing internet-facing services, and reviewing continuity plans.