Part 1: The Iran-Israel Cyber Standoff – The Hacktivist Front

Between June 12-18, 2025, over 35 pro-Iranian hacktivist groups launched coordinated cyberattacks against Israeli infrastructure, primarily using DDoS, website defacements, and data breaches. Despite a high volume of attacks, the methods remained unsophisticated and often involved exaggerated claims to gain media attention. #DDoS #HackYourMom #APT_IRAN

Key points

  • More than 35 pro-Iranian hacktivist groups coordinated cyberattacks against Israeli government, military, and critical infrastructure in mid-June 2025.
  • The attacks mainly employed DDoS assaults, website defacements, and data breaches with limited technical sophistication.
  • Pro-Israel groups were fewer (4-5) and focused on targeted infrastructure attacks against Iranian nuclear and military sites.
  • Pro-Iranian attacks spanned multiple countries including Iran, Palestine, Lebanon, Indonesia, and Yemen.
  • Common tactics include information warfare, service disruptions, and ICS attacks, alongside data theft and ransomware deployment by groups like APT IRAN.
  • Hacktivist groups frequently exaggerated the scope and impact of their attacks, reusing old data leaks and claiming unrelated outages.
  • Recommendations include enhanced DDoS protection, credential security, threat intelligence monitoring, incident response protocols, and public communication strategies.

MITRE Techniques

  • [T1499] Endpoint Denial of Service – Pro-Iranian groups conducted DDoS attacks to disrupt Israeli government and military websites (“DDoS assaults, website defacements”).
  • [T1078] Valid Accounts – Use of credential leaks and account hijacking, as seen with RootSec hijacking Israeli Instagram accounts (“Account hijacking Israeli Instagram accounts”).
  • [T1566] Phishing – Data breaches frequently involved compromised credentials and misconfigured systems (“Data usually sourced from compromised credentials or misconfigured systems”).
  • [T1587] Threat Intelligence – Monitoring hacktivist Telegram channels for early warning (“Establish threat intelligence monitoring of hacktivist Telegram channels and social media platforms”).
  • [T1486] Data Encrypted for Impact – Use of ransomware by APT IRAN against Israeli academic and government systems (“APT IRAN Data exfiltration, Ransomware Israeli academic/government systems”).
  • [T1490] Inhibit System Recovery – Service disruptions aimed at critical infrastructure and alert systems (“Service disruption Israeli military systems, Tzofar Red Alert app”).

Indicators of Compromise

  • [File Names] Targets of data breaches and service disruptions – examples include aurion-hosting.co.il (REVOLUSI HIME666 breach), Tzofar Red Alert app attacks, and Israeli government websites.
  • [Group Names] Pro-Iranian and pro-Israel hacktivist groups active during the campaign – HackYourMom, Liwa Muhammad ﷺ, APT IRAN, Syrian Electronic Army, Anonymous OpIran.
  • [Targeted Entities] Compromised systems included Israeli Ministry of Defense, Unit 8200, Nevatim Airbase, Iranian nuclear sites, and Palestinian solidarity groups.

Read more: https://www.cloudsek.com/blog/part-1-the-iran-israel-cyber-standoff—the-hacktivist-front