The Iran War: What You Need to Know


The United States and Israel launched coordinated strikes on Iran (Operation Epic Fury / Operation Lion’s Roar) that killed Supreme Leader Ali Khamenei and senior commanders, triggering widespread Iranian missile and drone retaliation across the region and significant commercial disruption, including a ~90% decline in Strait of Hormuz transits and Qatar declaring force majeure on gas exports. Cyber and influence operations are already active and expected to escalate: identified Iranian-aligned hacktivist and influence-operation networks (e.g., Handala Hack Team, Storm-2035) are likely to employ scanning, brute forcing, password spraying, DDoS, and targeted influence campaigns.

Key points

  • Coordinated US-Israeli air campaign on 28 February 2026 (Operation Epic Fury / Operation Lion’s Roar) conducted ~900 strikes in the first 12 hours, killing Supreme Leader Ali Khamenei and numerous senior IRGC and defense officials.
  • Iran launched immediate, broad retaliation (Operation Truthful Promise 4) with missile and drone strikes across at least nine countries, causing military and civilian casualties and closing or disrupting regional maritime and energy operations.
  • Major commercial impact: Strait of Hormuz transits dropped ~90%, Qatar declared force majeure on gas exports, and regional energy and shipping sectors face sustained volatility and insurance costs.
  • Cyber threat landscape: Iranian state-aligned and pro-Iran hacktivist groups (Handala Hack Team, Cyber Islamic Resistance, Storm-2035, ION-79, etc.) are active; early cyber indicators to watch include scanning, brute forcing, password spraying, probing, and DDoS.
  • Influence operations are layered and already underway in three phases (strategic narrative shaping, covert network surge, psychological deterrence), with networks pivoting inauthentic accounts and AI-generated media to shape perceptions.
  • Insikt Group outlines three scenarios (regional war/energy shock; regime fracture/militia foothold; prolonged stalemate) with corresponding operational, commercial, and cyber resilience questions for organizations.

MITRE Techniques

  • [T1595] Active Scanning – Used as an early re-operationalization indicator: ‘scanning, brute forcing, password spraying, and probing against your networks as early signals of Iranian cyber forces re-operationalizing.’
  • [T1110] Brute Force – Cited as a likely early tactic for access attempts: ‘scanning, brute forcing, password spraying, and probing against your networks as early signals…’
  • [T1110.003] Password Spraying – Specifically named as an expected access technique: ‘scanning, brute forcing, password spraying, and probing against your networks as early signals…’
  • [T1498] Network Denial of Service – DDoS activity noted as an early signal and likely hacktivist tool: ‘DDoS campaigns may also be an early signal.’
  • [T1078] Valid Accounts (Initial Access) – Initial access concerns and collaborations to gain network access were highlighted as part of Iranian opportunistic approaches: ‘Iranian APT groups are known to be opportunistic, acquiring exploits and collaborating with ransomware groups to gain network access, and the threshold for retaliation…’
  • [T1021] Remote Services (Lateral Movement) – Lateral movement was explicitly referenced as a post-access activity to watch: ‘Watch for each major group’s distinct TTPs: Peach Sandstorm, APT34, MuddyWater, Cotton Sandstorm, and APT42 each have established patterns for initial access and lateral movement.’
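The report names scanning, brute forcing and password spraying as the early signals to watch. The following is an added example, not code from the Recorded Future post: it separates the two T1110 patterns in a small set of constructed authentication log lines, flagging a source that hammers one account as brute force (T1110) and a source that tries a few guesses across many accounts as password spraying (T1110.003). The log format, the RFC 5737 test addresses and the thresholds are assumptions; tune them to your own telemetry.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
# <timestamp> auth: FAIL|OK user=<name> src=<ip>
LOG_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one source hitting a single account repeatedly (brute force),
# one source making one attempt each against many accounts (spraying), and
# benign noise from a user who mistypes a password once and then succeeds.
SAMPLE_LOG = (
    [f"2026-03-01T02:0{i % 10}:00Z auth: FAIL user=admin src=203.0.113.7" for i in range(12)]
    + [f"2026-03-01T02:1{i}:00Z auth: FAIL user=user{i:02d} src=198.51.100.9" for i in range(10)]
    + ["2026-03-01T02:30:00Z auth: FAIL user=alice src=192.0.2.5",
       "2026-03-01T02:31:00Z auth: OK user=alice src=192.0.2.5"]
)


def parse(lines):
    """Yield parsed events; lines that do not match the assumed format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(lines, spray_min_users=8, spray_max_per_user=2, brute_min_attempts=10):
    """Return {source_ip: technique label} for sources whose failed logons match
    a brute-force or password-spraying profile. Thresholds are assumptions."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for ev in parse(lines):
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1

    findings = {}
    for src, per_user in fails.items():
        total = sum(per_user.values())
        distinct_users = len(per_user)
        # Spraying: many distinct accounts, very few attempts per account.
        if distinct_users >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            findings[src] = "T1110.003 password spraying"
        # Brute force: many attempts concentrated on one or two accounts.
        elif total >= brute_min_attempts and distinct_users <= 2:
            findings[src] = "T1110 brute force"
    return findings


if __name__ == "__main__":
    for src, label in classify(SAMPLE_LOG).items():
        print(f"{src}: {label}")
```

Both detections key on the source address rather than the account, which is what makes low-and-slow spraying visible: per-account lockout counters never trip, but the per-source fan-out does.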

Indicators of Compromise

  • [Threat actor names] Named actors and fronts linked to operations – Handala Hack Team, Storm-2035, and other tracked groups such as ION-79, Peach Sandstorm, and APT34 (plus several additional Iran-aligned hacktivist/APT groups).
  • [Affected sites / organizations] Targets and claimed compromises – the Natanz nuclear facility, the Minzadehei compound (alleged underground complex), and a claimed compromise of an Israeli oil and gas company.
  • [Media / content artifacts] Influence artifacts used in campaigns – an AI-generated image tied to false claims about USS Abraham Lincoln strikes (reported to have reached millions of views) and viral social posts from sock-puppet accounts.
  • [Operational indicators] Commercial and operational disruption signals – the Strait of Hormuz transit decline (~90% drop) and Qatar’s force majeure on gas exports as contextual indicators of kinetic and economic impact.


Read more: https://www.recordedfuture.com/blog/the-iran-war-what-you-need-to-know