March 4, 2026 | Policy Brief
Iran’s Pro-Regime Hackers Cannot Back Up Their Claims of Successful Cyber Attacks
As the United States and Israel continue to pummel the clerical regime in Iran, its hackers are threatening to join the fray.
The Cyber Isnaad Front, a regime proxy, warned at the outset of the operation that it stood prepared to attack U.S. and Israeli critical infrastructure. While this and other pro-regime groups likely lack prepositioned, strategic capabilities to cause significant disruptions, their threats and boasts of success are an attempt to strike fear regardless of their technical acumen.
As the fog of war in cyberspace is especially dense, vigilance can mitigate the risk of falling victim to cyberattacks of opportunity or disinformation.
Iran Poses a Cyber Threat
Within hours of the start of the war, private cybersecurity companies issued alerts reminding clients of Iran’s history of malicious cyber activity. The Islamic Republic is a “mature, well-resourced cyberthreat,” cautioned SentinelOne, emphasizing that Iran has in the past conducted disruptive and destructive attacks on critical infrastructure. Often hitting targets of opportunity, Iranian hackers “routinely exploit unpatched systems, default credentials, and exposed remote access services,” explained Matt Hartman, former senior official with the Cybersecurity and Infrastructure Security Agency.
As the war has progressed, numerous groups have issued unverified claims of successful attacks. Handala Hack — likely affiliated with Iran’s Ministry of Intelligence and Security — claimed to have hacked an Israeli oil and gas exploration company. Pro-regime hacker collective DarkStorm boasted of conducting distributed denial of service (DDoS) attacks on Israeli banks. Another pro-regime umbrella group, the Cyber Islamic Resistance, claimed to have disrupted payment systems and drone detection systems.
Multiple groups also asserted that they compromised Jordanian infrastructure and fuel stations. Jordan’s National Cybersecurity Center confirmed it thwarted an Iranian attack on the nation’s wheat silo management system.
To date, most of the claims of successful hacks are likely false or overblown.
Hackers Across the World Are Getting Involved
In fact, some cybersecurity firms have observed a drop in malicious cyber activity originating from Iran since the start of the war. Cloudflare CEO Matthew Prince hypothesized that the reduction is likely because “operators are sheltering” during the military strikes. The regime-imposed internet blackout may also be limiting hackers’ abilities, forcing hackers to recycle old operations and personas to appear more active.
Hackers from outside the country are stepping into the void. Cybersecurity firm Palo Alto warned of escalating attacks from outside Iran. An Australia-based threat analyst known on X as “CyberKnow” has identified 60 hacktivist groups, including pro-Russian groups, who have entered the fray. Pro-Russian hackers NoName057(16) — mostly known for cyberattacks on Ukraine and NATO targets — claimed to have disrupted Israeli government, telecommunications, and defense systems. DieNet, a pro-Palestinian group, meanwhile asserted that it took down Qatari and Bahraini government websites. “At this stage, much of the activity being publicized appears to be claim-driven rather than evidence-backed,” cautioned Adam Meyers of cybersecurity firm CrowdStrike. “It’s common during periods of geopolitical escalation to see an increase in opportunistic hacktivism and low-level disruptive activity designed to generate attention.”
Critical Infrastructure Should Patch and Prepare
In response to escalating threats in cyberspace, federal agencies and industry associations including Information Sharing and Analysis Centers (ISACs) are warning companies to be on alert. Health-ISAC CEO Errol Weiss, for example, urged members to “harden internet-facing systems, validate DDoS protections with their service providers, and rehearse downtime and incident-response procedures.” Meanwhile, Politico reported on March 3 that the Transportation Security Administration is advising energy companies to bolster their cyber and physical security.
Private companies should heed these warnings. Iranian hackers have in the past successfully compromised critical components of essential services because utilities misconfigured systems, did not change default passwords, or failed to install software patches to fix known vulnerabilities. As the FBI Cyber Division Assistant Director Brett Leatherman explained in a LinkedIn post, Iranian hackers target “the simplest gaps in the most consequential environments.” But patching systems, disconnecting critical components, and strengthening passwords can close the gaps, leaving pro-regime hackers with nothing but empty assertions of supposed successes.
Ari Ben Am is an adjunct fellow at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), focusing on emerging threats, influence and information operations, cyber operations, and hybrid warfare. Nino Baramia is an intern at CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.