Full Report
Hacking groups supporting Iran claimed new hits against critical infrastructure sectors, with some saying they had manipulated control systems and the earliest attacker of this conflict declaring that details they had swiped about a commercial complex were released to make a physical attack easier. Hider Nex, a pro-Palestinian Tunisian hacking group that emerged in mid-2025,…
Analysis Summary
# Incident Report: Pro-Iranian Multi-Sector Cyber Campaign
## Executive Summary
In early 2026, multiple pro-Iranian and pro-Palestinian hacking groups launched a coordinated cyber campaign targeting critical infrastructure in Israel and Jordan. The attacks involved the manipulation of Operational Technology (OT) and Industrial Control Systems (ICS), data exfiltration to support physical targeting, and widespread disruption of essential services. The primary goal appeared to be a mix of psychological warfare, economic sabotage, and providing intelligence for kinetic military strikes.
## Incident Details
- **Discovery Date:** February 28, 2026
- **Incident Date:** February 28 – March 7, 2026
- **Affected Organizations:** Azrieli Group, Bank al Etihad, Bezeq, Prima Park Hotel, ISAR Engineering, Technion, and various Israeli medical/energy entities.
- **Sector:** Critical Infrastructure (Energy, Water, Finance, Healthcare, Telecommunications, Agriculture)
- **Geography:** Israel, Jordan, and Azerbaijan
## Timeline of Events
### Initial Access
- **Date/Time:** February 28, 2026
- **Vector:** Exploitation of outdated software and third-party management systems.
- **Details:** Hider Nex launched the first retaliatory DDoS against telecommunications provider Bezeq. APT IRAN later exploited an outdated version of "FileManager" at an energy project.
### Lateral Movement
- **Details:** Attackers moved from compromised file management systems and third-party contractor backdoors to central servers and ICS/SCADA interfaces controlling lighting, water, and power.
### Data Exfiltration/Impact
- **March 3–7, 2026:**
- **Data Exfiltration:** Sensitive building plans for the Azrieli Business Park were stolen and published to facilitate physical bombing. Sensitive customer data was exfiltrated from the Prima Park Hotel.
- **Operational Impact:** Attackers claimed to have cut water and electricity to hotel districts, manipulated wheat stockpile control systems (Jordan), and compromised Haifa’s main power station lighting networks.
### Detection & Response
- **Detection:** Discovered via Telegram/X (Twitter) announcements by threat actors and monitoring by cybersecurity firms like Radware and Orange Cyberdefense.
- **Response actions:** Jordanian government intervention regarding strategic wheat stockpiles; security audits of third-party contractor systems.
## Attack Methodology
- **Initial Access:** Exploitation of vulnerable web-facing software (FileManager) and supply chain backdoors provided by contractors.
- **Persistence:** Implementation of "unwanted backdoors" in bank technical infrastructure.
- **Discovery:** Reconnaissance of camera systems and internal document servers.
- **Lateral Movement:** Pivoting from IT management systems to OT/Control systems.
- **Exfiltration:** Use of Telegram channels to leak exfiltrated sensitive blueprints and PII.
- **Impact:** Distributed Denial of Service (DDoS), ICS manipulation, and "doxxing" of physical infrastructure for kinetic targeting.
## Impact Assessment
- **Financial:** Potential disruption of ATM and payment systems at Bank al Etihad; risk to Jordanian strategic wheat reserves.
- **Data Breach:** Building schematics, embassy locations, medical clinic records, and hospitality customer data.
- **Operational:** Disruption of lighting, water, and power in Haifa and surrounding areas; potential spoilage of agricultural goods.
- **Reputational:** High-profile public claims by "Cyber Islamic Resistance" and "Hider Nex" to undermine public trust in infrastructure safety.
## Indicators of Compromise
- **Network Indicators:** Traffic associated with DDoS attacks against Bezeq (Israel).
- **File Indicators:** Use of outdated "FileManager" software versions on central servers.
- **Behavioral Indicators:** Unauthorized access to SCADA/ICS interfaces; unusual data outbound patterns from hotel and medical servers.
## Response Actions
- **Containment:** Disconnection of compromised third-party management systems.
- **Eradication:** Patching of vulnerable file management software and removal of contractor-created backdoors.
- **Recovery:** Restoration of power/water services and auditing of strategic grain storage sensors.
## Lessons Learned
- **Supply Chain Risk:** Third-party contractors implementing management systems can introduce "permanent" backdoors if not audited.
- **IT/OT Convergence:** Vulnerabilities in simple web utilities (like file managers) can lead to direct control over physical infrastructure (solar projects/power grids).
- **Cyber-Physical Link:** Cyber exfiltration of building plans is now being explicitly marketed as "targeting packages" for physical strikes.
## Recommendations
- **Zero Trust Architecture:** Implement strict segmentation between IT networks and ICS/OT environments.
- **Vulnerability Management:** Immediate patching of all web-facing file management and administrative utilities.
- **Vendor Risk Management:** Conduct rigorous security audits of all third-party systems and "management backdoors" installed by contractors.
- **Physical Security Guarding:** Increase physical security at sites where digital blueprints have been leaked.
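The two controls most directly tied to this campaign's behavioral indicators (IT-to-OT pivoting and unusual outbound data from servers) and to the segmentation recommendation above can be checked mechanically against flow or firewall logs. The following is an added example, not code from the original report or from any of the organizations named in it: the subnets, the jump-host address, the 1 GB per-host outbound threshold and the flow records are all constructed for illustration and are not indicators from the incident. It flags any IT-segment host other than the designated jump host that reaches the OT segment, and any internal host whose outbound byte count to external destinations exceeds a baseline.

```python
"""Segmentation-policy and outbound-volume checks over flow records.

Added example, not from the original report. Every network, address,
threshold and flow record below is constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed network model: an IT segment, an OT/ICS segment, and a single
# jump host that is the only IT-side system permitted to reach OT interfaces.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.200.0.0/16")
INTERNAL_NETS = (IT_NET, OT_NET)
JUMP_HOST = ipaddress.ip_address("10.10.5.10")

# Constructed per-host baseline: more than 1 GB outbound to external
# destinations in one observation window is treated as anomalous.
OUTBOUND_THRESHOLD_BYTES = 1_000_000_000

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    ("10.10.5.10", "10.200.1.20", 502, 4_000),           # jump host -> PLC (Modbus), allowed
    ("10.10.7.33", "10.200.1.20", 502, 1_200),           # workstation -> PLC, violation
    ("10.10.7.33", "10.200.1.5", 443, 9_000),            # workstation -> HMI web UI, violation
    ("10.10.8.14", "10.10.8.1", 445, 30_000),            # IT-internal SMB, not a segmentation issue
    ("10.10.9.50", "203.0.113.9", 443, 2_800_000_000),   # server -> external, 2.8 GB in one flow
    ("10.10.9.50", "203.0.113.9", 443, 15_000),
    ("10.10.9.51", "198.51.100.4", 443, 120_000),        # small outbound, under baseline
]


def _is_internal(addr):
    """True if the address belongs to one of the modelled internal segments."""
    return any(addr in net for net in INTERNAL_NETS)


def segmentation_violations(flows):
    """Return (src, dst, port) for IT->OT flows not originating from the jump host.

    Policy: the OT segment is reachable only from JUMP_HOST; every other
    IT-segment source talking to OT is a violation regardless of port.
    """
    hits = []
    for src, dst, port, _ in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in IT_NET and d in OT_NET and s != JUMP_HOST:
            hits.append((src, dst, port))
    return hits


def outbound_volume_alerts(flows, threshold=OUTBOUND_THRESHOLD_BYTES):
    """Sum bytes each internal host sends to external destinations; return hosts over threshold."""
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if _is_internal(s) and not _is_internal(d):
            totals[src] += nbytes
    return {host: total for host, total in totals.items() if total > threshold}


if __name__ == "__main__":
    for src, dst, port in segmentation_violations(FLOWS):
        print(f"SEGMENTATION VIOLATION: {src} -> {dst}:{port} (IT host reaching OT without jump host)")
    for host, total in outbound_volume_alerts(FLOWS).items():
        print(f"OUTBOUND VOLUME ALERT: {host} sent {total:,} bytes to external destinations")
```

The segmentation check deliberately ignores destination port: a zero-trust boundary between IT and OT is defined by who may cross it, not by which protocol is used, so an IT workstation reaching an HMI over HTTPS is as much a finding as one speaking Modbus. The volume check uses an explicit list of internal networks rather than a "public address" heuristic so that it behaves the same on lab ranges and production ranges.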