Full Report
Hacktivists use proxy services from Russia, China for 'billions of designed-for-abuse connection attempts' Cybercrime has skyrocketed since the start of the Iran war, according to Akamai, which reports a 245 percent increase in everything from credential harvesting attempts to automated reconnaissance traffic aimed at banks and other critical businesses.…
Analysis Summary
# Incident Report: Surge in Geopolitical Hacktivism and Infrastructure Reconnaissance (2026)
## Executive Summary
Following the onset of the Iran war, global cybercrime and hacktivist activity have surged by 245%, characterized by massive volumes of automated reconnaissance and credential harvesting. While the conflict is centered in the Middle East, the majority of malicious traffic originates from proxy services in Russia and China. Impact has been widespread across critical sectors, notably including a destructive breach of Stryker, a major US medical technology firm.
## Incident Details
- **Discovery Date:** February 28, 2026 (Initial spike observed)
- **Incident Date:** February 2026 – Ongoing
- **Affected Organization:** Multiple (Specifically named: Stryker; Unnamed US Financial Services Co.)
- **Sector:** Banking/Fintech (40%), E-commerce (25%), Medical Tech, and Infrastructure.
- **Geography:** Global (Sources: Russia 35%, China 28%, Iran 14%)
## Timeline of Events
### Initial Access
- **Date/Time:** February 9, 2026 (Pre-strike activity)
- **Vector:** Automated scanning and infrastructure probing of exposed services.
- **Details:** Massive traffic floods (exceeding 2 million packets in a single instance) targeted US financial systems as a precursor to physical military engagements.
### Lateral Movement
- **Details:** Reports indicate the use of high-disruption tactics typically reserved for NATO/European interests; the Handala group used MOIS-linked techniques to move through internal networks after the initial compromise.
### Data Exfiltration/Impact
- **Details:** Destructive attacks against Stryker resulted in operational disruptions. Aggressive credential harvesting and infrastructure scanning (up 52%) were used to collect access data for various critical sectors.
### Detection & Response
- **How it was discovered:** Akamai observed a 245% increase in malicious connection attempts across its global CDN.
- **Response actions:** Implementation of geo-blocking; US financial firms blocked over 13 million packets originating from Iranian IP space over a 90-day period.
## Attack Methodology
- **Initial Access:** Vulnerability scanning of exposed services and infrastructure.
- **Persistence:** Not explicitly detailed, though hacktivist groups maintain presence via proxy networks.
- **Privilege Escalation:** Use of "designed-for-abuse" connection attempts to brute-force or bypass controls.
- **Defense Evasion:** Use of proxies in Russia and China to mask the true origin of Iranian-aligned actors.
- **Credential Access:** Credential harvesting attempts (increased by 45%).
- **Discovery:** Botnet-driven discovery traffic (up 70%) and automated reconnaissance (up 65%).
- **Lateral Movement:** Professional-grade disruption tactics modelled on state-sponsored (MOIS) playbooks.
- **Collection:** Automated scanning of exposed infrastructure.
- **Exfiltration:** Not specified in the current telemetry summary.
- **Impact:** Distributed Denial of Service (DDoS) and destructive data wipes (e.g., Handala crew).
## Impact Assessment
- **Financial:** Significant mitigation costs; high risk to fintech and e-commerce sectors (65% of combined traffic).
- **Data Breach:** Volume of harvested credentials remains unknown but is listed as a primary attack goal.
- **Operational:** Destructive attacks on healthcare (Stryker) and localized disruptions in the banking sector.
- **Reputational:** High-profile claims by hacktivist groups like Handala to demonstrate technical superiority.
## Indicators of Compromise
- **Network indicators:**
  - High-volume traffic from IP ranges located in Russia (35%) and China (28%).
  - Packet floods arriving from Iranian IP space: `[defanged_IP_range_Iran]`
- **Behavioral indicators:**
  - Rapid-fire 2M+ packet spikes on non-standard ports.
  - Large-scale automated infrastructure scanning.
## Response Actions
- **Containment:** Real-time blocking of 13+ million malicious packets by banking security firewalls.
- **Eradication:** Removal of exposed services identified during infrastructure scans.
- **Recovery:** Ongoing monitoring of "designed-for-abuse" proxy exit nodes.
## Lessons Learned
- **Geopolitics as a Leading Indicator:** Military movements are now consistently preceded by "digital reconnaissance" phases.
- **Proxy Reliance:** Threat actors effectively leverage the lack of cyber-cooperation in Russia and China to mask attribution.
- **Sector Targeting:** Critical infrastructure (Banks/Health) remains the primary target for asymmetric warfare.
## Recommendations
- **Geo-Fencing:** Organizations with no legitimate business in high-risk regions should "deny all" traffic from those geographies.
- **Infrastructure Hardening:** Prioritize patching of all internet-facing services to mitigate the 52% increase in infrastructure scanning.
- **Anti-Bot Tooling:** Deploy advanced bot-management solutions to filter the 70% increase in discovery traffic.