Full Report
Iran-aligned hacktivists launched DDoS attacks against 15 U.S. organizations and 19 websites in the first 24 hours after the U.S. bombed Iranian nuclear targets on June 21, Cyble threat intelligence researchers reported today. The Cyble blog post said the cyberattack targets have included U.S. Air Force websites, Aerospace & Defense companies, financial services organizations, and an unverified claim of an attack on Truth Social, the social media platform of U.S. President Donald Trump.

The U.S. entry into the Israel-Iran conflict was met with less intensive cyber activity than the hacktivism and cyberwarfare that have engulfed the Middle East since the conflict began on June 13 with Israeli attacks on Iranian nuclear and military targets. The U.S. DDoS attacks coincided with a June 22 Department of Homeland Security warning that “Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks.”

U.S. DDoS Attacks Launched by Iran-linked Hacktivists

Cyble said four hacktivist groups were predominantly responsible for the initial U.S. DDoS attacks: Mr Hamza, Team 313, Keymous+ and Cyber Jihad. The groups’ claims range from “credible to questionable,” the researchers wrote.

Mr Hamza claimed that it targeted several websites belonging to the U.S. Air Force and Aerospace & Defense companies. The group posted its exploits using the hashtag #Op_Usa and included check-host.net reports that indicated downtime of the websites over a 10-hour period on June 22 (screenshot below).

[Figure: Hacktivist group Mr Hamza claims U.S. DDoS attacks (Cyble)]

Keymous+ claimed to have targeted U.S. financial organizations and included check-host.net links showing website disruptions over a one-hour period on June 22.

Team 313 claimed to have targeted Truth Social “but the group did not offer sufficient proof to deem the claim credible,” Cyble said. Cyber Jihad Movement said it was planning to launch cyberattacks against U.S. targets between June 23 and June 27.

U.S. Hacktivist Activity Small Compared to Middle East

Cyble said the initial volume of hacktivist attacks on U.S. targets “has been small compared to the large number of attacks and threat groups that have been active in the Middle East,” where the threat intelligence researchers have recorded attacks by 88 groups, 81 of which are aligned with Iran (image below).

[Figure: Hacktivist groups active in Israel-Iran conflict (Cyble)]

Middle East cyberattacks have included “DDoS attacks, data and credential leaks, website defacements, unauthorized access, and major breaches of Iranian banking and cryptocurrency targets by Israel-linked Predatory Sparrow,” Cyble said. Interference with commercial ship navigation systems in the region has also been reported.

The Handala hacktivist group “appears to have been one of the more effective attackers,” Cyble said, with 15 claims of mostly well documented ransomware/extortion incidents. The group’s victims have all been based in Israel.

In one noteworthy incident, a threat actor on the cybercrime forum Darkforums claimed to be offering unauthorized SSH access and VPN credentials of three user accounts for the VPN portal of the Israel Defense Forces (IDF) for the asking price of 2 BTC.

Russian groups have been largely absent from the Middle East cyber conflict, Cyble said, with two notable exceptions: Z-Pentest claimed that it compromised an industrial control system (ICS) belonging to an Israeli energy and utilities organization, while NoName057(16) claimed a DDoS attack on an Israeli transportation entity.

Attacks have also been aimed at Jordan, Egypt, the UAE and Saudi Arabia, “which appear to have been perceived as too neutral by Iran-aligned groups,” Cyble said.

Cyble urged organizations that could become a target of hacktivists to protect themselves against DDoS attacks, data breaches, website defacements, “and increasingly, ransomware and critical infrastructure attacks.”
Analysis Summary
# Incident Report: Pro-Iran Hacktivist DDoS Attacks Against US Entities
## Executive Summary
Pro-Iran hacktivist groups initiated a wave of cyberattacks, primarily distributed denial of service (DDoS) attacks, against U.S. entities following recent geopolitical incidents. These attacks, documented by Cyble, are part of a broader increase in Middle East-focused cyber conflict that also includes data leaks, website defacements, and ransomware activity targeting Israel and perceived neutral regional states. The primary impact highlighted is service disruption via volumetric attacks.
## Incident Details
- Discovery Date: Not explicitly stated; analysis by Cyble tracking ongoing activity.
- Incident Date: Tuesday, June 24, 2025 (Date of publication referencing current events).
- Affected Organization: Various U.S. entities targeted by DDoS. (Specific entity names are not detailed in the summary; the focus is on national-level targeting.)
- Sector: Various (Implied targets include public-facing services susceptible to DDoS).
- Geography: United States (Primary focus of the reported DDoS campaign).
## Timeline of Events
### Initial Access
- Date/Time: Ongoing activity leading up to June 24, 2025.
- Vector: DDoS attacks are the defining vector mentioned for the reported U.S. targeting. (Other vectors like unauthorized SSH/VPN access were noted against Israeli targets).
- Details: Attacks launched by hacktivist groups aligned with Iran in response to geopolitical events.
### Lateral Movement
- Not applicable to volumetric DDoS incidents described for the U.S. targets. (Note: Other actors mentioned in the article, like Handala, used ransomware/extortion, implying network intrusion for those specific incidents).
### Data Exfiltration/Impact
- Primary Impact: Service disruption due to sustained DDoS attacks against U.S. entities.
- Secondary Impacts (Observed regionally): Data/credential leaks, website defacements, ransomware/extortion (specifically against Israeli targets).
### Detection & Response
- Detection: Activity monitored and reported by threat intelligence firm Cyble.
- Response actions taken: Not explicitly detailed for U.S. victims. Cyble urged organizations to protect against DDoS, defacements, and ransomware.
## Attack Methodology
- Initial Access: DDoS via hacktivist coordinated campaigns.
- Persistence: N/A (DDoS establishes no foothold on the victim; the impact lasts only as long as the attack traffic is sustained).
- Privilege Escalation: N/A for DDoS. (Note: Unauthorized SSH/VPN credential sales noted against Israeli Defense Forces users).
- Defense Evasion: Leveraging high-volume traffic to saturate defenses.
- Credential Access: Credential leaks and sales were a tactic used against other regional targets.
- Discovery: N/A (Focused on disruption rather than reconnaissance for DDoS).
- Lateral Movement: N/A for DDoS incidents.
- Collection: Data and credential leaks reported against other regional targets.
- Exfiltration: Data/credential leakage reported regionally.
- Impact: Denial of Service, service unavailability.
## Impact Assessment
- Financial: Not quantified for U.S. DDoS victims. (Note: Handala claimed extortion incidents against Israeli victims).
- Data Breach: Data and credential leaks reported regionally, but scope for U.S. DDoS victims is generally service-based disruption.
- Operational: Service unavailability and operational disruption due to DDoS saturation.
- Reputational: Potential reputational damage for targeted organizations facing public service outages.
## Indicators of Compromise
- Network indicators: (No specific IP addresses or domains listed for U.S. targets; typically high volume traffic signatures for DDoS).
- File indicators: None specified for the U.S. DDoS campaign.
- Behavioral indicators: Coordinated large-scale application-layer or volumetric traffic spikes directed at public-facing services, often preceded or accompanied by public claims from hacktivist groups.
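The behavioral indicator above, a sudden application-layer or volumetric spike against a public-facing service, can be checked directly in web-server access logs. The following is an added example written for this page (it is not code from the Cyble report or the article): it parses constructed combined-format access-log lines, buckets requests per minute, and flags any minute whose request count is at least `ratio` times the median of the preceding minutes. Each alert carries the number of distinct source addresses (many sources converging on one path is what separates a distributed flood from a single noisy client) and the share of 5xx responses, which shows whether the backend is already saturating. All log lines, addresses, paths and thresholds are constructed assumptions.

```python
"""Added example (not from the Cyble report): flag request-rate spikes against a
public-facing web service from access logs. Log lines, addresses and thresholds
below are constructed for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Apache/nginx combined-style access log line (constructed sample format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (minute, src, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    minute = ts.replace(second=0, microsecond=0)  # bucket key: one-minute window
    return minute, m["src"], m["path"], int(m["status"])


def detect_spikes(lines, ratio=5.0, min_requests=50):
    """Bucket requests per minute; flag minutes whose volume is >= ratio times
    the median of all earlier minutes and >= min_requests. Returns a list of
    alert dicts, one per flagged minute."""
    per_minute = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:  # malformed lines are skipped, not counted
            per_minute[parsed[0]].append(parsed)

    alerts, history = [], []
    for minute in sorted(per_minute):
        reqs = per_minute[minute]
        count = len(reqs)
        if history:  # need at least one earlier minute as a baseline
            base = median(history)
            if count >= min_requests and count >= ratio * max(base, 1):
                sources = Counter(r[1] for r in reqs)
                paths = Counter(r[2] for r in reqs)
                alerts.append({
                    "minute": minute.isoformat(),
                    "requests": count,
                    "baseline": base,
                    "distinct_sources": len(sources),
                    "top_path": paths.most_common(1)[0][0],
                    "error_share": sum(1 for r in reqs if r[3] >= 500) / count,
                })
        history.append(count)
    return alerts


def build_sample_log():
    """Constructed sample: three quiet minutes of 12 requests each, then a burst
    of 240 requests in one minute from 60 distinct sources hitting /login, with
    a third of them answered 503. One garbage line tests the parser's skip path."""
    lines = []
    for minute in range(3):
        for i in range(12):
            lines.append(
                f'198.51.100.{i + 1} - - [22/Jun/2025:09:0{minute}:{i * 4:02d} +0000] '
                f'"GET /news/{i} HTTP/1.1" 200 1024'
            )
    for i in range(240):
        src = f"203.0.113.{i % 60 + 1}"
        status = 503 if i % 3 == 0 else 200
        lines.append(
            f'{src} - - [22/Jun/2025:09:03:{i % 60:02d} +0000] '
            f'"GET /login HTTP/1.1" {status} 0'
        )
    lines.append("this line is not an access-log record")
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(build_sample_log()):
        print(alert)
```

In production the same logic would run over a rolling window rather than the whole file, and the baseline would be computed per host and per path so that a legitimately busy endpoint does not mask a flood against a quieter one; the distinct-source count and 5xx share are the two fields worth forwarding to the on-call engineer, since together they separate a genuine distributed attack from a misbehaving integration or a marketing-driven traffic surge.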
## Response Actions
- Containment measures: Organizations urged to implement robust DDoS mitigation strategies (e.g., cloud scrubbing services).
- Eradication steps: Not applicable; a DDoS ends when the attack traffic stops or is filtered, so traffic mitigation is the only eradication step.
- Recovery actions: Restoration of online services post-DDoS attack mitigation.
## Lessons Learned
- **Geopolitical Escalation:** Cyberattacks, particularly DDoS, are frequently used as a form of immediate retaliation or proxy conflict action in response to real-world geopolitical events.
- **Target Diversity:** Hacktivist campaigns exhibit a tactical shift, now including ransomware and potential critical infrastructure targeting alongside traditional DDoS and defacement.
- **Regional Focus:** While U.S. services were hit with DDoS, the most sophisticated intrusions (SSH access sales, data leaks) were heavily concentrated against Israeli targets, with regional states perceived as neutral also facing secondary attacks.
## Recommendations
- **Strengthen DDoS Defenses:** Ensure comprehensive, always-on DDoS mitigation solutions are in place, capable of handling high volumetric attacks.
- **Monitor Hacktivist Chatter:** Implement threat intelligence feeds focused on hacktivist forums and dark web chatter related to regional conflicts to anticipate potential targeting waves.
- **Critical Infrastructure Review:** Organizations dealing with ICS or essential services should review security posture, given the reported targeting of Israeli energy systems by related groups.