Do Ceasefires Slow Cyberattacks? History Suggests Not
Dark Reading, archived Apr 09, 2026
The cybersecurity community is waiting with bated breath to see if Iranian hackers will honor a ceasefire that doesn't actually name or directly involve them.
Nate Nelson, Contributing Writer
April 9, 2026
With the US and Iran having reached a fragile ceasefire this week, security researchers and executives are left wondering whether there will be a commensurate pause in the cyberwarfare that has ramped up around the war.
The day after the temporary truce was announced, Iran's most high-profile false-flag hacktivist operation, Handala, offered that it would participate in a temporary pause in hostilities. But even if one takes that group at its word, history suggests that ceasefires rarely stop or slow cyberactivity surrounding kinetic wars. In fact, in the absence of more effective ways of fighting, cyberattacks tend to flare significantly.
"Historical data and recent intelligence analysis indicate that a military ceasefire rarely equates to a 'digital stand-down,'" warns Austin Warnick, director of Flashpoint’s National Security Intelligence Team. Instead, he tells Dark Reading, "Cyber operations often remain steady or even flare up as an asymmetric pressure valve while kinetic hostilities are paused."
Iran's Handala Cyberactivity Ceasefire
On April 8, Handala posted a typically flowery, but in some ways candid, notice to its Telegram channel. It conceded that "according to the orders from the highest leadership" in Iran, it has postponed its cyber activity against the United States.
Source: Check Point Research
This is significant, as Handala has unquestionably been the most widely publicized threat actor in the war. It claimed responsibility both for the ransomware-ish attack against Stryker — the biggest cyber fish of the war so far, for Iran — and the compromise of FBI director Kash Patel's personal email account, which is the most symbolically significant incident so far.
Handala did qualify its cyber ceasefire, though, by noting that "The cyber war did not begin with the military conflict, and it will not end with any military ceasefire." Eventually the attacks will resume, and in the meantime, the group will still be directing all of its cannons at Israel.
For Sergey Shykevich, threat intelligence group manager at Israel-based Check Point Research, it's too early to tell whether Handala — or Iranian advanced persistent threats (APTs) more generally — will stop or slow down any attacks. Promises aside, he says, "I would not be surprised if, at some point over the next two weeks, they resume cyberattacks as another means of applying pressure against the US."
How Cyber Threat Actors Respond to Geopolitics
Real and fake hacktivist operations, and similarly loud threat actors, might gain something by glomming onto ceasefire deals. They might hope to earn some legitimacy and status by pulling up a chair at the big boy table, and participating in a major geopolitical event. Whether their promises actually mean anything, though, varies from conflict to conflict.
Following the Oct. 7 massacres in Israel, and Israel's invasion of Gaza thereafter, the two sides reached a temporary ceasefire in late November 2023. At that time, one of Handala's closest equivalents, Cyber Toufan — also a false-flag hacktivist operation, and also part of Iran's "Resistance Axis" — indicated that it was pausing operations until the war resumed. It's unclear whether Cyber Toufan slowed its activity at all, because between November and December 2023 it had claimed more than 100 Israeli victims on its leak site.
Source: Telegram, via the Reichman University's International Institute for Counter-Terrorism (ICT)
More often than not, ceasefires stoke cyberattacks, as warring sides take to this alternative method of hurting their enemy and gaining leverage for future negotiations. One Hamas-aligned threat actor used a 2021 ceasefire with Israel as its excuse to rev up a fresh phishing campaign across the Middle East, for example. And when Ukraine and Russia agreed to a Black Sea ceasefire last year, both sides simply used the downtime to carry out major cyberattacks, including some against the very same kinds of energy infrastructure that the ceasefire was meant to protect.
Going even further back, Markus Mueller, field chief information security officer (CISO) for Nozomi Networks, explains, "The major cyberattacks in Ukraine took place during a time when, at least on the Russian side, the war wasn't active. It was right after Russia annexed Crimea. They hadn't really done the big push — what some folks call the second Ukraine war. That in-between period is when we saw a lot of the larger attacks."
Do Ceasefires Pause Cyberwars, or Inflame Them?
In general, Flashpoint's Warnick says, "Threat actors treat diplomatic pauses as technicalities, using the time to pivot toward secondary targets or allies to maintain pressure without technically violating military agreements. Current evidence further supports this, as low-level and nuisance-level cyber activity from [Iran-aligned] groups like the 313 Team and Conquerors Electronic Army has continued without pause."
On April 8, 313 Team claimed responsibility for an attack on an Australian government authentication portal, and Conquerors Electronic Army claimed distributed denial-of-service (DDoS) attacks against Israeli targets, plus the US-based freelancer website Upwork.
Mueller agrees with Warnick's assessment, as it pertains to the current situation in Iran. "I think there will be a change in cyber activity both in scope and scale," he says. "The majority of activity we've seen around this conflict so far is regionalized. We foresee — based on what we've seen with other conflicts both within the region, but also with Ukraine — that it's going to grow a little more broad, and we're going to have more activity in North America, more activity in Europe, or any country that was seen as supporting the conflict."
Though most ceasefires don't cease cyberattacks, there is one ironic example to the contrary — a temporary peace deal which caused a substantial slowdown in malicious online activity. In the leadup to negotiations for the 2015 Iran nuclear deal, analysts observed the Islamic Republic probing US critical infrastructure for vulnerabilities that might facilitate serious attacks. But during the negotiating period, malicious cyberactivity went from high-volume to zero. According to The New York Times at the time, security researchers found not one single instance of a malicious phishing email, or critical infrastructure probe, aimed by Iran at the US during that period. Malicious activity resumed a couple of weeks after the negotiations ended, but at a slower rate, and didn't reach pre-negotiation levels until Donald Trump tore up the deal.
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.