Iran Hacktivists Make Noise but Have Little Impact on War - Dark Reading
Iran-aligned groups are trying to make their mark in the Gulf, but the results have fallen short of remarkable.
Nate Nelson, Contributing Writer
March 25, 2026
Since the onset of war, there's been scant hard evidence that Iran-aligned hacktivists have had a significant impact in the Gulf region, despite their widely publicized claims.
Whenever a major national or geopolitical event occurs, both cybercriminals and the cybersecurity community activate. Malicious cyber activity always follows major headlines, so researchers and reporters look out for rising threats with each news cycle. Those researchers and reporters then track that activity, fueling a lesser, secondary news cycle.
The Iran war is one of these classic cases. New data from Bitdefender indicates that since Feb. 28 — the day the ayatollah was assassinated — the rate of malicious emails targeting Gulf countries has risen an average of 130%. The data surged immediately, stayed elevated, and at peak reached almost four times its pre-war rate. In other words: the activity increase is there.
A rise in activity, however, does not necessarily equate to a commensurate rise in impact. In general terms, researchers disagree on how dangerous Iran-aligned hacktivist and cybercriminal groups are. When it comes to hard evidence, though, they've found, at best, a modest impact from this latest, much anticipated surge.
Case Study: Nasir Security
There's a chasm between what many Iran-aligned groups have been claiming and what they've been accomplishing.
Consider "Nasir Security," a group that can be considered Iran-aligned, despite its frequent identity crises (in recent months it has aligned with Hezbollah, as well as the Alawite ethnic group in Syria). After appearing and then disappearing in the wild in October 2025, it seemingly returned to action in support of Iran's war effort on March 10.
In the two weeks that followed, the group announced that it had compromised three Middle Eastern oil and gas companies: the United Arab Emirates' (UAE) Dubai Petroleum, Oman's CC Energy, and Al Safi, a smaller company that operates gas stations in Saudi Arabia and the wider region.
At first glance, this might seem like a big deal. While Iran attacks Middle East oil facilities from the skies, Nasir Security is carrying out data leaks against those same sorts of organizations in cyberspace, combining to cause real trouble for Iran's enemies, and havoc in global oil markets.
To the surprise of nobody, though, this hacktivist group vastly overstated its achievements. Rather than the companies they claim to have breached, "The group is attacking [related] supply chain vendors involved in engineering, safety, and construction," explains Resecurity COO Shawn Loveland.
The logic is simple, he says: "Contractors' digital identity information is a typical 'low-hanging fruit,' making them an easy target for business email compromise (BEC) and account takeover (ATO). The actors target contractors, as they may store various engineering documentation and internal files during collaboration with energy companies on their projects. That data is used as a 'shiny object' to claim a breach of the energy company itself."
Nasir has stolen and leaked legitimate documents. In the case of Dubai Petroleum, for instance, Resecurity says that while the group lied about having exfiltrated more than 413GB from the company, it did steal a few legitimate internal reports, maps, and schemes from the contractor. The real documents theoretically could be utilized in later spear-phishing attacks, but mostly they helped the threat actor sell the legitimacy of the leak on its website.
The point of these attacks is more about feelings than facts. "The actors attempted to capitalize on the authentic documents (stolen from a third party) and the complexity of investigating the point of compromise, which can be time-consuming, leaving the audience in uncertainty. Such tactics are widely used by threat actors to plant misleading narratives," Loveland says.
High-Profile Attacks Have Holes
Not all hacktivist groups leave behind easily scrutinized evidence, such as downloadable data leaks. Part of the reason cybersecurity analysts have struggled to verify most of the hacktivist activity being reported online is that lower-level threat actors are naturally attracted to the kinds of cyberattacks that either can't be easily disproven or are subject to creative interpretation.
For instance, it's easy to claim a denial-of-service (DoS) attack against a website that blocks the ability for researchers to check its uptime. And as Pascal Geenens, vice president of cyber threat intelligence at Radware, explains, "'Defacement' can mean anything from a full website compromise to posting a picture in a comment section and sharing the direct link. System compromise claims similarly run the gamut, from genuinely sensitive intrusions to publicly exposed cameras or unprotected IoT dashboards."
One example of an Iran-aligned group taking advantage of this confusion is the "313 Team." Its biggest recent claims include DoS shutdowns of Bahrain and Kuwait government and military services. According to public reporting, both governments experienced minor disruptions, but the attacks either failed to have the impact that 313 claimed, or were subsequently attributed to groups other than 313. Dark Reading cannot independently confirm what happened in these cases.
"It's important to note that with hacktivist activity, the claim is part of the attack itself," says Justin Moore, senior manager of threat intelligence for Palo Alto Networks' Unit 42. When the Iran war started, Unit 42 tracked a surge of cyberattack claims that didn't all have backing in evidence, but seemed to have an impact merely for having been uttered.
"The narrative that they are operating everywhere is critical to the psychological aspect of their activity, keeping the looming potential threat of attack by them in the news cycle," Moore says. "For an organization, the challenge is managing the reputational fog of war that these groups intentionally create the moment they post on Telegram."
As a rule of thumb, Geenens says, "groups believed to be proxies for or closely aligned with a nation-state carry more weight in their claims than self-proclaimed anonymous channels." For example, the Iranian hacktivist operation most widely believed to have carried out concrete, meaningful cyber activity in March is Handala. Handala isn't actually the hacktivist operation it claims to be; it's a false flag for Iran's Ministry of Intelligence and Security (MOIS).
Is the Threat from Iran-Aligned Hacktivists Significant?
Researchers disagree on the seriousness of the threat these groups pose.
"While many hacktivist actions are indeed noisy and designed for psychological effect, we have observed a significant shift toward destructive and high-consequence operations," argues Matt Hull, vice president of cyber intelligence and response at NCC Group. He notes that some groups are actively targeting critical infrastructure and deploying wipers — which they've long been known to do — and attributes major significance to Iran's rumored "Electronic Operations Room" for coordinating cyber activity across its proxies.
"The establishment of the Electronic Operations Room (EOR) has synchronized hacktivist groups, allowing them to act as a force multiplier for state objectives," Hull says. "Even if an individual attack seems minor, the cumulative effect creates a massive drain on defensive resources and provides a smoke screen for more sophisticated state-sponsored actors to move undetected."
For Loveland, this interpretation of events is too generous. "In fact, none of the Iran-linked, pro-Iranian groups (including Handala) or state-sponsored groups are making any meaningful impact on the Iran conflict, as confirmed by numerous independent assessments and our threat analysis," he argues. "Iran and its proxies are orchestrating such campaigns on behalf of groups like 'Nasir Security' to sow uncertainty and create the optics of cyberattacks."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.