Iran actors’ claims raise questions about larger cyber threat to US, allies - Cybersecurity Dive

Questions are being raised about the veracity and tactics of Iran-linked actors, amid claims that a large trove of Lockheed Martin data is on the market.

Published March 31, 2026
David Jones, Reporter

Photo: The flag of Iran is seen in front of the building of the International Atomic Energy Agency (IAEA) headquarters on May 24, 2021, in Vienna, Austria. Iran-linked actors have stepped up malicious attacks in March 2026 in connection with the most recent U.S. and Israeli bombing campaign. (Michael Gruber via Getty Images)

Iran-nexus threat actors have placed what they claim is a large trove of data from defense contractor Lockheed Martin for sale on the underground market.

The placement comes more than a week after the alleged hack and more than a month after the U.S. and Israel launched a coordinated bombing campaign against Iran, mainly from aircraft and naval ships.

A threat group tracked as APT Iran claims to be offering a cache of exfiltrated Lockheed Martin data for more than $598 million, according to researchers at Flashpoint. The hackers claim the data includes blueprints for the F-35 fighter jet and Pentagon contracts.

A state-linked group tracked as Handala or Handala Hack has allegedly doxxed Lockheed Martin engineers via SMS and threatened them to leave Israel within 48 hours, according to Flashpoint.

The Department of War “does not comment on the status of our networks and systems,” as a matter of policy, an official told Cybersecurity Dive.

Handala is the group that claimed credit for the cyberattack against medical technology giant Stryker and the breach of FBI Director Kash Patel’s personal email. Just prior to the Patel hack, the Department of Justice announced the disruption of domains linked to Handala and other Iran-linked actors.

The FBI confirmed to Cybersecurity Dive that Patel’s email was targeted by Iran-linked hackers and said it has taken all necessary steps to mitigate potential risks from the attack. The FBI said the data was “historical” in nature and contained no government information.

The FBI said a $10 million reward is being offered through the State Department for information leading up to the identification of Handala hackers.

Security researchers, analysts and government officials have long been concerned about the threat of asymmetric threat activity from Iran, due in part to a long history of targeting Israeli and U.S. critical infrastructure and intimidating political dissidents with cyber.

However, they caution that Iran has a history of mixing legitimate activity with diversionary tactics and disinformation in order to confuse adversaries.

“Iranian actors routinely exaggerate the impact of their intrusions,” Ari Ben Am, an adjunct fellow at the Foundation for Defense of Democracies, told Cybersecurity Dive.

They’ve been known to add information from prior hacks into their claims and also incorporate social media information into a claim under the pretext the information was actually hacked, Ben Am said. In other cases, they have made up claims. Ben Am cautioned that the Lockheed claims could include all three aspects.

A spokesperson for Lockheed Martin earlier this month told Cybersecurity Dive the company was aware of the claims and said it was confident in its defense capabilities.

Still, security researchers and other analysts note that Iran has a proven record of hunting political opponents, stealing data and targeting critical infrastructure providers, including drinking and wastewater in the U.S.

Cynthia Kaiser, senior vice president at Halcyon and a former deputy assistant director at the FBI, said the recent claims related to Lockheed Martin include screenshots and other evidence that raises questions about how much of the claimed data is legitimate.

“Interestingly, APT Iran is attempting to sell one set of data for an enormous amount of money, demonstrating how these groups mix financial gain and their political goals,” Kaiser said. “We continue to anticipate Iran and its proxies will increase their targeting of U.S. organizations in the weeks ahead.”

Editor’s note: Updates with reaction from the Department of War.

Filed Under: Strategy, Threats