
LevelBlue SpiderLabs Breaks Down the Role of Cyber Operations Taken in the Iran Crisis

As combat operations that began on February 28 with joint US-Israeli strikes on Iran's military and leadership continue, cybersecurity analysts are turning their attention to how this 21st-century conflict is unfolding in the digital domain.

This hybrid battlefield has already spilled beyond Iran's borders, with state-sponsored Iranian APT groups and affiliated actors launching operations against US, Israeli, and allied targets, while pre-positioned cyber capabilities from the US and Israel contributed to the massive Internet blackout and infrastructure disruptions inside Iran.

What has taken place so far includes an initial wave of disruptions as the US and Israel combined to launch massive DDoS attacks and deep intrusions into critical infrastructure like energy and aviation to cause widespread cascading failures. Simultaneously, hackers compromised media outlets and high-reach apps to broadcast psychological operations while jamming communication channels to prevent information flow. This was countered by Iran activating its APT groups.

LevelBlue SpiderLabs is examining the key threat actors involved, detailing their tactics, techniques, and procedures (TTPs), the custom malware and tools they deploy, and their potential strategic objectives. We'll explore how these groups target critical infrastructure and operational technology across sectors like energy, defense, telecommunications, and government, often blending espionage, disruption, and influence operations to gain leverage in the kinetic fight.

Prominent players include well-established Iranian groups such as MuddyWater, Charming Kitten (APT35/APT42), OilRig (APT34), Elfin (APT33), and APT42, many of which showed signs of activation and retooling just before or during the strikes. On the opposing side, US-Israeli cyber efforts have been credited with enabling precision targeting and widespread digital isolation.

LevelBlue SpiderLabs will also highlight examples of attacker communications on encrypted platforms like Telegram, where groups often boast of claimed successes, leak exfiltrated data, or coordinate proxy and hacktivist actions amid the escalating tensions.

Key findings include:

  • The massive cyber element of Operation Epic Fury, featuring what experts call the largest cyberattack ever, caused Iran's Internet to drop to ~4% capacity, disrupting state media, apps, and IRGC systems to isolate the regime and fuel unrest.

  • Activation and retooling of Iranian APTs (MuddyWater, Charming Kitten/APT35/APT42, OilRig/APT34, Elfin/APT33, and others) just before or during the strikes, with suspected pre-positioning for espionage, credential theft, and disruption.

  • Early signs of Iranian cyber retaliation, including reconnaissance, DDoS, wiper attacks on Israeli targets, pre-strikes, and anticipated hits on US/Israeli critical infrastructure (energy, finance, defense, telecom).

  • Iranian APT groups primarily target adversaries and perceived threats to the regime, with a strong focus on espionage, influence, and disruption.

 

Analysis

Operation Epic Fury's Cyber Blitz: Historic Attack Plunges Iran into Digital Darkness

The massive cyber element of Operation Epic Fury, launched on February 28, 2026, by the US and Israel, featured what experts have described as potentially the largest cyberattack in history, integrated with kinetic airstrikes to cripple Iran's digital infrastructure and sow chaos within the regime.

This offensive caused Iran's national Internet connectivity to plummet to around 4% of normal levels starting at about 07:00 UTC, effectively creating a near-total blackout that disrupted state media outlets like IRNA, popular mobile apps, cellular networks, landlines, and even Islamic Revolutionary Guard Corps (IRGC) command-and-control systems.

The disruptions extended to major cities like Tehran, Isfahan, and Tabriz, where explosions and strikes were reported alongside the digital fog, making it nearly impossible for the regime to coordinate responses or communicate with its forces.

Iranian authorities claimed the blackout was a self-imposed measure to counter foreign interference, similar to shutdowns during the 2025 protests and the brief 2025 war with Israel, but independent monitors such as NetBlocks and Cloudflare Radar tracked the sudden flatlining of traffic, suggesting sophisticated external interference that targeted communications infrastructure to hinder military operations and amplify psychological pressure on the population.

By isolating the regime digitally, the attackers aimed to prevent real-time reporting of strikes, suppress coordination among IRGC units, and fuel unrest among civilians already strained by recent protests.

How Was It Done?

  • DDoS and Network Overload: Initial disruptions involved DDoS attacks overwhelming routers and servers, flatlining traffic as seen on Cloudflare Radar.

  • Deep Intrusions into Critical Infra: Reports suggest hacks into energy grids, aviation systems, and telecom backbones, causing cascading failures.

  • App and Media Hacks: Specific intrusions included compromising the BadeSaba prayer app (5M+ users) to send psyop messages like "Help Has Arrived," and taking down news sites like IRNA and Tasnim, blending disruption with influence ops.

Figure 1. Hacked “BadeSaba” Prayer App

  • SMS and Communication Jamming: Bulk SMS systems were hacked for mass messaging, while electronic warfare might have jammed satellite links, preventing circumvention via tools like Starlink (which Iran has spoofed in the past).

Figure 2. Iran Nationwide connectivity collapse

 

Hacked Street Cameras Allow Tracking of Iranian Targets

One of the assets used in targeting Iranian officials, including Ali Khamenei, was a network of compromised traffic cameras. According to research from the Financial Times, nearly every traffic camera in Tehran had been compromised for years. Their images were encrypted and transferred to servers in Tel Aviv and southern Israel.

This allowed Israeli and US intelligence agencies to track and monitor the habits and schedules of Iranian leadership and security personnel to time and accurately target them.

 

Activation and Retooling of Iranian APTs & The Iranian Cyber Retaliation

In the tense hours leading up to and during the February 28, 2026 strikes of Operation Epic Fury, Iranian state-sponsored APT groups demonstrated clear signs of activation and rapid retooling, positioning themselves for retaliatory operations amid the escalating conflict.

Directed by the IRGC and MOIS, major actors including MuddyWater, Charming Kitten, OilRig, Elfin, and Fox Kitten have shown unprecedented coordination, mobilizing simultaneously to launch high-impact, asymmetric strikes against US and Israeli interests.

  • MuddyWater (Static Kitten): Utilizing AI-enhanced tools such as GhostFetch and RustyWater, they have pivoted from the "Operation Olalampo" espionage campaign to active disruption of government and telecom infrastructure across the Middle East.

  • Elfin (APT33): Acting as the primary destructive arm, they are deploying Tickler and SHAPESHIFT wipers against aerospace and petrochemical targets in the US and Saudi Arabia to paralyze production.

  • OilRig (APT34): Leveraging DNS tunneling and supply chain compromises, it maintains "sleeper" access within US and Gulf financial and aviation networks to enable synchronized economic disruption.

  • APT42 (Charming Kitten): Employs generative AI in its RedKitten operations to conduct hyper-personalized surveillance and credential theft against policy influencers and NGOs.

  • Cyber Av3ngers: A key retaliatory actor targeting water utilities and ICS/OT systems, focusing on the exploitation of industrial controllers to cause physical-world infrastructure failures.

  • Fox Kitten (Pioneer Kitten): Functions as the initial "access broker," exploiting unpatched VPNs and edge devices to breach US and Israeli defense contractors.

  • Handala: A high-profile hacktivist front that recently breached Israel’s Clalit healthcare network; notably, they use Starlink satellite ranges to bypass Iranian Internet blackouts and maintain offensive operations.

This pre-strike surge, including a 133% increase in attacks on Israel and allies, reflects Iran's asymmetric warfare strategy, where these groups embed in networks for espionage, steal credentials to enable further intrusions, and prepare for disruptions in sectors like energy, defense, and telecommunications, all while blending with hacktivist fronts to obscure attribution and maximize impact in response to the regime's vulnerabilities.

Figure 3. Awakened Cyber Islamic Resistance

Figure 4. Handala groups claimed to hack Israeli “i24” news site

In the wake of Operation Epic Fury and Operation Roaring Lion, the Iranian cyber response has undergone a violent metamorphosis, shifting from a posture of quiet, pre-positioned espionage to an aggressive, multi-front asymmetric offensive. This new doctrine is specifically designed to maximize civilian "friction" and economic volatility, turning digital infrastructure into a secondary battlefield where the lines between state actors and hacktivist fronts are intentionally blurred.

Leading this charge is the Handala group, which has emerged as Tehran’s digital vanguard. Handala specializes in "psychological warfare," recently executing a high-profile breach of Israel’s Clalit Health Services to leak thousands of sensitive medical records—a move calculated to incite public panic and strain civilian trust. To ensure their offensive remained operational during the domestic Internet blackouts following Allied strikes, Handala demonstrated a sophisticated technical pivot by routing their traffic through Starlink satellite ranges, effectively bypassing IRGC-controlled gateways and maintaining their "hack-and-leak" campaigns against Israeli infrastructure.


Simultaneously, the regime has mobilized its elite APT clusters to execute a "cost-inflation" strategy. Sophisticated actors such as MuddyWater and Charming Kitten have retooled their arsenals with generative AI, deploying specialized tools such as GhostFetch and RustyWater to automate the most labor-intensive parts of the kill chain: hyper-personalized phishing and rapid lateral movement. This AI-driven surge, which has triggered a 133% increase in targeted attacks on Israel and its allies, allows Tehran to probe for vulnerabilities in government, energy, and telecommunications sectors at an unprecedented scale.

Iran’s strategy aims to bypass conventional kinetic defenses, such as the Iron Dome or Aegis systems, by delivering the consequences of the conflict directly into the daily lives of Western and Israeli citizens. From OilRig’s stealthy persistence within the backends of US and Gulf financial networks to Elfin’s deployment of the Tickler wiper against aerospace and petrochemical facilities, the goal is to prove that even as its physical command structures face degradation, Iran’s digital reach remains a potent and destructive instrument of national power.

Figure 5. Iranian APT groups retaliation matrix

APT33 / Peach Sandstorm / Elfin / Refined Kitten


APT34 / OilRig / Hazel Sandstorm / Helix Kitten


 MuddyWater / Static Kitten / Mercury 


CyberAv3ngers (IRGC-affiliated)


 

Hacktivist Proxies and Aligned Groups

  • 313 Team (Shia hacking group, Iraq-based) – Claimed attacks on Truth Social and Saudi Games data theft
  • Kataib Hezbollah – Declared intent to attack American bases; likely cyber support operations
  • Fatimion Cyber Team, Cyber Fattah, Cyber Islamic Resistance – Coordinated DDoS, defacement, data theft operations synchronized with military developments
  • Handala, Laneh Dark – Active but not yet officially attributed to Iranian government
  • "Robert" (IRGC-backed) – Hack-and-leak group claiming 100GB+ of US government data; previously leaked Trump campaign emails

 

Victimology, Affected Countries and Industries by Iran's Cyberattack Operations

From mid-2025 through March 2026, Iran's cyber operations blended state-sponsored APTs (often linked to the IRGC or MOIS) with a surge in hacktivist activity, escalating sharply in retaliation to geopolitical events—including the June 2025 Iran-Israel conflict and the February 28, 2026 US-Israeli strikes on Iran (Operations Epic Fury and Roaring Lion).

These efforts emphasized asymmetric disruption, espionage, and propaganda via DDoS attacks, wiper malware, ransomware, phishing, and infrastructure intrusions, rather than full-scale destruction to limit escalation risks. Hacktivist involvement grew significantly (up to ~60 groups post-February 2026), often coordinated through proxies for deniability.

Victim selection focused on high-value targets in adversarial nations—primarily government entities, critical infrastructure operators, and strategically important private firms—chosen for symbolic, economic, or military impact. Attacks exploited vulnerabilities opportunistically or via long-term footholds (e.g., supply chains), blurring state and non-state lines while prioritizing disruption over irreversible damage.

 

Chronological Summary of Key Incidents

  • Pre-2025 into Early 2025 — Iranian APTs continued espionage and disruption, using malware (e.g., Shamoon), ransomware, botnet DDoS, and credential theft against Gulf energy firms and US infrastructure. Impacts: data destruction, extortion, and sovereignty violations.

  • May–June 2025 — Sharp rise in Iranian-linked attacks amid US-Israeli airstrikes and a 12-day Iran-Israel conflict with hundreds of cyberattacks (GPS spoofing, info ops). Surge targeted Israeli power grids, hospitals, and apps. Groups: APT33, APT34 (OilRig), MuddyWater. Impacts: infrastructure damage and elevated alerts.

  • July-Sep 2025 — Iranian responses to pro-Israeli hacks (e.g., on Bank Sepah) hit Kuwait and Jordan via regional server intrusions amid proxy losses.

  • Early 2026 (Jan–Feb) — AI-enhanced attacks on UAE government and finance (many foiled); long-term APT access in Middle East critical infrastructure via VPN exploits. Impacts: defense probing and risks to banking/administration.

  • Feb 27–28, 2026 — Retaliation to major Israeli cyber offensive (causing ~4% Iranian internet blackout); propaganda via hacked prayer app; over 150 hacktivist incidents launched via coordinated operations room.

  • Feb 28–Mar 1, 2026 — Post-strike surge: Handala Hack breached Israeli healthcare and Jordan fuel; DieNet DDoS on GCC airports/banks; Sylhet Gang hit Saudi ministries; phishing via fake Israeli RedAlert app. Impacts: widespread disruptions, data leaks, global supply-chain spillover.

  • March 2026 (Ongoing) — Anticipated rise in wipers, DDoS, and intrusions amid declining Iranian connectivity; potential spillover alerts (e.g., for Indian IT firms).

Figure 6. Timeline of key events

 

Affected Countries

Figure 7. A list of affected countries and the cyberattacks waged against them

 

Affected Sectors

Figure 8. A list of affected sectors and key examples of cyberattacks waged against them

 

Mitigations and Monitoring

  • Disconnect all OT/ICS systems from the public internet immediately. Air-gap where possible.

  • Audit all PLCs for unauthorized logic changes. Compare current ladder logic against known-good baselines.

  • Disable remote access to OT systems.

  • Implement network segmentation / micro-segmentation.

  • Enforce phishing-resistant MFA on all accounts, especially VPN, email, cloud admin, and remote access.

  • Patch immediately: Check Point Security Gateways (CVE-2024-24919), all VPN appliances, and all internet-facing services. Cross-reference CISA Known Exploited Vulnerabilities Catalog.

  • Deploy endpoint detection for known wiper indicators. Monitor for RawDisk driver (EldoS) loading, MBR access, mass file deletion patterns, and scheduled tasks set for off-hours/weekends.

  • Validate and test offline backups NOW. Ensure immutable, air-gapped backups exist for all critical systems. Test restoration procedures.

  • Audit Azure/cloud tenants for unauthorized applications, service principals, and consent grants. APT33 leverages Azure for C2 and uses AzureHound for enumeration.

  • Issue emergency phishing awareness alerts to all staff.

  • Establish out-of-band communications (satellite phone, encrypted messaging) in case primary communications infrastructure is disrupted.

  • Pre-stage incident response retainers and forensic resources. Expect surge demand across the sector.

  • Monitor for password spray patterns: high-volume login failures across multiple accounts from single or few source IPs.

  • Monitor for Cobalt Strike, Mimikatz, and credential dumping tool execution.

  • Track lateral movement via PSExec, WMI, WinRM, and RDP to critical systems.

 

Conclusion

Iran is operating under existential threat conditions following the killing of Supreme Leader Khamenei and the ongoing destruction of IRGC infrastructure. Former NATO Supreme Allied Commander Admiral Stavridis assessed that Iran is on "death ground" and may escalate to extreme measures, including sustained cyber campaigns against critical infrastructure.

Iranian cyber operations will likely intensify as kinetic options degrade. Cyber represents one of Iran’s most accessible asymmetric tools for retaliation against Gulf states that condemned its attacks and support US operations. The Strait of Hormuz closure signaling adds urgency – cyber disruption of energy infrastructure could amplify physical supply chain disruption.

Key indicators to watch: Iranian proxy group chatter increasing on Telegram and dark web forums; new wiper variant deployment against additional GCC targets; exploitation of satellite/communications disruptions to conduct operations under reduced visibility; potential collaboration between Iranian and Russian cyber actors given geopolitical alignment.

Appendix 1: MITRE ATT&CK Mapping – Iranian Energy Sector TTPs 



Appendix 2: IoCs

IOCONTROL MALWARE IOCs — CyberAv3ngers (IRGC-CEC)

File Indicators


 Network Indicators 


Host Artifacts



Detection Script — Run on all Linux-based OT/IoT devices:

# Check for IOCONTROL persistence
ls -la /usr/bin/iocontrol 2>/dev/null
ls -la /etc/rc3.d/S93InitSystemd.sh 2>/dev/null
ls -la /etc/rc3.d/S99iocontrol 2>/dev/null
ls -la /tmp/iocontrol/ 2>/dev/null
pidof iocontrol 2>/dev/null
env | grep -E '^(0_0|0_1|1|3|4)=' 2>/dev/null

# Check MQTT connections on port 8883
netstat -an | grep 8883
ss -tnp | grep 8883

UNITRONICS PLC TARGETING IOCs — CyberAv3ngers 



IMMEDIATE ACTIONS:
1) Shodan/Censys scan your own IP space for TCP 20256.
2) Change ALL Unitronics passwords from default.
3) Block TCP 20256 inbound at the perimeter.
4) Verify PLC logic against offline backups.
5) Check for renamed devices or rolled-back firmware.

IRANIAN BRUTE FORCE & CREDENTIAL ACCESS IOCs (CISA AA24-290A)

The following IOCs are from FBI investigations of Iranian actors targeting critical infrastructure since October 2023. These actors sell harvested credentials on cybercriminal forums. Many IPs are VPN exit nodes — use for HUNTING, not blanket blocking.

 Malicious File Hashes 



Network Indicators — VPN Exit Nodes (Hunt, Don’t Blanket Block)

Search logs for historical connections to these IPs. If found, correlate with TTPs described. These are primarily Private Internet Access VPN exit nodes used by Iranian operators between Oct 2023 – Feb 2024.


NOTE: Full list of 70+ IPs available in CISA AA24-290A PDF. The above are the highest-confidence, longest-active indicators. Iranian actors rotate IPs frequently — behavioral detection is more reliable than IP blocking alone.

MFA Device Registrations (Threat Actor Devices)


ACTION: Audit ALL MFA registrations in the last 90 days. Flag any Samsung devices matching these models registered from unexpected geolocations. Search for MFA registrations from Iranian IP ranges or unexpected VPN exit nodes.

APT33 / PEACH SANDSTORM MALWARE FAMILY IOCs

APT33 operates on behalf of the IRGC and has specifically targeted UAE energy/defense sectors. Their 2024-2025 campaigns used Azure infrastructure for C2 and password spraying at massive scale.



APT33 Behavioral IOCs

Search for these patterns in your Azure AD / Entra ID / M365 logs:

# Password spray detection (high-volume login failures)
# Look for: Multiple accounts failing auth from same IP in short window
# MFA push bombing: Repeated MFA prompts to single user in minutes
# MFA registration from new device + unusual geolocation
# SSPR (Self-Service Password Reset) on expired accounts via public ADFS
# New Azure subscription creation under compromised .edu accounts
# Azure tenant creation with Azure for Students subscriptions

# Credential dumping indicators:
Nltest /dclist
Nltest /domain_trusts
Nltest /domain_trusts/all_trusts
Net group "Enterprise admins" /domain
Net group "Domain admins" /domain
Cmdkey /list

# Kerberoasting: SPN enumeration + RC4 ticket requests
# Cobalt Strike beacon via msedge.exe outbound connections
# AnyDesk or other RMM tool installation (persistence)
# AD Explorer snapshot of Active Directory
# Lateral movement: RDP via PowerShell -> mstsc.exe

WIPER MALWARE DETECTION — Shamoon / Filerase / ZeroCleare / IOCONTROL

Shamoon/Disttrack Detection Indicators



YARA-STYLE DETECTION CONCEPTS:

# Shamoon/Disttrack indicators on disk:
# - File named "trksvr.exe" or variants in system32
# - Service named "TrkSvr" (Distributed Link Tracking Server - abused)
# - EldoS RawDisk driver: elrawdsk.sys, eldos.sys
# - Process writing to \\.\PHYSICALDRIVE0
# - Mass file modifications in short timeframe
# - JPEG header bytes (FF D8 FF) in non-image files
# - Scheduled task creation via at.exe or schtasks.exe
#   targeting off-business-hours execution
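Added example, not part of the original LevelBlue report: a Python triage sweep for two of the on-disk concepts listed above, JPEG header bytes (FF D8 FF) at the start of non-image files and many such files modified in a short timeframe. The function names, the sample tree and the 300-second window are assumptions made for illustration; a hit is a lead for an analyst to review, not a confirmed wiper detection.

```python
import os
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"
# Extensions that are expected to start with the JPEG magic (assumed list).
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".jpe", ".jfif"}


def find_jpeg_headed_non_images(root):
    """Return sorted (path, mtime) pairs for files under root that begin
    with FF D8 FF but do not carry a JPEG extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in IMAGE_EXTENSIONS:
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(JPEG_MAGIC))
                mtime = path.stat().st_mtime
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
            if head == JPEG_MAGIC:
                hits.append((str(path), mtime))
    return sorted(hits)


def largest_burst(hits, window_seconds=300):
    """Largest number of flagged files modified within any single window."""
    times = sorted(mtime for _path, mtime in hits)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def build_sample_tree(root):
    """Write a constructed sample tree so the sweep can be tried offline."""
    base = 1_700_000_000  # arbitrary constructed timestamp
    overwritten = JPEG_MAGIC + b"\xe0" + b"\x00" * 64
    samples = {
        "finance/q4.xlsx": (overwritten, base),
        "finance/plan.docx": (overwritten, base + 30),
        "hr/roster.pdf": (overwritten, base + 45),
        "hr/old.csv": (overwritten, base - 86400),   # same marker, a day earlier
        "photos/site.jpg": (overwritten, base),      # real image extension
        "notes/readme.txt": (b"plain text", base),   # untouched file
    }
    for rel, (data, mtime) in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = find_jpeg_headed_non_images(tmp)
        for path, _mtime in found:
            print("review:", path)
        print("largest 5-minute burst:", largest_burst(found))
```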

ACTIVE CAMPAIGN BEHAVIORAL DETECTIONS — 01 MARCH 2026

IMMEDIATE Detection Priorities



Telegram / Social Media IOCs

Monitor these channels for early warning of claimed attacks against your client or sector:



SPLUNK / SIEM HUNTING QUERIES

Ready-to-deploy search queries for immediate threat hunting:

Password Spray Detection (Azure AD / M365):

index=azure sourcetype=azure:aad:signin
| stats count by src_ip, user, result
| where result="failure" AND count > 3
| stats dc(user) as targeted_users, values(user) as users by src_ip
| where targeted_users > 5
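Added example, not part of the original LevelBlue report: a Python version of the password spray hunt above that makes the "short window" explicit with a sliding time window per source IP and also lists any successful sign-in from a flagged IP. The event tuples, IP addresses, account names and the 10-minute window are constructed assumptions; the more-than-5-accounts threshold mirrors the query.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(minute, ip, user, result="failure", hour=2):
    """Build one constructed sign-in event: (ISO time, src_ip, user, result)."""
    return (f"2026-03-01T{hour:02d}:{minute:02d}:00", ip, user, result)


USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]

# Constructed sample data (documentation IP ranges, made-up accounts).
SAMPLE_EVENTS = (
    # One IP fails against 7 accounts in 7 minutes, then one login succeeds.
    [_ev(m, "203.0.113.50", u) for m, u in enumerate(USERS + ["svc-backup"])]
    + [_ev(9, "203.0.113.50", "svc-backup", "success")]
    # One user mistyping a password: several failures, a single account.
    + [_ev(m, "198.51.100.7", "alice") for m in range(4)]
    # Six accounts failing from a shared egress IP, but one per hour.
    + [_ev(0, "192.0.2.10", u, hour=h) for h, u in enumerate(USERS, start=8)]
)


def detect_password_spray(events, window=timedelta(minutes=10), threshold=5):
    """Flag source IPs whose failed sign-ins hit more than `threshold`
    distinct accounts inside any `window`. For each flagged IP, return the
    targeted accounts and any account that signed in successfully from that
    IP after the spray began (candidates for immediate credential reset)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        recent = deque()  # failures that fall inside the current window
        targeted, first_seen = set(), None
        for when, user, result in rows:
            if result != "failure":
                continue
            recent.append((when, user))
            while when - recent[0][0] > window:
                recent.popleft()
            users_in_window = {u for _t, u in recent}
            if len(users_in_window) > threshold:
                targeted |= users_in_window
                first_seen = first_seen or recent[0][0]
        if targeted:
            successes = {u for when, u, r in rows
                         if r == "success" and when >= first_seen}
            findings[ip] = {
                "targeted_users": sorted(targeted),
                "successes_after_spray": sorted(successes),
            }
    return findings


if __name__ == "__main__":
    for ip, detail in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, detail)
```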

IOCONTROL MQTT C2 Detection:

index=firewall dest_port=8883
| where NOT cidrmatch("10.0.0.0/8", dest_ip)
| stats count by src_ip, dest_ip, dest_port
| sort -count

DNS Tunneling Detection:

index=dns query_type=TXT OR query_length>50
| eval subdomain_count=mvcount(split(query,"."))
| where subdomain_count > 4 OR len(query) > 60
| stats count by src_ip, query
| sort -count

Credential Dumping Detection:

index=windows EventCode=4688
| search (CommandLine="*ntds.dit*" OR CommandLine="*ntdsutil*"
    OR CommandLine="*Nltest*" OR CommandLine="*net group*domain*"
    OR CommandLine="*Cmdkey /list*" OR CommandLine="*DomainPasswordSpray*")

RMM Tool Installation (MuddyWater):

index=endpoint (process_name="ScreenConnect*" OR process_name="rutserv.exe"
    OR process_name="AnyDesk*" OR process_name="RemoteUtilities*")
| where NOT expected_rmm_tool=true

Wiper Precursor Detection:

index=endpoint (file_name="elrawdsk.sys" OR file_name="eldos.sys"
    OR process_name="trksvr.exe"
    OR CommandLine="*PhysicalDrive0*"
    OR (EventCode=4698 AND (TaskContent="*schtasks*" OR scheduled_hour>20)))

Iranian VPN Exit Node Hunting:

index=vpn OR index=proxy
| lookup iranian_ioc_ips.csv src_ip OUTPUT ioc_match
| where isnotnull(ioc_match)
| stats count by src_ip, user, action, app
