New research shows Iran’s expansive cyber offensive during ‘12-Day War’ with Israel

Within hours of June’s 12-day war between Iran and Israel erupting, Iranian state-backed hackers and proxy groups launched phishing campaigns, defaced websites and claimed to have leaked troves of stolen data tied to the conflict, according to new threat intelligence released Tuesday.

Telegram also served as a central hub for recruitment, propaganda and orchestration of cyberattacks, according to some 250,000 messages exchanged by 178 Iranian proxy and hacktivist groups throughout the war that were analyzed by SecurityScorecard’s STRIKE threat intelligence team.

The analysis, one of the first comprehensive overviews of the cyberwarfare aspects of the nearly two-week-long conflict, found that Iranian operations were launched in an effort to intimidate civilians, undermine Israeli morale and amplify Iran’s wartime narrative.

The conflict began when Israel launched preemptive strikes against various nuclear targets across Iran in the early hours of June 13, coupled with a covert sabotage operation that kneecapped Iranian ordnance launchers.

The responding cyber campaigns involved three distinct layers of Iranian-linked actors. At the ground level, loosely organized hacktivists waged symbolic website defacements and claimed to have leaked data under the guise of pro-Palestinian narratives. Above them, proxies aligned with the Islamic Revolutionary Guard Corps combined ideological motives with precise targeting, and frequently conducted joint hacking operations alongside Lebanese or Afghan cyber brigades.

And at the top, direct state-sponsored units deployed phishing and custom malware with precision timing to track and exploit victims. Altogether, these units created a multi-pronged threat environment that blurred the line between volunteer activism and state tasking, though it’s not clear if Iran’s central government was responsible for overseeing all layers of the hacking efforts.

Iran’s permanent mission to the United Nations did not immediately respond to a request for comment about the findings.

One of the most active players was Imperial Kitten, a group widely tied to the Islamic Revolutionary Guard Corps. The unit stood up conflict-themed phishing domains, such as nowsupportisrael[.]com and supportisraelfunding[.]com — deliberately named to imply Israeli backing. Once those domains were created, Iran’s cyber warriors deployed advanced remote access malware onto the websites to harvest data from pro-Israel visitors.
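The two domains above are published in defanged form (`[.]` instead of `.`), which is a reporting convention, not the spelling that will appear in a resolver or proxy log. The following is an added example, not code from the article or from SecurityScorecard, showing how a defender would refang such indicators and sweep DNS query logs for them. The only real values in it are the two domains named in the article; the log format and every log entry are constructed for illustration, and the IP addresses and timestamps are made up.

```python
from __future__ import annotations

# Defanged domains exactly as they appear in the report excerpt above.
REPORTED_DEFANGED = [
    "nowsupportisrael[.]com",
    "supportisraelfunding[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs.

    Handles the common conventions ("[.]", "(.)", "[dot]", "hxxp://"), lower-cases
    the result and strips a trailing dot, which resolvers often log on FQDNs.
    """
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        s = s.replace(token, ".")
    if s.startswith("hxxp"):  # hxxp:// and hxxps:// -> http:// and https://
        s = "http" + s[4:]
    return s.rstrip(".")


def domain_matches(query: str, watch: set[str]) -> str | None:
    """Return the watched domain that `query` equals or is a subdomain of, else None.

    The check is done on label boundaries (exact match or ".<domain>" suffix), not by
    substring: "supportisraelfunding.com.evil-lookalike.test" must NOT match, while
    "cdn.supportisraelfunding.com" must.
    """
    q = refang(query)  # normalises a raw query the same way (case, trailing dot)
    for d in watch:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed sample resolver log (hypothetical format: "<timestamp> <client-ip> <qname> <qtype>").
SAMPLE_DNS_LOG = """\
2025-06-14T08:01:12Z 10.20.3.41 mail.example.org A
2025-06-14T08:01:15Z 10.20.3.41 nowsupportisrael.com. A
2025-06-14T08:02:03Z 10.20.7.9 cdn.supportisraelfunding.com AAAA
2025-06-14T08:02:44Z 10.20.3.41 supportisraelfunding.com.evil-lookalike.test A
2025-06-14T08:03:10Z 10.20.9.2 NOWSUPPORTISRAEL.COM A
"""


def scan_dns_log(log_text: str, defanged_indicators: list[str]) -> list[dict]:
    """Refang the indicator list once, then report every log line whose query name hits it."""
    watch = {refang(i) for i in defanged_indicators}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or blank lines rather than crashing the sweep
        ts, client, qname, qtype = parts[:4]
        matched = domain_matches(qname, watch)
        if matched:
            hits.append({"time": ts, "client": client, "qname": qname, "qtype": qtype, "indicator": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, REPORTED_DEFANGED):
        print(hit)
```

Run against the constructed log, the sweep flags three queries (the trailing-dot FQDN, the `cdn.` subdomain and the upper-cased lookup) and correctly ignores the fourth line, where the indicator appears only as a leading label of an unrelated domain; a naive substring match would have produced a false positive there.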

Activist collectives also amplified the cyber efforts. Palestinian-linked cells like Cyber Fattah claimed responsibility for a series of data dumps, including the targeting of Channel 13 News, a TV news service in Israel. Their defacement attacks often featured fiery propaganda, including Hebrew-language defacements threatening to “erase Israel from the map.”

Defacements have been a common operating feature of Iranian-aligned hacking groups. In late 2023, CyberAv3ngers made waves for defacing numerous U.S. water system displays.

Another group, the Cyber Islamic Resistance, claimed to have hacked Israel’s Hadassah Ein Kerem Hospital, according to SecurityScorecard. It’s not clear if an intrusion actually occurred. Iranian-aligned hacking units sometimes combine recycled data leaks and theatrics to manufacture panic about hacks that never happened.

Various other cyber actors were also highly active. SEPAHCYBERY, a psychological warfare group linked to the Islamic Revolutionary Guard Corps, launched a barrage of online threats and exaggerated claims about their ability to strike Western targets. Between June 13 and 27, they made roughly 9,000 posts, seemingly aimed at boosting their own attacks and promoting the Islamic Revolutionary Guard Corps’ cyber capabilities, the report says.

Another group, AGLegends — an Iranian hacktivist collective — claimed to have intercepted communications of the B-2 bombers the U.S. used in the June 22 “Midnight Hammer” attack on Iran’s nuclear facilities.

“It is not absolutely certain that they had advance knowledge, but they explicitly discussed B-2 refueling communications, which could suggest they were, by whatever means, expecting this development,” the report says.

The Pentagon did not return a request for comment.

“Cyber-operations are no longer secondary but fundamental to geopolitical disputes,” the report later adds. “State-sponsored actors and aligned proxies exploit cyberspace for diverse strategic goals, including intelligence gathering, propaganda, and direct attacks on critical infrastructure and public entities.”