
A ceasefire announced between Iran and the United States and Israel is unlikely to deter hackers backing Tehran from carrying out retaliatory cyberattacks, cybersecurity experts said, warning that targets in the U.S. and Israel should prepare for continued activity. The warning echoed a message from a pro-Iranian hacking group that said it would pause attacks on America only temporarily while keeping its focus on Israel. The prospect that digital operations could remain closely tied to the broader conflict has raised concerns that even a lull in fighting may not bring a corresponding lull in cyber risk.

In a statement after the ceasefire announcement, a leading hacking group known as Handala said the group was temporarily postponing attacks on the United States. At the same time, the group said it would continue targeting Israel, asserting in its messaging that the cyber campaign would outlast any military pause. In the same vein, the group warned that the ceasefire would not bring an end to cyber warfare, according to the group’s social media post.

Handala is described as a pro-Palestinian, pro-Iranian network that operates independently of Tehran. The group has previously claimed credit for disrupting the operations of the U.S. medical manufacturer Stryker and for hacking into FBI Director Kash Patel’s personal email account, according to the report. The group has also been linked to other intrusions and disruptions, and its statements suggest it sees cyberattacks as part of the broader military contest rather than something that can be paused cleanly.

In one post attributed to Handala, the group wrote: “We did not begin this war, but we will be the ones to finish it,” and added that “The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.” The group’s language underscored its view that conventional diplomacy does not necessarily translate into reduced cyber operations.

The concerns were reinforced by a separate warning from U.S. authorities on Tuesday. The FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency jointly issued an advisory describing how hackers supporting Iran have burrowed into internet-connected computers used to automate and control technology across multiple industrial sectors. The advisory said those systems, known as programmable logic controllers, are used in ports, power plants and water plants—areas that would likely be attractive to foreign hackers seeking to disrupt everyday life.

Officials urged organizations that use the technology to ensure their security precautions were up to date. The report said CISA did not immediately respond to questions about what impact the ceasefire would have on cybersecurity. Experts who reviewed the warning said it should be taken seriously even though the sides have announced a temporary truce.

Markus Mueller, a cybersecurity executive at Nozomi Networks, said he expected an increase in cyberattacks on American organizations after the ceasefire rather than a decrease. Mueller said that during any lull in hostilities, hackers could shift away from regional targets directly involved in the conflict and instead try to infiltrate U.S. organizations that participated in the war effort in some way, including data centers, technology companies and defense contractors. He also predicted that some groups based in Iran or Russia may attempt to circumvent the truce by carrying out a high-profile attack intended to attract public attention.

Mueller said such groups are likely to expand cyber activity “both in scale and scope,” including through a prominent attack similar to what was seen with Stryker. The report said attacks attributed to pro-Iranian hackers have so far been high in volume but low in impact, described as designed to boost morale among Iran’s supporters while reminding opponents of continued vulnerabilities.

Handala’s statements came after the group claimed responsibility last month for hacking Stryker, a major medical equipment supply company based in Michigan. In its account, the group described the hack as retaliation for strikes that it said killed Iranian schoolchildren. The FBI responded by seizing four internet web addresses used by the group to spread its messaging, and Handala later leaked old photos of Patel after claiming it had hacked into the director’s personal email account.

Beyond Handala, the report described other pro-Iranian hacking activity, including efforts to install malware on phones of Israelis, penetrate cameras in Middle Eastern countries to improve Iran’s missile targeting, and target data centers and industrial facilities in Israel, Saudi Arabia and Kuwait. Taken together with the group’s ceasefire message and the U.S. government advisory, the reporting suggested that cyber operations are being treated as a persistent, strategic pressure point in the conflict, even as officials pursue limited diplomatic pauses.
