Following Israel’s launch of ‘Operation Rising Lion’ targeting Iranian military and nuclear sites, the cyber domain has rapidly emerged as a volatile second front. New analysis from Radware reveals a sharp escalation in cyber activity by Iranian state-sponsored actors and affiliated hacktivist groups. These campaigns are expected to prioritize espionage, distributed denial-of-service (DDoS) attacks, ransomware, and destructive wiper malware, with a strong focus on disrupting critical infrastructure, including industrial control systems, utilities, and healthcare networks. Intelligence also points to a parallel push in influence operations, with AI-driven botnets and coordinated disinformation campaigns intended to undermine public confidence and amplify geopolitical tensions.

“Iran is currently more likely than ever to retaliate through cyberattacks due to its significantly reduced ability to respond through conventional military means,” Radware identified in a cyberthreat alert issued on Friday. “Recent Israeli operations have severely degraded Iran’s military infrastructure and leadership. The targeted strike allegedly eliminated around 20 senior commanders, including key figures from the Iranian Air Force and nuclear program.” 

It added that the attacks, involving precision airstrikes and Mossad-led sabotage operations, have destroyed missile bases, fuel depots, and strategic assets critical to Iran’s defense capabilities. “As a result, while Iran may be motivated to respond, it lacks the functional military capacity to do so immediately and effectively, making cyber operations a more accessible and viable alternative.”

The alert highlighted that Iranian state-sponsored cyber actors, most notably APT34 (OilRig) and APT39 (Remix Kitten), continue to engage in targeted cyber operations aimed at espionage, infrastructure disruption, and surveillance. Their activities have historically extended across the Middle East and beyond, with a clear focus on regional adversaries.

Recent intelligence suggests that Iranian cyber activity is likely to intensify, with operational priorities expected to include compromising Israeli government and defense networks. Threat actors are also likely to focus on stealing sensitive state and military information. Tactics may include phishing, social engineering, and the exploitation of zero-day vulnerabilities. These intrusions are often masked through legitimate-looking communications or facilitated via compromised third-party vendors and service providers.

Radware added that in line with previous escalatory patterns, Iran may also engage in disruptive attacks intended to degrade or interrupt essential services. “These could include denial-of-service (DoS) campaigns, ransomware deployments, or the use of destructive wiper malware. Furthermore, Iranian cyber operations are likely to be complemented by coordinated information warfare. Drawing from earlier campaigns, Iran is expected to activate AI-driven botnets and inauthentic social media personas to disseminate disinformation, erode public trust in Israeli leadership, and amplify divisive or destabilizing narratives,” it added.

The alert noted that shortly after news of the military operation became public, there was an observed increase in activity by threat actors aligned with Iran on their public and private Telegram channels. The Cyber Bulletin channel received a message from an actor going by the name #OpIsrael about attacks targeting the Israeli public address system (Tzofar) which notifies civilians of potential missile attacks. 

“Mysterious Team Bangladesh has issued a warning to neighboring countries Jordan and Saudi Arabia, stating that if they support Israel, they risk facing cyberattacks targeting their national infrastructure,” the alert added. “Arabian Ghost, on the other hand, claimed they shut down Israeli radio stations. Several other groups made threats and claims towards Israeli organizations and one group claimed they took down the website of the Israeli Mossad.”

Cyber hostilities between Israel and Iran trace back to 2010 with the discovery of Stuxnet, the first known cyber weapon designed to cause physical destruction. Stuxnet targeted Siemens PLCs (programmable logic controllers) used in Iran’s uranium-enrichment centrifuges, altering their speeds and causing failures that set back Iran’s nuclear program significantly. In response, Iran ramped up its cyber capabilities and began a wave of retaliatory operations. Over the next decade, Iranian-linked threat actors increasingly focused on Western and Gulf infrastructure. 

Since 2020, Iranian cyber campaigns have increasingly focused on Israel. Groups such as APT35 (Charming Kitten), MuddyWater, and CyberAv3ngers have targeted Israeli critical infrastructure, including water utilities, healthcare systems, and industrial control environments. These campaigns have also involved breaches of surveillance platforms and reconnaissance efforts against public transit networks.

Although Israel has not officially claimed responsibility for offensive cyber operations, a series of high-impact incidents, such as disruptions to Iran’s fuel distribution network, railway systems, and industrial facilities, have been widely attributed to Israeli state-linked actors by foreign intelligence agencies and cybersecurity researchers.

Radware urged Israeli organizations to take a series of preventive actions in light of the heightened threat environment. Organizations should enhance monitoring across all networks and endpoints, watching closely for indicators of compromise linked to known Iranian APT groups. All internet-facing systems must be fully patched, and multi-factor authentication should be enforced across all services. 

The Radware alert also called upon employees to stay alert to potential phishing attempts. Incident response teams need to be on high alert, with updated playbooks that include scenarios involving nation-state-level threats. Finally, organizations should prepare counter-disinformation strategies and coordinate with trusted media outlets to minimize the impact of fake news before it causes reputational harm.