New Research Shows Iran's Expansive Cyber Offensive During '12-Day War' with Israel

In the wake of the recent 12-day war between Iran and Israel, a new threat intelligence report has shed light on the extensive cyber offensive launched by Iranian state-backed hackers and proxy groups. The analysis, conducted by SecurityScorecard's STRIKE threat intelligence team, reveals that Tehran's cyber warfare efforts were aimed at intimidating civilians, undermining Israeli morale, and amplifying Iran's wartime narrative.

According to the report, one of the most active players in the Iranian cyber offensive was Imperial Kitten, a group widely tied to the Islamic Revolutionary Guard Corps. This unit created conflict-themed phishing domains, such as nowsupportisrael[.]com and supportisraelfunding[.]com, designed to lure pro-Israel visitors and harvest their data using advanced remote access malware.

Activist collectives like Cyber Fattah also amplified the cyber efforts, claiming responsibility for a series of data dumps targeting Israeli news outlets, including Channel 13 News. Their defacement attacks often featured fiery propaganda, including Hebrew-language threats to "erase Israel from the map." Defacements have been a common operating feature of Iranian-aligned hacking groups.

Other Iranian-aligned hacking units, such as SEPAHCYBERY and AGLegends, were also highly active during the conflict. SEPAHCYBERY launched a barrage of online threats and exaggerated claims about their ability to strike Western targets, making roughly 9,000 posts between June 13 and 27. Meanwhile, AGLegends claimed to have intercepted communications of the B-2 bombers used in the "Midnight Hammer" attack on Iran's nuclear facilities.

The report notes that Iranian-aligned hacking units sometimes combine recycled data leaks and theatrics to manufacture panic about hacks that never happened. However, it also highlights the sophistication and precision with which these groups conducted their operations, often blending volunteer activism with state tasking in a way that blurred the line between the two.

"Cyber-operations are no longer secondary but fundamental to geopolitical disputes," the report concludes. "State-sponsored actors and aligned proxies exploit cyberspace for diverse strategic goals, including intelligence gathering, propaganda, and direct attacks on critical infrastructure and public entities."

The Anatomy of an Iranian Cyber Offensive

In the 12-day war between Iran and Israel, three distinct layers of Iranian-linked actors were involved in the cyber offensive. At the ground level, loosely organized hacktivists carried out symbolic website defacements and claimed to have leaked data under the guise of pro-Palestinian narratives.

Above them, proxies aligned with the Islamic Revolutionary Guard Corps combined ideological motives with precise targeting, often conducting joint hacking operations alongside Lebanese or Afghan cyber brigades. And at the top, direct state-sponsored units deployed phishing and custom malware with precision timing to track and exploit victims.

The Role of Telegram in the Iranian Cyber Offensive

Telegram served as a central hub for recruitment, propaganda, and orchestration of cyberattacks during the conflict. SecurityScorecard's analysis covered 250,000 messages exchanged by 178 Iranian proxy and hacktivist groups.

The Implications for Future Conflicts

The report highlights the growing importance of cyber warfare in geopolitical disputes, with state-sponsored actors exploiting cyberspace for diverse strategic goals. The findings also underscore the need for increased vigilance and cooperation among nations to counter these threats.