The U.S. Department of Homeland Security (DHS) has issued a warning: Iran may be planning low-level cyberattacks as a form of retaliation for the attacks on its nuclear facilities over the past weekend.
Although there is currently no direct threat against the United States, the statement notes the possibility of related incidents such as cyberattacks, violent acts, or even hate crimes with antisemitic motivations, according to Homeland Security Secretary Kristi Noem.
Meanwhile, the Office of the Director of National Intelligence (DNI) had already classified Iran as a serious digital threat. In a report published in March, it warned that Iranian cyber operations pose a significant risk to the security of networks and data in the United States.
According to the DHS, Iranian government-backed groups and some hacktivists have long been targeting poorly protected networks in the U.S., as well as internet-connected devices, aiming to launch cyberattacks that cause disruptions and damage.
Since 2019, the United States has designated the Islamic Revolutionary Guard Corps (IRGC) as a foreign terrorist organization, which reinforces concerns about its direct involvement in these activities.
These hackers have been accused of targeting key sectors such as transportation, healthcare, and public services, according to the Cybersecurity and Infrastructure Security Agency (CISA). Among the most serious cases, they have been accused of hacking a children's hospital in the U.S., a dam in New York, and exploiting vulnerabilities in water supply systems in Pennsylvania and other parts of the country.
In short: they are not only behind digital attacks, but they are targeting services that directly affect the lives of ordinary people—making these threats all the more concerning.
The FBI has pointed out that Iran-backed hackers were behind a series of 46 large-scale DDoS (denial-of-service) cyberattacks against banks such as American Express and Wells Fargo back in 2012. These attacks overwhelmed servers and left thousands of customers without access to their accounts for hours.
With current tensions, several organizations are already taking precautions. Among them are the Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC) and its tech sector counterpart, the IT-ISAC. Both recently warned companies to prepare for a potential increase in cyberattacks originating from Iran.
And it's not just about large-scale attacks. According to the Cybersecurity and Infrastructure Security Agency (CISA), Iranian government-linked groups are using more direct methods like “password spraying” (trying many common passwords at once) or “push bombing,” which involves bombarding users with login notifications in an attempt to trick them into granting unauthorized access. These methods have been used to infiltrate platforms such as Microsoft 365, Azure, and Citrix.
Another concern is that the data stolen in these cyberattacks doesn’t stay hidden on some secret server—in many cases, it ends up on cybercriminal forums, where it’s sold to the highest bidder. According to CISA, this information can fall into the hands of other malicious actors who may use it to commit further fraud or launch new attacks.
There have also been leaks of emails belonging to U.S. government officials. The DNI threat report reveals that Iranian hackers infiltrated the account of a member of Donald Trump’s 2024 campaign team and used it to launch a spear-phishing email (a highly targeted attack) against other team members.
But it didn’t stop there. According to the report, the hackers also attempted to manipulate journalists into publishing information obtained from the hack. And they have a history: in 2020, they stole data from U.S. aerospace and satellite companies, and in 2018 they targeted several universities.
In addition to state-backed groups, dozens of new hacktivist groups (digital activists who use cyberattacks to apply political pressure) have emerged, especially following Iran's retaliatory actions against Israel on June 13.
A cybersecurity company called Radware has identified over 100 new activist groups in just the past week. Some of them have openly threatened to launch attacks against the U.S. One such group, called Hamza, has allied with DieNet and other similar collectives with the aim of targeting U.S. interests following America's entry into the conflict.
According to messages posted on Telegram, Hamza claims to have attacked various branches of the U.S. Air Force, including its training platform, operational capabilities, and even its cloud computing infrastructure.
They also claim to have attacked defense sector companies such as RTX, Sierra Nevada Corporation, and Aurora Flight Sciences, a subsidiary of Boeing. While these claims are still being verified by independent outlets like Euronews Next, the pattern of threats and attacks has clearly been growing in both intensity and coordination.
Meanwhile, DieNet also announced plans to resume large-scale attacks, data leaks, and ransomware campaigns targeting key U.S. infrastructure.
According to cybersecurity firm Radware, DieNet is a relatively new group, having emerged in 2025, but it has already made significant waves. Between March 11 and 17, the group claimed responsibility for 61 attacks against 19 U.S. organizations, including one particularly severe incident in which they allegedly stole a large amount of data from the International Trade Administration and the U.S. Department of Commerce.
Radware was clear in its March report: DieNet’s campaigns are entirely political. The group doesn’t hide its motives—directly blaming Donald Trump and framing its attacks as a form of digital revenge for U.S. military interventions in the Middle East.
And while DieNet is new, Iran already has a well-established history of state-sponsored cyber groups. Radware’s report mentions several well-known names in the cybersecurity world, such as Muddy Water, APT35 (also known as OilRig or Charming Kitten), and APT39 (Remix Kitten), all of which have prior records of attacking Israel and other targets.
Israel’s attacks on Iran are not only having consequences on the ground—they’ve also opened a new front online. All signs point to Iran and its allies responding in the digital realm, with a wide range of possible tactics: from phishing emails and ransomware to disinformation campaigns and more direct sabotage. The first notable signs of cyber activity include the following:
Team Insane Pakistan is a hacktivist group that has been quite active in the digital world. Over the past few years, they have expressed support for causes such as Palestine, Pakistan, and now Iran, aligning themselves with each during their respective real-world conflicts.
Telegram Post by Team Insane Pakistan
The Russian hacker group DieNet, while not clearly linked to the government, seeks to align itself with alliances that are openly anti-Western and anti-Israeli.
DieNet Telegram Post
In a Telegram post shared by LulzSec Black, a message in Arabic allegedly from Hamas appears. In it, the group expresses its support for Iran following the recent Israeli attacks and the deaths of several key Iranian commanders and nuclear scientists.
LulzSec Black Telegram Post
In conflicts like this, which shift from day to day, digital warfare often goes hand-in-hand with (or even precedes) ground warfare. And while many of the attacks or statements from APT groups or hacktivists may sound exaggerated or even theatrical, their real-world impact cannot be underestimated. They influence public opinion, test the security of governments and companies, and add even more tension to an already fragile situation.
The conflict between Israel and Iran is no exception. From the outset, the most sophisticated cyber groups (the so-called APTs) have been operating aggressively, and hacktivist campaigns have begun spreading across the web. The digital dimension of this crisis can escalate quickly, and being prepared requires more than just technology—it calls for context, analysis, and strategic vision.