Iran Flexes Its Cyber Chops
As Iran escalates its retaliatory attacks against the United States and Israel with missiles and drones, heading into a fifth week of war, its cyber warriors are beginning to do the same.
One prominent hacking group secured a particularly attention-grabbing moment on Friday, compromising an old personal email address belonging to FBI Director Kash Patel and publishing many of its contents online, including an old resume and pictures of him smoking cigars and posing in a mirror with a bottle of rum.
An FBI spokesperson acknowledged that Patel’s email had been targeted. “The information in question is historical in nature and involves no government information,” the spokesperson told Foreign Policy, adding that the agency had offered a reward of up to $10 million for information on the group, known as Handala Hack Team, which is linked to Iran’s Ministry of Intelligence and Security.
The breach of Patel’s email was the latest salvo in a tit-for-tat exchange over the past week that saw the U.S. Justice Department seize four websites belonging to Handala on March 19—a week after Handala took credit for a massive cyberattack on U.S. medical equipment manufacturer Stryker. The company was still working to fully restore systems as of Tuesday.
“We are working closely with our global manufacturing sites as operations steadily improve towards full capacity,” a Stryker spokesperson said in an emailed statement. “Manufacturing capability is quickly ramping with most of our sites and critical lines restored.”
Handala, which also recently said it leaked the personal information of several Lockheed Martin engineers based in Israel, is one of several hacking groups linked to the Iranian regime that have targeted U.S. officials and companies over the past week. Another group, known as APT Iran, claimed to have stolen 375 terabytes worth of data from the U.S. defense contractor, according to the threat intelligence firm Flashpoint. Those breaches have not officially been confirmed, and the company told Foreign Policy that “there is no evidence indicating an impact to Lockheed Martin systems, operations or data at this time.”
But for Iranian hacking groups, the obfuscation is often the point, said Cynthia Kaiser, who served as a deputy assistant director of the FBI’s cyber division until May 2025.
“You’ve seen Handala do this a lot … it’s a mixture of lies and real attacks, making it hard to parse out what’s exactly happening,” said Kaiser, who is now the senior vice president of ransomware research at the cybersecurity firm Halcyon. “But if the ultimate aim is showing you can retaliate—either for an internal Iranian audience or for those whose activity you’re trying to dissuade—going public is important,” she added, describing such operations as “kind of cyber-enabled PR campaigns.”
Handala and other groups have also repeatedly targeted Israel, with the Israeli National Cyber Directorate saying that Iran-linked hackers had erased data from at least 60 Israeli companies through so-called “wiper” attacks.
“The borders between nation-state and cyber criminals are blurred very clearly in the case of Iranian actors,” said David Carmiel, the CEO of the Israeli cybersecurity firm Kela. Kela and Halcyon found evidence on the dark web of the Iran-linked ransomware group Pay2Key offering 80 percent of profits to hackers targeting “enemies” of Iran (an uptick from its previous 70 percent cut), which it described as “[s]pecial advantageous conditions for Iran’s friends.”
Carmiel said that unlike the ransomware groups typically linked to Russia—whose disruptions are largely focused on making money by seizing access to systems and then restoring them in exchange for multimillion-dollar payouts—Iranian ransomware groups are focused on damage. “It’s less about helping you recover and more about getting some financial gain and doing damage in a destructive manner to your infrastructure.”
Iranian cyber retaliation was relatively muted in the early days of the conflict, when U.S. and Israeli forces used both offensive cyber operations and kinetic airstrikes to kill senior leaders of the Iranian regime and take out a cyber command center.
“But anyone with a laptop could find a way to reengage; it’s not like there’s something magic about the building,” said Mieke Eoyang, who served as the U.S. deputy assistant secretary of defense for cyber policy until April 2025 and is now a visiting professor at Carnegie Mellon University’s Institute for Strategy and Technology. “A lot of the infrastructure malicious actors operate off is virtual anyway, so I would expect that we would see those types of operations coming over time,” she added. “They don’t necessarily need to have that kind of tight command and control structure to deliver significant disruption.”
None of what cyber experts have seen so far from Iranian groups is really out of the ordinary—Iran has a long history of going after Washington and its allies in cyberspace, including compromising critical U.S. infrastructure such as water treatment plants.
Those attacks could still happen as Iran hunkers down in the war and finds its cyber footing. “This is the Iranian playbook,” Kaiser said. “They see cyber as a means to retaliate—it’s a little less escalatory than a physical or kinetic type attack, but it allows them to say they’ve retaliated.”
It also means that even in the unlikely event of a negotiated end to the war, the cyber threat from Iran won’t necessarily dissipate.
“Even if there is some sort of a cease-fire, cyber will keep going because it’s under the radar in many cases,” Carmiel said. “The target universe for Iranian groups just became bigger.”
Rishi Iyengar is a staff writer at Foreign Policy. Bluesky: @iyengarish.bsky.social X: @Iyengarish Instagram: @iyengar.rishi