PROBABLYPWNED
Threat Intelligence · March 4, 2026 · 4 min read

Iran's Electronic Operations Room Coordinates 60 Hacktivist Groups

Unit 42 threat brief details Iran's cyber response to Operation Epic Fury, with 60+ hacktivist groups claiming 150+ incidents in 72 hours despite severe connectivity loss.

Alex Kowalski

Iran established a centralized coordination mechanism called the "Electronic Operations Room" on February 28, 2026, bringing together more than 60 hacktivist groups to synchronize cyber operations against Israeli, Western, and regional targets, according to a new Unit 42 threat brief.

The coordinated cyber response followed Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel), a joint military offensive launched the same day. Despite Iran's available internet connectivity dropping to just 1-4%, hacktivist collectives claimed over 150 incidents within the first 72 hours.

Key Threat Groups in the Collective

Unit 42's analysis identifies several prominent actors operating under the Electronic Operations Room umbrella:

Handala Hack stands out as the most prominent Iranian persona. Linked to Iran's Ministry of Intelligence and Security (MOIS), the group blends data exfiltration with targeted cyber operations against the Israeli political and defense establishment. Recent claims include compromising an Israeli energy exploration company and Jordan's fuel systems.

FAD Team (Fatimiyoun Cyber Team) focuses on destructive operations, deploying wiper malware designed for permanent data destruction. The group has claimed unauthorized access to SCADA/PLC systems in Israel and neighboring countries—a concerning escalation if verified.

Cyber Islamic Resistance operates as an umbrella collective coordinating teams including RipperSec and Cyb3rDrag0nzz. Their techniques include DDoS attacks, data-wiping, and website defacement, with claimed targets including Israeli drone defense systems and payment infrastructure.

Dark Storm Team specializes in large-scale DDoS and ransomware operations, targeting Israeli banks and public-facing websites throughout the conflict.

Attack Techniques Observed

Unit 42 documented several attack vectors deployed by Iranian-aligned groups:

  • Phishing campaigns using malicious Android APKs, including a fake "RedAlert" app mimicking Israel's legitimate rocket alert system
  • DDoS attacks against government, financial, aviation, telecom, and critical infrastructure targets
  • Website defacement operations for propaganda purposes
  • Data exfiltration from government and enterprise networks
  • Credential harvesting targeting banking infrastructure
  • Wiper malware for permanent data destruction
  • Vishing scams impersonating UAE Ministry of Interior officials

The phishing APK campaigns are notable—attackers distribute malicious replicas of the RedAlert emergency app to deliver mobile surveillance and data exfiltration malware to victims seeking legitimate security tools. This echoes similar techniques seen in the MetaMask phishing campaign that used fake incident reports to steal credentials.

Regional Targets Under Attack

Hacktivist claims extend well beyond Israel:

  • Jordan: Fuel systems and critical infrastructure
  • Kuwait: Armed Forces, Ministry of Defense
  • Saudi Arabia: Airport systems, government ministries
  • Bahrain: Airport infrastructure
  • UAE: Banking systems, government services

The 313 Team (Islamic Cyber Resistance in Iraq) and DieNet have been particularly active in targeting Gulf state infrastructure, suggesting coordination across multiple theaters.

Operational Constraints

Ironically, the kinetic operations that triggered this cyber response may be limiting its effectiveness. Beginning February 28, Iran's internet connectivity collapsed to between 1% and 4% of normal capacity.

Unit 42 assesses that this "significant degradation of Iranian leadership and command structures will likely hinder the ability of state-aligned threat actors to coordinate and execute sophisticated cyberattacks in the near-term." The result: Iranian state-sponsored actors may be operating in "operational isolation," potentially granting tactical autonomy to external cells.

This is an unusual situation: nation-state cyber operations typically rely on centralized coordination, yet Iranian actors may now be executing independently against pre-planned objectives.

Pro-Russian Groups Join the Fray

The conflict has drawn participation from approximately 60 hacktivist groups, including pro-Russian collectives. This convergence of Iranian and Russian-aligned hacktivists reflects the broader geopolitical alignments between Moscow and Tehran.

We've previously covered how state-aligned hacktivist personas can serve as proxies for nation-state objectives while maintaining plausible deniability.

Indicators of Compromise

Unit 42 published several IOCs associated with the malicious RedAlert APK campaign:

  • hxxps[:]www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk
  • hxxps[:]//api[.]ra-backup[.]com/analytics/submit.php
  • hxxps[:]//bit[.]ly/4tWJhQh

Organizations in the Middle East should block these indicators and monitor for related infrastructure.
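As an added example (not code from the article or from Unit 42), the script below refangs the three published indicators, derives a host blocklist from them, and scans a constructed proxy log for hits. It assumes a simple space-separated log format and treats bit.ly as a shared host, where only the exact short URL should be blocked rather than the whole service.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as published in the Unit 42 brief.
REDALERT_IOCS = [
    "hxxps[:]www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk",
    "hxxps[:]//api[.]ra-backup[.]com/analytics/submit.php",
    "hxxps[:]//bit[.]ly/4tWJhQh",
]

# Hosts shared with legitimate traffic: block the exact URL, never the host.
SHARED_HOSTS = {"bit.ly"}

# Constructed sample log: '<timestamp> <src_ip> <method> <url> <status>'.
SAMPLE_LOG = [
    "2026-03-02T10:14:05Z 10.0.5.23 GET https://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk 200",
    "2026-03-02T10:14:09Z 10.0.5.23 POST https://api.ra-backup.com/analytics/submit.php 200",
    "2026-03-02T10:14:40Z 10.0.5.23 GET https://api.ra-backup.com/analytics/other.php 404",
    "2026-03-02T10:15:30Z 10.0.5.41 GET https://bit.ly/4tWJhQh 301",
    "2026-03-02T10:16:02Z 10.0.5.41 GET https://bit.ly/some-other-link 301",
    "2026-03-02T10:17:11Z 10.0.5.52 GET https://www.example.com/ 200",
]

def refang(ioc: str) -> str:
    """hxxp -> http, [:] -> :, [.] -> . ; also repairs 'https:host' (missing //),
    which is how the first indicator above was published."""
    url = ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")
    return re.sub(r"^(https?):(?!//)", r"\1://", url)

def indicator_hosts(iocs):
    """Lowercase hostnames for a DNS/proxy blocklist."""
    return {(urlsplit(refang(i)).hostname or "").lower() for i in iocs}

def scan_proxy_log(lines, iocs):
    """Return (line_no, reason) for each log line hitting an indicator.
    'url' = exact refanged URL match; 'host' = hostname match only
    (skipped for SHARED_HOSTS, where a bare host hit is not actionable)."""
    urls = {refang(i) for i in iocs}
    hosts = indicator_hosts(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        url = parts[3]
        host = (urlsplit(url).hostname or "").lower()
        if url in urls:
            hits.append((n, "url"))
        elif host in hosts and host not in SHARED_HOSTS:
            hits.append((n, "host"))
    return hits
```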

Defensive Recommendations

  1. Block known malicious domains - Add IOCs to network security controls immediately
  2. Monitor for APK sideloading - Enforce mobile device management policies preventing installation from unknown sources
  3. Enhance DDoS protections - Organizations in targeted regions should verify their DDoS mitigation capacity
  4. Brief employees on vishing threats - Government impersonation scams are active
  5. Review OT/ICS security posture - Claims of SCADA access warrant verification of air-gap controls

For broader context on social engineering threats, review our social engineering defense guide.

Looking Ahead

Unit 42 anticipates "low-to-medium sophistication disruptions" in the near term as connectivity constraints limit coordinated operations. However, the establishment of the Electronic Operations Room demonstrates Iran's intent to institutionalize hacktivist coordination for future conflicts.

Security teams at organizations with Middle Eastern operations should maintain heightened vigilance. The conflict is evolving rapidly, and cyber operations will likely intensify as Iranian infrastructure recovers connectivity.
