Monday, March 2, 2026

    How Iran is Fighting Its Cyberwar: Top 5 Techniques

    Tensions between Iran and US-backed Israel continue to rise, and the war between the countries is far from over. While the visuals show missiles being intercepted and drones wreaking havoc across the Middle East, a silent storm is brewing across the internet as well. Influencing narratives on social media and capturing information about the enemy’s intellectual property have also become pertinent techniques of modern warfare.

    New research from Check Point Research has highlighted how these tactics by Iran appear in real operations, the early warning signals defenders should watch for, and the mitigations that matter most right now. The research also warns of DDoS attacks, pseudo-ransomware, and data wipers used to impose costs, and of information operations that pair destructive activity or data leaks with coordinated online amplification going forward.

    Top 5 Techniques Iran is Using in Its Cyberwar

    Iran’s cyberwar ecosystem includes multiple clusters aligned with state entities, such as the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), as well as deniable operators and “hacktivist” groups. Some of them are as follows:

    1. Cotton Sandstorm: This is an Iranian cyber actor affiliated with the IRGC, best known for cyber-enabled influence operations and “fast-reaction” campaigns when regional events spike. This entity has been associated with classic disruptive cyber activity alongside information operations, including website defacements, DDoS attacks, email or account hijacking, and data theft followed by “hack-and-leak” style amplification that uses fake personas and impersonation to shape narratives.

    2. Educated Manticore: This cluster, aligned with the Islamic Revolutionary Guard Corps Intelligence Organization, shows a strong pattern of high-trust impersonation against specific individuals, namely journalists, researchers, security experts, academics, and foreign-based groups and individuals opposing the Iranian regime.

    3. MuddyWater: Widely assessed as tied to Iran’s Ministry of Intelligence and Security (MOIS), MuddyWater has a long record of espionage-driven intrusions against Middle East government, telecom, energy, and private-sector targets.

    4. Agrius: An Iranian actor active since 2020, with public reporting linking it to MOIS, Agrius is known for destructive operations in the Middle East, often with an emphasis on Israeli targets. It prioritizes impact: it has conducted disruptive attacks under multiple aliases to cause network-level disruption and to shape narratives through stolen-data leaks, and it was among the earliest Iran-linked actors observed applying this playbook against Israeli and Emirati targets.

    5. Handala: In the current escalation climate, this group warrants close monitoring because it is optimized for psychological and reputational disruption: breaking into low-hanging systems, conducting hack-and-leak activity, and timing the publication of stolen material to maximize pressure.
