News brief: Iran cyberattacks escalate, U.S. targets named

Check out the latest security news from the Informa TechTarget team.

President Donald Trump has suggested the Iran conflict could end within weeks, but his messaging remains fluid. He previously tied any potential ceasefire to reopening the Strait of Hormuz, but later said the U.S. would not get involved in negotiating access to the strait. The president also said diplomatic discussions with Iran are progressing, only for Iranian officials to dispute that claim.

The potential impact on the cybersecurity front is equally uncertain, with news this week that Iran's Islamic Revolutionary Guard Corps named 18 tech companies "legitimate targets" in retaliation for recent U.S. and Israeli strikes on Iran.

"From now on, for every assassination, an American company will be destroyed," the group warned in a Guard-affiliated Telegram channel. The list of targets included Apple, Google, HP, IBM, JPMorgan, Nvidia and Tesla, among others.

This week's featured news highlights the latest about the cybersecurity events coinciding with the Iran war.

Iranian hackers target municipalities to disrupt missile response efforts

Hackers linked to the Iranian government have targeted Microsoft 365 platforms of municipal governments in Israel and Gulf states to hinder their response to Iranian missile strikes, according to Check Point.

In March, more than 300 Israeli and around 25 United Arab Emirates organizations were attacked, with municipal governments being primary targets due to their role in post-strike responses. The campaign, likely supporting Iran's kinetic operations, also targeted energy, transportation and technology sectors, with some attacks extending to the U.S., U.K. and Europe.

The attackers exploited weak passwords through password spraying, connecting over VPNs. Check Point advised enforcing MFA and geofencing to mitigate such threats.
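Password spraying leaves a distinctive trace in sign-in telemetry: one source tries a handful of common passwords against many accounts, so failures fan out across distinct users from one IP in a short window, and any success from that same IP is the account whose weak password fell. The following is an added example, not Check Point's tooling or code from the article: it runs that detection, plus the geofencing check the report recommends, over a constructed, simplified sign-in log. The log format, field names, thresholds and the `ALLOWED_COUNTRIES` allow list are assumptions chosen for illustration; a real Microsoft 365 deployment would read Entra ID sign-in logs instead.

```python
"""Detect password spraying and geofence violations in sign-in logs.

Added example (not from the Check Point report or the article). The log
format, thresholds and country allow list are assumptions for the demo.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SPRAY_MIN_ACCOUNTS = 10            # distinct accounts failing from one IP ...
SPRAY_WINDOW = timedelta(minutes=30)  # ... inside this window triggers an alert
ALLOWED_COUNTRIES = {"IL", "AE"}   # assumed geofence: where staff sign in from

# Constructed sample log: <timestamp> <source IP> <GeoIP country> <account> <result>
# One IP in NL fails against 11 accounts in 33 seconds, then succeeds on a 12th;
# a user in IL mistypes a password twice and then signs in (benign noise).
SAMPLE_LOG = """\
2026-03-10T08:00:01Z 203.0.113.7 NL u01@city.example FAILURE
2026-03-10T08:00:04Z 203.0.113.7 NL u02@city.example FAILURE
2026-03-10T08:00:07Z 203.0.113.7 NL u03@city.example FAILURE
2026-03-10T08:00:10Z 203.0.113.7 NL u04@city.example FAILURE
2026-03-10T08:00:13Z 203.0.113.7 NL u05@city.example FAILURE
2026-03-10T08:00:16Z 203.0.113.7 NL u06@city.example FAILURE
2026-03-10T08:00:19Z 203.0.113.7 NL u07@city.example FAILURE
2026-03-10T08:00:22Z 203.0.113.7 NL u08@city.example FAILURE
2026-03-10T08:00:25Z 203.0.113.7 NL u09@city.example FAILURE
2026-03-10T08:00:28Z 203.0.113.7 NL u10@city.example FAILURE
2026-03-10T08:00:31Z 203.0.113.7 NL u11@city.example FAILURE
2026-03-10T08:00:34Z 203.0.113.7 NL u12@city.example SUCCESS
2026-03-10T09:00:00Z 198.51.100.4 IL u01@city.example FAILURE
2026-03-10T09:00:40Z 198.51.100.4 IL u01@city.example FAILURE
2026-03-10T09:01:05Z 198.51.100.4 IL u01@city.example SUCCESS
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    ip: str
    country: str
    account: str
    result: str  # "SUCCESS" or "FAILURE"


def parse_log(text: str) -> list[SignIn]:
    """Parse the constructed whitespace-separated format into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, account, result = line.split()
        # fromisoformat() on older Pythons rejects a trailing 'Z'; normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SignIn(when, ip, country, account, result))
    return events


def detect_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=SPRAY_WINDOW):
    """Return {source_ip: sorted accounts} for IPs whose failed sign-ins hit at
    least `min_accounts` distinct accounts inside one sliding `window`.
    Repeated failures on a single account (a user mistyping) never qualify."""
    fails_by_ip = defaultdict(list)
    for ev in events:
        if ev.result == "FAILURE":
            fails_by_ip[ev.ip].append(ev)
    alerts = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e.ts)
        in_window = Counter()  # account -> failures currently inside the window
        start = 0
        for ev in fails:
            in_window[ev.account] += 1
            while ev.ts - fails[start].ts > window:  # slide the window forward
                old = fails[start].account
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                alerts[ip] = sorted({e.account for e in fails})
                break
    return alerts


def compromised_accounts(events, alerts):
    """Accounts that signed in successfully from an IP flagged as spraying:
    the likely weak-password victims that need a reset and MFA enforcement."""
    return sorted({ev.account for ev in events
                   if ev.result == "SUCCESS" and ev.ip in alerts})


def geofence_violations(events, allowed=ALLOWED_COUNTRIES):
    """Successful sign-ins from outside the allow list (the geofencing control)."""
    return [ev for ev in events
            if ev.result == "SUCCESS" and ev.country not in allowed]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_spray(evs)
    for ip, accounts in spray.items():
        print(f"spray from {ip}: {len(accounts)} accounts targeted")
    print("successful logins from spraying IPs:", compromised_accounts(evs, spray))
    print("geofence violations:", [(e.ip, e.account) for e in geofence_violations(evs)])
```

The two checks are deliberately independent: the spray detector fires on failure fan-out even when no password works, while the geofence check catches a successful sign-in from an unexpected country even when the attacker paces attempts below the spray threshold. Tune `SPRAY_MIN_ACCOUNTS` and `SPRAY_WINDOW` to the tenant's size; a VPN exit node shared by many legitimate users needs a higher account threshold than a small municipality does.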

Read the full article by Eric Geller on Cybersecurity Dive.

Iran's hybrid cybercrime strategy targets U.S. and Israel

Iran is using Russian cybercriminals and state-backed ransomware, such as Pay2Key, to advance its geopolitical goals against the U.S. and Israel, according to KELA's Cyber Intelligence Center. By recruiting affiliates from Russian forums, Iran uses Pay2Key for pseudo-ransomware attacks, blending data destruction with financial extortion. This hybrid approach blurs the lines between state and criminal activities, complicating attribution and increasing legal risks for victims.

Iran incentivizes affiliates with higher payouts for targeting adversaries. Additionally, Iran-backed APT Agrius employs Apostle malware to disguise destructive operations. KELA researchers advised organizations to enhance their defenses with MFA, segmentation and threat intelligence monitoring.

Read the full article by Elizabeth Montalbano on Dark Reading.

Iranian hackers claim to sell Lockheed Martin data

Iran-linked threat actors, tracked as APT Iran, claim to have hacked defense contractor Lockheed Martin, offering alleged F-35 blueprints and Pentagon contracts for $598 million, according to Flashpoint researchers.

A group tracked as Handala or Handala Hack also threatened Lockheed engineers over SMS, demanding they leave Israel. Experts have warned that Iranian actors often exaggerate or fabricate claims, mixing legitimate data with disinformation.

Lockheed Martin expressed confidence in its defenses, while the FBI is offering a $10 million reward for identifying the Handala group, linked to prior attacks. Analysts expect Iran to escalate cyberattacks on U.S. organizations, blending financial motives with geopolitical objectives.

Read the full article by David Jones on Cybersecurity Dive.

Iran-aligned hacktivists: High claims, modest impact

Despite increased cyberactivity since the Iran war began, Iran-aligned hacktivists have shown limited tangible impact in the Gulf region. Groups such as Nasir Security and 313 Team have exaggerated their achievements, often targeting supply chain vendors rather than the organizations they claim to have hacked. For example, Nasir falsely claimed to breach major oil companies but only accessed contractor data.

Such tactics aim to create psychological effects and confusion, using stolen documents to bolster false narratives. While some researchers have highlighted the potential for coordinated, high-impact operations, others argue these groups lack significant influence, serving more as tools for disinformation and distraction than effective cyberthreats.

Read the full article by Nate Nelson on Dark Reading.

Pay2Key shifts focus to U.S. targets amid Iran conflict

The Iran-linked ransomware group Pay2Key recently targeted a U.S. healthcare provider, marking a shift from its historical focus on Israeli systems. The attack, which involved stealthy encryption without data theft, suggests a new emphasis on destruction over extortion.

Pay2Key, active since 2020, has targeted U.S. schools, defense firms and healthcare providers, often collaborating with other ransomware groups. Following the U.S.-Israel bombing campaign in February, Iran-linked cyberattacks have intensified. Pay2Key's operations, once tied to Iran, are now promoted as ransomware as a service on Russian forums, raising questions about its current affiliations. The group reportedly earned $4 million from 51 ransoms over a four-month period in 2025.

Read the full article by David Jones on Cybersecurity Dive.

Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.

Sharon Shea is executive editor of TechTarget Security.