'Digital fog of war' around Iranian cyberattacks

Paris, France, March 13 (AFP) Mar 13, 2026

Hostilities on the digital front have intensified since the outbreak of war between the US, Israel and Iran, with many cyberattacks claimed by Iranian groups, as more advanced actors move in the shadows.

Companies, infrastructure and surveillance cameras have suffered cyberattacks since the end of February.

Pro-Iranian group Handala claimed to have snatched 50,000 emails from an Israeli researcher specialising in Iran, the day after it said it had attacked two American companies.

"Seeing them pop up again now isn't especially surprising," said Pierre-Yves Amiot, director of French company Orange Cyberdefense's CERT cyber alert centre, adding that Handala's visible activity got going in late 2023.

American cybersecurity company Palo Alto Networks' Unit 42 research service said in early March it had spotted an "escalation of attacks from activists" based outside Iran.

On Thursday it warned against an "increased risk of wiper attacks related to the conflict" in which attackers erase data from a target's computers.

There have been "multiple related incidents impacting organizations in Israel and the US," Unit 42 added.

Israel's National Cyber Directorate has issued a series of recent alerts, including on the "hacking of security cameras for espionage purposes" by Iranian groups.

"They've recently been working on claiming responsibility for attacks that aren't totally accurate... their aim is to try and maintain this ambiguity, to make people believe they're extremely active when the truth may sometimes be less clear," he added.

Such confusion adds up to a "digital fog of war," Amiot said.

It is still unclear what kind of group Handala may be.

Long believed to be a "hacktivist" outfit -- an independent group carrying out politically-motivated cyberattacks -- Handala may be more closely tied to Tehran.

"The group is currently assessed by the threat intelligence community to be a state-directed front for Iran's Ministry of Intelligence and Security," Unit 42 said Thursday.

Handala is itself only the most visible part of Iran's far-reaching cyber operations.

"They're regularly active, but not nearly as active as an APT," said Adam Burgher, a specialist in following so-called "Advanced Persistent Threats" -- the label for the most dangerous hacking groups.

Burgher, an analyst at cybersecurity firm ESET, said Iran has around 10 active groups, with the most active known as "MuddyWater".

All have built up experience over recent years.

"The volume of Iranian state-linked cyber activity remains consistently high, with persistent campaigns observed across diverse industries," Microsoft said in its annual cybersecurity report published in November 2025.

"I would put them behind North Korea, Russia and China in terms of sophistication and complexity, but they do dedicate significant resources to cyber espionage and cyber attacks," Burgher said.

For the moment, Iran's cyber capabilities may be degraded by the general government-imposed internet blackout there.

Fallback satellite connections are an alternative, but are less able to support major operations.

"Complex techniques and attacks are probably not going to be seen until they reestablish their hardline connection," Burgher said.

mng/tgb/ach
All rights reserved. Copyright Agence France-Presse. Sections of the information displayed on this page (dispatches, photographs, logos) are protected by intellectual property rights owned by Agence France-Presse. As a consequence, you may not copy, reproduce, modify, transmit, publish, display or in any way commercially exploit any of the content of this section without the prior written consent of Agence France-Presse.