Updated June 22

On June 22 DHS released a National Terrorism Advisory System Bulletin highlighting the possible threat to the United States as a result of the ongoing conflict in Iran and the US missile attacks on key nuclear sites in Iran.

The bulletin highlighted the following risk:

Iran retaliated with an attack against a US airbase in Qatar, which was condemned by Qatar and reportedly intercepted. No US casualties were reported but it highlights increasing tensions in the region and active targeting by Iran of US assets.

DarkOwl continues to monitor the dark web and particularly Telegram in order to see what the reaction has been from hacktivist groups.

Reaction to US Missile Attacks

Despite the warning from DHS, DarkOwl have not observed a large increase in claims of US victims from known hacktivist groups in the wake of the US missile strikes on Iran. Although this could change.

Several of the pro Iran/Muslim groups made posts commenting on the US airstrikes in Iran, although the reaction did not appear as strong as it had been to the Israeli attacks the week before. No posts, in our collection, were identified threatening the US directly although as shown below there were some US victims. This appears to be different to how the groups reacted to previous military interventions.

Groups shared images of the tweets and messages on Truth Social made my President Trump to announce the military action. However, in this particular channel there did not appear to be any commentary on the announcement, some of the posts were translated into Arabic.

The same channel also posted information relating to a response from Iran’s Atomic Energy organization. Again, these posts were made without commentary.

Some groups appeared to target US organizations employing DDOS (Distributed Denial of Service) attacks in retaliation. Group 313 reported that it has taken down Truth Social. However, this was not corroborated, some other reports indicated that the site was down due to users trying to access up to date information. The group also shared media reports about the down time.

Another hacktivist group Keymous+ shared a number of US targets which they claimed to have targeted via DDOS. It was unclear why those specific targets had been selected.

Another group, Mr. Hamza, claimed to be targeting the US Airforce. However, they did not show any evidence of the attacks or if they were successful.

The same actor shared a further post in which they claimed that they had targeted the FBI. As part of the post, they shared the hashtag #OP_USA, which would indicate they are conducting a targeted operation against US entities.

President Trump has now stated on social media that there will be a ceasefire between Iran and Israel, channels are sharing his messages on Truth Social. At the time of writing none of the hacktivist groups appear to have reacted to the announcement. However, other channels which are predominantly used to share right wing messages are declaring that Trump has ended the war.

Updated June 20

As tensions continue to mount between Iran and Israel, with both side launching multiple missile attacks, groups on the dark net, specifically Telegram, continue to mount their own digital attacks against the opposing side.  

Last week we covered the outbreak of the war between Iran and Israel, now we review how the conflict has developed online.  

Telegram as a News Source

Telegram continues to be used by both source as a means of sharing breaking news stories. This includes areas that have been targeted by both sides. One image recently shared shows an explosion in the Haifa region of Israel.  

However there have also been multiple reports of disinformation and fake videos being shared online with reports of computer game videos and images from previous conflicts being shared and, in some cases, appearing to exaggerate the damage being inflicted.  

Organizations in Israel and Iran Targeted

Groups from both sides of the conflict have sought to target organizations and websites within their opposing country. The groups have shared information regarding their victims and the method of attack on their Telegram channels. The allegedly successful attacks are usually shared by other groups with the same outlook.  

Iranian Crypto Exchange Targeted 

The Iranian cryptocurrency exchange Nobitex was reportedly targeted by the pro-Israeli hacktivist group, Predatory Sparrow. Iran’s largest cryptocurrency exchange suffered a major hack on 18 June. With cyber security researchers reporting that $90 million was sent from Nobitex wallets to known hacker addresses. The group shared reports of the hack on their dedicated Telegram channel.  

Use of AI generated Images 

As is common with other hacktivist groups, those reporting attacks on organizations and website have been using AI generated images to publicize their posts on telegram. Although these are clearly auto generated it does highlight how this technology could be used for other means.  

Data for Sale 

As well as the DDOS attacks being promoted on Telegram, DarkOwl analysts have identified an increase of data leaks allegedly from both Israeli and Iranian organizations being shared on the dark Web. These posts are being made available for free as well as being sold and claim to contain PII relating to individuals associated with the organizations.  

Co-ordinating Groups 

A number of the groups also appear to be coordinating and conducting attacks together as well as forming alliances. The majority of these alliances had previously been created in response to the October 7 attacks although new groups have emerged. 

Mentions of Foreign Policy 

As well as sharing information about their cyber attacks, some of the groups are also discussing information about the current events and the role that the US could take in the conflict. The opinion is split along country lines.  

---

Keep up to date. Follow us on LinkedIn.