Cyber Retaliation Escalates: Iranian Hacktivists Target Critical Infrastructure Following February 28 Military Strikes

By Azhar Khan

Surge in Retaliatory Cyber Operations

Researchers from Sophos X-Ops CTU have identified a significant increase in Iranian-aligned hacktivist activity following the coordinated U.S. and Israeli military strikes of February 28. The operations are being conducted under campaign banners including Operation Epic Fury and Operation Roaring Lion.

These campaigns appear to be politically motivated cyber retaliation efforts aimed at disrupting public-facing services and amplifying geopolitical messaging. While many activities fall under traditional hacktivism, researchers warn that the operational scope is broadening.

Observed Attack Techniques

The campaigns have primarily involved:

  • Website defacement carrying political or ideological messaging
  • Distributed Denial-of-Service (DDoS) attacks targeting government and private sector portals
  • Doxxing operations exposing alleged personal or organizational data
  • Public claims of breaches into critical infrastructure systems

Although some infrastructure intrusion claims remain unverified, the claims themselves are intended to generate psychological and reputational impact regardless of whether any technical compromise occurred.

Key Actors Driving the Campaigns

Several Iranian-aligned groups are either directly involved or amplifying the campaigns:

  • Handala Hack Team – A hacktivist group linked to the broader COBALT MYSTIQUE cluster, known for pro-Palestinian cyber operations.
  • APTIran – A designation encompassing Iran-linked threat actors engaged in espionage and disruptive cyber campaigns.
  • BaqiyatLock – A ransomware-as-a-service (RaaS) operation now actively recruiting affiliates to scale attacks.

The inclusion of BaqiyatLock introduces a financially motivated dimension to what initially appears to be ideologically driven activity.

Critical Infrastructure Concerns

Some groups have claimed intrusions into energy and water management systems. While independent confirmation of operational compromise is limited, the targeting rhetoric signals an escalation toward operational technology (OT) environments.

Sectors potentially at risk include:

  • Electric power generation and distribution
  • Water treatment and supply networks
  • Oil and gas infrastructure
  • Municipal and regional utilities

Even unsuccessful attempts can create public anxiety and strain defensive resources.

Affiliate Recruitment and Scaling

Researchers have observed recruitment messaging tied to BaqiyatLock, encouraging affiliates to join retaliatory operations. This decentralized model enables loosely affiliated actors to conduct attacks under a shared ideological banner, complicating attribution and increasing operational volume.

The blending of hacktivism with ransomware affiliate structures marks a shift toward hybrid cyber retaliation campaigns that combine political messaging with potential financial extortion.

Implications for Israeli and U.S. Organizations

Israeli entities remain the primary focus of these operations. However, organizations in the United States—particularly those connected to defense, energy, infrastructure, or Israeli partnerships—may face elevated risk.

Potential consequences include:

  • Service disruptions from sustained DDoS activity
  • Data leaks resulting from doxxing campaigns
  • Reputational damage from defacement incidents
  • Ransomware deployment through affiliate expansion

Strategic Outlook

The surge in activity demonstrates how cyber operations are increasingly embedded within geopolitical conflict dynamics. Hacktivist campaigns can serve multiple strategic purposes, including narrative control, disruption, intelligence gathering, and economic pressure.

Organizations operating in sensitive sectors should heighten monitoring, reinforce DDoS protections, strengthen network segmentation—particularly between IT and OT systems—and review incident response preparedness for coordinated disruptive campaigns.
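As an added illustration of the "heighten monitoring" and "reinforce DDoS protections" advice above, and of the DDoS and defacement techniques listed under Observed Attack Techniques, the script below is example code written for this page, not tooling from Sophos or any of the groups discussed. It parses constructed web access-log lines (Combined Log Format), flags any client IP that exceeds a request threshold within a sliding time window as a crude volumetric signal, and checks a page body against a known-good SHA-256 baseline as a simple defacement detector. The IP addresses, timestamps, thresholds and page contents are all constructed for the demo; real deployments would tune the threshold and window to their own traffic baseline.

```python
"""
Added example (not from the original article): a minimal monitor for two of
the techniques described above, run over constructed sample data.

 1. Request-burst detection from web access logs (a crude DDoS signal): flags
    any client IP that exceeds a request threshold within a sliding window.
 2. Defacement detection: compares the SHA-256 of a page body against a
    known-good baseline hash.

All log lines, addresses, thresholds and page bodies are constructed for the demo.
"""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format, e.g.
# 203.0.113.5 - - [28/Feb/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def find_bursts(lines, threshold=20, window_seconds=10):
    """Return {ip: peak_requests_in_window} for IPs that exceed the threshold.

    Keeps a per-IP deque of timestamps and drops entries older than the window.
    Each IP's own lines must arrive in time order (normal for a single log file).
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines rather than crash
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def page_hash(body: bytes) -> str:
    """SHA-256 of a fetched page body; store this as the known-good baseline."""
    return hashlib.sha256(body).hexdigest()


def is_defaced(body: bytes, baseline_hash: str) -> bool:
    """True when the current page body no longer matches the recorded baseline."""
    return page_hash(body) != baseline_hash


def make_sample_log():
    """Constructed sample: one client sends 30 requests in 5 seconds, two are normal."""
    lines = []
    for i in range(30):
        lines.append(f'198.51.100.77 - - [28/Feb/2026:10:00:{i // 6:02d} +0000] '
                     f'"GET / HTTP/1.1" 200 512')
    lines.append('203.0.113.5 - - [28/Feb/2026:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048')
    lines.append('203.0.113.9 - - [28/Feb/2026:10:00:04 +0000] "GET /contact HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    print("burst sources:", find_bursts(make_sample_log()))
    baseline = page_hash(b"<html>Welcome</html>")
    print("defaced:", is_defaced(b"<html>Owned by example</html>", baseline))
```

Running the script reports the single bursting address with its peak in-window count and a positive defacement result for the altered body; the same two functions can be pointed at a real log tail and a periodic fetch of the public site, which is the low-cost monitoring this section recommends.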

As geopolitical tensions persist, the risk of further cyber escalation remains elevated, particularly in sectors tied to national infrastructure and regional alliances.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.