
Iranian hackers were more coordinated, aligned during Israel conflict than it seemed

The apparently disjointed response from Iranian hackers to the 12-day conflict with Israel in June actually demonstrated a significant degree of alignment and coordination, according to research published Tuesday.

SecurityScorecard’s STRIKE Team analyzed 250,000 messages from Iranian proxies and hacktivists from more than 178 groups whose activity ranged from pushing propaganda to stealing data to defacing websites to launching cyberattacks.

“Our analysis reveals a detailed map of operations that were fast, targeted, and ideologically charged,” its report states. “In many cases, the threat groups appear to have coordinated their operations with agility and deep alignment.”

Separately Monday, the Middle East Institute published an analysis that arrived at similar conclusions.

“Iran’s conduct in cyberspace during the 12-day war marked a turning point in its cyber strategy, reflecting greater coordination, clearer strategic intent, and the integration of digital tools across military, political, and psychological domains,” Nima Khorrami, an analyst at NSSG Global and a research associate at the Arctic Institute, wrote for the think tank.

The cyber fallout from the 12-day conflict led to a warning from the U.S. government about potential spillover. But some have questioned how effective any of the cyber operations between Iran and Israel were.

“It can be easy to conflate the volume of cyber activity in the Israel-Iran war with decisive impact,” Nikita Shah, a senior resident fellow at the Atlantic Council’s Cyber Statecraft Initiative, wrote last week. “But the value of cyber attacks for each state came from them serving as a means of shaping and augmenting the information environment, rather than bringing the conflict to a conclusive end. While these incidents may have caused harm or disruption in the short-term, they failed to provide any decisive military advantage. Instead, the impact was disproportionately felt by ordinary Iranian and Israeli citizens.”

SecurityScorecard highlighted how one group, the Iranian government-connected group known as Imperial Kitten or Tortoiseshell, changed tactics as the fighting grew more intense. It began using conflict-themed phishing lures and built infrastructure for the campaign almost immediately after the onset of physical battles.

That suggested the group “has planning or tasking cycles that respond quickly to conflict flashpoints,” SecurityScorecard said.

Further Iranian hacking activity included conducting reconnaissance, recruiting on the Telegram messaging app and advertising vulnerabilities, the company observed.

The post Iranian hackers were more coordinated, aligned during Israel conflict than it seemed appeared first on CyberScoop.

Pro-Russian DDoS group NoName057(16) disrupted by international law enforcement operation

An international law enforcement operation conducted this week targeted the members of and infrastructure used by NoName057(16), a pro-Russian hacktivist group that has conducted distributed denial-of-service (DDoS) attacks across Europe since early 2022.

Operation Eastwood disrupted over 100 servers worldwide and resulted in two arrests, seven international arrest warrants, and 24 house searches across multiple jurisdictions. The operation, coordinated by Europol and Eurojust with participation from 12 countries, broke up a cybercrime network that had mobilized an estimated 4,000 members who conducted attacks against entities in countries across Europe and in Israel.

NoName057(16) used Telegram channels, specialized forums, and messaging applications to distribute attack tools, tutorials, and plans. The group employed gamification techniques including leaderboards, badges, and cryptocurrency rewards to keep members active, particularly targeting younger individuals by claiming the group was defending or working on behalf of Russia.

Group members relied on the open-source “DDoSia” platform and a botnet comprising several hundred servers, which allowed the group to scale attack capacity. Participants downloaded malware that enabled them to contribute computing resources to coordinated attacks, with the most active contributors receiving financial incentives in cryptocurrency.

The group chose its targets based on political events. At first, they attacked websites in Ukraine. Later, they expanded their attacks to countries in NATO and organizations that support Ukraine. Some of their attacks took place during the European elections, affecting Swedish government agencies and bank websites. They also timed attacks with major political events, including the Ukrainian president’s speech to the Swiss parliament and the NATO summit in the Netherlands.

Germany issued six of the seven arrest warrants, with two suspects identified as primary operators residing in Russia. The operation involved help from law enforcement agencies in Czechia, Estonia, Finland, France, Germany, Latvia, Lithuania, the Netherlands, Poland, Spain, Sweden, Switzerland, and the United States.

The post Pro-Russian DDoS group NoName057(16) disrupted by international law enforcement operation appeared first on CyberScoop.
