
Iranian hackers were more coordinated, aligned during Israel conflict than it seemed

5 August 2025 at 13:39

The apparently disjointed response from Iranian hackers to the 12-day conflict with Israel in June actually demonstrated a significant degree of alignment and coordination, according to research published Tuesday.

SecurityScorecard’s STRIKE Team analyzed 250,000 messages from Iranian proxies and hacktivists from more than 178 groups whose activity ranged from pushing propaganda to stealing data to defacing websites to launching cyberattacks.

“Our analysis reveals a detailed map of operations that were fast, targeted, and ideologically charged,” its report states. “In many cases, the threat groups appear to have coordinated their operations with agility and deep alignment.”

Separately Monday, the Middle East Institute published an analysis that arrived at similar conclusions.

“Iran’s conduct in cyberspace during the 12-day war marked a turning point in its cyber strategy, reflecting greater coordination, clearer strategic intent, and the integration of digital tools across military, political, and psychological domains,” Nima Khorrami, an analyst at NSSG Global and a research associate at the Arctic Institute, wrote for the think tank.

The cyber fallout from the 12-day conflict led to a warning from the U.S. government about potential spillover. But some have questioned how effective any of the cyber operations between Iran and Israel were.

“It can be easy to conflate the volume of cyber activity in the Israel-Iran war with decisive impact,” Nikita Shah, a senior resident fellow at the Atlantic Council’s Cyber Statecraft Initiative, wrote last week. “But the value of cyber attacks for each state came from them serving as a means of shaping and augmenting the information environment, rather than bringing the conflict to a conclusive end. While these incidents may have caused harm or disruption in the short-term, they failed to provide any decisive military advantage. Instead, the impact was disproportionately felt by ordinary Iranian and Israeli citizens.”

SecurityScorecard highlighted how one group, the Iranian government-connected group known as Imperial Kitten or Tortoiseshell, changed tactics as the fighting grew more intense. It began using conflict-themed phishing lures and built infrastructure for the campaign almost immediately after the onset of physical battles.

That suggested the group “has planning or tasking cycles that respond quickly to conflict flashpoints,” SecurityScorecard said.

Further Iranian hacking activity included conducting reconnaissance, recruiting on the Telegram messaging app and advertising vulnerabilities, the company observed.

The post Iranian hackers were more coordinated, aligned during Israel conflict than it seemed appeared first on CyberScoop.

After website hack, Arizona election officials unload on Trump’s CISA

By: djohnson
21 July 2025 at 16:48

Arizona election officials say a hack targeting a statewide online portal for political candidates resulted in the defacement and replacement of multiple candidate photos with the late Iranian Ayatollah Ruhollah Khomeini.

While officials say the threat is contained and the vulnerability has been fixed, they also blasted the lack of support they’ve received from the federal government, claiming the Cybersecurity and Infrastructure Security Agency is no longer a reliable partner in election security under the Trump administration.

Michael Moore, the chief information security officer for Arizona’s Secretary of State, told CyberScoop that his office first became aware that something odd was happening on June 23, while many officials were at a conference. One user managing the candidate portal noticed that one of the candidate images uploaded to the site didn’t “make sense” because it appeared to be a picture of Khomeini. The next day they were notified that candidate profiles going back years had also been defaced with the same picture.

“My first call was to Arizona’s [Department of] Homeland Security,” Moore said. “We started troubleshooting, locked down that portion of the site, and started doing preventative measures to reduce our attack surface.” 

Moore said other important systems, such as the statewide voter registration database and its confidentiality system for domestic abuse survivors, are hosted on servers that are segmented from other parts of the network. He said there is no evidence that the attackers “even attempted” to access state voter rolls.

Incident responders determined that the attacker was using the candidate portal to upload an image file containing a Base64-encoded PowerShell script that attempted to take over the server.

Moore described the affected candidate portal as an older, legacy system that wasn’t designed for security. Unlike many other statewide systems, the candidate portal was explicitly created to accept uploads from the public.
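An added example, not from the article or from Arizona's incident response: one way an upload handler could screen image files for the pattern described above, a Base64 run that decodes to PowerShell text. The run-length threshold, the marker list and the sample bytes are constructed assumptions, and the check is a heuristic that complements re-encoding images and isolating the upload service.

```python
import base64
import re

# Assumed threshold and marker list for illustration; tune against real uploads.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
PS_MARKERS = (b"powershell", b"invoke-expression", b"frombase64string",
              b"new-object", b"downloadstring", b"-encodedcommand")
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8")

def image_ok(data):
    """True when the file starts with PNG, JPEG or GIF magic bytes."""
    return data.startswith(IMAGE_MAGIC)

def decode_run(run):
    """Decode a base64 run at each of the four possible alignments."""
    # Image bytes just before the payload may be base64-alphabet characters,
    # which shifts the 4-character grouping.
    body = run.rstrip(b"=")
    for shift in range(4):
        chunk = body[shift:]
        yield base64.b64decode(chunk[: len(chunk) - len(chunk) % 4])

def scan_upload(data):
    """Return (offset, marker) for each base64 run that decodes to script text."""
    findings = []
    for match in B64_RUN.finditer(data):
        for decoded in decode_run(match.group()):
            # Drop NULs so UTF-16LE text (the -EncodedCommand encoding) matches too.
            text = decoded.replace(b"\x00", b"").lower()
            hit = next((m for m in PS_MARKERS if m in text), None)
            if hit:
                findings.append((match.start(), hit.decode()))
                break
    return findings

def accept_upload(data):
    """Accept only files with image magic bytes and no embedded script text."""
    return image_ok(data) and not scan_upload(data)

# Constructed samples (not from the incident): a harmless script string,
# base64-encoded as UTF-16LE and appended to PNG-like filler bytes.
SCRIPT = "powershell -NoProfile -Command Write-Output 'constructed sample'"
PAYLOAD = base64.b64encode(SCRIPT.encode("utf-16-le"))
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + bytes(range(256))
TAINTED = PNG_HEAD + PAYLOAD
CLEAN = PNG_HEAD + b"A" * 80 + b"\xff"  # long base64-like run, no script text

if __name__ == "__main__":
    print(scan_upload(TAINTED), accept_upload(TAINTED), accept_upload(CLEAN))
```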

Moore likened the situation to “a village that’s surrounded by a castle; we’ve got a moat, we’ve got a drawbridge, we’ve got a portcullis and guards on the walls.”

“But when our village needs to do business,” he said, “we have doors and windows that are open and an adversary can just walk through … masquerading as a legitimate business.” 

The substance and timing of the hack point to someone with pro-Iranian interests. The incident took place the day after the U.S. bombed Iranian nuclear sites, and a Telegram message linked in the defacement promised revenge against Americans for President Donald Trump’s actions. 

Moore said they do not have definitive attribution for the attack at this time.

A deteriorating partnership

For years, CISA has coordinated election security between states and the federal government, sharing intelligence on vulnerabilities or hacking campaigns, deploying cybersecurity experts, and assisting with active incidents.

Arizona, through its state DHS, contacted multiple federal agencies about the hack, including the FBI. But CISA was not part of that outreach.

In a scathing statement, Secretary of State Adrian Fontes, a Democrat who has long focused on election security, said that this once-fruitful partnership between CISA and states had been damaged as the agency has been “weakened and politicized” under the Trump administration.

“Up until 2024, CISA was a strong and reliable partner in our shared mission of securing American digital infrastructure, but since then the agency has been politicized and weakened by the current administration,” Fontes said.  

Fontes said he personally reached out in a letter to Homeland Security Secretary Kristi Noem months ago in an effort to establish a relationship but was “dismissed outright.”

“Given their recent conduct, and broader trends at the federal level, we’ve lost confidence in [CISA’s] capacity to collaborate in good faith or to prioritize national security over political theater,” he continued. “This is exactly the kind of division that foreign adversaries of Russia, China and Iran seek to exploit. Cybersecurity should never be a partisan issue. When trust breaks down between levels of government, we put our democratic system at risk.”

Since being sworn into power, President Donald Trump and his administration have taken an axe to CISA’s budget and workforce, eliminated regional offices, fired disinformation experts, and drastically reduced the agency’s once-robust support for securing state elections. 

Moore doubled down on Fontes’ sentiments, telling CyberScoop “it was easy and natural to work with CISA until 2024.” Under previous administrations he had a litany of CISA employees on speed dial, but “right now, in 2025, we have no [federal] cybersecurity advisors.”

“We will occasionally communicate with CISA at a regional level, but we don’t have that direct level of support” we used to, he said.

Outside of elections, he referenced the massive SharePoint vulnerability disclosed by Microsoft over the weekend as a prime example of CISA’s diminished capacity and willingness to coordinate national responses to major cyber threats.

“We’re effectively trying to recreate the federal government,” Moore said. “In the past, CISA would have led the charge [to coordinate around the SharePoint flaw]. I didn’t get an email from CISA until [Monday] morning warning about the event, and that’s too late. This started on Friday morning and the damage was done by Monday morning.”

A DHS spokesperson called Fontes’ criticism “misguided.”

“Here are the facts: In late June, the state requested assistance. On July 1st the Arizona Secretary of State posted a notice on their website and took their candidate portal offline for several days ahead of their primary special election,” the spokesperson said. “Since then CISA has been working with Arizona and has provided direct assistance to support their response efforts.”

A former senior DHS official told CyberScoop that “there does seem to be a loss of confidence among both private sector and state and local governments with regard to CISA” under the Trump administration.

In particular, the administration change has led to a “deemphasis of CISA in terms of being the primary federal civilian cyber response agency,” the former official continued. Additionally, the agency does not yet have a Senate-confirmed leader and “they’ve lost a lot of talent, mostly on the technical side, like engineering and the technical services division that’s hard to replace,” they added.

The official requested anonymity to speak candidly with CyberScoop about their interactions with DHS.

Further, the lack of action from the federal government on other critical matters related to the agency, like reauthorization of the expiring Cybersecurity Information Sharing Act, has “led stakeholders of CISA to question whether or not it is the same agency they could count on six or seven months ago.”

The official said they believe the administration is looking to change perceptions and expectations around CISA’s mission, as Trump, Noem and others have sharply criticized the agency for its election security work.

“My sense is this is exactly what they wanted, which was a reset of the relationship with CISA and the department, but also how it is perceived and acts in the interagency and beyond,” the official said.

“When they say focus the core mission on cyber, to me that says programs of record like EINSTEIN and a lot of emphasis on things like [the Continuous Diagnostics and Mitigation program], resetting the relationship on infrastructure protection and providing more targeted resources for assessments, or cyber hygiene related initiatives,” they continued. “That has yet to make its way through the pipeline, though, and what you have now is kind of a half thought out plan.”

The post After website hack, Arizona election officials unload on Trump’s CISA appeared first on CyberScoop.
