
The Digital Front Line: Israel and Iran Turn the Internet into a Covert Combat Zone

The Israel-Iran conflict is barely a week old, but the security repercussions for the two combatants and the wider global community are already visible. The cyberwarfare portion of the conflict is spilling over off the battlefield and outside the region, so organizations worldwide must be prepared.

Trustwave SpiderLabs is monitoring and investigating this specific cyber battlefield, compiling an investigative research report that details how each side utilizes its cyber capabilities to exploit its opponent's weaknesses and employs cyberattacks to bolster areas where it cannot compete militarily.

The SpiderLabs research team has compiled a comprehensive list of measures organizations and nations can take to protect themselves, remain resilient, and stay ahead of potential malicious cyber activity.

The full report is available here.

 

Fighting in the Shadows

By their very nature, combat-related cyber operations are rarely visible to the public; however, that does not mean they are any less intense.

In fact, Trustwave SpiderLabs research has found the cyber domain is now a central theater in the Israel–Iran conflict, serving both as a tool for strategic influence and as a battlefield for covert, high-stakes confrontation.

What distinguishes the Israel–Iran cyber conflict is its relentless nature and heightened intensity. On the kinetic side of the battle, we see waves of air and missile strikes followed by a lull as each side prepares for its next attack.

However, digital battles are continuous, often unfolding quietly alongside diplomatic maneuvers or covert actions. The boundary between cyber espionage and cyber sabotage is often indistinct. While public attention tends to focus on hacktivist activity or website defacements, the real action lies in covert, highly targeted operations conducted by both nations. These state-sponsored campaigns are strategic, technically sophisticated, and largely hidden from public view, making them difficult to detect, attribute, or evaluate in real-time.

 

The Combatants and Their Surrogates

The report contains a detailed analysis that examines the participants and their cyber capabilities, along with dozens of outside groups that have opted to support either Iran or Israel. These include pro-Israel organizations such as Israeli Gladiator and Predatory Sparrow, while APT Iran and Al-Qassam Cyber Brigades back Iran.

The groups backing Iran far outnumber those backing Israel. This imbalance reflects broader geopolitical sentiment in online spaces, where narratives opposing Israel tend to mobilize more hacktivist engagement, particularly from actors across the Middle East, South Asia, North Africa, and even parts of Latin America and Eastern Europe.

Organizations globally, including those in the US, Australia, and the UK, must recognize that this digital conflict poses a tangible risk. Even without direct involvement, threat actors often exploit heightened global awareness to enhance social engineering and phishing attacks, and tend to cast a wide net, making vigilance crucial for all sectors, particularly critical infrastructure, defense, and government. Additionally, anyone perceived as being supportive of one side or another may be a potential target.

With reports of the US government increasingly aligning itself with Israel, US and Western companies should be on high alert. This is particularly the case for those with US government business, as the example of an Argentine company with Israeli defense ties mentioned in this report shows.

While Iranian-backed groups exhibit a higher volume of activity, pro-Israel entities demonstrate elite, surgical strike capabilities. Organizations in these Western nations should implement robust cybersecurity hygiene, including updated patches, MFA, restricted access, and strong incident response plans, as well as prepare for soft cyber operations like fake emergency alerts, to defend against potential collateral damage and maintain resilience.

The overabundance of Iranian support is countered by the fact that the pro-Israel presence, while notably smaller, is more elite, featuring high-impact players like Predatory Sparrow, a group widely believed to be linked to Israeli intelligence operations, and Garuna Ops, known for surgical strikes against Iranian critical infrastructure. These groups appear more technically sophisticated but are fewer in number, operating more like specialized cyber units than crowd-sourced collectives.


Cyberattacks and Counterattacks

Even though the vast majority of cyber activity between Iran and Israel is covert, Trustwave SpiderLabs has unearthed several incidents claimed by surrogate groups. While no outside sources have confirmed these attacks, they remain illustrative of the threat landscape.

The pro-Palestinian, pro-Iranian hacktivist collective Handala claimed it exfiltrated over 2 TB of data from Israeli firms between June 14–15. Notable alleged victims included the Delek Group and its subsidiary Delkol, with Handala purporting to have stolen sensitive information involving the company's military partnerships. The group also asserted breaches of Y.G. New Idan, 099 Telecommunications, and AeroDreams, an Argentinian drone firm linked by Handala to the Israeli Air Force.

The hacktivist group DieNet, which may have connections to cyber communities in Eastern Europe, publicly declared its support for the Iranian side in the cyberwar, framing its operations as part of a broader ideological and geopolitical resistance against what it labels "Zionist aggression". The group has claimed DDoS attacks against a variety of Israeli systems and infrastructure, often coordinating its actions with statements on Telegram and other hacktivist-friendly platforms.

Information on Israeli actions is scant. Unlike hacktivist groups, Israeli cyber operators are more interested in results than public acclaim and expertly cover their tracks. There are some indicators detailed in the report that Israel has hit Iranian government facilities and financial institutions.

For example, on June 17, 2025, the cyber group Predatory Sparrow escalated its campaign against Iranian institutions by announcing a targeted cyberattack on Bank Sepah, one of Iran's oldest and most strategically important banks. Bank Sepah is allegedly associated with the Islamic Revolutionary Guard Corps (IRGC).

More information is included in the report.

 

Comprehensive Remediation Measures for Israel-Iran Cyberwarfare Threats

The full list of protective measures is detailed in the report. It includes:

  • DDoS Attacks on Government, Finance, and Infrastructure: Implement always-on DDoS protection, redundancy, and regular simulation drills to defend against and recover from distributed denial-of-service attacks.
  • Data Leaks and Identity Theft: Utilize automated detection, citizen alert mechanisms, and metadata forensics to counter data leaks and identity theft.
  • Critical Infrastructure Intrusions (Water, Energy, Healthcare): Isolate OT networks, enhance 24/7 SOC monitoring, and enforce mandatory reporting to secure critical infrastructure.
  • Hacktivist Campaigns and Defacement: Employ real-time web monitoring with auto-restore, DNS hardening, and brand defense programs to combat hacktivist campaigns and defacement.
  • Cross-Sector Coordination: Establish joint cyber coordination units and conduct nationwide incident war-gaming to foster inter-agency resilience and information sharing.

Finally, the report discusses tips to identify soft cyber operations such as fake emergency alerts and psychological operations:

  • Strengthen Authentication of Official Alerts: Implement digital signatures on emergency messages and educate the public on how to verify authentic government communications.
  • Harden Civil Alert Infrastructure: Upgrade security protocols for all emergency communication systems, enforcing multi-factor access and regular penetration testing.
  • Real-Time Monitoring and Takedown Response: Establish a national task force to monitor and rapidly debunk fake alerts through partnerships with telecom and social platforms.
  • Public Education and Resilience Campaigns: Equip the public with critical evaluation tools for emergency messages, emphasizing "verify before you act" behavior.
  • Telecom and SMS Provider Collaboration: Work with providers to block spoofed sender IDs and consider country-wide sender ID whitelisting for critical alerts.
  • Behavioral Simulation & Training: Conduct drills involving fake alerts to train communities and emergency services in recognizing, containing, and reporting such incidents without panic.
  • Leverage Threat Intelligence Sharing: Integrate this threat type into broader cyber threat intelligence frameworks, sharing indicators of spoofing and disinformation with partners.
  • Legal and Diplomatic Measures: Explore legal and diplomatic tools to sanction or disrupt infrastructure used in influence campaigns, especially those linked to foreign actors.

While this blog highlights the key points, please note that Trustwave SpiderLabs' threat intelligence organization is actively monitoring the situation and utilizing all available security tools to protect Trustwave's clients from related cyber threats, as well as to provide actionable threat intelligence to the broader market.

For additional support and information, visit our Israel-Iran cyberwarfare resource center.
