Iran Hacktivists Make Noise but Have Little Impact on War

Iran-aligned groups are trying to make their mark in the Gulf, but the results have fallen short of remarkable.


Since the onset of war, there's been scant hard evidence that Iran-aligned hacktivists have had a significant impact in the Gulf region, despite their widely publicized claims.

Whenever a major national or geopolitical event occurs, both cybercriminals and the cybersecurity community activate. Malicious cyber activity always follows major headlines, so researchers and reporters look out for rising threats with each news cycle. Those researchers and reporters then track that activity, fueling a lesser, secondary news cycle.

The Iran war is one of these classic cases. New data from Bitdefender indicates that since Feb. 28 — the day the ayatollah was assassinated — the rate of malicious emails targeting Gulf countries has risen an average of 130%. The data surged immediately, stayed elevated, and at peak reached almost four times its pre-war rate. In other words: the activity increase is there.

A rise in activity, however, does not necessarily equate to a commensurate rise in impact. In general terms, researchers disagree on how dangerous Iran-aligned hacktivist and cybercriminal groups are. When it comes to hard evidence, though, they've found, at best, a modest impact from this latest, much anticipated surge.

Case Study: Nasir Security

There's a chasm between what many Iran-aligned groups have been claiming and what they've been accomplishing.

Consider "Nasir Security," a group that can be considered Iran-aligned, despite its frequent identity crises (in recent months it has aligned with Hezbollah, as well as the Alawite ethnic group in Syria). After appearing and then disappearing in the wild in October 2025, it seemingly returned to action in support of Iran's war effort on March 10.

In the two weeks that followed, the group announced that it had compromised three Middle Eastern oil and gas companies: the United Arab Emirates' (UAE) Dubai Petroleum, Oman's CC Energy, and Al Safi, a smaller company that operates gas stations in Saudi Arabia and the wider region.

At first glance, this might seem like a big deal. While Iran attacks Middle East oil facilities from the skies, Nasir Security is carrying out data leaks against those same sorts of organizations in cyberspace, combining to cause real trouble for Iran's enemies, and havoc in global oil markets.

To the surprise of nobody, though, this hacktivist group vastly overstated its achievements. Rather than the companies they claim to have breached, "The group is attacking [related] supply chain vendors involved in engineering, safety, and construction," explains Resecurity COO Shawn Loveland.

The logic is simple, he says: "Contractors' digital identity information is a typical 'low-hanging fruit,' making them an easy target for business email compromise (BEC) and account takeover (ATO). The actors target contractors, as they may store various engineering documentation and internal files during collaboration with energy companies on their projects. That data is used as a 'shiny object' to claim a breach of the energy company itself."

Nasir has stolen and leaked legitimate documents. In the case of Dubai Petroleum, for instance, Resecurity says that while it lied about having exfiltrated more than 413GB from the company, it did steal a few legitimate internal reports, maps, and schemes from the contractor. The real documents theoretically could be utilized in later spear-phishing attacks, but mostly they helped the threat actor sell the legitimacy of the leak on its website.

The point of these attacks is more about feelings than facts. "The actors attempted to capitalize on the authentic documents (stolen from a third party) and the complexity of investigating the point of compromise, which can be time-consuming, leaving the audience in uncertainty. Such tactics are widely used by threat actors to plant misleading narratives," Loveland says.

High-Profile Attacks Have Holes

Not all hacktivist groups leave behind easily scrutinized evidence, such as downloadable data leaks. Part of the reason cybersecurity analysts have struggled to verify most of the hacktivist activity being reported online is that lower-level threat actors are naturally attracted to the kinds of cyberattacks that either can't be easily disproven or are subject to creative interpretation.

For instance, it's easy to claim a denial-of-service (DoS) attack against a website that blocks the ability for researchers to check its uptime. And as Pascal Geenens, vice president of cyber threat intelligence at Radware, explains, "'Defacement' can mean anything from a full website compromise to posting a picture in a comment section and sharing the direct link. System compromise claims similarly run the gamut, from genuinely sensitive intrusions to publicly exposed cameras or unprotected IoT dashboards."

One example of an Iran-aligned group taking advantage of this confusion is the "313 Team." Its biggest recent claims include DoS shutdowns of Bahrain and Kuwait government and military services. According to public reporting, both governments experienced minor disruptions, but the attacks either failed to have the impact that 313 claimed, or were subsequently attributed to groups other than 313. Dark Reading cannot independently confirm what happened in these cases.

"It's important to note that with hacktivist activity, the claim is part of the attack itself," says Justin Moore, senior manager of threat intelligence for Palo Alto Networks' Unit 42. When the Iran war started, Unit 42 tracked a surge of cyberattack claims that didn't all have backing in evidence, but seemed to have an impact merely for having been uttered.

"The narrative that they are operating everywhere is critical to the psychological aspect of their activity, keeping the looming potential threat of attack by them in the news cycle," Moore says. "For an organization, the challenge is managing the reputational fog of war that these groups intentionally create the moment they post on Telegram."

As a rule of thumb, Geenens says, "groups believed to be proxies for or closely aligned with a nation-state carry more weight in their claims than self-proclaimed anonymous channels." For example, the Iranian hacktivist operation most widely believed to have carried out concrete, meaningful cyber activity in March is Handala. Handala isn't actually the hacktivist operation it claims to be; it's a false flag for Iran's Ministry of Intelligence and Security (MOIS).

Is the Threat from Iran-Aligned Hacktivists Significant?

Researchers disagree on the seriousness of the threat these groups pose.

"While many hacktivist actions are indeed noisy and designed for psychological effect, we have observed a significant shift toward destructive and high-consequence operations," argues Matt Hull, vice president of cyber intelligence and response at NCC Group. He notes that some groups are actively targeting critical infrastructure and deploying wipers — which they've long been known to do — and attributes major significance to Iran's rumored "Electronic Operations Room" for coordinating cyber activity across its proxies.

"The establishment of the Electronic Operations Room (EOR) has synchronized hacktivist groups, allowing them to act as a force multiplier for state objectives," Hull says. "Even if an individual attack seems minor, the cumulative effect creates a massive drain on defensive resources and provides a smoke screen for more sophisticated state-sponsored actors to move undetected."

For Loveland, this interpretation of events is too generous. "In fact, none of the Iran-linked, pro-Iranian groups (including Handala) or state-sponsored groups are making any meaningful impact on the Iran conflict, as confirmed by numerous independent assessments and our threat analysis," he argues. "Iran and its proxies are orchestrating such campaigns on behalf of groups like 'Nasir Security' to sow uncertainty and create the optics of cyberattacks."