    Do Ceasefires Slow Cyberattacks? History Suggests Not

    By admin | April 11, 2026 | 6 Mins Read

    With the US and Iran having reached a fragile ceasefire this week, security researchers and executives are left wondering whether there will be a commensurate pause in the cyberwarfare that has ramped up around the war.

    The day after the temporary truce was announced, Iran’s most high-profile false-flag hacktivist operation, Handala, offered that it would participate in a temporary pause in hostilities. But even if one takes that group at its word, history suggests that ceasefires rarely stop or slow cyberactivity surrounding kinetic wars. In fact, in the absence of more effective ways of fighting, cyberattacks tend to flare significantly.

    “Historical data and recent intelligence analysis indicate that a military ceasefire rarely equates to a ‘digital stand-down,’” warns Austin Warnick, director of Flashpoint’s National Security Intelligence Team. Instead, he tells Dark Reading, “Cyber operations often remain steady or even flare up as an asymmetric pressure valve while kinetic hostilities are paused.”

    Iran’s Handala Cyberactivity Ceasefire

    On April 8, Handala posted a typically flowery, but in some ways candid, notice to its Telegram channel. It conceded that “according to the orders from the highest leadership” in Iran, it has postponed its cyber activity against the United States. 

    [Image: Handala's ceasefire announcement. Source: Check Point Research]

    This is significant, as Handala has unquestionably been the most widely publicized threat actor in the war. It claimed responsibility both for the ransomware-ish attack against Stryker — the biggest cyber fish of the war so far, for Iran — and the compromise of FBI director Kash Patel’s personal email account, which is the most symbolically significant incident so far.

    Handala did qualify its cyber ceasefire, though, by noting that “The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.” Eventually the attacks will resume, and in the meantime, the group will still be directing all of its cannons at Israel.

    For Sergey Shykevich, threat intelligence group manager at Israel-based Check Point Research, it’s too early to tell whether Handala — or Iranian advanced persistent threats (APTs) more generally — will stop or slow down any attacks. Promises aside, he says, “I would not be surprised if, at some point over the next two weeks, they resume cyberattacks as another means of applying pressure against the US.”

    How Cyber Threat Actors Respond to Geopolitics

    Real and fake hacktivist operations, and similarly loud threat actors, might gain something by glomming onto ceasefire deals. They might hope to earn some legitimacy and status by pulling up a chair at the big boy table, and participating in a major geopolitical event. Whether their promises actually mean anything, though, varies from conflict to conflict.

    Following the Oct. 7 massacres in Israel, and Israel’s invasion of Gaza thereafter, the two sides reached a temporary ceasefire in late November 2023. At that time, one of Handala’s closest equivalents, Cyber Toufan — also a false-flag hacktivist operation, and also part of Iran’s “Resistance Axis” — indicated that it was pausing operations until the war resumed. It’s unclear whether Cyber Toufan slowed its activity at all, because between November and December 2023 it had claimed more than 100 Israeli victims on its leak site.

    [Image: Toufan's 2023 ceasefire announcement. Source: Telegram, via the Reichman University’s International Institute for Counter-Terrorism (ICT)]

    More often than not, ceasefires stoke cyberattacks, as warring sides take to this alternative method of hurting their enemy and gaining leverage for future negotiations. One Hamas-aligned threat actor used a 2021 ceasefire with Israel as its excuse to rev up a fresh phishing campaign across the Middle East, for example. And when Ukraine and Russia agreed to a Black Sea ceasefire last year, both sides simply used the downtime to carry out major cyberattacks, including some against the very same kinds of energy infrastructure that the ceasefire was meant to protect.

    Going even further back, Markus Mueller, field chief information security officer (CISO) for Nozomi Networks, explains, “The major cyberattacks in Ukraine took place during a time when, at least on the Russian side, the war wasn’t active. It was right after Russia annexed Crimea. They hadn’t really done the big push — what some folks call the second Ukraine war. That in-between period is when we saw a lot of the larger attacks.”

    Do Ceasefires Pause Cyberwars, or Inflame Them?

    In general, Flashpoint’s Warnick says, “Threat actors treat diplomatic pauses as technicalities, using the time to pivot toward secondary targets or allies to maintain pressure without technically violating military agreements. Current evidence further supports this, as low-level and nuisance-level cyber activity from [Iran-aligned] groups like the 313 Team and Conquerors Electronic Army has continued without pause.”

    On April 8, 313 Team claimed responsibility for an attack on an Australian government authentication portal, and Conquerors Electronic Army claimed distributed denial-of-service (DDoS) attacks against Israeli targets, plus the US-based freelancer website Upwork.

    Mueller agrees with Warnick’s assessment, as it pertains to the current situation in Iran. “I think there will be a change in cyber activity both in scope and scale,” he says. “The majority of activity we’ve seen around this conflict so far is regionalized. We foresee — based on what we’ve seen with other conflicts both within the region, but also with Ukraine — that it’s going to grow a little more broad, and we’re going to have more activity in North America, more activity in Europe, or any country that was seen as supporting the conflict.”

    Though most ceasefires don’t cease cyberattacks, there is one ironic example to the contrary — a temporary peace deal which caused a substantial slowdown in malicious online activity. In the leadup to negotiations for the 2015 Iran nuclear deal, analysts observed the Islamic Republic probing US critical infrastructure for vulnerabilities that might facilitate serious attacks. But during the negotiating period, malicious cyberactivity went from high-volume to zero. According to The New York Times at the time, security researchers found not one single instance of a malicious phishing email, or critical infrastructure probe, aimed by Iran at the US during that period. Malicious activity resumed a couple of weeks after the negotiations ended, but at a slower rate, and didn’t reach pre-negotiation levels until Donald Trump tore up the deal.
