Video: Intelligence Briefing: The Israel-Iran Conflict | Duration: 3660s | Summary: Intelligence Briefing: The Israel-Iran Conflict | Chapters: Middle East Conflict Overview (6.3199997s), Nuclear Tensions Escalate (227.965s), Iran's Nuclear Escalation (412.205s), Iranian Intelligence Dynamics (680.85s), Cybersecurity Escalation Roots (799.785s), Geopolitical Conflict Implications (1007.51s), Cyber Threat Scenarios (1365.885s), Cyber Defense Strategies (2556.74s), Closing and Gratitude (3628.89s)
Transcript for "Intelligence Briefing: The Israel-Iran Conflict": Good morning, all. My name is John Condra, and I serve as Insikt Group's senior director for strategic intelligence, which tracks state-sponsored advanced persistent threat, or APT, campaigns with a focus on the big four, China, Russia, Iran, and North Korea, cybercrime and hacktivism, as well as global geopolitics. I'm joined today by three of Insikt's top analysts, Alex, Mary, and Paul, who represent these three portfolios, to discuss the evolving situation in the Middle East, what threats we've already seen, and, more importantly, what we expect to happen in the near and medium term as the conflict between Iran and Israel continues to escalate. A few housekeeping items before we get started. An on-demand recording will be available to registrants following the webinar, and the format today is facilitated questions and answers. You may add questions to the chat feature here, and we'll address those that we can as we go through. But, additionally, our analysts may chime in at will on any question to keep the conversation free-flowing and a little bit more dynamic. So with all that said, let's get started and dive right in. So let's start with Mary. But, again, feel free to chime in as you have thoughts. Let's briefly lay out what's occurred over the last few days between Israel and Iran. I think it's been a whirlwind period. Going back a week or so ago, there were rumors that something may be brewing between Israel and Iran, and then it feels like things have really spiraled rather quickly over the last week or so. So let's just lay the groundwork first. I'll hand it over to you, Mary. I'd like to start with a brief timeline and also touch on a few key takeaways from the conflict thus far. So early in the morning on June 13, Israel initiated Operation Rising Lion.
And Israel's prime minister clearly stated its objectives: to remove the Iranian threat to Israel's survival. This included Iran's nuclear enrichment, weaponization, and ballistic missile capabilities. Israel had early success in targeting Iran's main enrichment facility at Natanz, killing key nuclear scientists, and decapitating Iran's military chain of command. Additionally, Israel smuggled and prepositioned drones inside Iran for offensive operations to incapacitate the air defenses and missile systems inside Iran, and this was likely a key element of its success. Iran then responded with Operation True Promise 3. This was the third version of True Promise 1 and 2, which were the missile and drone barrages that Iran fired at Israel in April and October of last year. Approximately 80 to 90% of Iran's retaliatory strikes were intercepted, though a limited number did reach Israeli population centers. So while the attack demonstrated improved performance compared to Iran's April and October barrages, Iran's overall effectiveness remained limited. And then since Friday, Israel's ongoing strikes have broadened to include energy and nonmilitary regime infrastructure, such as Iran's state broadcaster. So the key takeaways from the last six days: this operation underscored Israel's superior conventional military strength and its intelligence dominance, and really demonstrated its advanced firepower and intelligence integration. Additionally, Israel successfully implemented a leadership decapitation strategy that dismantled much of Iran's senior military command structure, leveraging a model that it previously applied to both Hamas and Hezbollah in the last year and a half. So as a result, Iran is now in a place of unprecedented vulnerability. It's lost control of its airspace, its missile capabilities are severely degraded, and it doesn't have reliable proxies to confront Israel.
So this really represents, I would say, a failure of Iran's forward defense doctrine. Interesting. Thank you for laying that groundwork. What can we divine so far around some of the targets that have been hit, both in Iran and Israel, around priorities for either regime? Do you have any insight there? Yeah. Certainly, nuclear and military targets have been very much the focus of Israel's campaign. The targeted strikes on its personnel and its leadership in the military chain of command have been a major focus, driven by intelligence. On the other hand, Iran's barrages are hitting civilians, or targeting civilians, across the board. Also, on both sides, oil facilities or energy facilities have been struck. So the risk of this widening is definitely on the rise. Great. Thank you. So now that we know what's been unfolding over the last few days, how did we get here? I mean, the Iran nuclear issue has been a slow-burning one for decades at this point. What brought us to this point? What catalyzed the current conflict? And, essentially, what I'm asking is, why now? Have we inevitably been hurtling towards this since the October 7 attacks in Israel, or are there larger forces at work here? Yeah. That's a great question. So I'll address both the immediate reason as well as the larger context in the post-October 7 period and conflict. So the immediate catalyst was Israeli intelligence about Iran's fast-advancing nuclear capabilities. Iran was allegedly taking unprecedented steps to research weaponization, according to Israel, and it had stockpiled enough enriched uranium for at least nine nuclear weapons, according to the IAEA. Israeli intel also reported that Iran could build a bomb more quickly if it had elected to do so, and that its ballistic missile program had been dramatically expanded.
So according to Israel, Iran had plans to produce 300 ballistic missiles per month. All of these developments were perceived as an existential threat by Israel. It decided to disable that threat now rather than face it in the future. Additionally, Israel was not convinced that US diplomacy would dismantle Iran's enrichment program or change Iran's nuclear ambitions. And on the Iran side, it had also announced that it would build a third nuclear enrichment site, in addition to Fordow and Natanz, after the IAEA declared that Tehran was noncompliant with its safeguards agreement. That was the first time in twenty years, and it happened a day before all of this kicked off. So those are some of the immediate, firm reasons that we are where we are today. But I also want to address the larger strategic shift following October 7, 2023. Israel has really established its unchallenged position in the region. It demonstrated in Gaza, Lebanon, and now in Iran that it will not compromise on its national security. And Iran has ramped up its nuclear activities over the last year, and hardliners in the country have increasingly advocated for the supreme leader to reverse his nuclear fatwa, which allegedly bans nuclear weapons. So after direct confrontation with Israel in 2024, nuclear weapons were pitched as the only effective deterrent. 2024 really saw this unprecedented direct conflict between these two adversaries, but those exchanges were directly tied to Iran's support to Hamas and Hezbollah. Now this is Iran directly confronting what it sees as an existential threat. Israel is implementing what appears to be a meticulously developed plan designed to realize a long-standing strategic objective against Iran's nuclear program. Great. Thank you, Mary. Paul, Alex, anything to add? Yeah. If I may, John, I really have an interesting perspective, I think, very closely associated with what Mary just mentioned.
Looking at Iran from a long-term perspective, you see the polarization that transpired inside Iran as contributing towards this, almost like a catalyst towards this point. You start to see, even throughout the years of the cooling off of the Islamic Revolutionary Guard's involvement in the politics of the country post-Iran-Iraq war, through the opening up of the Dialogue Among Civilizations concept that was led by the former president, Khatami, the support and backing that they had received from quote-unquote pragmatist leaders such as Ayatollah Akbar Hashemi Rafsanjani, and that type of tide that tried to propel Iran towards integration with the world economy, and not an isolationist type of approach, which had dominated the strategic perspectives of the IRGC. That, however, started to unravel somewhat during the first and second terms of Mahmoud Ahmadinejad, the former president of the country. And the serious issue, I think, started to arise when, essentially, the bureaucratic elements within the Islamic Republic started to really lose power to the IRGC's increasing militarization of its foreign policy. And you start to see almost direct correlations between the IRGC's involvement in multiple theaters around the region as being the backdrop of this slow encroachment into, or very close to, Israeli territory. And at that point, you start to see Israel leading tactical strikes inside multiple different theaters, which I think then took us to this point where Israel decided, for its strategic well-being, to target the nuclear facilities inside Iran.
I think the quick second point I would like to note about why we are here is that, as part of that polarization inside the Iranian political spectrum, you start to see this increasing factionalization and almost an isolation of the pro-Islamic Revolutionary Guard elements that live inside that ecosystem. And they created a bubble for themselves where the IRGC controlled elements of the economy, elements of foreign policy, science and research and development, which obviously contributed to the weaponization program, and all the other different elements that we see used as part of the asymmetric warfare program of Iran within the Greater Middle East. The interesting component is how those factions that were no longer within that special circle of trusted elites and military leaders started to almost break away from the system. And I think you start to see, again, direct correlations with counterintelligence operations, recruitment by foreign intelligence agencies inside the Iranian system, specifically against elements of the IRGC's intelligence organization and the Ministry of Intelligence. And, at least from the cyber perspective, we started to see that materialize in the multiple different pseudo-hacktivist fronts that disclosed significant amounts of information on the program, that is, the cyber program. Those fronts were, for example, Roshan Ghani, Black Box, Jeb SDR, Ahmad News, and most recently, last year's Lab Dookhtegan. I think that is quite telling of how polarized the system was inside Iran and how it contributed to the broader issue that we are currently facing there. Yeah. Thank you, Paul. Really interesting insights into the internal dynamics between the military and the intelligence services in Iran. I really just want to note the factionalization that occurs. Alex, did you have any thoughts on the cyber side? Yeah.
Hopping in from the cyber angle, to the question of how we got here: we got here because escalation in cyberspace doesn't exist in a vacuum. It accumulates over time and boils over. It doesn't manifest out of nowhere. From a cybercrime and hacktivism perspective, the conditions for this flashpoint have been building for months, if not years. What we're seeing now is the convergence of multiple long-simmering pressure points, exacerbated for us following October 2023. So the war in Gaza reignited a global wave of hacktivist groups. Think back to October 8 and October 9, 2023, when long-dormant groups like AnonGhost or Anonymous Sudan showed up out of nowhere and started targeting Israeli Red Alert applications. And a lot of commentators wondered how on earth they came out of the woodwork. It reignited this global wave. We saw nearly 150 groups at that time, most of which were unaffiliated, loosely organized, and globally distributed, rally around the war in Gaza, and they never really went away. So that infrastructure, that momentum from a year and a half ago, was already in motion before the events of the past few days. Focusing more narrowly on Iran itself, it has long maintained a flexible cyber posture that leverages cybercriminal and pseudo-hacktivist groups as proxies. It factors into a broad strategy of using proxies in the widest sense. There's more than a decade of examples we can pull from, going all the way back to Cutting Sword of Justice and the Shamoon campaign, to Moses Staff and Abraham's Ax in the late 2010s, to even more recently Handala Hack Team, Cyber Avengers, Soldiers of Solomon. These groups operate just below the threshold of war. They're leaking, defacing, deploying malware at a small scale without triggering retaliation.
So, something really interesting that Insikt Group identified was, in the hours, days, and weeks preceding this recent escalation, we saw a ton of pro-Iranian hacktivist groups that we had been tracking for two years suddenly come back online after being dormant for many months. One specifically, Handala Hack Team, hadn't been active since February 2025 and restarted their extortion blog and reopened their Telegram channels Tuesday of last week, about two and a half days before Israel began strikes on Iran. This suggests some kind of pre-positioning, maybe, some narrative or perception shaping, maybe even signaling. So that's really important to note. And then briefly, lastly, the cybercriminal underground, while not ideologically aligned, has been war-washing this region for a year and a half. We can talk more about that term later, but it's the term that we use at Recorded Future to describe how threat actors capitalize on human suffering and geopolitical tensions. We saw, in the hours before the conflict began up until now, actors capitalizing for a quick buck, sharing recycled, reposted, false or fabricated data breaches for money, for forum credits. It creates a really noisy environment, but it's not a new phenomenon by any stretch of the imagination. These cybercriminal and hacktivist ecosystems have normalized this behavior for years. All it took was a spark to catalyze escalation, to catalyze an increase in the volume of activity. This wasn't sudden, and that's how we got here, at least from a cyber perspective. Cool. Thank you very much, Alex. So, yeah, that's a prelude to our transition into the cybercrime, hacktivism, and APT discussion in a few minutes here. But just to round out this section on laying out the landscape and geopolitical tensions, real quick, what do you think the implications of this are on Russia's war against Ukraine?
We can certainly see a potential oil shock due to strikes on Iranian oil infrastructure, for example, or blocking the Strait of Hormuz, being a much-needed boon for Russia's war chest as oil prices increase. Are there any other effects that people should be on the lookout for from a strategic perspective? Yeah. I mean, that's a great question, because there are indirect synergies between these two theaters of conflict that we definitely need to talk about. We can separate these implications, I think, into two buckets, non-cyber and cyber. I'll go briefly through the non-cyber risks. So, as you mentioned, an energy windfall for Russia. We saw Brent crude at about $77 per barrel as of this morning, up 10% since mid-June. You think about everything that's come out over the last few days about GPS jamming in the Strait of Hormuz, the diversion of shipping lanes from the Strait, threats of closure for Strait transit. All of this raises oil prices, and naturally rising oil prices prop up Russia's war economy. Many researchers have commented on this for years. Zelensky has been on the record commenting on this for years that higher oil prices and revenues indirectly strengthen Russia's war effort and provide it with a medium-term economic advantage. So that's the first thing to really keep in mind. The second thing is that, provided there are Western militaries that join in Israel's campaign against Iran, this will invariably reduce Western focus on Ukraine. So any shift in diplomatic or military bandwidth could, in the near to medium term, slow or dilute support for Ukraine. That's really important to note. The third thing is, we all know that Iran is a key supplier of drones and missiles to Russia. Conflict in the Middle East will likely divert stocks or drain logistics.
This is a really important point given that Russia and Iran signed a formal partnership on military cooperation in January of this year. However, the supply chain, specifically with regard to drones, could have a significant impact on the battlefield in Ukraine. Russia will likely have to surge domestic production, but without Iranian collaboration, this could be difficult. And the last thing is that Russia may initially benefit from regional tensions, gaining time to regroup in Ukraine as other states are distracted. However, prolonged conflict could force Moscow to recalibrate its resources. And one of the predictions that we had in a report we released late last year on Russian sabotage operations is, given Russia needs artificial leverage, it could create that artificial leverage by increasing its attacks on critical infrastructure or sabotage operations in Europe. And then very quickly, that was the non-cyber bucket, and then for the cyber bucket, breaking it down into cybercrime, hacktivism, and state-sponsored operations. Cybercrime is going to see a massive increase in chaos capitalism, especially out of the Russian cybercriminal underground. This spike in cybercrime noise presents a lot of opportunities for Russian-speaking cybercriminals, those on XSS, Exploit forum, and so forth, to rebrand, resell, or reframe old breaches targeting organizations in the region under the guise of this new conflict. We see this all the time in the Russian cybercriminal underground. We report on it extensively. We have entire dedicated reports on it, like "Russia's War in Ukraine Disrupts the Cybercriminal Underground" or "Dark Covenant 2.0." So definitely go check those out. But it's really important. This kind of blurs the lines of attribution. It inflates demand for stolen data, and it adds a lot of volatility to a crowded marketplace. We also note that a lot of commodity cybercriminal tooling is Russia-based or Russia-administered.
Similar to our observations with operations in Ukraine, we may expect to see Russian tools used to target Israeli assets and organizations as cyber campaigns uptick a little bit. Very quickly, I'll go through hacktivism. We'll see a lot of cross-pollination in narratives. So pro-Russian hacktivists and their affiliates, specifically groups like Server Killers, TwoNet, Z-Alliance, are actively expressing support for Iran, thus increasing the risk of joint or copycat campaigns against perceived adversaries: Israel, the United States, UK, France, and so forth. We've already observed this in October 2023 with the foundation of a group called the Holy League, which was a collective of 54 pro-Russian and pro-Iranian threat actor groups. They joined together and had DDoS and website defacement campaigns together. We will likely see a resurgence of that. We'll also note that a lot of the DDoS-for-hire tools that pro-Iranian hacktivists may use are Russia-based as well. So the Zeus API, Channel DDoS, Krypton, these are all Russian-language, Russian-administered tools. Expect to see those tools used against Israel. And then the last thing is resource diversion for APT campaigns. We have a trove of public reporting showing overlap between Russian and Iranian threat groups, as well as overlaps in operational capacity, intelligence sharing, cyber training, and so forth. A hot war in the Middle East will likely refocus and reallocate infrastructure and capabilities, which could fragment operations or see tools and tradecraft shared across two different theaters, in both Ukraine and Israel. Yeah. Very interesting. We do have a number of questions that we'll get to right after this next question, before we transition to the APT, cybercrime, and hacktivism sections of this. But, I mean, Mary, I guess, and Paul as well, where are we going with this? Take out your crystal ball. Where do you see this conflict going?
Is this going to be a long slog, or is this going to peter out over the next few weeks? What scenarios do you foresee in the near and medium term, and how do they affect the threat landscape? Yeah. Well, I'll jump in here. I want to caveat that this is obviously a completely unprecedented situation. So I want to highlight a couple of key unknowns. The first is the extent of US-Israel alignment. How much weight does Israel have over the US's decision-making? That appears to be in flux right now, as well as Iranian decision-making. Now that his inner circle is dead, the IRGC advisers that he surrounded himself with have been taken out, how much influence do the moderate voices have with the supreme leader versus the IRGC hardliners? So with those questions in mind, I want to explore a couple of scenarios. The first is one in which Iran concedes and pursues the diplomatic off-ramp. In this scenario, the conflict would be contained to Israel and Iran, which it has been so far. Under this scenario, Israel would sustain its offensive operations until it can decisively degrade Iran's nuclear infrastructure and dismantle its ballistic missile capabilities. And Fordow remains the key question. Without US help, does Israel have any other options, any other unconventional ways, such as cyber or intelligence, that it can use against this deeply fortified location? In this scenario, Iran would endure devastation across its military and critical infrastructure, but it would hold out long enough to project an image of resilience and convey that it has credibly withstood Israeli military pressure. It would then be forced to the negotiation table with really little to no leverage. So Iran would then concede on paper to give up its nuclear enrichment program and agree to dismantle Fordow. A key factor and unknown in this scenario is how intrusive monitoring and inspection regimes would be, to ensure that Iran does not attempt to reconstitute.
So what would that look like? What would Iran agree to under this scenario? And then the potential challenge to this is that Iran could still have its nuclear ambition. A weapon would potentially be seen as the only effective deterrent, and Iranian hardliners could gain influence under this scenario. Iran could also experience a rally-around-the-flag effect as it recovers from the strategic shock. But, again, intrusive monitoring and inspections would be the key to ensuring that Iran doesn't pursue this nuclear ambition, or that it doesn't persist. Now, under scenario two, Iran rejects the diplomatic off-ramp, the US then joins Israel in attacks on nuclear sites, and Israel widens its target set to systematically dismantle the regime's critical assets. So in this scenario, Iran refuses to surrender and concede its nuclear program, and the result would likely be a US strike on Fordow and increasing US support for eradicating Iran's nuclear capabilities. Israel would likely widen its targeting to encompass regime governance structures, critical national infrastructure, and strategic economic nodes. This would result in economic devastation in Iran, worsening electricity shortages, and the domestic security apparatus would be fundamentally weakened. Iran would then resort to asymmetric capabilities, really out of desperation. So this is where you might see an attempt to close the Strait of Hormuz, or Iran could conduct asymmetric naval attacks on adversaries' maritime or energy infrastructure in the Gulf. Iran would likely attack US bases in the region, although these operations would incur a massive and overwhelming response by the US and its allies. And, additionally, Iran could conduct terrorist attacks against US and Israeli diplomatic and economic interests or personnel overseas. So that would not be maybe an immediate reaction, but a medium- to longer-term reaction by Iran.
Additionally, Iran could pull out of the Nonproliferation Treaty and eject IAEA inspectors in this scenario. But really, at that point, its nuclear program is destroyed and the regime is fully isolated. It would then devolve into a failed state. So this is where you get the conditions for regime change, because the regime would be so weakened that the Iranian opposition would have an opportunity to rise up. So these are, I would say, two ends of the spectrum, and anything in between could happen, but I just wanted to outline two potential scenarios. What does your gut tell you about where we're heading here? I know I'm asking you a large question, but what would you guesstimate? You know, I think, based on Supreme Leader Khamenei's response this morning to the unconditional surrender post on X by President Trump, there's certainly a little bit of a we're-going-to-put-our-head-down-and-fight feeling in Iran. At least that's what the regime is projecting at this point. And so I think we are going to get closer to scenario two if it does that for much longer. Yeah. That's largely my assessment as well. I think we've already started to see some elements of this. Iranian parliamentarians have already started a bill to withdraw from the NPT. We've already seen some limited strikes on energy infrastructure in Iran, and there are all sorts of rumors about Iran potentially trying to block the Strait of Hormuz. So I tend to agree we're trending toward that scenario. So, turning to cybercrime and hacktivism, Alex, can you tell us what we've observed thus far, what we expect to see in the near and medium term, who the major players are, and the major TTPs that organizations need to be aware of? Yeah. It's a great, and a complicated, question.
So we've observed a really predictable but escalating pattern of cybercriminal opportunism and hacktivist mobilization, both of which are shaping the threat landscape in two distinct ways. I'll unpack each of them in more granularity in a second. But in the near to medium term, I would expect persistent hacktivist pressure, the continued use of conflict keywords to inflate cybercrime sales, things like Israel, Iran, IDF, and so forth, as well as an ongoing mix of real compromises buried under really noisy defacements, influence operations, and false claims. So for defenders, the bottom line up front is that we're really going to have to separate signal from noise. We're going to have to map influence operations as seriously as intrusions. We have to understand that cybercrime and hacktivism are no longer siloed. They are deeply entangled in modern conflicts, and this is something that has been characteristic since October 2023, but really has become deeply enmeshed since February 2022 and the Russian full-scale invasion of Ukraine. We've seen this globally. So, getting a little more granular, I'll talk about cybercrime first. We have evidence that financially motivated actors are already exploiting the chaos for profit. Since June 13, Insikt Group has tracked at least 35 new database listings on dark web sources affecting Western and Israeli organizations. Threat actors aren't ideologically aligned. They're just responding to conflict-driven demand signals. They're capitalizing on perceptions of value associated with Israeli and US-Israeli organizations. This is especially true on the low-tier DarkForums, which is seen by a lot of people as a successor to BreachForums.
It caters to an English-speaking audience across the Middle East and North Africa, South Asia, and Southeast Asia, and then on Exploit and XSS, which are more top-tier, mature, supporting technical Russian-speaking threat actors. Something kind of interesting we've identified in a lot of those leaked databases is that many of them advertise or claim ties to Israeli defense or government entities, the Ministry of Defense, the Ministry of Justice, the IDF. We saw a post this morning from an actor named Digital Ghost on DarkForums that was claiming to have compromised the Iron Dome. Probably nonsense, but intentional nonsense. It has a purpose. In reality, what we're seeing is mostly targeting of Israeli small and medium-sized businesses. So this is something really interesting. We've seen a lot of tagging of advertisements as, like, Israeli Ministry of Defense. And then the actual victim, when we look at the sample data, we look at the screenshots, we conduct victimology profiling, has nothing to do with the Israeli Defense Ministry at all, but is rather a construction company based in southern Israel. We've seen a lot of nonsensical breaches. "Hey, I'm targeting Israeli organizations that are supporting the war effort." And in one case, it was a Jewish deli in New York City. It had nothing to do with the conflict between Israel and Iran at all. This is something that we call war-washing. The entire point of this is to boost visibility, pricing, and impact. It reflects a very similar strategy to what we've observed in Ukraine. Really just the exploitation of geopolitical flashpoints to drive traffic, monetization, and marketplace manipulation with very little concern for the underlying political context, or in some of those cases, fabricated concern. Targeting a yoga studio in Tel Aviv does not have to do with Israeli national security, but we saw a yoga studio's database for sale for $5,000 on XSS. What does that say? Again, it's just war-washing.
It's the intent to direct traffic to something based on a geopolitical flashpoint. So that's what we're seeing in cybercrime. And then on the hacktivist side, it's a bit different. We're seeing a large surge in ideologically motivated groups, a large surge in ideologically motivated threat activity. So nearly 100 groups that we've observed over the last week. A lot of these groups break down into two specific camps. We've got about 10 of these groups that break down into a pro-Israel camp. This would include things like Predatory Sparrow, Karuna Ops, Anonymous Israel. About 10 are anti-Iran, as we categorize it. That bucket would be Jedi Security, Yemeni Danger, Anonymous Syria. A lot of these claim to be resistance movements or cyber partisans located within regional states that oppose Iran. And then that last group is going to be what we generally call anti-Israel. And that's not because they're pro-anything, but because they're really geographically diffuse. So there are about 90 groups that factor into this. It's going to include high-profile groups like DieNet, Keymous, Team Insane Pakistan, Mysterious Team Bangladesh, and so forth. That last group of 90 groups is not new at all. It predates the current escalation. It's got roots in the war in Gaza going back to October 2023. But really what's changed here for us is that the Iran-Israel conflict has acted as an amplifier for those preexisting groups. So it's pulling in new actors, regional or unrelated actors, or it's reinvigorating dormant ones. This is really important, because a lot of these groups engage in DDoS attacks, website defacements, hack-and-leak, sometimes doxxing of executives. There's going to be geopolitical spillover that affects digital alignment. So some of those groups within the 90 that I just mentioned, some of them are pro-Pakistani groups. Some of them are based in India.
Some of them are based in Bangladesh but target Israel religiously because of geopolitical alignment. The pro-Russian groups support Iran, as we talked about earlier. So it makes a very volatile threat surface, and it also blurs the lines between theaters of conflict. I would also put a big asterisk on threats to critical infrastructure. So we've talked a lot in the past about Iranian groups using hacktivist proxies or pseudo-hacktivist proxies to threaten critical infrastructure in Israel and in Western Europe and North America. A lot of Iranian groups, state-sponsored actors, carry out offensive cyber operations with plausible deniability. They put on cybercriminal or hacktivist faces in order to conduct these tasks and then kind of disavow them. That's something that we really have to be mindful of.

Yeah. Thank you. I mean, it is often asserted that many of the patriotic hacktivists are proxies, wittingly or otherwise, for states to distance themselves from their activities, but without giving tacit approval. Is this dynamic at play here on either side of the conflict, and what relationship between the state and the hacktivist communities is there? I think particularly in Iran would probably be the focus.

Yeah. It's a good question. I mean, the dynamic is absolutely in play. It's very much so in play, especially on the Iranian side. So Iran has a very long history of using hacktivist-style groups as deniable proxies, which allows the state to conduct offensive operations under the guise of ideology. We've seen this repeatedly with threat actors like Handala Hack Team or CyberAv3ngers, groups that present themselves as these kind of grassroots resistance movements but exhibit infrastructure, victimology, and tradecraft that overlap with known state-sponsored groups. So, specifically, we look at Handala Hack Team, which has overlaps with Void Manticore.
Moses Staff, or Abraham's Ax, has overlaps with a group called Marigold Sandstorm. And CyberAv3ngers, Soldiers of Solomon, has been named by the United States Department of Justice and Department of the Treasury as linked to the IRGC Cyber Electronic Command. So it's complicated. It's not about hiding attribution, but by using proxies, Iran outsources operational risk, both in cyberspace and in the real world. If an attack is traced, or if it escalates, or if it harms civilians, Iran can simply disavow it as the work of patriotic hackers or overzealous sympathizers. But if it succeeds, Iran then reaps the strategic benefits: narrative control, psychological pressure, disruption. This parallels very closely what we observe in Russia, specifically the Russian threat landscape targeting Ukraine, the use of pseudo-activist personas, which we're familiar with among Sandworm, of course. But it's echoed in Iran as well. On the Israeli side, the picture is much less clear, and it's mostly because of a field-of-view bias, but we do see some high-capability groups aligned with Israeli interests, most notably Predatory Sparrow. So I did see some questions come through on the Q&A about Predatory Sparrow: its attacks on Iranian banking infrastructure and cryptocurrency exchanges this morning. Their previous operations have included destructive malware, ICS/OT manipulation, and public leaks with communications campaigns that seem timed for maximum impact, I would say. And whether state-backed or not, their access and coordination supports the assessment that there's some strategic alignment that, at least in our assessment, is unlikely to be coincidental. Predatory Sparrow specifically is one of the only few high-credibility hacktivist groups that we track specifically in this theater.
Israel tends to operate with much tighter operational security, with far fewer patriotic hacktivist personas flooding social media, but also the pro-Iranian side is just disproportionately noisy, which makes it hard to make assessments on Israel itself. So, yes, in both cases there's some kind of state-backed, state-activist dynamic, from loosely tolerated online communities to fully integrated offensive tools masquerading as independent threat actors. It's part of a broader trend that we've seen globally. We see it in China. We see it in Russia. We've seen it with North Korea masquerading as non-state actors or taking on cybercriminal personas. States are blurring the lines between official and unofficial, public and private, cyber and psychological. The point of this is to gain strategic leverage without crossing red lines in any official capacity.

Yep. All makes sense. And you actually preempted my question on Predatory Sparrow and the attacks on the Israeli banks. Thank you for that. The Iranian banks, I mean. I guess, with just a few questions here related to hacktivism before we transition to APT. Do we anticipate a DDoS campaign similar to maybe against US energy infrastructure or against financials again, like we saw ten-plus years ago with the Izz ad-Din al-Qassam Cyber Fighters? Or has that group kind of spun down or moved on to other things?

Well, I would just say specifically that we do anticipate an increase in DDoS activity as well as an increase in website defacement activity targeting organizations based in Western Europe and North America, particularly in the US, the UK, France, and other NATO member states. We see, generally speaking, anytime there's a geopolitical flashpoint, the United States and its organizations being secondary targets in addition to Israeli targets.
We saw this in the later half of 2023 and early 2024 following the onset of the war in Gaza. A lot of these groups specifically target the United States because they perceive the United States as a shared adversary and as a financial backer of Israeli operations throughout the Middle East. It's part of the justification. It's part of the motivation. I would expect DDoS attacks against public-facing infrastructure, against web-based panels, against things like that. We can talk more at the end about mitigations if people have specific questions about mitigations and situational awareness and foresight. But, yes, we assess that it is highly likely that these groups will also target organizations in Western Europe and North America as part of a coordinated DDoS campaign.

Thank you. And one last question here. These new databases that you are referencing, starting to show up on criminal forums: is the data new, or are they reposts from previous events? Can you clarify there, or is it a mix?

Oh, so we can assess that. We're going through each of these databases one by one. We want to be very careful with how we validate them. But of the 35 that we've identified, we've identified that at least 10 of those 35 are recycled from previous breaches, whether they were leaked for financial purposes or they were shared by hacktivist groups. So in several cases, we've identified breaches previously attributed to groups like SiegedSec or GhostSec, groups like Anonymous Sudan and so forth, previous leaks, particularly Moses Staff. So Moses Staff used to have an extortion blog. That extortion blog leaked a bunch of Israeli documents and databases. Those documents are being repacked, recycled, presented as new from June 2025, but they're generally from the late 2010s to early 2020s, and they've been in Moses Staff's possession, with that public attribution, for a very long time.
So that's part of the strategy. The strategy again is to redirect attention here, to distract, to confuse people. We can confirm that at least 10 of those have been previously leaked or are being bumped, and are from previous years. They're from earlier in the year, or they go back even as early as 2022.

Great. Thank you so much. So, Paul, moving on to state-sponsored cyber activity. What have we seen so far in this conflict? Conversely, what have we not seen that we would have expected to? Are there any surprises here?

Yeah. Thank you, John. I think, starting with the latter question, many people probably suspected, or many analysts as well suspected, that there would be an immediate retaliatory attack, something in terms of Shamoon-style operations, and that's something that we did not see. However, from the general observations that have been reported in open sources, some figures have been floating around suggesting that there's been an increase of approximately 700% in Iran-led cyber attacks against Israeli networks since the launch of, essentially, the operations inside of Iran. Now that figure is, in my opinion, a little bit questionable, because that could be something as simple as vulnerability scanning, password spraying, or brute-forcing attempts with, you know, generic-type credentials, as opposed to something that's been a concerted effort to target these networks. I would say, as Alex mentioned before regarding the GPS jamming as well as the types of GPS interference operations, that is something that was expected, because Iran has been executing that type of activity in the Strait of Hormuz for quite some time now.
And so the reports of those approximately 900 vessels, ranging from tankers to cargo ships and smaller dhows and whatnot, experiencing some form of interference are definitely in line with the types of capabilities that the IRGC Navy has, quote unquote, perfected over its decade-long activity in the region. I think something that has also been observed, and I think in line with what Alex has said, has been a lot of the flooding activity on social media networks. And this has been all about collecting information to target Israeli networks. So, for example, the different types of organizations have included the defense industrial base, health, and financial sectors. And I quote this from a specific group that I was just looking at earlier, yesterday. The threat actor claims, "The hospital service and financial sectors of the Israeli regime are also being infiltrated by" a specific group. I won't name the group. "But it is implementing ransomware attacks on the servers and the infrastructure of the Israeli regime." These are the types of claims that we are seeing, and these are groups that are associated with, or are believed to share an association with, specific state-sponsored groups. Now, when it comes to the more espionage-oriented elements, we, as our friends in the community know, leverage our capability to track server configurations to identify newly registered infrastructure linked to Iranian threat actors, which enables us to detect that early registration of command and control infrastructure and so forth. In at least one instance, we have observed espionage-focused groups registering infrastructure that's tailored specifically to the Israeli threat landscape, which would suggest that there is a tailored or a targeted approach to the cyber operations.
Now, with regards to the destructive component, which is, I think, in the minds of many who are trying to assess where Iran's next steps will be, this is very much associated with how Iran perceives not only its direct confrontation with Israel, and whether the United States enters the fray, but whether it sees other third parties associated with this conflict. So, open source reports have, and I think as both Mary and Alex have mentioned, there are eyes on the alliance, essentially, of Israel in the region. So the members of the Abraham Accords, Bahrain, the United Arab Emirates, and many of the others that are probably associated with European governments, will have to deal with a type of cyber attack from a state-sponsored group. So the United Kingdom and France, obviously. Those are all the third parties that we assess could face some form of an attack, looking at the historical ways that Iran has implemented such attacks. So looking at Shamoon 2, the targeted attacks against Saudi Arabia, or looking at the Shamoon 3 operations against the oil and gas sector that impacted an Italian oil and gas company in 2018, you're looking at essentially a form of retaliatory operation. So again, within the context of the destructive attack, the potential for a destructive attack is definitely going to increase if we see the involvement of the United States in the immediate future against Iran. When it comes to Israel, because we've seen Iranian state-sponsored operations against the Israeli ecosystem for many years now, it's almost the question of how much more they can do at this point, because all efforts have really been pointed, in large part, towards the Israeli environment. And that then will take us into the perspectives of how and which organizations are really involved. But I'll let you guide us into that environment if you want us to go there.

Yeah.
Thank you. No, I like the potential for US intervention in the conflict as a signpost for when we really could start seeing some of the more destructive operations on either side start taking place, as the gloves kind of have to come off, as it were, for Iran in such a scenario, as the pressure will be wildly increased. So with that said, what are some of the primary offensive Iranian cyber units organizations should concern themselves with defending against, and what are some notable TTPs that customers can use?

Yeah. Absolutely. So from an organizational perspective, because we know that many of these cyber units are associated with one organization or the other inside the country, complex, and from a complex environment assessing the regime's response, we should expect that the IRGC-affiliated units, the MOIS-affiliated units, and even the procedures cyber capabilities, so at this point those that can execute website defacements and so forth, will be put into full effect to launch attacks. Also, from an information warfare perspective, and we started to see that across multiple platforms on social media, they have been really in full effect, releasing quantities of content to suggest, essentially to spread, the narrative of fear of what will happen if Iran is attacked and so forth. And they've used a lot of graphic, video-generated content to show military-type responses, such as a ballistic missile-type response and so forth. We've seen in the past a similar type of information warfare operation launched at crisis or conflict points that Iran has really had to face. From the perspective of the units themselves, we can expect all the major names. So from the MOIS side of the table, MuddyWater and APT34 / OilRig, as well as, for example, Void Manticore, which is associated with more of the destructive component.
And from an intelligence collection perspective, the ones that we track internally, for example Green Bravo, Green Charlie, Green Delta, and Green Foxtrot, associated with the major groups externally known as Tortoiseshell, Charming Kitten, APT42, and so forth, continue their espionage operations. And when we're considering these espionage operations, we have to look at the types of targeting methodologies, and we're going to be considering this as an immediate need for information of intelligence value by these groups. So the types of TTPs that we're used to seeing from these groups will have to be slightly amended due to the immediacy requirements of the Islamic Republic. So, social engineering TTPs, for example, ones that we would see from various groups, take a little bit more time. They're kind of long-winded email exchanges. We would imagine that being drastically reduced, which actually exposes these groups to a lot of errors when they're launching their attacks and in the types of spear phishing messages that they send to their targets and so forth. But initial access is also going to involve aspects such as passwords, right, brute forcing, vulnerability scanning, and all those types of activities that many groups, such as Peach Sandstorm, are known for executing, not only against high-value strategic targets within government and the defense industrial base, but also against ICS elements, not only in the Middle East but also outside, within the North American threat landscape. Other types of TTPs, I mean, we have so many, but the abuse of legitimate Internet services, this is definitely going to be another element to watch for. Companies will have to worry about, or consider, attacks leveraging remote management tools.
So AnyDesk and a whole host of others that the Iranian groups love to use when they target, and they use those for lateral movement once they're inside target networks, or for establishing a very rapid foothold in those networks. We'd imagine them continuing to abuse file sharing services such as Dropbox, Egnyte, Google Drive, and OneCloud to deliver that message. And obviously, I think there are so many frameworks and C2-based malware that these groups have developed for their operations, names such as BugSleep, PowerLess, and Blackout, and the SAD C2 framework. These are all the ones that are being used by the major groups. The companies and individuals involved in the defense of their networks will have to really fine-tune the signatures and detection mechanisms to ensure that those are primed for that type of detection. Obviously, from the destructive component, we know that, within at least the Israeli threat landscape, groups such as Void Manticore have used BiBi ransomware or CL ransomware, sorry, wiper malware. But we also know that other groups have used ZeroCleare, Dustman, and Deadwood. These are all different types of wipers employed by different Iranian APT groups. So, just from within those few TTPs discussed, there is definitely potential for these groups to launch targeted attacks, and it'll be really up to defensive operators in each organization to ensure that their networks are primed for defense.

Cool. Very interesting. Thank you. Just in the interest of time, I'm going to combine kind of two related thoughts towards the end here. So, you know, say I'm a business, a multinational business, without really a presence in the Middle East, or especially in Israel and Iran. What do I do about this? What does my threat posture look like, and what should I be doing to defend myself?
And, more broadly, what can organizations that do have a presence there do to mitigate the risk of being successfully targeted by some of these groups? And that's an open floor to all of you.

I can go quickly and take some of the cyber first. So in terms of mitigations, even without a physical presence in Iran or Israel, enterprises are far from immune. In today's cyber threat environment, spillover is the norm. It's expected. It's not the exception. So if your company is based in or does business with countries viewed as even backing Israel, say the United States, UK, France, Germany, and so forth, or as adversarial to Iran, you may be targeted symbolically. Hacktivists and the pseudo-hacktivists that we mentioned, in particular, aren't precision operators. They go after logos, headlines, and brands that they associate with the enemy regardless of location or affiliation, or even whether that affiliation exists. You might rely on vendors, logistics, third parties with connections to the regions. Threat actors often go after very fragile parts of a stable supply chain, of a trusted ecosystem. We've already seen small and medium-sized Israeli businesses hit, ones that I mentioned, and those framed as military-linked even when they're not. So you have to be careful about that kind of stuff. Hacktivists in particular don't require geopolitical logic. It's not saying that they're stupid. They don't need logic in order to conduct campaigns. They need attention. Companies with global name recognition, even if they're unrelated to the current escalation, especially those operating in finance, energy, media, defense, those are all prime targets for DDoS, defacement, and so forth. And cybercriminals, again, like I've mentioned many times, are just using this conflict to drive engagement and sales, even using unrelated breaches that are being repackaged to look like geopolitical targeting.
So you could be compromised by an opportunistic threat actor and roped into this without warning and for no reason. The calculus changes a lot if the United States gets involved, obviously. We'd likely see, as I said, a surge of anti-American hacktivism and cybercriminal capabilities, for cybercriminals in general. Once the United States is fair game, this opens up their prospects. It opens up the market dramatically, so expect to see a lot more targeting there. But my bottom line really is you can't control geopolitics. Unless we have any heads of state on this call, you can't control geopolitics, but you can control your exposure. The best defense is situational awareness. It's recognizing that you are in scope of a campaign even if you're not in the region, and acting accordingly. So you're going to have to tune detection and logging for data staging, for wipers, for credential theft, especially those TTPs linked to the cybercriminal and hacktivist groups mentioned in this webinar, which will obviously be recorded. I have named all of the ones that we believe are worth naming. So go back through those, consult with Recorded Future, your threat intelligence provider, or open sources to look at tradecraft and capabilities associated with those groups. Obviously, for small to mid-sized businesses, watch your public-facing portals for defacements and DDoS, look at your legacy infrastructure that might be breached and then repurposed as a data hack-and-leak operation, patch rapidly, enforce multi-factor authentication, all the very basic stuff. But, yes, even if the attack is low-skill, or something you perceive to be low-skill, the story can go viral. We've seen many times that fake, fabricated, or low-credibility claims go viral on social media when they really pose no tangible threat to an organization. So threat actors attack by association, not by logic. Cybercriminal and hacktivist threats are asymmetric. Be prepared. Act accordingly.
Reacting in real time is too late. So we're going to have to practice situational awareness here.

Do I have time to jump in on the physical risk perspective?

Yep. Real quick. We need to wrap up.

So I would just say organizations should proactively identify and remove information about their executives and senior leadership that can be gotten from open sources, particularly PII and contact information, to really minimize threat actors' ability to establish a pattern of life for their senior leaders, and aim to limit disclosure to only what's absolutely the minimum necessary, and then use the Recorded Future platform. We've got an executive protection reference guide, and organizations can also commission executive profiles to evaluate the risk landscape facing their executives, as well as use the Recorded Future Intelligence Cloud to monitor social media messaging and other sources that these extremist groups use or prefer to use, to detect threats to your organization's specific sectors or facilities.

Great. Thank you. As we're running short on time, I think we'll leave it there. But just a big thank you to all of our participants, Alex, Mary, and Paul, as well as all of our attendees, for their insights. This was a recorded session. If you registered for the event, you should receive within twenty-four hours a link to the download for the recording. So look out for that if you'd like to go back and revisit any of the content. Otherwise, thank you all for listening out there and joining us today, and for your questions. And, until next time. See you then.