Blog Post by Jiwon Lim
When a group of hackers broke into water systems across the United States in 2023, they left a message: “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”
At the time of the attack, the “CyberAv3ngers” presented themselves as ideologically motivated hacktivists protesting Israel’s actions in Gaza. However, within a few months, the U.S. Treasury Department sanctioned six officials from the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) for directing the operation. The hacktivists were state actors all along.
This is a recurring pattern in the Iranian cyberthreat landscape. In developing its cyber ecosystem, Iran has made deliberate efforts to deputize hacktivist proxies for state operations while avoiding state attribution. Iran now presents a coordinated cyber threat composed of state-sponsored advanced persistent threat (APT) actors from the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence (MOIS), combined with an expanding ecosystem of opportunistic hacktivist groups.
These relationships manifest across a range of sophistication, from unsophisticated but coordinated distributed denial-of-service (DDoS) attacks and website defacements to advanced destructive campaigns targeting industrial control systems (ICS) and operational technology (OT).
As Iran expands its cyber operations, the tactics, techniques, and procedures (TTPs) employed by Iranian hacktivists increasingly mirror those used by state-sponsored APTs, raising critical questions about capability sharing, cross-recruitment pipelines, and formal command-and-control relationships within this environment. Understanding these dynamics is essential for accurately assessing threat actor attribution, informing defensive priorities, and calibrating appropriate policy responses.
Iranian Cyber Ecosystem
Actor labels such as “hacktivist” or “state-sponsored” are distinct classifications defined by observed tactics, self-attribution, and external assessments. In the Iranian context, these categories often blur.
The IRGC and MOIS operate much of Iran’s offensive cyber capability and its organizations. The IRGC is military-affiliated and under the direct control of the supreme leader, while MOIS is housed under the civilian presidency. Both organizations have affiliated state-sponsored APTs, including well-documented threat actors such as APT33 and APT35 within the IRGC and APT34 (OilRig) and MuddyWater within MOIS. The goals of each actor vary, but they reportedly share TTPs and coordinate operationally to conduct strategic espionage, sabotage, and influence operations against foreign governments, dissidents, and critical infrastructure.
Hacktivist actors are labeled separately from these government-affiliated groups. Broadly, hacktivists act independently of a state government in support of a certain political or social ideology, much like physical activism, but with cyber tools such as hacking.
Much of Iran’s hacktivism, in line with hacktivist operations globally, has been characterized by strong ideology and low-to-medium sophistication, as recently seen in opportunistic DDoS attacks, doxxing campaigns, and website defacements against Western and Israeli targets. However, some Iranian hacktivist groups have targeted industrial control systems (ICS), demonstrating higher levels of sophistication and prompting questions about their independence from the government. Attribution to Iranian hacktivist groups tends to be straightforward on the surface because the groups publicly claim their attacks. However, deliberate false-flagging and evolving TTPs pose hurdles for clear verification.
Alignment of Iranian Hacktivism with the State
Use of hacktivist groups as state proxies is not new. Russia is the prime example, having used hacktivist groups in operations against Ukraine to claim plausible deniability and to remain resilient to external disruption. Iran has followed a similar path: since the 2010s, it has leaned on government-affiliated hacktivist groups to stay below the threshold of conventional warfare while maintaining plausible deniability. This alignment is evidenced by shared tooling and TTPs between named Iranian APTs and Iranian hacktivist groups, as well as by hacktivist attacks timed to coincide with state military operations.
In the last few years, Iranian cyber operations against U.S. critical infrastructure have become more commonplace. Many have been presented as ‘hacktivist’ campaigns, whether or not the label holds. The case of CyberAv3ngers and their operations against U.S. water and wastewater systems showcases a common trajectory from hacktivist posturing to confirmed state operations targeting industrial control systems. The group first surfaced in October 2023, targeting ‘made in Israel’ infrastructure.
By November, according to CISA, it had compromised at least 75 devices made by the Israeli company Unitronics, including 34 in the U.S. wastewater sector. Despite the group’s hacktivist claims, CISA and private cybersecurity firms have since rejected that label, citing funding and tooling that exceeded typical hacktivist capabilities and sophistication. While attribution confidence differs by nation and analyst, many now link the group and its members to the IRGC.
At the military operation level, the twelve-day Israel-Iran conflict in June 2025 demonstrated how Iran’s hacktivist ecosystem operates at scale and in coordination with the state during kinetic hostilities. Analysis of over 250,000 Telegram messages from more than 178 hacktivist and proxy groups revealed rapid mobilization as air strikes began. Iranian-backed and affiliated hacktivist groups like Fatimion Cyber Team, Cyber Fattah, and Cyber Islamic Resistance conducted reconnaissance, DDoS campaigns, website defacements, and data theft operations coordinated with military developments on the ground. The patterns in attack timing, target selection, and exchange of vulnerabilities and attack scripts across groups suggest orchestration rather than organic hacktivist activity. The sustained, coordinated nature of these campaigns indicates an influence operation with institutional backing rather than opportunistic volunteers.
Strategic Implications for Iran’s Military and Cyber
The strategic value of this cyber ecosystem lies in its flexibility. State objectives can be pursued through various groups, from sophisticated APTs to state-sponsored activist collectives, depending on the required capability, acceptable attribution risk, and desired escalation level. When Iran wants deniability and widespread influence, it uses hacktivist personas. When it needs sophisticated access and narrow targeting, it deploys the APT groups. The blurred lines allow the same resources and information to move between groups. As shown by the coordination during the twelve-day conflict and the attribution of the hacktivist groups targeting U.S. infrastructure, Iran has no qualms about using hacktivist proxies to carry out cyberattacks and influence operations in support of Tehran’s national security objectives. Using proxies for plausible deniability is essentially how Tehran scales these operations and remains resilient to disruption.
Beyond their direct technical impact, hacktivist operations serve a critical perception-shaping function, and Iran understands this. DDoS attacks, while often dismissed as unsophisticated, can still knock key systems offline, creating downtime and cascading disruptions, especially for small-to-mid-sized companies with less robust infrastructure.
In these influence campaigns, Iranian hacktivists often exaggerate their impact to generate confusion, shaping perception and compensating for capability shortcomings. As Iran sees returns from cultivating hacktivism and the barrier to entry for offensive cyber operations falls, these operations may grow in severity.
Without early action, categorizing each actor will only grow more difficult. Many Iranian or Iran-supporting hacktivist groups posing a threat to the United States and its allies, such as Laneh Dark and Handala, have yet to be officially affiliated with the Iranian government.
As conflict grows in the region and technological capabilities accelerate operations, the number of hacktivist groups will only increase. Hacktivist groups can exist independently. However, Iran’s history of using hacktivist groups as state proxies cannot be overlooked. In addition to tracking the state APTs, the United States must approach Iranian hacktivist groups with skepticism regarding their claimed independence.
As the U.S. approaches future Iranian cyberattacks, the distinction between hacktivist nuisance and state-directed threat instrument will be essential to determining the appropriate response.
To this end, there is a clear need to closely track the infrastructure and TTPs attributed to hacktivists, from timing that coincides with Iranian military operations and political events to their infrastructure procurement methods. This will be key to clear attribution and to action, from prioritizing security patches to identifying adversarial state intent and escalation.
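The coordination signals described above (several groups hitting the same target within a short window, and claim timing that tracks kinetic events) can be checked mechanically once hacktivist claims are collected into a timeline. The following Python script is an added example, not code from the original post or from any of the analyses it cites; the groups, targets, timestamps, and the event are constructed for illustration, and the thresholds (a 60-minute clustering window and a 24-hour event window) are assumptions to be tuned against real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for illustration only: these groups, targets,
# timestamps and the event are not real claims or real incidents.
SAMPLE_EVENTS = [
    ("2025-06-13T00:00:00Z", "kinetic event (constructed)"),
]

SAMPLE_CLAIMS = [
    {"group": "Group A", "ts": "2025-06-13T02:10:00Z", "target": "utility-a.test", "action": "ddos"},
    {"group": "Group B", "ts": "2025-06-13T02:35:00Z", "target": "utility-a.test", "action": "defacement"},
    {"group": "Group C", "ts": "2025-06-13T03:05:00Z", "target": "utility-a.test", "action": "ddos"},
    {"group": "Group D", "ts": "2025-06-13T12:00:00Z", "target": "agency-b.test", "action": "leak"},
    {"group": "Group A", "ts": "2025-06-15T10:00:00Z", "target": "vendor-c.test", "action": "ddos"},
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp; the trailing Z is rewritten for older Pythons."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _emit(target, run):
    """Turn a run of (time, group) claims into a cluster if two or more distinct
    groups took part; single-group runs are ordinary activity and are dropped."""
    groups = sorted({g for _, g in run})
    if len(groups) < 2:
        return []
    return [{
        "target": target,
        "groups": groups,
        "start": run[0][0].isoformat(),
        "end": run[-1][0].isoformat(),
    }]


def coordination_clusters(claims, window_minutes=60):
    """Group claims by target, sort by time, and chain consecutive claims that are
    no more than window_minutes apart. Returns the chains involving 2+ groups."""
    window = timedelta(minutes=window_minutes)
    by_target = defaultdict(list)
    for c in claims:
        by_target[c["target"]].append((parse_ts(c["ts"]), c["group"]))

    clusters = []
    for target, entries in by_target.items():
        entries.sort()
        run = [entries[0]]
        for entry in entries[1:]:
            if entry[0] - run[-1][0] <= window:
                run.append(entry)
            else:
                clusters.extend(_emit(target, run))
                run = [entry]
        clusters.extend(_emit(target, run))
    return clusters


def claims_near_events(claims, events, window_hours=24):
    """Fraction of claims posted within window_hours of any listed event.
    A high fraction across many groups is a timing signal worth investigating;
    it is a heuristic for prioritisation, not attribution on its own."""
    window = timedelta(hours=window_hours)
    event_times = [parse_ts(t) for t, _ in events]
    hits = sum(
        1 for c in claims
        if any(abs(parse_ts(c["ts"]) - et) <= window for et in event_times)
    )
    return hits / len(claims) if claims else 0.0


if __name__ == "__main__":
    for cluster in coordination_clusters(SAMPLE_CLAIMS):
        print("cluster:", cluster)
    print("fraction of claims within 24h of an event:",
          claims_near_events(SAMPLE_CLAIMS, SAMPLE_EVENTS))
```

On the constructed data, three different groups claim the same target within an hour and form one cluster, while the lone claims against the other two targets do not; four of the five claims fall within a day of the event. Neither output proves state direction, but both are exactly the kind of pattern that, observed repeatedly across many groups and events, separates orchestrated campaigns from organic activism.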