Photos of Kash Patel Leaked in Handala Cyberattack



As Iran ramps up its retaliatory attacks against the US and Israel with missiles and drones, heading into the fifth week of the war, its cyber-warriors are beginning to do the same.

A notorious hacker group had a particularly interesting moment on Friday, compromising former FBI Director Kash Patel’s email address and publishing much of its content online, including his résumé and a picture of him smoking a cigarette and posing in the mirror with a bottle of rum.

An FBI spokesman acknowledged that Patel’s email was targeted. “The information in question is historical and does not involve government information,” the spokesman told Foreign Policy, adding that the organization has offered a reward of up to 10 million dollars for information about the group, known as the Handala Hack Team, which is linked to the Ministry of Intelligence and Security of Iran.

The breach of Patel’s email was the latest in a tit-for-tat exchange that last week saw the US Department of Justice seize four Handala sites on March 19, one week after Handala took credit for a major cyber attack on US medical facilities manufacturer Stryker. The company was still working to fully restore systems as of Tuesday.

“We are working closely with our global manufacturing sites as operations improve to full capacity,” a Stryker spokesman said in an emailed statement. “Manufacturing capacity is increasing rapidly and many of our sites and critical lines have been restored.”

Handala, which also recently said it leaked the personal information of several Lockheed Martin engineers based in Israel, is one of several hacking groups linked to the Iranian regime that have been targeting US officials and companies in the past week. Another group, known as APT Iran, claimed to have stolen 375 terabytes’ worth of data from a US defense contractor, according to threat intelligence firm Flashpoint. The breach has not been officially confirmed; the company told Foreign Policy that “there is no evidence indicating an impact on Lockheed Martin’s systems, operations or data at this time.”

But for Iranian hacker groups, that ambiguity is often the key, said Cynthia Kaiser, who served as deputy assistant director of the FBI’s cyber division until May 2025.

“You’ve seen Handala do this a lot … it’s a mix of fake and real attacks, making it hard to figure out what’s really going on,” said Kaiser, who is now senior vice president of ransomware research at cybersecurity firm Halcyon. “But if the main goal is to show you can retaliate—either to a domestic Iranian audience or to those whose activities you’re trying to prevent—going public is important,” she added, describing such activities as “a kind of Internet-enabled PR campaign.”

Handala and other groups have also repeatedly targeted Israel, with Israel’s National Internet Directorate saying that hackers linked to Iran had wiped data from at least 60 Israeli companies through so-called “wiper” attacks.

“The boundaries between nation and cybercriminals are clearly blurred for Iranian actors,” said David Carmiel, CEO of Israeli cyber security firm Kela. Kela, along with Halcyon, found evidence on the dark web of Iran-linked ransom group Pay2Key offering 80 percent of profits to hackers targeting Iran’s “enemies” (an increase from its previous 70 percent cut), which it described as “(s)pecific conditions of benefit to Iran’s friends.”

Carmiel said that unlike the ransomware groups commonly associated with Russia—whose disruption is more focused on making money by seizing access to systems and then returning it in exchange for millions of dollars in payments—Iranian ransomware groups are focused on destruction. “It’s less about helping you recover and more about making a financial profit and wreaking havoc on your infrastructure.”

Iran’s cyber retaliation was relatively muted in the early days of the conflict, when the US and Israeli forces used both offensive internet activity and kinetic air strikes to kill the main leaders of the Iranian regime and took over the cyber command center.

“But anyone with a laptop can find a way to re-engage; it’s not like there’s anything strange about the building,” said Mieke Eoyang, who served as US deputy secretary of defense for cyber policy until April 2025 and is now a visiting professor at Carnegie Mellon University’s Institute for Strategy and Technology. “Many of the infrastructure malicious actors are operating in a very unusual way, so I would expect that we would see those types of activities coming over time,” she added. “You don’t have to have that kind of strong command and control structure to create significant disruption.”

None of what cyber experts have seen so far from Iranian groups is out of the ordinary — Iran has a long history of going after Washington and its allies in cyberspace, including affecting critical US infrastructure such as water treatment plants.

Such attacks could still happen as Iran plunges into war and secures its cyber base. “This is an Iranian playbook,” Kaiser said. “They see cyber as a way to get revenge—it’s less dangerous than physical or kinetic attacks, but it allows them to say they’ve gotten revenge.”

It also means that even in the unlikely event of a negotiated end to the war, the cyber threat from Iran will not end.

“Even if there is some kind of ceasefire, the internet will continue because it’s under the radar a lot of the time,” Carmiel said. “The target world for Iranian groups has grown.”
