Operation Epic Fury: Cyber War Assessment

APT Iran — Hack-and-Leak with OT Claims  

APT Iran is a pro-Iranian hacktivist collective that has become prominent for hack-and-leak operations and has escalated into OT-themed claims during this conflict. The group claims phishing-enabled access to Jordan Silos Company one month prior to public disclosure, with alleged manipulation of temperature controls in northern grain silos, weighing software, and solar power inverters. A solar PV monitoring dashboard was published alongside the claim. The level of narrative detail is sufficiently high to be either genuine or deliberately crafted for psychological effect — independent verification has not been confirmed. If any portion of the OT access claim is genuine, it represents a meaningful escalation beyond DDoS into operationally relevant critical infrastructure interference targeting food security infrastructure.  

NoName057(16) — Pro-Russian Affiliate  

NoName057(16) is a Russian-affiliated hacktivist collective that has consistently targeted Western and US- aligned nations since 2022. During the current conflict, the group has redirected significant capacity toward Israeli targets, framing this as solidarity with Iran. The group claimed DDoS disruption of the Jerusalem Post and an Israeli ISP, and its Telegram posts indicate an operational strategy of dividing attention between Europe and the Middle East. When NoName's attacks are blocked by DDoS mitigation services, the group frames this as the defender 'hiding' rather than a successful defense — a narrative tactic designed to maintain psychological momentum regardless of technical outcome.  

Z-Pentest Alliance — OT Claims Against Israeli Water  

Z-Pentest Alliance is a pro Russian group that published one of the most operationally significant claims of the conflict on March 3: alleged full access to a pump control and water supply management system in Israel, supported by a screenshot of an HMI panel showing Hebrew-language controls for water pressure, flow rate, supply meters, and pump operating hours. The group claims the ability to switch equipment on and off, change operational settings, and trigger emergency processes. Attribution to a specific Israeli operator has not been confirmed, and the claim may reflect access to a test or decommissioned system. Regardless of verification status, the targeting intent is explicit and aligns with a pattern of OT-focused claims across the ecosystem.  

313 Team, Conquerors Electronic Army, Keymous  

The 313 Team, operating under the Islamic Cyber Resistance in Iraq banner, was among the first to expand targeting from Israel to Gulf states, declaring attacks against Jordanian government portals and announcing a declared target list spanning Jordan, Saudi Arabia, UAE, and Kuwait. Conquerors Electronic Army conducted a multi-sector DDoS campaign on March 4 under the 'Wa'd al-Akhira' operational banner, hitting civil emergency alerting, financial services, media, industrial, and healthcare sectors across five separate attacks within 12 hours. Keymous operates a recurring declared target format, naming new countries daily and publishing check-host screenshots as proof of disruption.  

Pro-Israel / Anti-Iran Hacktivists  

The structural imbalance between pro-Iran and anti-Iran hacktivist groups is a persistent feature of this conflict type. As of March 2, 2026, 59-60 pro-Iran groups are active against 11 anti-Iran groups. The imbalance is not a reflection of capability — it reflects operational model. Israel's state-level offensive cyber capability makes independent hacktivist groups largely redundant on the Israeli side. Allied-side actors also avoid Telegram as a coordination platform, reducing their visibility in open-source monitoring.  

APT GROUP LANDSCAPE 

Iran's nation-state cyber apparatus is among the world's most prolific and tactically diverse. Over the past decade, Tehran has institutionalized offensive cyber through units linked to the IRGC and the Ministry of Intelligence and Security (MOIS). Iranian APTs operate across the full spectrum — from espionage and credential harvesting to destructive disk wipers, DNS hijacking, and OT intrusion. The current internet blackout has temporarily degraded their ability to operate from within Iran, but the operational posture built over years ensures that geographically dispersed operators and external infrastructure remain active. 

Key Iranian APT Groups: Current Status and Capabilities 

MuddyWater (Static Kitten / Mercury / Mango Sandstorm) 

MuddyWater is an IRGC-linked group known for targeting government, transport, and industrial sectors across the Middle East and beyond. The group leverages phishing with PowerShell loaders, abuses legitimate Remote Management and Monitoring (RMM) tools for persistence, and uses DLL side-loading via its PowGoop component. In February 2026, MuddyWater was confirmed to be conducting Operation Olalampo — a structured cyber offensive operation targeting the META (Middle East, Turkey, Africa) region. TTPs in this operation overlap with the RedKitten campaign from January 2026, indicating coordinated infrastructure. Threat researchers confirmed MuddyWater is establishing forward cyber posture aligned with the current kinetic conflict. MuddyWater's new MuddyViper backdoor targeting Israeli and Egyptian critical infrastructure was discovered December 2025. 

APT34 / OilRig (Helix Kitten / Hazel Sandstorm) 

APT34 is one of the most technically sophisticated Iranian APT groups, specializing in credential harvesting, DNS hijacking, and long-term regional espionage targeting Middle East government, telecom, and financial sectors. The group's hallmark is DNS tunneling for C2 and high-entropy subdomain generation that is detectable in DNS query logs. APT34 is assessed to be active in the current environment, though direct attribution of specific incidents to the current conflict cycle requires additional technical confirmation. Its long-term access operations against Gulf state governments mean pre-positioned access may already exist in target environments. 

APT35 / APT42 (Charming Kitten / Phosphorus / Mint Sandstorm / TA453) 

APT35 and APT42 are IRGC-linked groups that have expanded their scope in recent years to heavily target civil society — journalists, NGOs, academics, think tanks, and policy experts. APT42's January 2026 RedKitten campaign targeted human rights NGOs with macro-laced Office documents disguised as records of protesters killed during the January 2026 crackdown in Iran, using GitHub, Google Drive, and Telegram bots for C2. The group's operational pattern post-Operation Epic Fury would logically include expanding this targeting to organizations reporting on or engaged with the current conflict. APT42 operates almost entirely within cloud environments post-compromise — bulk email forwarding rules and OAuth grants to unrecognized third-party applications are primary behavioral indicators. 

APT33 (Elfin / Refined Kitten / Magnallium) 

APT33 is the preeminent Iranian threat against aerospace and energy sectors, with a documented history of destructive wiper deployment. The group's Shamoon and ZeroCleare wipers remain in its arsenal, and the current conflict provides clear motivation to activate destructive capabilities against US and Gulf state energy infrastructure. The kinetic strikes against Saudi Aramco's Ras Tanura facility in the current conflict and the targeting of QatarEnergy LNG suggest that critical energy infrastructure is being struck kinetically and may be targeted cyber-physically in parallel. APT33's alignment with energy sector targeting makes it a priority concern for Saudi Aramco, QatarEnergy, and Gulf state utilities. 

CyberAv3ngers (IRGC-affiliated) 

CyberAv3ngers is the most OT-focused Iranian threat actor, specifically targeting water utilities, ICS/OT systems, and exposed industrial control environments. The group's IOCONTROL malware is purpose-built for OT and IoT infrastructure targeting US and Israeli water utilities and fuel management systems. CISA has issued an advisory and a Rewards for Justice offer of up to $10 million for attribution information remains active. IOCONTROL was confirmed updated as recently as March 1, 2026 — active maintenance during an active conflict. The hacktivist OT claims (APT Iran's grain silo claim, Z-Pentest Alliance's water HMI claim) share targeting logic with CyberAv3ngers' established doctrine. 

Fox Kitten / Pioneer Kitten 

Fox Kitten specializes in exploiting unpatched VPN appliances and edge devices for initial access. Pioneer Kitten was observed in the 24 hours preceding this report actively exploiting Ivanti Connect Secure (CVE- 2024-21887) and Citrix ADC/NetScaler (CVE-2023-3519) — both vulnerabilities with known Iranian exploitation history. Organizations that have not patched these systems are at active risk of compromise by Pioneer Kitten serving as initial access broker for downstream Iranian APT operations. 

Allied Offensive Cyber Operations 

The US-Israel offensive cyber operations on February 28 represent the most sophisticated allied cyber campaign ever disclosed. US Cyber Command served as first mover, beginning operations before any kinetic weapon was deployed. The combination of BGP routing disruption, DNS infrastructure attacks, SCADA/ICS system targeting, and app-level compromise of widely-used civilian applications represents a full-spectrum offensive that deliberately targeted Iran's communications capacity, leadership coordination, and public psychological cohesion simultaneously. Predatory Sparrow — the Israeli intelligence-linked group that previously struck Iranian steel and fuel infrastructure — is presumed active in current operations, though the group's operational security model means its activity does not surface in Telegram-based OSINT. 

Third-Party Nation-State Opportunism: Camaro Dragon (China-Linked APT) 

Operation Epic Fury has created a strategic intelligence windfall for actors beyond the direct belligerents. External Threat Research identified a rapid-onset cyber espionage campaign launched by Camaro Dragon— a China-linked advanced persistent threat group — within a single day of the military escalation. This timeline is not coincidental. It reflects a well-resourced intelligence operation that maintains continuous monitoring of geopolitical developments and pre-positions campaign infrastructure capable of near- immediate deployment.The campaign targeted organizations in Qatar — a deliberate choice. Qatar sits at the intersection of US military basing (Al Udeid Air Base, the largest US military installation in the Middle East), LNG energy diplomacy, and regional mediation. For a state actor conducting long-range strategic intelligence collection, Qatar's communications, policy deliberations, and energy infrastructure represent exceptionally high-value collection targets — especially during an active regional crisis when diplomatic channels are at maximum activity. 

Attack Chain and Malware 

The infection chain began with conflict-themed archive files distributed across Qatari organisational networks. The lure file was titled: 'The destruction caused by an Iranian missile strike around the US base in Bahrain' — a realistic conflict-era document title that would be entirely plausible as an intelligence briefing or news summary during the first days of Operation Epic Fury. The archive contained an LNK shortcut file which, on execution, contacted a compromised remote server to download the first-stage payload. This staged delivery approach — in which the initial file appears benign and the malicious payload is retrieved remotely — is specifically designed to evade email security gateways and static file scanning.The full infection chain deployed two primary tools. PlugX is a modular remote access backdoor with a decade-long history across Chinese state-linked espionage operations. It provides persistent remote access, file system enumeration, keylogging, and data exfiltration — capabilities well-suited to long-term intelligence collection from within government, diplomatic, or energy sector networks. Cobalt Strike was additionally deployed as a post-exploitation framework for internal reconnaissance, lateral movement mapping, and identification of high-value systems for deeper compromise.A technically notable element of the campaign was the abuse of Baidu NetDisk — a Chinese cloud storage application — through DLL hijacking. The attackers placed a malicious DLL alongside the legitimate Baidu NetDisk executable, causing the trusted application to load the malicious library on launch. Because the process is initiated by a legitimate, signed application, many endpoint detection systems attribute theactivity to trusted software rather than flagging it as malicious. This technique allowed Camaro Dragon to inject the PlugX backdoor into the system in a manner that blends with normal application behaviour. 

Strategic Assessment: China's Third-Party Exploitation Posture 

The framing of this conflict as a bilateral US-Israel versus Iran cyber campaign requires revision. Camaro Dragon's rapid activation confirms that at least one third-party nation-state is actively exploiting the conflict to conduct parallel intelligence collection operations under cover of regional chaos. The strategic logic is sound: during an active military escalation, defensive attention is concentrated on the primary threat actors (Iranian APTs, hacktivist groups), network traffic volumes increase dramatically, and organisations deprioritise routine threat hunting in favour of operational continuity. This creates precisely the conditions under which a patient espionage actor can establish persistent access with reduced risk of detection.China's intelligence collection priorities in the Gulf region include US military posture and logistics, LNG pricing negotiations and supply chain decisions, diplomatic communication between Gulf states and Western capitals, and the broader regional realignment being forced by the conflict's outcome. Camaro Dragon's Qatar-centric targeting aligns directly with all four priorities. The timing — within 24 hours of the first kinetic strikes — indicates this was not an opportunistic campaign assembled after the fact, but a pre-planned contingency operation activated on a trigger event. 

REGIONAL IMPACT: MIDDLE EAST NATION-BY-NATION ASSESSMENT 

Kuwait — Most Heavily Targeted Gulf State 

Kuwait has been the most heavily targeted Gulf state in this conflict, subject to a coordinated DDoS campaign targeting national aviation, financial institutions, and core government digital infrastructure simultaneously. DieNet confirmed DDoS against Gulf Bank, Kuwait Finance House, Al Ahli Bank of Kuwait, 

Weyay Bank, and the Kuwait Government Online Portal. The 313 Team attacked the Kuwait Armed Forces portal and the state e-portal, with both attacks confirmed by check-host evidence. Fatimion Cyber Team declared large-scale targeting of all Kuwaiti government websites. Over 10 confirmed disruption incidents against critical state entities have been recorded. 

Jordan — Escalating Threat, OT Escalation 

Jordan faces a multi-vector threat with nationwide threat declarations referencing airports, railways, banks, transport, and water supply systems. DieNet expanded to Jordan with confirmed DDoS against Jordan Kuwait Bank, Jordan Commercial Bank, and Bank of Jordan. The 313 Team reported a complete one- hour shutdown of the Jordanian e-government portal. The most significant development for Jordan is the APT Iran claim of unauthorized access to Jordan Silos Company, a state-linked grain storage entity. If any portion of that OT access claim is genuine — and the level of operational detail (phishing access one month prior, temperature manipulation, weighing software modification, solar inverter disabling) makes it worth serious investigation — it would represent a direct threat to Jordan's food security infrastructure. The University of Jordan Library also confirmed a cyberattack as a victim-confirmed incident. 

Saudi Arabia — Newly Elevated Target 

Saudi Arabia emerged as a new priority target within the first 72 hours, driven by its political alignment with the US and the Saudi government's permission for American use of Saudi bases — a trigger explicitly cited in the SYLHET GANG-SG hack claim against the Saudi Ministry of Home Affairs. DieNet confirmed DDoS against Riyad Bank and Al Rajhi Bank. Evil Markhors added additional DDoS targeting. Nation of Saviors claimed a 21GB breach of Saudi engineering firm Baran Company. Handala claimed breach of Saudi Aramco facilities. Multiple groups under #OpSaudi and #OpGCC banners have declared ongoing operations. The convergence of financial sector DDoS, data breach claims, and physical infrastructure (kinetic drone strikes on Ras Tanura) makes Saudi Arabia a high-priority concern across both digital and physical threat vectors. 

UAE — Physical and Digital Convergence 

The UAE is experiencing a unique intersection of kinetic and cyber threats. Amazon Web Services confirmed its UAE Middle East (ME-CENTRAL-1) data center was physically struck by drone strikes, causing extensive cloud service outages affecting dozens of services. A separate localized power disruption also affected AWS Bahrain (ME-SOUTH-1). UAE-based scammers are exploiting the conflict environment to impersonate the Ministry of Interior and harvest Emirates ID numbers from civilians. The US Consulate in Dubai was struck by an Iranian drone attack. UAE organizations face compound risk from kinetic infrastructure damage, service disruption cascade, and social engineering exploitation of the crisis environment. 

Qatar, Bahrain — US Base Proximity Risk 

Both Qatar and Bahrain host major US military installations and have been struck kinetically by Iranian ballistic missiles — Al Udeid in Qatar and Ali Al Salem in Kuwait, plus a Shahed-136 drone at the US Naval Support Activity in Bahrain. DieNet's declared target lists include airport operational systems, banks, and utilities in both countries. A Shahed drone struck a radar installation at the 5th Fleet facility. Both countries must treat the current period as one of elevated combined kinetic and cyber risk. 

Cyprus — Newly in the Conflict Perimeter 

Cyprus was explicitly framed as a legitimate target by DieNet before any public reporting confirmed UK involvement in the conflict — a signal of intelligence sharing within the pro-Iran hacktivist network. The presence of British military bases is cited as the trigger. DieNet's targeting narrative for Cyprus circulated in hacktivist channels before a drone impact was confirmed. Cypriot government, aviation, and infrastructure assets should be treated as within the active operational geography. 

INDUSTRY AND SECTOR TARGETING ANALYSIS 

The targeting landscape of this conflict spans virtually every sector of critical infrastructure, with specific sectors facing elevated combined risk from both state-level APTs and hacktivist collectives. The targeting logic reflects both strategic objectives (disrupt, degrade, blind) and psychological warfare objectives (create domestic fear, erode public trust, amplify psychological impact of kinetic strikes). 

The targeting of civil emergency alerting systems by Conquerors Electronic Army is operationally significant beyond its immediate impact. Disrupting Israel's public alert system — which notifies civilians of incoming missile attacks — during a period of active Iranian missile launches represents a direct threat to civilian life in a way that most DDoS operations do not. This category of target, alongside OT claims against food storage and water supply, marks the most serious potential escalation beyond symbolic disruption.One of the most severe claims observed during the reporting period involved alleged industrial control system (ICS) access targeting Israeli infrastructure. Threat actors associated with the Russian-aligned Z- Alliance collective claimed access to water supply pump control systems and industrial production environments, including a flour manufacturing facility. While the claim remains unverified, it represents the highest-severity OT/ICS intrusion claim reported during the conflict period and highlights the risk of cyber operations escalating from digital disruption to physical infrastructure impact. 

TRENDS AND ANALYTICAL ASSESSMENT 

The OT Threshold Is Being Tested 

The most significant trend of this conflict, from a threat analysis perspective, is the speed at which OT/ICS claims appeared. In previous conflicts, OT targeting claims emerged weeks into an escalation cycle — if at all. In the current conflict, claims of PLC access, grain silo temperature manipulation, water system HMI access, and energy production monitoring appeared within the first 96 hours. Whether these claims reflect genuine intrusions or deliberately crafted information operations, the intent to signal capability against physical infrastructure is deliberate and systematic.The normalization of OT-targeting rhetoric across pro-Iranian, pro-Palestinian, and pro-Russian actor clusters is itself an intelligence signal, regardless of claim verification. Organizations operating water, energy, food supply, and government infrastructure in Israel, Jordan, and the broader Gulf region should treat the current environment as an elevated risk period even if no individual claim has been independently verified. 

Russian Alignment as a Force Multiplier 

The explicit joining of pro-Russian collectives — NoName057(16), Z-Pentest Alliance, Russian Legion — to the pro-Iran campaign represents a structural expansion of the adversary ecosystem. These groups bring documented DDoS capability, OT access claim experience, and established Telegram audiences to a conflict they previously had no operational involvement in. NoName057(16) is dividing operations between Europe and the Middle East simultaneously, suggesting structured targeting priorities rather than spontaneous mobilization. This is a concerning development: it means allied-side organizations may face DDoS tooling and OT claim techniques developed and refined during the Ukraine conflict now redirected at Middle Eastern targets. 

The Psychological Operations Dimension 

Iran's documented pattern of overstating intrusions — turning a single compromised machine into a claimed facility-wide breach — is operating at scale in this conflict. The IRGC-affiliated Telegram channel claiming penetration of 160 Israeli data centers, the DDoS operation framed as 'complete control over all systems,' and the fabricated data leaks are all components of an information operation strategy designed to force public responses on the attacker's timeline. Organizations need internal protocols for responding to Telegram breach claims before they generate press coverage — Iran's information operations are specifically designed to exploit the gap between a claim and a reputation. 

Data Exposure as a New Primary Weapon 

The 4.69 million Israeli citizen data leak by actor 'bzaari' on LeakBase represents one of the largest regional data exposures in the current cycle. This aligns with a broader trend: pro-Iran groups are increasingly shifting from disruption-focused campaigns toward psychological operations and mass data exposure. The data fields exposed — phone numbers, emails, names, DOB, location, relationship status,work details — are precisely the fields needed for targeted doxxing, harassment campaigns, identity theft, and secondary social engineering. The parallel doxxing of Reza Pahlavi's passport details by ENTITY reinforces that targeted psychological warfare against individuals — not just organizations — is now a primary operational technique. 

CISA at Reduced Capacity 

With CISA operating at reduced staffing due to a DHS funding lapse, the defensive posture of US civilian infrastructure is structurally weaker at precisely the moment it faces elevated risk. The absence of a published National Cybersecurity Strategy from the Trump administration, combined with CISA's institutional weakening, creates an environment where critical infrastructure organizations must operate with less federal coordination and guidance than previous conflict periods provided. 

Timeline Extension and Retaliatory Window 

President Trump's revised 4-5 week operational outlook has extended the anticipated window for Iranian cyber retaliation from approximately three weeks to potentially mid-April 2026. The current suppression of APT activity from within Iran is a near-term condition — once connectivity recovers, Iranian state- sponsored groups will retool and return. The organizations compromised in the coming weeks will largely be those that treated the current period as one of reduced risk simply because the most sophisticated actors are temporarily quieted. 

TTP Table by Actor 

Indicators of Compromise 

CONCLUSION 

Operation Epic Fury has opened a cyber conflict with no clear endpoint. The kinetic and digital fronts were simultaneous from the first hour, and the cyber campaign will outlast the military operations. Iranian APT groups do not stand down when strikes stop — they retool, rebuild, and return. The current internet blackout is a near-term suppression mechanism, not a structural defeat of Iran's cyber capabilities.The hacktivist ecosystem filling the visible void is real, loud, and growing. Most DDoS claims are exaggerated. Most data leak claims require forensic validation. But the OT-targeting claims appearing within 96 hours of the conflict's opening represent a threshold that organizations in food, water, and energy infrastructure cannot ignore simply because verification is pending. The intent is deliberate. The targeting logic is documented. The capability — however imperfectly characterized by current claims — is real. The organizations most likely to be compromised in the coming weeks are those that interpreted the suppression of visible APT activity as a signal of reduced risk, rather than as a temporary operational condition. The conflict is active. The threat actors are adapting. The defensive window is now.