Iran has entered its third consecutive day of near-total internet blackout as the coordinated U.S.-Israeli cyber and military campaign has pushed the confrontation into what analysts describe as an unprecedented digital battlefield. At the same time, pro-Iran hacking groups are signaling retaliation, threatening to target Western and Gulf critical infrastructure.
“There are now 60 hacktivist groups engaged in activities. Most neighboring countries to Iran have been targeted,” CyberKnow said in a Monday message on X. “Pro-Russian groups are starting to join the fight in support of Iran and more will join in coming days.”
Another post said that “Noname05716 has joined the cyber activity in support of Iran. You can expect groups part of their pro-Russian cluster to commence operations.”
One of the first tangible signs of that counter-offensive emerged on Monday. RedPacket Security reported that the pro-Iran, pro-Palestinian group Handala claimed Israel Opportunity Energy as a ransomware victim. In a post on its leak site, the group identified the company as a prominent oil and gas exploration firm and asserted that it had compromised the organization’s network. Handala wrote on X, formerly Twitter, that ‘the beginning of massive cyber attacks’ was imminent, adding hours later that ‘the destruction of cyber infrastructures is currently underway.’
“The message portrays that the organization has been hacked. The post does not specify any encryption outcome or confirmed data leak details beyond noting the intrusion, and it does not list a ransom amount. The post date is 2026-03-02 13:29:53.115777, which serves as the publication date for this disclosure,” the post added. “The narrative includes political references connected to other public figures, but these are not framed as part of the operational impact on the company; the focus remains on the claim of a security breach and the attackers’ assertion of a compromised network.”
The leak page states that a claim URL is included, suggesting there is a source or evidence page associated with the post. However, there are no screenshots or images reported on the leak page, as the page shows zero visual media entries. The content conveys a breach narrative and indicates some form of data exfiltration or exposure, but it stops short of detailing specific data categories or the extent of access.
Overall, the RedPacket Security post presents a ransomware-type intrusion claim without publicly disclosed ransom figures or demonstrated data download links within the visible portion of the page.
The disclosure offered no clear evidence of operational disruption. RedPacket Security reported no confirmation of system encryption, no stated ransom demand, and no screenshots or independently verified data samples to substantiate the claim. Though a claim URL was referenced, no visual proof or detailed description of exfiltrated data was publicly available.
The Israel Opportunity Energy post fits into a broader pattern of mobilization. Cybersecurity firm Radware previously recorded a 700% spike in cyberattacks against Israel during the 2025 conflict. Researchers say elements of that same ecosystem are now reactivating.
Meanwhile, the Ministry of Defense of the State of Qatar announced that the State of Qatar was attacked by two drones launched from the Republic of Iran. “One drone targeted a water tank belonging to a power plant in Mesaieed, and the other targeted an energy facility in Ras Laffan Industrial City, belonging to Qatar Energy, without reporting any human casualties.”
The statement added that “All damages and losses resulting from the attack will be assessed by the relevant authorities, and an official statement will be issued later.”
The ‘Strategic Axis: Iran & Israel’ wrote on X that ‘Critical infrastructure in Qatar’s Ras Laffan and Mesaieed facilities severely damaged in a military attack, halting LNG production worldwide.’
Yesterday, CyberKnow wrote that “DieNet the first hacktivist group supporting Iran to expand DDoS attacks outside of the Gulf and US. Suggesting attacks on Cyprus, because they host a British base. The UK has had nothing to do with the current US/Israel-Iran fighting.”
Commenting on the latest developments, Brian Harrell, former Assistant Secretary for Infrastructure Protection at the U.S. Department of Homeland Security (DHS), wrote in a statement to Industrial Cyber that this conflict will likely see a surge in state-sponsored cyber-activity from Iran and its proxies, specifically targeting U.S. energy, water, and telecommunications critical infrastructure.
“Infrastructure owners have seen this coming for weeks, but for those who haven’t been paying attention, organizations must implement hardening measures and constant digital monitoring,” Harrell said. “Threat hunters should be working overtime right now. By combining disruptive attacks with bombastic rhetoric, Iran will seek to erode public trust in government institutions and project domestic strength during this period of heightened conflict.”
He added, “Specifically targeting operational technology within critical infrastructure through the exploitation of internet-facing Industrial Control Systems and vulnerable PLC hardware. Iranian threat actors, such as Charming Kitten and CyberAv3ngers, are leveraging Generative AI to scale spear-phishing campaigns and utilizing Living-off-the-Land techniques to bypass traditional detection.”
Recognizing that “targeting of energy infrastructure in the Gulf is crossing new red lines,” Ben Cahill, director for energy markets and policy at the Cockrell School of Engineering, The University of Texas at Austin, wrote in a Twitter message that “There’s been a shared reluctance in recent years to directly attack critical infrastructure (large refining & petchem complexes, liquefaction facilities, offshore platforms). The Ras Tanura & Ras Laffan attacks push things in a new and worrisome direction.”
Flashpoint detailed in a threat analysis that Iran’s retaliation was swift and geographically broad, leveraging a pre-planned ‘Mosaic Defense’ doctrine that enables decentralized, asymmetric warfare. “This strategy facilitated immediate and continuous counter-attacks despite leadership decapitation. The Islamic Revolutionary Guard Corps (IRGC) and its allies launched hundreds of missiles and drones, targeting U.S. military installations across the Persian Gulf, including Al Udeid Air Base in Qatar, the U.S. 5th Fleet headquarters in Bahrain, and bases in Kuwait, Iraq, and Jordan. These attacks caused U.S. casualties, including three service members killed in Kuwait, and damaged high-value assets like an AN/FPS-132 early warning radar in Qatar.”
The analysis added that the conflict is characterized by a multi-domain approach from both sides, encompassing kinetic strikes, maritime operations, and activity in the cyber and information domains.
“U.S. and Israeli TTPs include preemptive, large-scale air and sea strikes under ‘Operation Epic Fury.’ A key TTP is the use of long-range B-2A ‘Spirit’ stealth bombers, which conducted a nearly 36-hour mission from Whiteman Air Force Base, Missouri, to strike hardened, underground ballistic missile sites in Iran with 2,000-pound bombs,” according to the analysis. “This demonstrates an ability to penetrate heavily defended airspace to neutralize strategic threats. Extensive pre-strike reconnaissance using assets like the P-8A Poseidon, MQ-4C Triton, and E-3A AWACS aircraft was conducted to map Iranian air defenses and targets.”
Furthermore, strikes have focused on decapitating leadership and destroying critical military infrastructure, including naval vessels, air bases, and missile launchers.
Iranian and proxy TTPs are defined by the ‘Mosaic Defense’ doctrine, which enables a decentralized, asymmetric, and continuous response. Flashpoint said that this involves rapid, multi-front, and multi-wave launches of ballistic missiles, cruise missiles, and one-way attack drones (Shahed-136, Arash-2) to overwhelm and saturate air defense systems like Patriot and THAAD.
It added that “Targets are diverse, ranging from military bases and naval vessels to critical economic infrastructure such as oil refineries, airports, and data centers. Iran has also demonstrated the use of cluster munitions in its missile attacks on Israel. In the maritime domain, Iran has attacked commercial oil tankers and declared the Strait of Hormuz closed, threatening a vital global energy chokepoint. Proxy groups like Hezbollah and Iraqi militias extend Iran’s reach, launching coordinated attacks from Lebanon and Iraq.”
Iran’s national connectivity has fallen to around 1% of ordinary levels, according to data from independent internet watchdog NetBlocks, as the country endures a near-total internet blackout, with a population of over 90 million affected. NetBlocks CEO Alp Toker confirmed the blackout was consistent with Iran’s wartime playbook, noting that the regime likely imposed it to counter potential inbound cyberattacks during its own military operations, and to prevent the locations of senior regime figures from being exposed through metadata and user-generated content.
Cloudflare confirmed that internet traffic in Iran dropped to effectively zero as of 18:45 UTC on February 28, signalling a complete disconnection from the global internet. The digital shutdown began shortly after several Iranian news websites, including the official IRNA news agency, reported being targeted by sophisticated cyberattacks.
Security researchers warn that the threat is not merely rhetorical. CrowdStrike’s Adam Meyers said the firm was already observing activity from Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating DDoS attacks. “These behaviors often precede more aggressive operations,” Meyers said. “In past conflicts, Tehran’s cyber actors have aligned their activity with broader strategic objectives that increase pressure and visibility at targets, including energy, critical infrastructure, finance, telecommunications, and healthcare.”
Compounding the threat is the condition of America’s own cyber defenses. The Cybersecurity and Infrastructure Security Agency (CISA), the agency responsible for tracking and alerting the public on such threats, has been operating with sharply reduced staffing due to a funding lapse, prompting experts to warn, “this is a bad time for Washington’s cyber agency to be operating with limited staff.”
In its 2026 X-Force Threat Intelligence Index, IBM highlights the growing footprint of sophisticated state actors in the global cyber threat landscape, noting that several of the most exploited vulnerabilities were linked directly to advanced persistent threat groups with state backing or alignment. The report points out that techniques and tooling once largely exclusive to well-resourced nation-state adversaries have increasingly diffused into the broader cybercrime ecosystem, blurring lines between state and criminal operations as they pursue supply chain and identity-centric objectives.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.