Shaky Ceasefire Unlikely to Stop Cyberattacks From Iran-Linked Hackers for Long
Iran-linked Handala hackers vow to resume cyberattacks on US despite ceasefire agreement.
Summary
Iran-backed hacking group Handala announced it would temporarily pause attacks on the US following a ceasefire but pledged to resume operations when opportune, while continuing strikes against Israel. U.S. authorities warned that Iranian hackers have infiltrated programmable logic controllers in critical infrastructure including ports, power plants, and water facilities. Cybersecurity experts predict cyberattacks will increase rather than decrease during the lull, as threat actors shift focus to high-profile targets in the tech and defense sectors.
Full text
Hackers backing Tehran say an uncertain ceasefire between Iran and the United States and Israel won’t end their retaliatory cyberattacks, a warning that American cybersecurity experts say potential targets in the U.S. and Israel should take seriously.

One leading hacking group known as Handala said after the ceasefire announcement that it was temporarily postponing attacks on the U.S. but would continue to target Israel. It vowed to revive its efforts against America when the time was right — demonstrating again how digital warfare has become ingrained in military conflict.

Already, the two-week ceasefire appears at risk of fraying over significant disagreements between the parties, each of which is claiming victory in the war.

A pro-Palestinian, pro-Iranian network that operates independently of Tehran, Handala has claimed credit for disrupting the operations of the U.S. medical manufacturer Stryker and hacking into FBI Director Kash Patel’s personal email account, among other cyberattacks. The group is just one of several proxy hacking networks allied with Iran.

“We did not begin this war, but we will be the ones to finish it,” Handala wrote on its X account. “And let it be clear: The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.”

U.S. authorities warned on Tuesday that hackers supporting Iran had burrowed into internet-connected computers used to automate and control technology in a variety of important industrial sectors. The computers, known as programmable logic controllers, are used in ports, power plants and water plants — key targets for foreign hackers looking to disrupt everyday life in the U.S.

In a joint advisory from the FBI, National Security Agency and Cybersecurity and Infrastructure Security Agency, officials urged organizations that use the technology to ensure their security precautions were up to date.
CISA did not immediately respond to questions Wednesday about the impact that the ceasefire would have on cybersecurity.

Cybersecurity experts say the warning should be taken seriously by potential targets regardless of the sides announcing a temporary truce.

Markus Mueller, a cybersecurity executive at Nozomi Networks, said he anticipates an increase in cyberattacks on American organizations following the ceasefire, not a decrease. That’s because any lull in hostilities would allow hackers to shift from regional targets directly involved in the conflict to efforts to infiltrate U.S. organizations that participated in the war effort in some way, a list that includes data centers, tech companies and defense contractors.

He also predicted that some groups based in Iran or Russia may seek to circumvent the truce by launching a significant cyberattack on a U.S. target that is designed to attract the attention of the American public.

“With a ceasefire, we will likely see an expansion of cyber activity both in scale and scope,” Mueller said. “These groups will likely try to execute a high-profile attack such as what we saw with Stryker.”

So far, the attacks attributed to pro-Iranian hackers have been high in volume but low in impact, designed to boost morale among Iran’s supporters while reminding its opponents of continued vulnerabilities despite their military advantages.

Handala claimed responsibility last month for hacking Stryker, a major medical equipment supply company based in Michigan. Handala claimed the hack was in retaliation for strikes that killed Iranian schoolchildren. The FBI responded by seizing four internet web addresses used by the group to spread its message. Handala then leaked several old photos of Patel after saying it had hacked into the FBI director’s personal email account.
Other pro-Iranian hackers have been linked to efforts to install malware on the phones of Israelis, penetrate cameras in Middle Eastern countries to improve Iran’s missile targeting, and target data centers and industrial facilities in Israel, Saudi Arabia and Kuwait.

Written By Associated Press
Indicators of Compromise
- malware — Programmable Logic Controller (PLC) compromises