THREAT ADVISORY
June 24, 2025
Threat Advisory: Israel-Iran Conflict, Rising Hacktivism and UK Exposure
By Adarma’s Threat Intelligence Team
The Adarma Threat Team are closely monitoring events in the Middle East, particularly the ongoing conflict between Israel and Iran, and the implications of US airstrikes carried out on 21 June 2025. At the time of publishing, a ceasefire was reported in the press on the morning of 24 June 2025.
Our assessment is that the threat of Iranian Advanced Persistent Threat (APT) activity targeting the UK or Europe remains low. We believe Iran is more likely to focus on strategic or opportunistic targets in Israel or the US.
As the UK has so far maintained relative neutrality, promoted diplomatic solutions to the conflict and is not participating directly in military activities, we assess that UK businesses and infrastructure are unlikely to be a priority target. Iranian authorities may calculate that targeting the UK could risk drawing it further into the conflict.
We are also monitoring Iranian-aligned hacktivist groups. At present, they are targeting Israel, the US and Middle Eastern countries perceived as insufficiently supportive of Iranian interests in the region.
The vast majority of these attacks are Distributed Denial of Service (DDoS), although there have also been breaches of small businesses, resulting in leaked credentials or data. Based on the information shared in threat actor Telegram channels, we assess that the non-DDoS attacks are primarily exploiting easily accessible web-based vulnerabilities such as Structured Query Language (SQL) injection.
Larger Russian hacktivist groups such as NoName057(16) initially ignored the bombing of Iran, continuing to target countries based on Ukraine-related news cycles. However, this morning they acknowledged the conflict via their public Telegram channel, posting that they will “support our associates from the Muslim world, who are fighting the Israeli aggression”. The group then began launching DDoS attacks on Israeli government and political web infrastructure.
We assess that these attacks are intended to signal support for Middle Eastern hacktivist groups such as Killnet, Usersec, Holy League and others with whom Russian groups have formed alliances since 2023 as part of broader campaigns against Ukraine and NATO-aligned nations.
In addition to the DDoS activity by Russian groups, the Russian threat group Z-Alliance have claimed to have targeted the industrial control systems of an Israeli dairy factory. These claims remain unverified, but we are monitoring closely for any independent confirmation.
Recommended Defensive Actions from Adarma
Although the current threat to the UK remains low, we encourage organisations, particularly those in critical infrastructure or with regional exposure, to adopt a heightened security posture. Based on observed tactics and historical activity by Iranian and aligned threat actors, organisations should:
- Enforce multi-factor authentication across all IT, OT, and cloud environments
- Conduct rapid cyber-readiness assessments to identify critical assets, patch known vulnerabilities and close any security gaps
- Monitor in real time for suspicious network traffic, privilege escalation, and data exfiltration attempts
- Review and test DDoS mitigation strategies to ensure readiness
- Increase visibility into OT and ICS environments and strengthen detection logic
- Conduct tabletop exercises covering APT, DDoS and ICS attacks, and include prolonged outage scenarios
For further insight into the potential cyber impact of this conflict on UK organisations and Critical National Infrastructure, including threat actor motivations and tactics, watch our latest Cyber Insiders podcast.
Content Note: This episode was recorded before the latest developments involving US involvement in the Israel-Iran conflict (21/6/25).