
Evaluating the technical impact and claims of Iran-aligned threat actors in the Gulf region

While politically motivated threat groups aligned with Iran claim to have caused widespread disruption in the Gulf region, technical evidence indicates their material impact remains limited. This analysis examines how these groups use supply chain compromises and public relations tactics to overstate their access, and outlines how security teams can protect their infrastructure.

Triage Security Media Team

Since the onset of recent geopolitical conflict, hard evidence shows that politically motivated, Iran-aligned threat actors have had limited verifiable impact in the Gulf region, despite their widely publicized claims.

Whenever a major geopolitical event occurs, both financially motivated threat actors and the cybersecurity community increase their activity. Malicious cyber activity reliably follows major headlines, so security researchers watch for rising threats with each news cycle, and the activity they track becomes a secondary record of the unfolding events.

The recent conflict involving Iran follows this pattern. Data from Bitdefender indicates that since February 28, the day of the ayatollah's assassination, the rate of malicious email campaigns directed at Gulf countries rose by an average of 130%. This activity surged immediately, stayed elevated, and at its peak reached nearly four times its pre-war rate. The measurable increase in activity is clear.

A rise in activity, however, does not automatically translate to a proportional security impact. Security researchers maintain varying assessments of how much risk Iran-aligned threat groups present. When the hard evidence is examined, analysts have found only a modest material impact from this anticipated surge.

Case study: Nasir Security

There is a notable gap between what many Iran-aligned groups claim to accomplish and their verifiable technical impact.

The group known as "Nasir Security", which has aligned itself with Hezbollah and the Alawite community in Syria, illustrates this pattern. After an initial appearance in October 2025 and a subsequent pause, the group resumed activity on March 10. In the following two weeks, the group claimed to have compromised three Middle Eastern oil and gas companies: Dubai Petroleum in the United Arab Emirates (UAE), CC Energy in Oman, and Al Safi, a company operating gas stations in Saudi Arabia and the wider region.

While these claims appear severe on the surface, technical analysis reveals a different reality: the group vastly overstated its access. "The group is attacking [related] supply chain vendors involved in engineering, safety, and construction," explains Resecurity COO Shawn Loveland.

The logic behind this methodology is straightforward. "Contractors' digital identity information is a typical 'low-hanging fruit,' making them an easy target for business email compromise (BEC) and account takeover (ATO)," Loveland notes. "The actors target contractors, as they may store various engineering documentation and internal files during collaboration with energy companies on their projects. That data is used as a 'shiny object' to claim a breach of the energy company itself."

Nasir Security has accessed and exposed legitimate internal documents, but not from the companies it named. In the case of Dubai Petroleum, Resecurity's analysis indicates the group falsely claimed to have exfiltrated more than 413GB of data from the company. Instead, the group obtained a smaller set of authentic internal reports, maps, and technical schematics from a third-party contractor. Organizations must remain vigilant against these documents being reused in future spear-phishing campaigns, but the primary goal of the release was to fabricate legitimacy for the group's public claims.
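One way an analyst can test that kind of claim before the full investigation lands is to look at where the posted "proof" documents actually came from. The following is an added example, not code from the article or from Resecurity: it reads the creator, last-modifier and company properties that Office files (.docx/.xlsx/.pptx) carry in their docProps parts and counts how many samples name the claimed victim versus some other party. The documents are constructed in memory, and every company and user name in them is illustrative.

```python
"""Triage the documents a group posts as "proof" of a breach by the
creator and company recorded in their OOXML metadata.

Added example, not code from the article or from Resecurity. OOXML files
carry docProps/core.xml (creator, last modifier, dates) and docProps/app.xml
(Company, Application). Counting those fields against the claimed victim's
name shows whether a sample points at the named company or at a third party
such as an engineering contractor. All documents below are constructed in
memory; the company and user names are illustrative, not from any leak.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Property names (namespace stripped) worth keeping; the first three drive attribution.
WANTED = {"creator", "lastModifiedBy", "created", "modified", "Company", "Application"}
ATTRIBUTION_FIELDS = ("creator", "lastModifiedBy", "Company")

CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
DCTERMS_NS = "http://purl.org/dc/terms/"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def extract_office_metadata(data: bytes) -> dict:
    """Return the core/app properties of an OOXML container as a flat dict.

    Non-OOXML input yields {"error": ...}; absent parts or empty fields are
    omitted rather than guessed.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"error": "not an OOXML zip container"}
    meta = {}
    with zf:
        names = set(zf.namelist())
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in names:
                continue
            for el in ET.fromstring(zf.read(part)):
                name = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
                if name in WANTED and el.text and el.text.strip():
                    meta[name] = el.text.strip()
    return meta


def attribute_document(meta: dict, victim_terms) -> str:
    """'victim' if an attribution field names the claimed victim, 'third_party'
    if the fields name someone else, 'unattributed' if they are empty/missing."""
    haystack = " ".join(meta.get(f, "") for f in ATTRIBUTION_FIELDS).lower()
    if not haystack.strip():
        return "unattributed"
    if any(term.lower() in haystack for term in victim_terms):
        return "victim"
    return "third_party"


def triage_leak(samples: dict, victim_terms) -> Counter:
    """Count how the posted documents attribute, e.g. Counter({'third_party': 3})."""
    return Counter(
        attribute_document(extract_office_metadata(data), victim_terms)
        for data in samples.values()
    )


def make_ooxml(creator: str, company: str, modified_by: str) -> bytes:
    """Build a minimal OOXML container (constructed test input, not a real file)."""
    core = (
        f'<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}" xmlns:dcterms="{DCTERMS_NS}">'
        f"<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
        f"<dcterms:modified>2025-11-03T09:14:00Z</dcterms:modified></cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{APP_NS}"><Application>Microsoft Office Word</Application>'
        f"<Company>{company}</Company></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


# Constructed sample "leak": names are illustrative, not from any real posting.
SAMPLE_LEAK = {
    "site_plan_rev3.docx": make_ooxml("r.haddad", "Example Engineering Contractors LLC", "r.haddad"),
    "hse_audit_2025.docx": make_ooxml("Example Safety Services", "Example Safety Services", "m.ali"),
    "pipe_rack_layout.docx": make_ooxml("hse.team", "ExampleEnergyCo", "hse.team"),
    "untitled.docx": make_ooxml("", "", ""),
    "readme.txt": b"plain text, not an Office file",
}

if __name__ == "__main__":
    for name, data in SAMPLE_LEAK.items():
        print(name, extract_office_metadata(data))
    print(triage_leak(SAMPLE_LEAK, victim_terms=["ExampleEnergyCo"]))
```

Treat the result as a triage signal, not proof: document metadata is trivially editable, and a contractor's files can legitimately carry the client's company name when built from the client's templates. A sample set that overwhelmingly attributes to one contractor, as in the Dubai Petroleum case, is grounds to focus the investigation on that vendor's access rather than to accept the headline claim.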

The objective of these campaigns centers heavily on psychological impact. "The actors attempted to capitalize on the authentic documents (stolen from a third party) and the complexity of investigating the point of compromise, which can be time-consuming, leaving the audience in uncertainty," Loveland states. "Such tactics are widely used by threat actors to plant misleading narratives."

Verifying high-profile claims

Not all politically motivated threat groups leave behind verifiable evidence, such as downloadable data sets. Analysts often find it challenging to verify claimed activity because many lower-level groups rely on methods that are difficult to definitively disprove or are open to broad interpretation.

For example, threat actors frequently claim denial-of-service (DoS) disruptions against websites that actively block automated uptime checks, so a naive availability probe cannot tell a blocked request from an outage. Pascal Geenens, vice president of cyber threat intelligence at Radware, explains that "'Defacement' can mean anything, from a full website compromise to posting a picture in a comment section and sharing the direct link. System compromise claims similarly run the gamut, from genuinely sensitive intrusions to publicly exposed cameras or unprotected IoT dashboards."

The "313 Team" serves as an example of an Iran-aligned group leveraging this ambiguity. The group recently claimed DoS shutdowns of government and military services in Bahrain and Kuwait. Public reporting indicates both governments experienced minor disruptions, but the incidents either lacked the impact 313 Team claimed or were traced to other threat groups.
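Checking a DoS claim like the 313 Team's means separating "the site refused my probe" from "the site is down", and doing it from more than one network position. The block below is an added example, not from the article, Radware, Unit 42 or any named vendor: it classifies individual probe results and then combines several vantage points into a verdict on the claim. The probe results are constructed inline for a hypothetical portal, and the challenge indicators (the cf-mitigated header, the page strings) are assumptions to be tuned to whatever WAF fronts the sites you monitor.

```python
"""Weigh a claimed DoS outage against probe results from several vantage points.

Added example, not from the article or from any named vendor. A naive
"is it up?" check reads a WAF challenge or a bot block as "down", which is
exactly the ambiguity a hacktivist claim exploits. Probe results are dicts
constructed inline; the challenge indicators below are assumptions.
"""
from collections import Counter

# Assumed indicators of a managed challenge or bot block rather than an outage.
CHALLENGE_HEADERS = {"cf-mitigated": "challenge"}
CHALLENGE_MARKERS = ("just a moment", "captcha", "request blocked", "access denied")
TRANSPORT_ERRORS = {"dns_failure", "connection_refused", "timeout"}


def classify_probe(result: dict) -> str:
    """Map one probe result to: unreachable, blocked_probe, server_error, up, other."""
    if result.get("error") in TRANSPORT_ERRORS:
        return "unreachable"  # no HTTP answer at all
    status = result.get("status")
    if status is None:
        return "other"
    headers = {k.lower(): str(v).lower() for k, v in result.get("headers", {}).items()}
    body = result.get("body", "").lower()
    challenged = any(headers.get(h) == v for h, v in CHALLENGE_HEADERS.items()) or any(
        marker in body for marker in CHALLENGE_MARKERS
    )
    if status in (401, 403, 429) or (status == 503 and challenged):
        return "blocked_probe"  # the server answered; it is refusing this client
    if 500 <= status <= 599:
        return "server_error"
    if 200 <= status < 400:
        return "up"
    return "other"


def probe_breakdown(vantages: list) -> dict:
    """Per-vantage verdicts, e.g. {'eu-west': 'up', 'me-central': 'unreachable'}."""
    return {loc: classify_probe(r) for loc, r in vantages}


def assess_outage_claim(vantages: list) -> str:
    """Combine per-vantage verdicts into a statement about the claim.

    vantages: list of (location, probe_result). Returns one of
    insufficient_data, not_corroborated, consistent_with_outage, inconclusive.
    """
    if len({loc for loc, _ in vantages}) < 2:
        return "insufficient_data"  # one vantage cannot separate outage from geo-blocking
    verdicts = Counter(classify_probe(r) for _, r in vantages)
    if verdicts["up"] or verdicts["blocked_probe"]:
        return "not_corroborated"  # the service answered somebody; check the breakdown for regional filtering
    if verdicts["unreachable"] + verdicts["server_error"] == len(vantages):
        return "consistent_with_outage"  # still weak if all vantages sit in one region
    return "inconclusive"


# Constructed probe results for a hypothetical portal, not captured from any real site.
CHALLENGED = {
    "status": 503,
    "headers": {"Server": "cloudflare", "cf-mitigated": "challenge"},
    "body": "<title>Just a moment...</title>",
}
TIMEOUT = {"error": "timeout"}
OK_200 = {"status": 200, "headers": {"Server": "nginx"}, "body": "<html>portal</html>"}

SCENARIOS = {
    "claimed_outage_is_bot_block": [("eu-west", CHALLENGED), ("ap-southeast", CHALLENGED)],
    "regional_filtering": [("eu-west", OK_200), ("me-central", TIMEOUT)],
    "real_outage": [("eu-west", TIMEOUT), ("ap-southeast", TIMEOUT), ("me-central", TIMEOUT)],
    "single_vantage": [("eu-west", TIMEOUT)],
}

if __name__ == "__main__":
    for name, vantages in SCENARIOS.items():
        print(f"{name}: {assess_outage_claim(vantages)} {probe_breakdown(vantages)}")
```

Even a "consistent_with_outage" verdict only says the site was unreachable from where you looked; as the article does for 313 Team, it still has to be set against the operator's own statements and public reporting before the claim is credited, and a DoS that coincides with the claim may still have been someone else's.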

"With hacktivist activity, the claim is part of the attack itself," says Justin Moore, senior manager of threat intelligence for Palo Alto Networks' Unit 42. Unit 42 tracked a surge of incident claims at the start of the conflict that lacked verifiable evidence but still generated public concern.

"The narrative that they are operating everywhere is critical to the psychological aspect of their activity, keeping the looming potential threat of attack by them in the news cycle," Moore says. "For an organization, the challenge is managing the reputational fog of war that these groups intentionally create the moment they post on Telegram."

As a baseline for evaluating risk, Geenens notes that groups believed to operate as proxies for a nation-state carry more weight in their claims than self-proclaimed anonymous channels. For instance, Handala, widely assessed to be a false-flag persona run by Iran's Ministry of Intelligence and Security (MOIS), is the operation most frequently associated with concrete, verifiable cyber activity in March.

Evaluating the threat scene

Security researchers maintain different perspectives on the severity of the risk these aligned groups pose to organizational infrastructure.

Matt Hull, vice president of cyber intelligence and response at NCC Group, suggests organizations should prepare for more severe outcomes. "While many hacktivist actions are indeed noisy and designed for psychological effect, we have observed a significant shift toward destructive and high-consequence operations," Hull says. He points to groups targeting critical infrastructure and deploying wipers. He also highlights the role of Iran's reported "Electronic Operations Room" (EOR) in coordinating proxy activities.

"The establishment of the Electronic Operations Room (EOR) has synchronized hacktivist groups, allowing them to act as a force multiplier for state objectives," Hull states. "Even if an individual attack seems minor, the cumulative effect creates a massive drain on defensive resources and provides a smoke screen for more sophisticated state-sponsored actors to move undetected."

Loveland offers a more measured assessment of the current situation. "In fact, none of the Iran-linked, pro-Iranian groups (including Handala) or state-sponsored groups are making any meaningful impact on the Iran conflict, as confirmed by numerous independent assessments and our threat analysis," he states. "Iran and its proxies are orchestrating such campaigns on behalf of groups like 'Nasir Security' to sow uncertainty and create the optics of cyberattacks."

To protect operations against these methods, security teams should focus on securing vendor and supply-chain access. Strict identity controls and phishing-resistant multi-factor authentication on contractor accounts mitigate the business email compromise and account takeover tactics these groups rely on, and limiting what project documentation contractors hold, and for how long, shrinks what a contractor compromise can expose. Establishing clear communication protocols in advance also helps organizations navigate the reputational uncertainty these threat actors attempt to create.