By AJ Vicens
March 1 (Reuters) - A wave of cyber-enabled operations took place early Saturday morning alongside the joint U.S.-Israeli attack on targets across Iran, according to cybersecurity experts and observers.
The operations included the hacking of multiple news websites to display various messages and the hack of BadeSaba, a religious calendar app with more than 5 million downloads, which displayed messages telling users “It’s time for reckoning” and urging armed forces to give up weapons and join the people.
Reuters could not establish contact with BadeSaba’s chief executive.
A spokesperson for U.S. Cyber Command did not immediately respond to a request for comment.
Internet connectivity in Iran dropped precipitously at 0706 GMT, and then again at 1147 GMT, with only minimal connectivity remaining, Doug Madory, director of internet analysis at Kentik, said in a post on X.
The cyberattack on BadeSaba was a smart move because government supporters use it and they tend to be more religious, said Hamid Kashfi, a security researcher and founder of cybersecurity firm DarkCell.
Cyber operations also struck a variety of Iranian government services and military targets to limit a coordinated Iranian response, the Jerusalem Post reported on Saturday. Reuters has not been able to independently verify the claims.
“As Iran considers its options, the likelihood increases that proxy groups and hacktivists may take action, including cyberattacks, against Israeli and U.S.-affiliated military, commercial, or civilian targets,” said Rafe Pilling, the director of threat intelligence with cybersecurity firm Sophos.
The attacks could include the amplification of old data breaches presented as new, unsophisticated attempts to compromise internet-exposed industrial systems, and potentially direct offensive cyber operations, Pilling said.
Activity in the Middle East has increased, said Cynthia Kaiser, a former top FBI cyber official and current senior vice president at anti-ransomware firm Halcyon. Kaiser said the firm has also seen calls to action from known pro-Iranian cyber personas who in the past have carried out hack-and-leak operations, ransomware attacks and distributed denial-of-service (DDoS) attacks, which flood internet services, rendering them inaccessible.
The current cyber activity may precede more aggressive operations, said Adam Meyers, senior vice president of counter adversary operations with CrowdStrike.
“CrowdStrike is already seeing activity consistent with Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating DDoS attacks,” he said.
Cybersecurity firm Anomali said in an analysis shared with Reuters on Saturday that state-backed Iranian hacking groups were already carrying out “wiper” attacks that erase data on Israeli targets ahead of the strikes.
Although Iran is often mentioned by U.S. cyber officials alongside Russia and China as a threat to American networks, Tehran’s previous responses to attacks on its soil have been muted.
In June, after the U.S. struck Iranian nuclear targets, there was little sign of the disruptive cyberattacks often invoked during discussions of Iran’s digital capabilities beyond a short-lived interruption of services in Tirana, Albania’s capital, according to media reports.
(Reporting by AJ Vicens in Detroit; Editing by Chris Sanders and Lisa Shumaker)