Tesseract Intelligence A.I CyberSecurity Scoring
Tesseract Intelligence
Company Information
Website: https://tesseractintelligence.com/
Number of employees: 14
Number of followers: 5,956
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: tesseractintelligence.com
Tesseract Intelligence Risk Score (AI oriented)
Between 0 and 549
Tesseract Intelligence, Computer and Network Security
Updated: 10/03/2026
516/1000
Critical
C
Tesseract Intelligence Global Score (TPRM)
Score locked

Tesseract Intelligence: Critical
Current Score: 516 C (CRITICAL), on a scale of 0 to 1000
3 incidents
-80.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 532
MAY 2026: 526
APRIL 2026: 524
MARCH 2026: 515
FEBRUARY 2026: 536
Cyber Attack
27 Feb 2026 • Tesseract Intelligence
Z-Pentest Alliance, Cardinal, Anonymous – אַנונִימִי and Anonymous Syria Hackers: Cyber retaliation surges after US–Israel strikes on Iran as hacktivists hit governments, defense, critical sectors
Geopolitical Escalation Triggers Surge in Hacktivist Cyberattacks
515
CRITICAL-21
TESANOCAREXC1773160646
A new analysis by Intel 471 reveals that U.S. and Israeli military strikes against Iran in late February 2026 sparked a sharp rise in hacktivist activity, with ideologically aligned groups launching retaliatory cyber campaigns. The surge underscores how geopolitical conflicts increasingly extend into cyberspace, where loosely organized collectives and state-aligned proxies use disruptive operations, including DDoS attacks, website defacements, and data breach claims, to signal support, amplify propaganda, and target perceived adversaries.
Between February 27 and March 6, 2026, Israel emerged as the most impacted region, followed by Kuwait and Jordan, with Bahrain, Qatar, and the UAE also ranking among the top ten affected areas. The most targeted sectors included national government, aerospace and defense, and technology. Pro-Iranian and Iran-aligned hacktivist groups rapidly mobilized, directing operations against the U.S., Israel, and neighboring countries, often coordinating through social media and messaging platforms.
Key incidents included:
- Iranian Handala Hack claimed breaches of oil and gas organizations in Israel, Jordan, and Saudi Arabia, as well as an Israeli research institute.
- WeAreUst and Anonymous Sana’a allegedly targeted an Israel-based defense and security technology firm.
- UniT 313 conducted DDoS attacks against military and government entities in Bahrain and Saudi Arabia.
- Cyber Islamic Resistance compromised home routers linked to an Israeli fiber-optic provider and a U.S. military online directory.
- Iraqi FAD Team claimed attacks on supervisory control systems in Israel and allied nations.
- Mr. Soul, linked to Cyber Av3ngers, threatened Israeli power infrastructure and claimed to have disabled warning sirens.
Pro-Russian hacktivist groups also joined the fray, with NoName057(16) launching DDoS attacks under the #OpIsrael banner, targeting political parties, local authorities, and telecommunications providers. Other groups, including Hider_Nex, PalachPro, and Z-Pentest Alliance, claimed disruptions to Israeli telecommunications, water supply systems, and financial institutions. Dark Storm Team, Cardinal, and Russian Legion allegedly breached Israeli military systems, including components of the Iron Dome defense network.
While pro-Iranian and pro-Russian groups dominated the activity, a smaller wave of anti-Iranian hacktivism emerged. Anonymous – אַנונִימִי leaked personal data of Iranian Revolutionary Guard Corps members and targeted regime-affiliated news agencies, while Anonymous Syria Hackers breached an Iranian e-commerce platform, exposing user credentials and payment details.
Intel 471’s analysis suggests the attacks were largely symbolic, designed to project perceived power and distract adversaries amid constrained domestic connectivity in Iran. Pro-Russian groups capitalized on the conflict to expand their influence, collaborating with pro-Iranian and pro-Palestinian collectives to amplify their reach. Despite claims of significant breaches, the actual impact of many operations was likely exaggerated for psychological and media effect.
Looking ahead, Intel 471 expects continued disruptive activity, primarily DDoS attacks and data breach claims, targeting U.S., Israeli, and Gulf nations’ banking, government, oil and gas, and telecommunications sectors. While the volume of attacks may decline over time, state-associated adversaries are likely to persist.
Mike Maddison, CEO of NCC Group, noted that the conflict demonstrates the integration of cyber operations into military strategy, with Israel and the U.S. combining digital and physical strikes to disrupt Iranian communications. He warned that global supply chains and critical infrastructure, including maritime and satellite navigation systems, remain vulnerable, emphasizing the need for proactive resilience strategies amid evolving threats.
JANUARY 2026: 595
Breach
06 Jan 2026 • Tesseract Intelligence
CRRC MA, K3G and Australian NBN: Dozens of Major Data Breaches Linked to Single Threat Actor
Zestix/Sentap Initial Access Broker Campaign
529
CRITICAL-66
CRRTESAUS1767704662
Cybersecurity Alert: Threat Actor Zestix/Sentap Exploits Stolen Credentials in Major Data Breaches
A threat actor known as Zestix—also linked to the online persona Sentap—has been identified as an initial access broker (IAB) behind multiple high-profile data breaches, according to cybersecurity firm Hudson Rock. Active since late 2024–early 2025, Zestix’s operations trace back to Sentap’s activities dating to 2021, with both personas leveraging stolen credentials to infiltrate enterprise networks.
### Attack Method & Victim Profile
Zestix/Sentap targets organizations across aerospace, government infrastructure, legal, robotics, and defense sectors, exploiting credentials harvested from information stealers like RedLine, Lumma, and Vidar. These credentials—some freshly stolen, others lingering in logs for years—were used to breach file-transfer services such as ShareFile, OwnCloud, and Nextcloud, often due to missing multi-factor authentication (MFA). The actor has successfully compromised systems roughly 50 times, exfiltrating data for sale on Russian-language hacker forums or auctioning access to the networks themselves.
### Notable Breaches & Financial Impact
Zestix has claimed responsibility for large-scale breaches, including:
- Iberia (Spanish flag carrier) – 77 GB of data, listed for $150,000
- Pickett & Associates (engineering firm for energy orgs)
- Intecro Robotics (aerospace/defense equipment)
- Maida Health (Brazilian military police contractor)
- CRRC MA (rolling stock manufacturer)
- Pan-Pacific Mechanical (1.04 TB), Bradley R. Tyer & Associates (1.02 TB), and The Providence Group (1 TB)
Under the Sentap alias, the actor’s victim list expands further, though Hudson Rock could not confirm all breaches stemmed from infostealer infections.
### Broader Infostealer Threat
The incident underscores the persistent risk of information stealers, which Hudson Rock warns have exposed credentials for thousands of organizations using ShareFile, OwnCloud, and Nextcloud, including Deloitte, Honeywell, KPMG, Samsung, and Walmart. These attacks thrive on malware-as-a-service (MaaS), enabling even unskilled actors to deploy stealers that exfiltrate data in minutes before self-deleting, leaving minimal forensic traces.
The commodification of cybercrime—where stolen credentials fuel credential stuffing, identity theft, and fraud—continues to drive large-scale breaches, with no immediate solution in sight.
JANUARY 2026: 749
Ransomware
01 Jan 2026 • Tesseract Intelligence
Witzenberg Municipality, Trocaire College and Rogers Capital Credit: Ransomware roundup: January 2026
Ransomware Surge in January 2026: Shifting Targets and Emerging Threats
595
CRITICAL-154
ROGCYBTES1770724900
January 2026 marked a sharp rise in ransomware activity, with 711 attacks recorded, down slightly from December 2025’s 783 but 33% higher than January 2025 and well above the 2025 monthly average of 620. While attacks on manufacturers plateaued, finance and tech sectors became prime targets, seeing 24% and 12% increases, respectively.
### Key Trends and Impact
- Geographic Shifts: The UK saw an 83% surge in attacks (42 in January vs. 23 in December), while the US declined by 8% (329 attacks) and Germany dropped 38%. Canada and Australia also experienced increases.
- New Threat Actor: A group called 0APT claimed over 80 attacks, but most were unverified and later removed from tracking databases.
- Data Theft: Over 104 TB of data was stolen, with Sinobi leading in total volume (13.6 TB) and Everest claiming the largest single breach (1.4 TB from Iron Mountain).
### Sector Breakdown
- Healthcare: Attacks fell 27% (36 vs. 49 in December), but confirmed incidents rose. Notable breaches included Mt. Spokane Pediatrics (LockBit) and Pecan Tree Dental (Sinobi), exposing 13,300 records.
- Government: Attacks remained steady (31 vs. 30 in December), with 10 confirmed. The Gentlemen targeted Spain’s Ayuntamiento de Beniel and South Africa’s Witzenberg Municipality, while Qilin hit Tulsa International Airport.
- Education: Attacks dropped 45% (16 vs. 29), with no confirmed incidents. However, delayed disclosures revealed breaches at Clackamas Community College (Medusa) and Trocaire College (INC).
- Businesses: Attacks decreased 7%, but finance and tech saw spikes. The Gentlemen breached Rogers Capital Credit (Mauritius), exposing banking data, while Rhysida demanded $392,000 from Elabs AG (Germany).
### Top Ransomware Gangs
- Qilin led with 108 attacks (6 confirmed), followed by Clop (90, none confirmed) and Akira (72, 3 confirmed).
- The Gentlemen had the highest confirmation rate (5 of 48 claims), targeting businesses and governments.
### Notable Incidents
- Iron Mountain (US): Everest claimed 1.4 TB stolen, though the breach was limited to market materials.
- AZ Monica (Belgium): A ransomware attack forced operation cancellations and patient transfers via the Red Cross.
- Sanxenxo (Spain): Hackers demanded $5,000, which was refused.
The data underscores evolving ransomware tactics, with gangs shifting focus to high-value sectors and leveraging delayed disclosures to obscure attack timelines.
DECEMBER 2025: 749
NOVEMBER 2025: 749
OCTOBER 2025: 749
SEPTEMBER 2025: 749
AUGUST 2025: 749
JULY 2025: 749
Frequently Asked Questions
- What is the current A.I Rankiteo Cyber Score for Tesseract Intelligence?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in May 2026?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in April 2026?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in March 2026?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in February 2026?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in January 2026?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in December 2025?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in November 2025?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in October 2025?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in September 2025?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in August 2025?
- What was Tesseract Intelligence's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on Tesseract Intelligence's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with Tesseract Intelligence?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view Tesseract Intelligence's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?