OpIsrael: Pro-Russia & Iran-Linked Hackers Form "Loose Alliance"

The digital battle lines have been redrawn. In a significant escalation of the ongoing regional conflict, researchers at Flashpoint and Unit 42 have confirmed that pro-Russian threat actors have formed a "loose coalition" with Iran-nexus hacking groups. Operating under the banner #OpIsrael, this alliance has moved beyond rhetoric into coordinated, high-impact operations against Western and Israeli infrastructure.

The Coalition Hierarchy

This is not a single group, but a synchronized effort between several high-capacity entities:

  • The Russian Component: The notorious NoName057(16) group, fresh off their "DDoSia" campaign, is providing the heavy lifting for network saturation attacks.
  • The Iranian Core: The Cyber Islamic Resistance (CIR) and Handala Hack (linked to Iran's Ministry of Intelligence) are acting as the primary agents for data exfiltration and "hack-and-leak" operations.
  • The Regional Proxy: The Iraq-based FAD Team (also known as the "Resistance Hub") is focusing on global "nuisance" attacks to maximize visibility.

Confirmed Attacks (March 2 - 5)

The alliance wasted no time in proving its capability:

  1. DDoS Blitz: NoName057(16) and the CIR launched a coordinated strike that temporarily paralyzed an Israeli defense contractor and several municipal government portals.
  2. Healthcare Breach: The CIR claimed responsibility for breaching an Israeli health insurance provider, leaking internal CCTV footage to prove they had persistent access to the facility's network.
  3. Global SQL Injections: The FAD Team has claimed credit for stealing and leaking data from a wide variety of targets, including a small town in Pennsylvania, educational institutions in India, France, and Vietnam, and a virtual U.S. Air Force group.
  4. Energy Sector Sabotage: Handala Hack has claimed intrusions into an Israeli energy exploration company and gas stations in Jordan.

The "Initial Access" Warning

For the Hacklido community, the most alarming development is the role of Initial Access Brokers (IABs). Reports indicate that Russian brokers are now actively selling "pre-hacked" entry points into U.S. and Israeli systems to Iranian proxies on dark web forums like XSS and Exploit. This allows Iranian actors to bypass their domestic internet blackout (connectivity is currently running at less than 4% capacity) and maintain an operational tempo from remote servers.

Hacklido Takeaway: The "Wiper" Risk

While many of these attacks are currently DDoS or defacement-focused, analysts at Dark Reading and Sophos warn that this alliance is a precursor to more destructive activity.

  • Pseudo-Ransomware: Watch for attacks that look like ransomware but are actually designed for permanent data destruction.
  • Supply Chain Hooks: The targeting of "downstream" logistics and municipal services suggests the alliance is looking for the weakest links in the global supply chain.