Blog – Cyble · Ashish Khaitan

Why Indian Enterprises Are a Prime Target for Dark Web Credential Markets

22 April 2026, 06:27

[Image: Dark web credential markets India]

The underground economy of stolen credentials has matured into a structured, high-volume marketplace, and Indian enterprises are at the center. What makes this trend notable is not just the scale of cyber incidents in India, but the type of data being exposed and how efficiently it is monetized on dark web credential-market forums focused on India. This has evolved into a dark web ecosystem built around leaked Indian corporate data.

Credentials (usernames, passwords, session tokens) have become the currency that powers everything from ransomware intrusions to financial fraud. This is not an abstract risk. It is a measurable, expanding problem backed by government data and visible shifts in attacker behavior.

A Rapidly Expanding Attack Surface 

India’s digital growth has been aggressive, but security maturity has not scaled at the same pace. According to the Indian Computer Emergency Response Team (CERT-In), the country recorded 29.44 lakh (2.94 million) cybersecurity incidents in 2025. Just four years earlier, that number stood at 14.02 lakh in 2021, effectively doubling within a short span. 

This surge is not just about more attacks; it reflects a widening attack surface and growing cybersecurity threats to Indian enterprises. Every new digital service, cloud migration, or remote access point introduces another potential entry for attackers. More importantly, each successful intrusion increases the likelihood of credential exposure, feeding directly into dark web markets.

Earlier data reinforces this pattern. CERT-In reported handling 13,91,457 incidents in 2022, spanning phishing, malware infections, and unauthorized access attempts. These are not isolated technical events; they are the primary pipelines through which credentials are harvested at scale. 

Why Credentials Are the Primary Target 

Unlike credit card data, which can be canceled, or systems that can be patched, credentials offer persistent value. A valid login can grant access to corporate networks, financial systems, or sensitive communications without triggering immediate alarms. 

Attackers understand this. Phishing campaigns and malware infections, both widely reported by CERT-In as dominant attack vectors, are designed not just to infiltrate systems but to extract authentication data. Once obtained, these credentials, frequently bundled into sets of stolen Indian company logins, are packaged and sold on underground forums, often categorized by industry, privilege level, or geographic origin.

India’s enterprise landscape makes it particularly attractive in this context. Organizations across banking, IT services, manufacturing, and government sectors manage vast amounts of sensitive and operationally critical data. This makes their credentials more valuable and more likely to be traded. 

High-Value Targets Across Critical Sectors 

Government-backed reporting highlights the concentration of attacks in sectors that naturally generate high-value credentials. CERT-In’s scope of incident response spans banking, energy, telecom, transport, and IT sectors, all of which rely heavily on identity-driven access controls. 

In 2023 alone, around 2,04,844 cybersecurity incidents were reported within government organizations. Credentials associated with such entities carry strategic value, not just financial. They can be used for espionage, disruption, or long-term access to sensitive systems. 

Similarly, sectors like BFSI and IT services face constant exposure due to their role in handling financial transactions and managing global client data. A single compromised account in these environments can provide entry into broader supply chains or interconnected systems. 

The Dark Web as a Distribution Channel 

What sets the current landscape apart is how efficiently stolen credentials are distributed. Dark web marketplaces have evolved beyond simple data dumps. They now function like structured platforms where access is categorized, reviewed, and resold. 

Credential sets originating from India are often bundled with additional context, such as organization names, roles, or VPN access details, making them more actionable for buyers. In many cases, these credentials are not used immediately. Instead, they are stored, resold, or combined with other datasets to increase their value. 

The presence of compromised access listings and credential sales across underground forums reflects a broader shift: attackers no longer need to breach systems themselves. They can simply purchase access, reducing both effort and risk. 

Weak Points: Human and Systemic 

A portion of credential exposure still traces back to preventable weaknesses. Phishing remains one of the most effective techniques because it exploits human behavior rather than technical flaws. Employees unknowingly provide login details, often bypassing sophisticated security controls. 

On the system side, unpatched vulnerabilities and misconfigured services continue to play a role. Government data consistently highlights the exploitation of vulnerable services and outdated systems as a recurring issue. These weaknesses allow attackers to extract credentials directly from compromised environments or escalate privileges once inside. 

The combination of human error and systemic gaps creates a steady supply of fresh credentials, exactly what dark web markets depend on. 

A Self-Sustaining Ecosystem 

The relationship between cyber incidents in India and dark web credential markets is not coincidental; it is cyclical. More attacks lead to more compromised credentials. More credentials increase the availability of access for other attackers. This, in turn, fuels further attacks.

The growth from 14.02 lakh incidents in 2021 to 29.44 lakh in 2025 is not just a statistic; it signals the acceleration of this cycle. As long as credentials remain easy to obtain and difficult to monitor once exposed, Indian enterprises will continue to be a prime target. 

Rethinking the Problem 

The challenge is no longer limited to preventing breaches; it now includes understanding what happens after data leaves the network and enters underground ecosystems, where exploitation timelines can be extremely short. Indian enterprises are not uniquely vulnerable, but they are highly valuable due to their scale, sector diversity, and rapid digital adoption, making them consistent targets in an environment where access itself is the commodity.  

Breaking this cycle requires visibility into how stolen credentials are traded, reused, and weaponized, and this is where platforms like Cyble become critical, delivering AI-native threat intelligence, dark web monitoring, and attack surface visibility to help organizations move from reactive defense to proactive risk anticipation.  

With capabilities like Cyble Vision and Cyble Blaze AI, security teams can detect exposure earlier, correlate threats in real time, and respond autonomously before stolen data is exploited. To stay ahead of evolving credential-driven attacks, organizations should evaluate Cyble’s unified threat intelligence platform and request a demo to see how continuous visibility across the dark web and enterprise attack surface can materially reduce risk. 

The post Why Indian Enterprises Are a Prime Target for Dark Web Credential Markets appeared first on Cyble.

Security Boulevard · Christine Castro

What Is Identity Risk Intelligence? (And Why It’s Replacing Monitoring)

13 April 2026, 03:00

A new category is emerging in cybersecurity. For years, organizations have relied on monitoring tools to detect compromised credentials and exposed data. But as identity has become the primary attack surface, those tools are no longer enough. A new category is emerging in response: Identity Risk Intelligence. This isn’t just a new label. It represents […]

The post What Is Identity Risk Intelligence? (And Why It’s Replacing Monitoring) appeared first on Security Boulevard.

Blog – Cyble · Ashish Khaitan

Inside Russia’s Shift to Credential-Based Intrusions: What CISOs Need to Know in 2026

19 March 2026, 07:39

[Image: Russia credential-based intrusions]

Russia-linked hacktivist activity has entered a noticeably different phase. While earlier campaigns leaned heavily on disruption through denial-of-service and opportunistic scanning of exposed systems, the current trajectory shows a stronger dependence on credential-based intrusions and identity-based cyber attacks. For security leaders, this evolution matters because it lowers the technical barrier to entry while increasing the blast radius of compromise.

In 2026, CISOs are no longer dealing with isolated intrusion attempts. They are facing an ecosystem where credential-based attacks, credential stuffing attacks, and attacks using stolen credentials are becoming the primary access vectors into operational technology (OT) and industrial environments, often followed by rapid escalation into account takeover attacks on human-machine interfaces (HMIs) and control systems.

The Shift From Exposure Hunting to Credential-Based Intrusions 

A key inflection point appears in a series of joint intelligence efforts culminating in a Dec 10, 2025, Cybersecurity Advisory. This advisory expanded upon the May 6, 2025, CISA joint fact sheet “Primary Mitigations to Reduce Cyber Threats to Operational Technology”, while also aligning with findings from the European Cybercrime Centre’s (EC3) Operation Eastwood. The effort involved multiple agencies, including the FBI, CISA, NSA, Department of Energy (DOE), Environmental Protection Agency (EPA), and European partners.

The advisory highlighted sustained targeting of industrial control systems (ICS) and OT environments across critical infrastructure sectors such as water treatment, energy, and agriculture. Earlier intrusions often relied on exposed remote services like virtual network computing (VNC) endpoints on ports 5900–5910, combined with brute-force attempts and default credentials. However, by 2026, these behaviors resemble structured credential-based intrusions, where attackers prioritize authentication weaknesses over pure network exposure. 

This evolution is significant: instead of merely scanning for open systems, adversaries are now systematically exploiting weak identity layers, reused passwords, and leaked authentication data to execute identity-based cyber attacks at scale. 

The Hacktivist Ecosystem Driving Credential-Based Attacks 

The advisory identifies a loosely connected ecosystem of pro-Russia hacktivist groups that have accelerated this shift. These include Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16. 

CARR is assessed to have had early support linked to Russia’s GRU Unit 74455, particularly in its formative stage. While initially focused on distributed denial-of-service (DDoS) activity, the group later expanded into OT intrusions involving industrial environments. 

  1. NoName057(16) remains one of the most persistent actors, widely known for its DDoS tool “DDoSia,” distributed via Telegram and GitHub. Although traditionally disruption-focused, its campaigns now frequently overlap with credential exploitation activity that enables follow-on access. 
  2. Z-Pentest, formed in late 2024 through the fragmentation of earlier groups, represents a turning point. It blends propaganda-driven operations with direct intrusions into OT systems. By 2025, it was already demonstrating repeated access to industrial interfaces through compromised authentication pathways, aligning closely with credential stuffing attacks and reused password exploitation patterns. 
  3. Sector16, emerging in 2025, reflects a newer wave of less experienced operators who still manage to achieve access through opportunistic stolen credentials cyber attacks and weak authentication controls. 

How Credential-Based Intrusions Actually Work in OT Environments 

The mechanics behind modern credential-based intrusions are not complex, but they are effective. Attackers typically begin with broad scanning of exposed services, particularly VNC endpoints used for remote industrial monitoring. Tools such as Nmap and OpenVAS are frequently referenced in advisory reporting. 

Once exposed interfaces are identified, attackers shift toward authentication abuse: 

  • Password spraying against operator accounts 

  • Exploitation of default or unchanged credentials 

  • Reuse of previously leaked credentials from unrelated breaches 

  • Automated login attempts resembling credential stuffing attacks 

After gaining access, adversaries often reach HMIs that control industrial processes. From there, account takeover attacks become operational rather than theoretical: attackers manipulate system parameters, disable alarms, or intentionally create a “loss of view,” forcing operators into manual control. 

What makes these identity-based cyber attacks particularly dangerous is their simplicity. No advanced malware is required. In many cases, legitimate administrative interfaces are being used exactly as intended, just by the wrong user. 
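The authentication-abuse patterns listed above (password spraying, default or reused credentials, automated credential stuffing) leave a characteristic shape in remote-access authentication logs, which is what a defender can monitor when the login itself looks legitimate. The script below is an added example, not code from Cyble or from the advisory; it runs three heuristics over a constructed log in an assumed `<timestamp> auth src=<ip> user=<name> result=<ok|fail>` format (not the log format of any particular VNC or HMI product), with thresholds and window sizes that are also assumptions to be tuned per environment.

```python
"""Heuristics for spotting password spraying, credential stuffing and a
takeover-style success-after-failures pattern in remote-access authentication
logs. Added example; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed "<iso-timestamp> auth src=<ip> user=<name> result=<ok|fail>"
# format). Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-01-10T03:00:01 auth src=198.51.100.7 user=operator1 result=fail
2026-01-10T03:00:02 auth src=198.51.100.7 user=operator2 result=fail
2026-01-10T03:00:03 auth src=198.51.100.7 user=engineer result=fail
2026-01-10T03:00:04 auth src=198.51.100.7 user=admin result=fail
2026-01-10T03:00:05 auth src=198.51.100.7 user=hmi result=ok
2026-01-10T03:05:00 auth src=203.0.113.5 user=admin result=fail
2026-01-10T03:05:02 auth src=203.0.113.9 user=admin result=fail
2026-01-10T03:05:04 auth src=203.0.113.12 user=admin result=fail
2026-01-10T03:05:06 auth src=203.0.113.15 user=admin result=ok
2026-01-10T08:00:00 auth src=192.0.2.20 user=operator1 result=fail
2026-01-10T08:00:30 auth src=192.0.2.20 user=operator1 result=ok
"""

def parse_line(line):
    """Turn one log line into a dict with a datetime, source, user and success flag."""
    ts, _tag, fields = line.split(" ", 2)
    kv = dict(f.split("=", 1) for f in fields.split())
    return {"ts": datetime.fromisoformat(ts), "src": kv["src"],
            "user": kv["user"], "ok": kv["result"] == "ok"}

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def _windowed_groups(events, group_key, distinct_key, window, threshold):
    """Sliding-window check: for each group (e.g. source IP) count the distinct values
    of distinct_key (e.g. usernames) seen within `window`; report groups that reach
    `threshold`, with the distinct values of the last qualifying window."""
    groups = defaultdict(list)
    for e in events:
        groups[e[group_key]].append(e)
    hits = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            seen = {e[distinct_key] for e in evs[start:end + 1]}
            if len(seen) >= threshold:
                hits[key] = sorted(seen)
    return hits

def detect_spraying(events, window=timedelta(minutes=10), min_users=3):
    """Password spraying: one source trying many different usernames in a short window."""
    return _windowed_groups(events, "src", "user", window, min_users)

def detect_stuffing(events, window=timedelta(minutes=10), min_sources=3):
    """Credential stuffing / distributed brute force: one account hit from many sources."""
    return _windowed_groups(events, "user", "src", window, min_sources)

def detect_success_after_failures(events, min_failures=3):
    """A source that fails repeatedly and then succeeds is a likely account takeover;
    an operator's one-typo-then-success pattern stays below the threshold."""
    failures = defaultdict(int)
    suspicious = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            if failures[e["src"]] >= min_failures:
                suspicious.append((e["src"], e["user"]))
        else:
            failures[e["src"]] += 1
    return suspicious

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_spraying(evs))
    print("stuffed accounts:", detect_stuffing(evs))
    print("success after failures:", detect_success_after_failures(evs))
```

On the constructed log, the first source is flagged for spraying (five usernames in four seconds) and its eventual successful `hmi` login is flagged by the success-after-failures rule; the distributed attempts against `admin` are only caught by the stuffing rule, because no single source there fails more than once, which is why all three views are needed. The single failed-then-successful `operator1` login from the third source is left alone.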

Measured Impact Across Critical Infrastructure 

The scale of activity has increased steadily across 2025. Previously, Cyble reported that ICS-related attacks accounted for 25% of all hacktivist operations, nearly doubling from Q2 levels. Earlier in 2025, ICS, data leaks, and access-based intrusions collectively represented 31% of hacktivist activity, compared to just 15% for website defacements and 54% for DDoS attacks.

This shift reflects a migration away from surface disruption toward deeper credential-based attacks and infrastructure compromises. 

Specific group activity underscores this trend: 

  • Z-Pentest conducted 38 ICS attacks in Q2 2025, up from 15 in the previous quarter 

  • Dark Engine was linked to 26 ICS incidents 

  • Sector16 accounted for 14 attacks in the same period 

In parallel, hacktivist campaigns expanded across sectors including energy, manufacturing, transportation, and telecommunications, with Italy, the United States, and NATO-aligned countries frequently targeted. 

More advanced incidents also emerged, including claims by Cyber Partisans BY and Silent Crow of a breach involving Russian airline systems and the exfiltration of over 22TB of data, alongside operations reported by Ukrainian Cyber Alliance and BO Team against industrial environments. 

Why Credential-Based Intrusions Matter More Than Exploits 

For CISOs, the most important shift is conceptual. Traditional security models often focus on patching vulnerabilities and reducing exposed services. However, credential-based intrusions bypass much of this logic. 

If attackers already possess valid credentials, whether through phishing, reuse, leakage, or automated credential stuffing attacks, then perimeter defenses become significantly less relevant. 

This is particularly dangerous in OT environments where: 

  • Identity management is inconsistent 

  • Shared accounts are common 

  • Multi-factor authentication is often absent 

  • Legacy systems cannot easily enforce modern authentication 

In such environments, attacks using stolen credentials effectively collapse the security boundary.

Strategic Implications for CISOs in 2026 

The convergence of hacktivist coordination and identity-driven access patterns creates a predictable outcome: more frequent account takeover attacks leading to operational disruption rather than traditional data theft. 

The Dec 10, 2025 advisory emphasized mitigation steps that now define baseline OT security maturity: 

  • Eliminating exposed VNC services from the public internet 

  • Enforcing strong authentication and eliminating default credentials 

  • Segmenting IT and OT environments to contain lateral movement 

  • Continuous monitoring of industrial control traffic 

  • Treating any system with weak credentials as potentially compromised 

More importantly, organizations are being pushed toward identity-centric security models where identity-based cyber attacks are treated as primary threat vectors, not secondary concerns.

Credential Warfare Becomes the Default Entry Point 

The trajectory of Russia-linked hacktivist operations suggests a sustained move toward scalable, low-friction intrusion methods. While these groups may lack the sophistication of advanced persistent threats, their ability to coordinate, amplify, and reuse credential-based attacks across multiple targets makes them disproportionately impactful. 

As 2026 unfolds, the defining challenge for defenders will not be detecting exotic exploits but controlling identity exposure. In this environment, credential stuffing attacks, stolen credentials cyber attacks, and rapid account takeover attacks will continue to serve as the most reliable entry point into critical infrastructure networks. 

The post Inside Russia’s Shift to Credential-Based Intrusions: What CISOs Need to Know in 2026 appeared first on Cyble.

Blog – Cyble · Ashish Khaitan

Middle East Cyber Warfare Intensifies: Rising Attacks, Hacktivist Surge, and Global Risk Exposure 

17 March 2026, 07:14

[Image: Middle East cyber warfare]

The ongoing Middle East war has evolved into a cyber battlefield, with state-sponsored operations targeting critical infrastructure and essential services. Analysts warn that the region is witnessing an unprecedented escalation in Middle East cyber warfare, with attacks affecting governments, energy networks, finance, communications, and industrial systems. These operations, often executed through proxy groups, aim to destabilize societies, disrupt supply chains, and exert geopolitical pressure. 

Despite early disruptions to Iranian command centers, Iran and its affiliated groups retain substantial cyber capabilities. Incidents already linked to these campaigns include fuel distribution delays in Jordan and interference with navigation systems, impacting over 1,100 ships near the Strait of Hormuz, posing risks to global oil and gas trade. The integration of military strikes with cyber operations, known as hybrid warfare, has become a defining feature of the conflict, making cyber threats in the Middle East a growing concern for organizations worldwide. 

Hybrid Warfare and the Rise of Middle East Cyber Attacks 

According to recent intelligence, the region entered a critical phase of hybrid warfare following an escalation between Iran, the United States, and Israel on February 28, 2026. The joint offensive, dubbed Operation Epic Fury by the U.S. and Operation Roaring Lion by Israel, combined traditional military strikes with cyberattacks, psychological operations, and information warfare. Early operations targeted Iran’s nuclear and military infrastructure, while cyber campaigns disrupted internet access, government systems, and media networks. 

Iran retaliated with missile and drone strikes across Israel, Gulf states, and U.S. bases, while cyber operations proliferated. Over 70 hacktivist groups launched campaigns including DDoS attacks, website defacements, credential theft, and disinformation. Malware and phishing campaigns also emerged, such as a fraudulent Israeli missile-alert app designed to harvest sensitive data. These events highlight how modern conflict increasingly intertwines kinetic warfare with cyber operations, amplifying Middle East cybersecurity threats for both regional and global targets. 

Iranian Cyber Capabilities and Hacktivist Involvement 

Iran remains a formidable cyber adversary, with active threat groups including Charming Kitten (APT35), APT33, MuddyWater, OilRig, and Pioneer Kitten. These groups conduct espionage, infrastructure disruption, credential theft, and target critical sectors such as energy, aviation, government, and telecommunications. Iranian-aligned hacktivists, including CyberAv3ngers, Handala, Team 313, and DieNet, further amplify risks through DDoS campaigns, industrial control system intrusions, and data leaks. 

Advisories indicate potential cooperation between Iranian and Russia-linked hacktivists, which could heighten Middle East geopolitical cyber threats. Experts emphasize that organizations must bolster cybersecurity in the Middle East, enforce multi-factor authentication, segment critical networks, and participate in information-sharing frameworks to mitigate risks. 

Cyber Retaliation and Infrastructure Disruption 

The first 72 hours of the conflict primarily involved disruption and propaganda rather than destructive attacks on infrastructure. On February 28, 2026, Israel executed one of the largest cyberattacks against Iran, causing a near-total internet blackout, with connectivity dropping to just 1–4% of normal levels. Concurrently, Iranian-aligned groups launched spear-phishing campaigns, ransomware-style attacks, data exfiltration, and malware deployment targeting energy systems, airports, financial institutions, and government networks. 

Beyond regional targets, supply chain interconnections expose countries outside the Middle East, such as India, to indirect risks. Attackers exploit vulnerabilities in VPNs, Microsoft Exchange, and other widely used technologies while deploying AI-assisted phishing, weaponized documents, and concealed command-and-control infrastructure. Organizations are urged to enhance cloud resilience, prepare for DDoS attacks, and strengthen monitoring and incident response procedures to combat the expanding wave of Middle East cyberattacks. 

Exploitation by Cybercriminals Amid Geopolitical Instability 

Cybercriminals are leveraging the heightened attention on the conflict to launch scams, misinformation, and malware campaigns. Researchers have identified over 8,000 newly registered domains tied to the crisis, many of which could later serve as vectors for attacks. Notable campaigns include: 

  • Conflict-themed malware lures, including fake missile strike reports delivering backdoors like LOTUSLITE. 

  • Phishing portals impersonating government or payment services. 

  • Fake donation pages, fraudulent online stores, and cryptocurrency “meme-coin” schemes, sometimes containing Persian-language code comments suggesting Iran-aligned operators. 

Preparing for the Middle East Cyber War 2026 

As Middle East cyber warfare escalates, organizations must strengthen defenses, patch vulnerabilities, and enhance incident response to counter rising cyber threats in the Middle East. The events of 2026 show that modern conflicts extend beyond traditional battlefields, with cyberattacks threatening infrastructure, finance, and global supply chains. 

Cyble, the world’s #1 threat intelligence platform, provides AI-powered solutions to detect, predict, and neutralize threats in real time, helping organizations stay ahead of Middle East cybersecurity threats. 

Book a personalized demo and see how Cyble Blaze AI can protect your organization during the Middle East cyber war 2026. 

The post Middle East Cyber Warfare Intensifies: Rising Attacks, Hacktivist Surge, and Global Risk Exposure  appeared first on Cyble.

Blog – Cyble · Ashish Khaitan

Australia, New Zealand, Tonga, Warn of Rising INC Ransom Attacks Targeting Pacific Networks

9 March 2026, 10:28

[Image: INC Ransom activity]

Cybersecurity agencies across the Pacific region are sharing concerns about the ransomware group INC Ransom's expanding activities and the growing influence of its affiliate network.

A joint advisory issued by the Australian Cyber Security Centre (ACSC), National Computer Emergency Response Team Tonga (CERT Tonga), and the New Zealand National Cyber Security Centre (NCSC) highlights how the INC Ransom ecosystem has become an active threat to organizations in Australia, New Zealand, and Pacific Island states.

The advisory from the agencies down under is designed for both technical specialists and general network defenders. It outlines how INC Ransom operates, the techniques its affiliates use, and the steps organizations can take to reduce their exposure. Officials from the three agencies are urging both government ministries and private organizations to review the mitigation measures outlined in the guidance to strengthen defenses against INC Ransom activity.

What distinguishes this campaign is not only the ransomware itself, but the operational structure behind it. The INC Ransom ecosystem relies on a distributed affiliate model, enabling a broad range of cybercriminal operators to conduct attacks using shared tools and infrastructure.

The INC Ransom Affiliate Model and the RaaS Ecosystem

INC Ransom’s operational structure is that of a Ransomware-as-a-Service (RaaS) platform. The model allows external affiliates to deploy ransomware against victims while the core operators manage extortion negotiations and payment collection.

INC Ransom first emerged in mid-2023 as a financially motivated cybercriminal group believed to be based in Russia. Since then, the group has built an affiliate network that distributes ransomware to attackers targeting organizations worldwide. Within this structure, affiliates perform the technical intrusion and deployment of the malware, while the core INC Ransom operators handle victim communication and ransom demands. 

The group is also known by other threat-intelligence labels, including Tarnished Scorpion and GOLD IONIC. 

According to the advisory from ACSC, NCSC, and CERT Tonga, INC Ransom operations are particularly focused on organizations that manage sensitive or high-value information. Health care providers have become a prominent target globally, likely due to the operational pressure these organizations face when systems become unavailable. 

Although earlier activity concentrated on victims in the United States and the United Kingdom, threat intelligence collected by ACSC, NCSC, and CERT Tonga indicates that the group has shifted attention toward the Pacific region since early 2025. 

INC Ransom Incidents in Australia

In Australia, ACSC has tracked a series of incidents linked to INC Ransom affiliates. 

Between 1 July 2024 and 31 December 2025, the ACSC responded to 11 incidents attributed to the ransomware operation. These incidents primarily affected organizations in professional services and the health care sector. 

Since January 2025, analysts at the ACSC have observed INC Ransom affiliates targeting Australian health care entities through compromised user accounts. Once access is obtained, attackers typically escalate privileges by creating new administrator-level accounts. They then move laterally through internal systems to expand control within the network. 

During these operations, INC Ransom affiliates have deployed malicious payloads using filenames such as “win.exe.” Investigations conducted by the ACSC have also identified cases in which attackers exfiltrated personally identifiable information and medical records before launching the encryption phase. 

Victims typically discover ransom notes containing instructions and links to the INC Ransom Tor-based data leak site (DLS) where negotiations occur. 

Health Infrastructure Disruption in Tonga 

One of the most disruptive incidents linked to INC Ransom occurred in the Kingdom of Tonga. 

On 15 June 2025, the ICT environment of the Tongan Ministry of Health was hit by a ransomware attack that disrupted the national health care network and rendered several core services inaccessible. Investigators from CERT Tonga, working with regional partners including ACSC and NCSC, discovered a ransom note associated with INC Ransom embedded within the ministry’s file systems. 

On 26 June 2025, the INC Ransom group publicly claimed responsibility for the incident on its dark-web data leak site. 

The advisory further identifies Roman Khubov, a cybercriminal also known as “blackod,” as the individual controlling the malicious infrastructure used to exfiltrate data during the Ministry of Health breach. 

Ransomware Incident in New Zealand 

Ransomware activity remains a persistent problem in New Zealand, where multiple sectors of the economy have experienced disruptions. 

In May 2025, the NCSC received a report from a health-sector organization that had suffered a major ransomware intrusion. According to the notification, attackers encrypted a large number of servers and endpoint devices while also stealing significant volumes of data. 

The NCSC investigation determined that INC Ransom was responsible for the incident. After the organization refused to meet the extortion demand, the attackers published the stolen dataset on the INC Ransom data leak site. 

The event reinforced concerns among cybersecurity officials at NCSC, ACSC, and CERT Tonga that the group’s tactics are targeting organizations whose operations are highly sensitive to disruption. 

Technical Tactics Used by INC Ransom 

Technical analysis from ACSC, NCSC, and CERT Tonga shows that INC Ransom affiliates rely on several common intrusion techniques to gain initial access to victim networks. 

The most frequently observed entry points include: 

  • Spear-phishing campaigns targeting employees 

  • Exploitation of unpatched internet-facing systems 

  • Purchased credentials from initial access brokers 

Once inside the network, INC Ransom affiliates often rely on legitimate software tools rather than custom malware to perform key tasks. This tactic allows malicious activity to blend into normal administrative operations. 

For example: 

  • 7-Zip and WinRAR are used to compress data before theft. 

  • The file synchronization tool rclone is frequently used to transfer stolen data outside the network. 

After data exfiltration, attackers deploy the encryption component of INC Ransom. A ransom note is then left on affected systems with payment instructions and contact details. 

If the targeted organization refuses to pay, INC Ransom operators initiate double-extortion tactics by publishing both the victim’s name and stolen information on the group’s leak site. 

Security analysts note that the tactics, techniques, and procedures (TTPs) used by INC Ransom share similarities with other ransomware operations such as Lynx, Nemty, Nemty X, Karma, and Nokoyawa. 
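The staging-then-exfiltration pattern described above (archive with 7-Zip/WinRAR, then push the archive out with rclone) is one that defenders can correlate in process-creation telemetry. The following is an added example, not code from the Cyble post or the ACSC/NCSC/CERT Tonga advisory; the event format, field names and sample events are constructed for illustration.

```python
"""Triage rclone launches against prior archiver activity on the same host.

Added example (not from the Cyble post or the joint advisory). Input lines are
constructed Sysmon-style process-creation events; field names are assumptions.
"""
from datetime import datetime, timedelta
import json

ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}
EXFIL_TOOLS = {"rclone.exe"}
WINDOW = timedelta(minutes=30)   # archiver -> rclone gap that raises severity

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'{"ts": "2025-05-10T01:02:00", "host": "FS01", "image": "C:\\Tools\\7z.exe", "cmd": "7z a -p staging.7z D:\\Shares"}',
    r'{"ts": "2025-05-10T01:05:00", "host": "WS07", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "cmd": "WinRAR.exe x report.rar"}',
    r'{"ts": "2025-05-10T01:20:00", "host": "FS01", "image": "C:\\Users\\Public\\rclone.exe", "cmd": "rclone copy C:\\staging mega:dump"}',
    r'{"ts": "2025-05-10T03:00:00", "host": "WS07", "image": "C:\\Users\\Public\\rclone.exe", "cmd": "rclone sync C:\\docs remote:x"}',
]


def parse_event(line):
    """Return (timestamp, host, lower-cased image basename, command line)."""
    ev = json.loads(line)
    name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return datetime.fromisoformat(ev["ts"]), ev["host"], name, ev["cmd"]


def triage_rclone_launches(lines, window=WINDOW):
    """Every rclone launch becomes an alert; severity is 'high' when an
    archiver ran on the same host within `window` beforehand, else 'medium'."""
    events = sorted(parse_event(line) for line in lines)
    last_archive = {}            # host -> most recent archiver launch
    alerts = []
    for ts, host, name, cmd in events:
        if name in ARCHIVERS:
            last_archive[host] = ts
        elif name in EXFIL_TOOLS:
            seen = last_archive.get(host)
            staged = seen is not None and ts - seen <= window
            alerts.append({"host": host, "ts": ts, "cmd": cmd,
                           "severity": "high" if staged else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in triage_rclone_launches(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["ts"], alert["cmd"])
```

The rule is deliberately coarse: rclone on a workstation or file server is unusual enough to warrant triage on its own, and the archiver correlation only prioritises the queue.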

Defensive Measures Recommended by ACSC, NCSC, and CERT Tonga 

The joint advisory from ACSC, NCSC, and CERT Tonga outlines several practical security measures designed to reduce the risk of INC Ransom compromise. 

Key defensive actions include: 

  • Maintain Reliable Backups: Organizations should maintain regular, tested backups of critical systems and store them securely to prevent unauthorized modification or deletion. 

  • Restrict Network Traffic: Network administrators should limit inbound and outbound traffic to only what is necessary for operations. Firewalls and filtering technologies can help reduce exposure to phishing campaigns and malicious attachments. 

  • Harden Remote Access: Virtual private networks (VPNs) and other remote access systems should be carefully configured to ensure only authorized users can reach sensitive resources. 

  • Implement Multi-Factor Authentication: The advisory from ACSC, NCSC, and CERT Tonga emphasizes implementing phishing-resistant multi-factor authentication (MFA) for internet-facing services and privileged accounts. 

  • Manage Privileged Access: Administrative privileges should be tightly controlled. Unique accounts for administrators improve accountability and reduce the impact of credential compromise. 

  • Maintain Strong Vulnerability Management: Regular vulnerability scanning and rapid patching of exposed systems remain critical, particularly for internet-facing services that ransomware actors commonly target. 

Growing Regional Collaboration Against INC Ransom 

The joint advisory reflects cooperation among cybersecurity agencies across the Pacific. By sharing intelligence and incident data, organizations such as ACSC, NCSC, and CERT Tonga are building a more coordinated response to ransomware threats like INC Ransom. 

The rise of affiliate-driven ransomware operations has significantly lowered the barrier to entry for cybercriminal activity. In this environment, the INC Ransom ecosystem demonstrates how distributed attacker networks can rapidly shift focus across geographic regions. 

For organizations in Australia, New Zealand, and the Pacific islands, the advisory from the Australian Cyber Security Centre (ACSC), New Zealand National Cyber Security Centre (NCSC), and National Computer Emergency Response Team Tonga (CERT Tonga) highlights the need to strengthen access controls, monitor network activity, and maintain a tested incident response plan to limit the impact of ransomware attacks. 

Threat intelligence from Cyble helps organizations track ransomware activity, monitor dark web exposure, and identify indicators of compromise earlier. 

Schedule a demo with Cyble to see how its threat intelligence platform supports ransomware detection and response. 


Middle East on the Brink: Iran-US-Israel Hostilities Trigger Cyber-Kinetic Conflict

Ashish Khaitan, 3 March 2026, 12:04

The geopolitical landscape of the Middle East has entered one of its most volatile phases in decades. On February 28, 2026, tensions that had been simmering for years erupted into a full‑blown conflict involving the Islamic Republic of Iran, the United States, and Israel. A confluence of diplomatic stalemate, military posturing, and covert cyber preparations set the stage for what would evolve from a localized confrontation into an expansive, multi‑domain campaign.  

The conflict’s opening salvo — codenamed Operation Epic Fury by the US and Operation Roaring Lion by Israel — was not just a conventional military assault. It was a synchronized hybrid offensive in which cyber operations were integrated as a co‑equal domain with kinetic strikes, psychological messaging, and information warfare. Over the course of the first 72 hours, from February 28 to March 3, kinetic blows and digital disruptions merged in ways that revealed both the strengths and vulnerabilities of actors across the region.  

Throughout this critical period, Cyble Research and Intelligence Labs (CRIL) has been meticulously tracking the movements, attacks, claims, and associated cyber activity between Iran, Israel, and the US, providing real‑time insights into both the kinetic strikes and the evolving threat landscape.  

Prelude to Conflict: Buildup and Diplomatic Gridlock 

In the days leading up to February 28, the Middle East witnessed a massive US military buildup, the largest since the 2003 Iraq invasion. Aircraft carriers, fighter wings, and intelligence assets positioned themselves within striking range of Iran’s borders. At the same time, indirect nuclear negotiations in Geneva appeared, momentarily, to offer a diplomatic pathway, with Iran publicly agreeing to halt enrichment stockpiling under International Atomic Energy Agency (IAEA) supervision. However, distrust and strategic imperatives among the US, Israel, and Tehran rendered the diplomatic exercise insufficient to prevent escalation.  

Day 1: February 28 — Operation Epic Fury 

At approximately 06:27 GMT, the first concerted wave of strikes hit Iran. US‑Israeli forces began a broad assault across more than two dozen provinces, targeting nuclear facilities, IRGC command centers, ballistic missile launchers, and secure compounds tied to the Iranian leadership. The offensive reportedly included the targeted killing of Supreme Leader Ayatollah Ali Khamenei, a moment that marked a profound turning point in the conflict.  

What set the opening apart from traditional air campaigns was its immediate cyber component. For the first time on such a scale, network disruption was planned to coincide with kinetic impact. Independent monitors observed Iranian internet connectivity collapse to roughly 1–4% of normal levels as cyberattacks crippled state media, government digital services, and military communications. 

Popular local services, including widely used mobile applications and prayer tools, were reportedly compromised to sow confusion and prompt defections, while defaced state news sites delivered messages contradicting official Iranian narratives.  

Before the current conflict, MuddyWater, long associated with Iran‑linked cyber campaigns, was already a critical piece of the threat landscape. Alongside other advanced persistent threat (APT) groups — such as APT42 (Charming Kitten), Prince of Persia / Infy, UNC6446, and CRESCENTHARVEST — it had been active well before February 28, conducting phishing, exploitation of public-facing servers, and information theft against Israeli, US, and regional networks.  

While Iran’s domestic internet infrastructure faltered, the US‑Israeli offensive extended psychological operations into Israeli territory. Threatening messages referencing national ID numbers and fuel shortages arrived in civilians’ inboxes, and misinformation campaigns amplified anxieties even as authorities worked to blunt digital interference. 

Day 2: March 1 — Retaliation and the Surge of Hacktivism 

Iran’s kinetic retaliation was swift and forceful. From March 1 onward, waves of ballistic missiles and drones launched at Israel, Gulf Cooperation Council (GCC) states, and US military bases reinforced that Tehran’s response would not be limited to symbolic posturing. The UAE alone intercepted hundreds of projectiles, resulting in civilian casualties and infrastructure damage, including at Dubai’s international airport and an AWS cloud data center within its mec1‑az2 availability zone.  

On the cyber front, March 1 marked the dramatic expansion of hacktivist activity across the region. More than 70 groups — spanning ideological spectrums and even blending pro‑Iranian and pro‑Russian motivations — activated operations in parallel with state responses. An Electronic Operations Room organized by Iraqi‑aligned hackers, such as Cyber Islamic Resistance / Team 313, began orchestrating distributed denial‑of‑service (DDoS) attacks, website defacements, and credential theft against national government portals and key infrastructure systems in Turkey, Poland, and GCC states. 

One of the most technically significant artifacts of March 1 was a malicious RedAlert APK observed by Unit 42 analysts. Designed to mimic Israel’s official missile alert app, this payload was distributed via Hebrew‑language SMS links. Once installed, it collected sensitive device and user information — contacts, SMS logs, IMEI numbers, and email credentials — with encrypted exfiltration mechanisms and anti‑analysis protections, providing a rare glimpse of tradecraft resembling state‑level cyber operations at a time when Iranian domestic internet access was severely limited.  

Beyond MuddyWater and other established APTs, opportunistic cybercriminals exploited the chaos through social engineering campaigns in the UAE.  

Day 3: March 2–3 — Strikes, Blackouts, and Enduring Hybrid Threats 

The kinetic campaign broadened on March 2 with the destruction of the IRGC’s Malek‑Ashtar headquarters in Tehran. By March 3, Israeli forces had struck Iran’s state broadcaster, further constraining Tehran’s ability to manage domestic information and cyber operations. The extended internet blackout — persisting well into the third day — continued to isolate Iranian networks, allowing external campaigns to operate with limited interference.  

Several digital fronts emerged during this period: 

  • Hacktivist and Propaganda Operations: Groups such as Handala Hack Team claimed exfiltration of terabytes of financial data; others like DieNet and OverFlame targeted GCC critical infrastructure portals and governmental systems in coordinated disruptive campaigns. 

  • Pro‑Russian Opportunistic Convergence: Entities, including NoName057(16) and Russian Legion, shifted their focus from Ukraine‑related operations to anti‑Israel actions supportive of Iran, albeit with mixed credibility. 

  • Cybercrime Opportunism: The blend of hacktivism and ransomware was exemplified by groups like INC Ransomware, which targeted industrial entities and combined extortion‑style tactics with ideological messaging. 

Throughout March 1–3, analysts noted that most observed cyber activity fell into the realm of DDoS attacks, exposed CCTV feeds, and information operations rather than destructive intrusions into industrial control systems — although unverified claims of SCADA manipulation circulated widely in pro‑Iranian forums.  

Broader Regional and Strategic Implications 

The first 72 hours of Operation Epic Fury reveal several critical insights about modern conflict dynamics in the Middle East: 

  1. Cyber as a Co‑Equal Domain: Cyber operations were planned and executed in lockstep with kinetic strikes, demonstrating that modern warfare no longer segregates digital and physical arenas. 

  2. Hacktivist Amplification: With over 70 groups active within days, the hacktivist ecosystem has become a force multiplier of psychological and disruptive operations that can transcend national borders. 

  3. Opportunistic Exploitation: As seen in social engineering and ransomware campaigns, broader conflict can catalyze financially motivated cybercrime that piggybacks on geopolitical uncertainty. 

These dynamics suggest that defenders in the region — from government CERTs to multinational enterprises — must maintain heightened vigilance across both technical and psychological threat vectors, with particular emphasis on credential harvesting, DDoS mitigation, and proactive monitoring of emerging malware campaigns. 

Conclusion 

The events from February 28 to March 3 highlight that the US‑Israeli offensive against Iran — launched as Operation Epic Fury — is not merely a military confrontation but a hybrid engagement across kinetic, cyber, and informational domains. While Iran’s internet infrastructure remains degraded, sophisticated pre‑positioned capabilities could still be activated in the coming weeks, particularly if connectivity is restored. Meanwhile, the hacktivist theatre continues to grow in both volume and geographic scope, even as the technical sophistication of most operations remains limited. 

In this environment, security practitioners and strategic planners must be prepared for adaptive threat behavior that blends political motivations with opportunistic cybercrime — a reality that defines the 21st‑century battlespace in the Middle East and beyond. 
