Executive Summary
Between February 28 and March 2, 2026, a coordinated wave of 149 hacktivist-driven distributed denial-of-service (DDoS) attacks targeted 110 organizations across 16 countries, following the U.S.-Israel military campaign against Iran. The majority of attacks were concentrated in the Middle East, with Kuwait, Israel, and Jordan accounting for over 76% of incidents. Nearly half of the targeted organizations were in the government sector, with finance and telecommunications also significantly affected. The attacks were orchestrated by at least 12 hacktivist groups, with Keymous+ and DieNet responsible for nearly 70% of activity. Attack methods included volumetric DDoS, hack-and-leak operations, phishing campaigns using malicious mobile applications, credential harvesting, and wiper malware targeting industrial control systems. Pro-Russian and pro-Iranian groups claimed responsibility for several high-profile breaches, including alleged compromises of Israeli military and critical infrastructure. The technical sophistication of attacks ranged from low to medium, with most disruptions focused on public infrastructure and state-level targets. Multiple independent sources, including The Hacker News, Palo Alto Networks Unit 42, and official advisories, confirm the scope, attribution, and technical details of these incidents.
Technical Information
The surge in hacktivist activity was directly linked to the escalation of military conflict in the Middle East, specifically following the U.S.-Israel coordinated strikes on Iran, codenamed Operation Epic Fury and Roaring Lion. The attacks began on February 28, 2026, with the first DDoS campaign launched by Hider Nex (also known as Tunisian Maskers Cyber Force), a group supporting pro-Palestinian causes. Over the subsequent 72 hours, 149 DDoS claims were recorded, targeting 110 organizations in 16 countries, with 107 attacks focused on the Middle East (The Hacker News, 2026-03-04; Palo Alto Networks Unit 42, 2026-03-02).
The primary attack vector was volumetric DDoS, designed to overwhelm public-facing infrastructure, disrupt government services, and degrade critical digital operations. Hack-and-leak tactics were also prevalent, with groups such as Hider Nex combining DDoS with data breaches to leak sensitive information for geopolitical leverage. Phishing campaigns were observed, notably the distribution of a rogue replica of the Israeli Home Front Command RedAlert application. This malicious Android package (APK) was delivered via SMS phishing, tricking users into sideloading malware that enabled mobile surveillance and data exfiltration (The Hacker News; Unit 42).
Credential harvesting was conducted by groups such as Evil Markhors, who targeted unpatched systems and used phishing and vishing (voice phishing) to obtain sensitive credentials. The FAD Team claimed unauthorized access to supervisory control and data acquisition (SCADA) and programmable logic controller (PLC) systems in Israel and other countries, indicating a focus on industrial control system (ICS) disruption. Ransomware and wiper malware were deployed by groups like Dark Storm Team and FAD Team, aiming for permanent data destruction and operational paralysis.
Website defacement campaigns were also reported, with groups such as Handala Hack and APT Iran targeting Israeli and Western infrastructure to maximize psychological impact. Pro-Russian groups, including Cardinal, Russian Legion, and NoName057(16), claimed breaches of Israeli military networks, including the Iron Dome missile defense system, though some of these claims remain unverified.
Technical analysis confirms the use of common DDoS-for-hire platforms, open-source attack tools, and custom scripts. The RedAlert malicious APK campaign leveraged social engineering and sideloading to bypass traditional mobile security controls. Wiper malware and ransomware payloads were used to target both IT and OT (operational technology) environments, with a particular emphasis on critical infrastructure.
The attacks mapped to several MITRE ATT&CK techniques, including T1499 (Endpoint Denial of Service), T1041 (Exfiltration Over C2 Channel), T1566 (Phishing), T1476 (Deliver Malicious App via Authorized App Store), T1110 (Brute Force), T1555 (Credentials from Password Stores), T0882 (Modify Control Logic), T1485 (Data Destruction), T1491 (Defacement), and T1486 (Data Encrypted for Impact).
Attribution to specific groups is supported by public claims, technical artifacts, and historical activity patterns. The formation of the “Electronic Operations Room” on February 28, 2026, facilitated coordinated hacktivist campaigns, amplifying the scale and impact of attacks. The technical sophistication of these operations ranged from basic DDoS and phishing to more advanced ICS/SCADA targeting and wiper malware deployment.
Affected Versions & Timeline
The attacks did not exploit specific software vulnerabilities or versions but rather targeted exposed public infrastructure, web applications, mobile users, and ICS/SCADA systems across multiple sectors. The timeline of major events is as follows:
On February 28, 2026, the first DDoS attack was launched by Hider Nex immediately following the U.S.-Israel strikes on Iran. Between February 28 and March 2, 2026, 149 DDoS claims were recorded, impacting 110 organizations in 16 countries. The “Electronic Operations Room” was established on February 28, 2026, to coordinate hacktivist activity. By March 2, 2026, a surge in hacktivist operations was observed by multiple security firms, including Palo Alto Networks Unit 42.
The attacks were heavily concentrated in Kuwait (28% of claims), Israel (27.1%), and Jordan (21.5%), with the majority of incidents affecting government, finance, and telecommunications sectors. Nearly 48% of targeted organizations were in the government sector, followed by finance (12%) and telecommunications (7%). Critical infrastructure, including energy, healthcare, and digital services, was also targeted.
Threat Activity
The threat landscape during this period was characterized by a high volume of coordinated, multi-vector attacks conducted by at least 12 hacktivist groups. Keymous+ and DieNet were responsible for nearly 70% of all attack activity, focusing on DDoS and hack-and-leak operations. Other active groups included NoName057(16), Nation of Saviors (NOS), Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team, Evil Markhors, and PalachPro (The Hacker News; Unit 42).
Attack methods included volumetric DDoS, hack-and-leak, phishing (notably the RedAlert APK campaign), credential harvesting, ransomware, wiper malware, and website defacement. The RedAlert phishing campaign used a malicious APK to deliver surveillance and data-exfiltrating malware to mobile devices, exploiting user trust in official emergency alert systems.
Pro-Russian groups, such as Cardinal, Russian Legion, and NoName057(16), claimed responsibility for breaches of Israeli military networks, including the Iron Dome missile defense system. While some claims remain unverified, the pattern of disruptive operations aligns with historical group tactics.
State-sponsored Iranian actors, including UNC1549 (also known as GalaxyGato, Nimbus Manticore, or Subtle Snail), focused on defense, aerospace, telecommunications, and government entities. The FAD Team targeted ICS/SCADA environments, claiming unauthorized access to control systems and private devices associated with Israeli security services.
The attacks were not limited to the Middle East; Europe accounted for 22.8% of global activity, with organizations in the U.S. and allied nations also facing direct or indirect targeting. The technical sophistication of attacks varied, with most disruptions categorized as low to medium in complexity but high in operational impact due to the scale and coordination.
Mitigation & Workarounds
Mitigation strategies should be prioritized by severity:
Critical: Organizations in government, finance, telecommunications, and critical infrastructure sectors should immediately implement continuous monitoring for DDoS and hacktivist activity, update threat intelligence signatures, and conduct comprehensive exposure reviews of all connected assets. Segmentation between information technology (IT) and operational technology (OT) networks must be validated, and proper isolation of Internet of Things (IoT) devices ensured. Incident response plans should be reviewed and tested for DDoS, ransomware, and ICS/SCADA attacks (The Hacker News; Unit 42).
High: All organizations should reduce their external attack surface by disabling unnecessary services, enforcing strong authentication, and patching exposed systems. Phishing awareness training should be conducted, with a focus on mobile device security and the risks of sideloading applications. Multi-factor authentication (MFA) should be enforced for all remote access and privileged accounts.
Medium: Regularly review and update firewall and intrusion prevention system (IPS) rules to detect and block known DDoS and credential harvesting tools. Monitor for indicators of compromise (IoCs) associated with the RedAlert APK and other malware referenced in public advisories. Ensure that backup and recovery procedures are robust and tested against ransomware and wiper malware scenarios.
Low: Maintain up-to-date threat intelligence feeds and participate in information sharing with sector-specific and national cybersecurity centers. Review public-facing web applications for vulnerabilities that could be exploited for defacement or data exfiltration.
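The continuous-monitoring recommendation above, as an added Python example (not code from the original advisory or from any vendor it cites): a window-based detector over web access logs that flags minutes whose request volume is both high and spread across many source addresses, the shape of distributed volumetric traffic rather than one noisy client. The log format, thresholds, timestamps and addresses are constructed for the example.

```python
"""Window-based volumetric DDoS detector over web access logs (added example).
Flags one-minute windows with high aggregate volume spread across many sources.
Thresholds and sample log lines are constructed, not taken from the advisory."""
from collections import Counter, defaultdict
from datetime import datetime

RATE_THRESHOLD = 20        # assumed: requests per minute well above this site's baseline
MIN_DISTINCT_SOURCES = 5   # assumed: distinct sources that mark traffic as distributed


def parse_line(line):
    """Return (source_ip, timestamp) from a combined-log style access line."""
    ip, rest = line.split(" - - [", 1)
    ts_str = rest.split("] ", 1)[0]
    return ip, datetime.strptime(ts_str, "%d/%b/%Y:%H:%M:%S %z")


def detect_windows(lines, rate_threshold=RATE_THRESHOLD, min_sources=MIN_DISTINCT_SOURCES):
    """Bucket requests per minute; report windows that look volumetric AND distributed.
    A single source exceeding the rate is left to per-IP rate limiting and not alerted."""
    windows = defaultdict(Counter)
    for line in lines:
        ip, ts = parse_line(line)
        windows[ts.replace(second=0)][ip] += 1
    alerts = []
    for bucket in sorted(windows):
        per_ip = windows[bucket]
        total, distinct = sum(per_ip.values()), len(per_ip)
        if total >= rate_threshold and distinct >= min_sources:
            top_ip, top_count = per_ip.most_common(1)[0]
            alerts.append({"window": bucket.strftime("%H:%M"), "requests": total,
                           "sources": distinct, "top_source": top_ip,
                           "top_share": round(top_count / total, 2)})
    return alerts


def constructed_log():
    """Constructed sample: a quiet minute, then 30 hits from 10 addresses in the
    203.0.113.0/24 documentation range (placeholder addresses, not real indicators)."""
    fmt = '{ip} - - [28/Feb/2026:10:{m:02d}:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    quiet = [fmt.format(ip="198.51.100.7", m=0, s=s) for s in (5, 20, 41)]
    flood = [fmt.format(ip=f"203.0.113.{i % 10}", m=1, s=i) for i in range(30)]
    return quiet + flood


if __name__ == "__main__":
    for alert in detect_windows(constructed_log()):
        print(alert)
```

In production the thresholds would be derived from a rolling baseline per service rather than fixed constants.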
The UK National Cyber Security Centre (NCSC) and other regulatory bodies have issued advisories urging organizations to strengthen their posture against DDoS, phishing, and ICS targeting. Organizations should consult these advisories and implement recommended controls.
References
The Hacker News, March 4, 2026: https://thehackernews.com/2026/03/149-hacktivist-ddos-attacks-hit-110.html
Palo Alto Networks Unit 42, March 2, 2026: https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
UK NCSC advisories (referenced in both above)
Flashpoint, Nozomi Networks, CrowdStrike, SentinelOne (referenced in both above)
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor their digital supply chain for emerging threats, assess exposure to DDoS and hacktivist campaigns, and identify vulnerable assets across IT and OT environments. Our platform supports rapid incident response by integrating threat intelligence, exposure analysis, and automated risk assessments. For questions or further guidance, contact us at ops@rescana.com.