The US Department of Homeland Security (DHS) has warned that Iran might use “low-level cyber attacks” as one way to respond to attacks launched against its nuclear facilities over the weekend.
The national terrorism bulletin issued on Sunday said there is no current threat against the US that has been identified but that there is the “possibility” of threats to the US in the form of “possible cyberattacks, acts of violence, and antisemitic hate crimes," Kristi Noem, the Secretary of Homeland Security said in a statement.
The US Department of National Intelligence (DNI) considers Iran’s cyber operations to be a “major threat to the security of US networks and data,” according to a report published in March this year.
But if Iran were to retaliate against the US with cyberattacks what would be the impact?
Breaches of US government bodies, emails possible
State-sponsored Iranian groups and hacktivists regularly target “poorly secured US networks and Internet-connected devices for disruptive cyber attacks,” according to the DHS report. The US, among other countries, has designated the Islamic Revolutionary Guard Corps (IRGC) as a foreign terrorist group since 2019.
The Iranians are credited with launching attacks against “critical infrastructure sectors” such as transportation, healthcare and the public health sector, according to the US Cybersecurity and Infrastructure Agency (CISA).
Hackers sponsored by the Iranian government are credited with hacking a US-based children’s hospital, a dam in New York and compromising the vulnerabilities of a Pennsylvania water authority and others across the US.
The Federal Bureau of Investigation (FBI) said Iranian-backed actors were also linked to a series of 46 denial of service (DDoS) attacks against major American banks in 2012, such as American Express and Wells Fargo, that locked customers out of their accounts.
Some institutions are already getting ready for increased Iranian cyber attacks, such as the US Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC) and the Information Technology - Information Sharing and Analysis Center (IT-ISAC).
Both organisations released a joint statement on June 13, warning companies to prepare for “the likelihood of increased cyber attacks from Iran targeting US companies”.
Iranian state actor groups have also been accused by CISA of using “brute force such as password spraying and multifactor authentication ‘push bombing,’” with multiple phone notifications, to gain access to US organisations through programs like Microsoft 365, Azure and Citrix systems.
Some of the information gathered in previous Iranian cyber attacks against US government bodies has been sold on cybercriminal forums “to actors who may use the information… for additional malicious activity,” a 2024 CISA alert reads.
Iranian actors have also infiltrated email accounts of key government officials, the DNI threat report said. Most recently, Iranian actors breached the email of a President Donald Trump staffer on the 2024 election campaign and sent a “targeted spear-phishing email” to his employees. The group then “tried to manipulate journalists into leaking information” that they had gathered from the campaign, according to the report.
Iranian state actors have also in the past stolen information from American aerospace and satellite companies (in 2020) and universities ( in 2018).
The role of hactivists
The US-based cybersecurity firm Radware identified 100 new activist groups that sprang up in the last week since Iran's June 13 retaliation against Israel. Some of these groups, the firm said, have threatened to attack the US.
Radware reported on June 18 that a group called Mr. Hamza teamed up with DieNet and other hacktivists groups to target the US “if it joins the war against Iran”.
Mr. Hamza claimed in a June 22 post on Telegram that it had launched attacks against various branches of the US Air Force, including the department’s training platform, mission operational capabilities, and its cloud computing program. The group is also claiming to have attacked several US defence companies, such as RTX, Sierra Nevada Corporation and Aurora Flight Sciences, a Boeing subsidiary.
Euronews Next is trying to independently verify these claims.
DieNet said on its Telegram channel that it would attack again using data breaches, big [DDoS attacks] against critical infrastructure and ransomware.
Radware believes that DieNet is a new group that emerged in 2025 but has already claimed 61 attacks against 19 US organisations between March 11 and 17 this year, including one that amassed a “huge amount of data” from the International Trade Administration and the US Department of Commerce.
“DieNet’s campaigns are unmistakably political,” a Radware alert from March reads. “They openly blame… Trump for fueling their motivation, claiming their cyber offensives are acts of retaliation against US military interventions”.
Iran has a “considerable number” of state-sponsored threat groups that have targeted Israel in the past, such as Muddy Water, APT35 (OilRig), APT35 (Charming Kitten) and APT39 (Remix Kitten), the Radware report added.
