A Digital Ceasefire That May Not Hold
Following a fragile truce reached between the United States and Iran, cybersecurity researchers and executives are wrestling with a familiar question: will a pause in kinetic hostilities translate into a pause in cyberwarfare? If history is any guide, the answer is almost certainly no — and the situation may actually get worse before it gets better.
The day after the temporary ceasefire was announced, Iran's most prominent false-flag hacktivist operation, Handala, posted a notice to its Telegram channel stating that it would participate in a temporary pause in hostilities. The group conceded that, "according to the orders from the highest leadership" in Iran, it has postponed its cyber activity against the United States. But even taking that statement at face value, the cybersecurity community remains skeptical — and with good reason.
Handala: The Most Publicized Threat Actor in the Conflict
Handala has been, without question, the most widely publicized threat actor throughout this conflict. The group has claimed responsibility for a ransomware-style attack against Stryker — considered the biggest cyber operation of the war from Iran's perspective — as well as the compromise of FBI Director Kash Patel's personal email account, widely regarded as the most symbolically significant incident to date.
In its April 8 Telegram post, Handala did qualify its announced ceasefire significantly, stating: "The cyber war did not begin with the military conflict, and it will not end with any military ceasefire." The group also made clear that it would continue directing operations against Israel regardless of any agreement with the United States.
Sergey Shykevich, threat intelligence group manager at Israel-based Check Point Research, cautioned that it is too early to assess whether Handala — or Iranian advanced persistent threats (APTs) more broadly — will actually scale back activity. "I would not be surprised if, at some point over the next two weeks, they resume cyberattacks as another means of applying pressure against the US," he said.
What Intelligence and History Tell Us
Austin Warnick, director of Flashpoint's National Security Intelligence Team, is equally skeptical. "Historical data and recent intelligence analysis indicate that a military ceasefire rarely equates to a 'digital stand-down,'" he warned. "Cyber operations often remain steady or even flare up as an asymmetric pressure valve while kinetic hostilities are paused."
The pattern holds across multiple conflicts and regions:
- Following the October 7 massacres in Israel and Israel's subsequent invasion of Gaza, the two sides reached a temporary ceasefire in late November 2023. At that time, Cyber Toufan — another false-flag hacktivist operation linked to Iran's "Resistance Axis" and one of Handala's closest equivalents — indicated it was pausing operations until the war resumed. Yet between November and December 2023, the group claimed more than 100 Israeli victims on its leak site, casting serious doubt on whether any slowdown occurred at all.
- A Hamas-aligned threat actor used a 2021 ceasefire with Israel as a direct justification for launching a fresh phishing campaign across the Middle East.
- When Ukraine and Russia agreed to a Black Sea ceasefire, both sides used the downtime to carry out major cyberattacks — including strikes against the very same energy infrastructure the ceasefire was supposed to protect.
The Ukraine Precedent: Attacks During 'Peace'
Markus Mueller, field chief information security officer (CISO) for Nozomi Networks, offered a broader historical lens. "The major cyberattacks in Ukraine took place during a time when, at least on the Russian side, the war wasn't active," he explained. "It was right after Russia annexed Crimea. They hadn't really done the big push — what some folks call the second Ukraine war. That in-between period is when we saw a lot of the larger attacks."
The implication is stark: periods of reduced kinetic conflict can actually create ideal conditions for escalating cyber operations, as state actors and their proxies exploit the reduced scrutiny and diplomatic breathing room to reposition, rearm, and strike through digital means.
Low-Level Activity Continues Unabated
Even as Handala announced its ceasefire, other Iran-aligned groups demonstrated no such restraint. Warnick noted that "low-level and nuisance-level cyber activity from groups like the 313 Team and Conquerors Electronic Army has continued without pause." On April 8 — the same day Handala published its ceasefire notice — the 313 Team claimed responsibility for an attack on an Australian government authentication portal. The Conquerors Electronic Army simultaneously claimed distributed denial-of-service (DDoS) attacks against Israeli targets, as well as the US-based freelancer platform Upwork.
Warnick further explained the underlying logic: "Threat actors treat diplomatic pauses as technicalities, using the time to pivot toward secondary targets or allies to maintain pressure without technically violating military agreements."
Expect Broader Geographic Reach
Mueller also warned that the nature of cyber activity tied to this conflict is likely to shift. "I think there will be a change in cyber activity both in scope and scale," he said. "The majority of activity we've seen around this conflict so far is regionalized. We foresee — based on what we've seen with other conflicts both within the region, but also with Ukraine — that it's going to grow a little more broad, and we're going to have more activity in North America, more activity in Europe, or any country that was seen as supporting the conflict."
This geographic expansion is a hallmark of conflicts that enter a prolonged negotiation or ceasefire phase, as threat actors search for new levers of pressure beyond the immediate theater of war.
The One Notable Exception: The 2015 Iran Nuclear Deal
For all the cautionary precedents, analysts do point to one striking historical counterexample. In the lead-up to negotiations for the 2015 Iran nuclear deal, researchers observed Iran probing US critical infrastructure for vulnerabilities that could facilitate serious attacks. Yet during the actual negotiating period, malicious cyber activity dropped from high volume to effectively zero.
According to The New York Times, security researchers found not a single instance of a malicious phishing email or critical infrastructure probe aimed by Iran at the United States during that entire negotiating window. Activity resumed a couple of weeks after negotiations concluded, but at a reduced rate — and it did not return to pre-negotiation levels until Donald Trump withdrew the United States from the agreement.
That episode remains the clearest documented case in which diplomacy produced a genuine, measurable pause in state-sponsored cyber operations. It also illustrates how rare such outcomes are, and how dependent they are on the broader geopolitical stakes involved in the negotiations themselves.
The Bigger Picture
For organizations and security teams monitoring the current situation, the message from analysts is consistent: do not treat a ceasefire announcement — particularly one that does not directly name or formally bind the threat actors in question — as a signal to lower defenses. Iran-aligned groups have shown time and again that kinetic pauses are viewed as opportunities to regroup, redirect, and in many cases intensify digital operations. The current fragile US-Iran truce is unlikely to be an exception to that rule.
Source: Dark Reading