Shaky ceasefire unlikely to stop cyberattacks from Iran-linked hackers for long
What Happened

  • Despite an uncertain ceasefire between Iran and the US and Israel, cybersecurity analysts warn that Iran-linked hacker groups are unlikely to halt cyberattack operations in the near term
  • Following US-Israel coordinated military strikes (Operation Epic Fury/Roaring Lion, February 28, 2026), Iran launched a sustained multi-vector retaliatory cyber campaign targeting critical infrastructure in the US, Israel, and allied nations
  • Key Iranian Advanced Persistent Threat (APT) groups active in this campaign include MuddyWater, APT34, APT33, CyberAv3ngers (IRGC-linked), and the hacktivist persona Handala Hack (MOIS-linked)
  • CERT-In and Indian cybersecurity agencies are on alert, as Iran-linked groups have historically targeted South Asian and Gulf-region infrastructure, and India's digital ecosystem presents potential collateral or deliberate targets
  • Critical infrastructure sectors targeted include water systems, energy grids, industrial control systems (specifically Rockwell Automation and Allen-Bradley PLCs), and healthcare

Static Topic Bridges

Advanced Persistent Threats (APTs) and State-Sponsored Cyber Operations

An Advanced Persistent Threat (APT) refers to a sophisticated, long-term cyber espionage or sabotage campaign typically conducted or sponsored by a nation-state. Unlike opportunistic attacks, APTs involve sustained, covert access to a target network, often for months or years, for intelligence gathering, data exfiltration, or pre-positioning to cause disruption. Nation-state APT groups are typically named and tracked by the intelligence agencies or private cybersecurity firms that monitor them, using naming conventions such as APT followed by a number, Fancy Bear, Lazarus Group, etc.

  • The Iranian APT ecosystem is divided between groups linked to the Ministry of Intelligence and Security (MOIS) and those linked to the Islamic Revolutionary Guard Corps (IRGC)
  • MOIS-linked groups: MuddyWater, APT34 (OilRig), Handala Hack — focused on intelligence gathering, hack-and-leak, and psychological operations
  • IRGC-linked groups: APT33 (Elfin), APT55, CyberAv3ngers — focused on destructive attacks on industrial control systems (ICS/OT environments)
  • Wiper malware (designed for permanent data destruction) is a signature tool of Iran-linked actors; it differs from ransomware in that there is no recovery mechanism, since the goal is destruction rather than extortion
  • PLCs (Programmable Logic Controllers) and SCADA (Supervisory Control and Data Acquisition) systems are primary targets for industrial sabotage

Connection to this news: The ceasefire between Iran and the US/Israel addresses kinetic conflict but does not dismantle the APT infrastructure — groups like Handala and CyberAv3ngers operate semi-independently and can sustain campaigns even as diplomatic channels open.

CERT-In — India's Cybersecurity Response Framework

The Indian Computer Emergency Response Team (CERT-In) is India's national nodal agency for cybersecurity incident response, established under Section 70B of the Information Technology Act, 2000. CERT-In operates under the Ministry of Electronics and Information Technology (MeitY) and is responsible for collecting, analysing and disseminating information on cyber incidents, coordinating cyber incident response activities, and issuing advisories to government and critical sector entities.

  • Established under Section 70B of the IT Act, 2000; notified as the national nodal agency via gazette notification in 2004
  • Jurisdiction covers government entities, critical infrastructure operators, and registered private entities in critical sectors
  • CERT-In Directions (April 2022): Mandated that all entities report cybersecurity incidents within 6 hours; also required ICT service providers, data centres, VPN providers, and cloud providers to maintain logs for 180 days and report certain categories of incidents
  • The 2022 Directions were controversial for requiring VPN providers to retain user logs — several international VPN companies exited India in protest
  • CERT-In coordinates with international counterparts via bilateral agreements and multilateral forums such as APCERT (Asia Pacific CERT) and FIRST (Forum of Incident Response and Security Teams)
  • Critical Information Infrastructure (CII) protection: Section 70 of the IT Act designates "protected systems" whose compromise could have a debilitating impact on national security

Connection to this news: CERT-In's alert posture in the context of Iran-linked attacks reflects the expanding definition of India's cyber threat perimeter — beyond domestic actors to include geopolitically motivated state-sponsored groups whose campaigns can have spillover effects.

Cyberwarfare and International Law — Emerging Framework

The application of international law to cyberspace remains contested. The UN Group of Governmental Experts (UN GGE) has, in its 2013, 2015, and 2021 reports, affirmed that existing international law — including the UN Charter, international humanitarian law (IHL), and state responsibility principles — applies to cyberspace. However, there is no binding international treaty specifically governing cyberwarfare.

  • Tallinn Manual (2013, updated Tallinn Manual 2.0 in 2017): Non-binding NATO-commissioned expert document applying international law to cyber operations; most comprehensive codification of emerging norms
  • Key norms affirmed by UN GGE: States must not knowingly allow territory to be used for cyberattacks against other states; states must not conduct or knowingly support cyber operations that violate sovereignty; principle of due diligence applies
  • Cyber Attribution: Technical attribution of state-sponsored attacks relies on indicators such as code signatures and reuse, command-and-control (C2) infrastructure overlaps, targeting patterns, and operational security failures; legal attribution additionally requires diplomatic and intelligence confirmation, a much higher bar
  • India's position: India participates in UN GGE; advocates for a multilateral legally binding instrument on cybersecurity under UN auspices, with preference for an intergovernmental mechanism over multi-stakeholder models

Connection to this news: The Iran-linked cyberattacks highlight the attribution challenge and the absence of a credible deterrence mechanism — a ceasefire in kinetic conflict does not translate into cyber de-escalation because the legal and operational frameworks for cyber conflict are still evolving.

Key Facts & Data

  • Operation Epic Fury / Roaring Lion: US-Israel coordinated strikes on Iran, February 28, 2026 — triggered Iranian cyber retaliation
  • Key Iranian APT groups: MuddyWater, APT34 (MOIS-linked); APT33, APT55, CyberAv3ngers (IRGC-linked)
  • Handala Hack: Formally attributed to MOIS by the US DOJ (March 20, 2026) as a "fake activist persona" used for hack-and-leak operations
  • Stryker Corporation (medical tech): Confirmed cyberattack by Handala on March 11, 2026
  • Targets: Rockwell Automation and Allen-Bradley PLCs in water, energy, government services sectors
  • CERT-In established: Under Section 70B, IT Act, 2000; under MeitY
  • CERT-In 2022 Directions: 6-hour mandatory incident reporting; 180-day log retention for ICT providers
  • UN GGE Reports applying international law to cyberspace: 2013, 2015, 2021
  • Tallinn Manual 2.0: Published 2017; NATO CCDCOE-commissioned; non-binding expert document on cyber norms
  • Iran's internet connectivity dropped to 1-4% immediately post-strikes, temporarily degrading state-sponsored cyber capabilities