Iran-Backed Hackers Vow to Continue Cyberattacks Despite Ceasefire -- And They've Already Hit Kash Patel
Pro-Iranian hacking groups say they won't stop targeting U.S. infrastructure and officials just because of a fragile ceasefire -- and they've already proven their reach by breaching FBI Director Kash Patel's personal email. Federal agencies are now warning that these groups have infiltrated critical systems controlling ports, power plants, and water facilities across America.
The shaky ceasefire between Iran, the United States, and Israel isn't stopping Tehran-backed hackers from targeting American infrastructure -- and federal agencies just issued an urgent warning that these groups have already burrowed into systems controlling critical facilities across the country.
One prominent hacking collective called Handala made its intentions crystal clear after the ceasefire announcement: they're temporarily pausing attacks on the U.S. but will resume "when the time is right." In the meantime, they'll keep hitting Israeli targets. The group operates as part of a pro-Palestinian, pro-Iranian network that functions independently of Tehran's direct control.
"We did not begin this war, but we will be the ones to finish it," Handala wrote on X. "And let it be clear: The cyber war did not begin with the military conflict, and it will not end with any military ceasefire."
That's not an idle threat. Handala has already claimed responsibility for disrupting operations at Stryker, a major Michigan-based medical equipment manufacturer, and -- in what should alarm anyone concerned about national security -- hacking into FBI Director Kash Patel's personal email account. After the FBI seized four web addresses the group used to spread its message, Handala responded by leaking old photos of Patel as proof of the breach.
Critical Infrastructure Already Compromised
On Tuesday, the FBI, National Security Agency, and Cybersecurity and Infrastructure Security Agency issued a joint advisory warning that Iran-aligned hackers have penetrated internet-connected computers used to automate and control industrial technology. These devices, known as programmable logic controllers, run operations at ports, power plants, and water treatment facilities -- exactly the kind of infrastructure that foreign adversaries target to disrupt daily life and sow chaos.
The agencies urged organizations using this technology to immediately verify their security measures are current. CISA did not respond to questions about how the ceasefire might affect the cybersecurity threat landscape.
Cybersecurity experts say Americans should take these warnings seriously regardless of any temporary truce between governments.
Markus Mueller, a cybersecurity executive at Nozomi Networks, predicts cyberattacks on American organizations will actually increase following the ceasefire, not decrease. His reasoning: any lull in direct military hostilities frees up hacking groups to shift focus from regional conflict zones to U.S. targets that supported the war effort -- including data centers, tech companies, and defense contractors.
Mueller also warned that groups based in Iran or Russia might use the ceasefire as cover to launch a spectacular cyberattack designed to grab American public attention and demonstrate their continued capabilities despite the truce.
"With a ceasefire, we will likely see an expansion of cyber activity both in scale and scope," Mueller said. "These groups will likely try to execute a high-profile attack such as what we saw with Stryker."
High Volume, Growing Sophistication
So far, attacks attributed to pro-Iranian hackers have been high in volume but relatively low in immediate impact -- designed more to boost morale among Iran's supporters and remind opponents of ongoing vulnerabilities than to cause catastrophic damage.
But the scope of their operations keeps expanding. Beyond Handala's hits on Stryker and Patel, other pro-Iranian hacking groups have been linked to installing malware on Israelis' phones, penetrating surveillance cameras across the Middle East to improve Iran's missile targeting accuracy, and attacking data centers and industrial facilities in Israel, Saudi Arabia, and Kuwait.
The ceasefire itself already looks fragile, with both sides claiming victory and significant disagreements emerging over its terms. If it collapses, the cyber warfare that has become deeply embedded in this conflict will only intensify.
What's clear is that digital warfare doesn't pause just because diplomats announce a truce. The hackers targeting American infrastructure and officials like Patel have made their position explicit: they'll strike when and where they choose, ceasefire or not.
For critical infrastructure operators and government agencies, that means the threat level hasn't dropped -- it may have just entered a more dangerous phase.