Investigators in Poland are looking into whether Iranian threat actors were behind the cyberattack late last week on the country’s nuclear power center, which the research institution said it was able to shut down before it caused any damage.

According to a report in Reuters, Krzysztof Gawkowski, Poland’s minister for digital affairs, told a private broadcaster that “the first identifications of the entry vectors, i.e., those places from which (the center) was attacked, are related to Iran. When there is final information and the services will check it, we will verify it, but there are many indications that it took place on the territory of Iran.”

That said, Gawkowski cautioned that the attack on Poland’s National Centre for Nuclear Research (NCBJ) may not have been related to Iran, and that those “first indications” may have been a false flag used by the bad actor to hide their origin and intentions.

However the investigation turns out, it’s another nod to the rapid escalation in the activity of both Iran-linked threat groups and independent, pro-Iran hacktivists in the wake of the bombing campaign waged by the United States and Israel that started February 28 and that shows little indication of slowing down.

It also shows how a country like Iran can fight back against larger countries that have superiority in traditional kinetic warfare but are more vulnerable in cyberspace, and how attacks on their enemies’ allies – Poland, like the United States, is a NATO member but is not participating in the current conflict – can be used to ramp up pressure on the aggressors.

Security Procedures and Systems Held

In its statement released March 13, the NCBJ attributed the lack of damage caused by the attack to its security procedures, systems, and teams. In the statement, the center’s director, Jakub Kupecki, said the security procedures blocked the attack, protecting the infrastructure and enabling the institute to continue work as normal. The operations of the center’s MARIA reactor were not disrupted and it continued to operate.

The attack comes about three months after another one on Poland’s power grid in December 2025 by Sandworm, an advanced persistent threat (APT) group linked to Russia’s GRU military intelligence agency.

The reaction to the initial U.S. and Israeli attacks in cyberspace was swift. Within hours of the first bombs falling, more than five dozen pro-Iranian hacktivist groups mobilized over Telegram, according to CloudSEK researchers.

Iranian Group Handala Jumps All the Way In

Many of the more publicized attacks are being attributed to – and claimed by – Handala, a highly active hacktivist group that reportedly has since been embraced by the Islamic Revolutionary Guard Corps (IRGC), the military regime in Iran that directs many of the cyber operations run by Iran-nexus groups.

Handala also is suspected of being behind the broad attack on Stryker, a U.S. company with global operations that reported last week that massive amounts of data on corporate Windows systems – from servers down to mobile devices – were erased by data wiper malware. In all, more than 200,000 Stryker systems were targeted in the attack.

Stryker executives didn’t say in their statements who was behind the attack, but Handala in a message on Telegram took credit, claiming to have extracted 50 TB of data.

Other Attackers, Other Attacks

Flashpoint researchers, who have been issuing near-daily reports about both the kinetic and cyber sides of the war, noted in their latest missive over the weekend that “multiple hacktivist groups launched a coordinated wave of cyberattacks against Israeli, Emirati, Qatari, and Kuwaiti entities.”

Among those are distributed denial-of-service (DDoS), data wiping, and ransomware attacks, the researchers wrote.

Recently, Handala claimed another data-wiping attack, this time against the Hebrew University of Jerusalem. The threat group stated it had erased more than 48 TB of data and exfiltrated 23 TB of confidential information. To corroborate its claim, Handala showed an image of multiple disconnected network drives, Flashpoint wrote.

Ransomware and DDoS Threats

Two other groups, Cyber Islamic Resistance and 313 Team, said they were responsible for a ransomware attack against an Israeli company, Meginim Data Services, claiming the network was encrypted. They demanded a ransom worth $500,000 in Monero cryptocurrency and, to prove the legitimacy of their attack, published what appeared to be a spreadsheet holding sensitive employee information.

The 313 Team also said it ran DDoS attacks against the UAE’s Interior Ministry and defaced websites in Kuwait.

Meanwhile, the Khatam Suleiman group said it compromised Israeli military systems, accessing personal data and military files related to the Israeli Ramat David Airbase.

Russian Group Joins In

The pro-Russian group NoName057, which also hustled to join the cyberwar soon after the war started, said it was behind DDoS attacks against government and insurance websites in Israel and Cyprus.

Such cyberattacks launched during a kinetic war should no longer be a surprise. In a report last week, ESET researchers noted a physical attack by Iran on three Amazon Web Services data centers in the UAE and Bahrain, but wrote that “for most organizations, however, the more immediate risk plays out in cyberspace and involves all manner of threat actors.”

“The outbreak of a kinetic conflict often broadens both the volume and the cast of cyber-actors involved,” the researchers wrote. “Hacktivist activity – noisy and often wrapped in bluster and bravado – often surges first. Advanced Persistent Threat (APT) operations involving reconnaissance and initial access run in parallel or closely behind. Once footholds are established and targets are mapped, the stage is set for whatever the operation was actually designed to accomplish, be it espionage, disruption, sabotage or other goals.”