
I. Targeted Entities
- Energy Sector
- Healthcare Sector
- Transportation Sector
- Financial Services
- Critical Infrastructure
- Telecommunications
- Higher Education
II. Introduction
DieNet first emerged on March 7th, 2025. According to Radware, a global cybersecurity and application provider, the group has claimed 61 attacks against 19 United States organizations. DieNet has also claimed 17 attacks against many organizations in countries such as Iraq, the Netherlands, Egypt, and Israel. DieNet is known to target critical infrastructure, particularly in the sectors of transportation, energy, finance, telecommunications, and healthcare. DieNet has been seen carrying out Distributed Denial of Service (DDoS) attacks against organizations to gain headline attention as a form of protest. They have targeted military and government entities around the time of political decisions.
- This hacktivist group has many political and social motives. They have stated that they are anti-Trump and anti-Zionist. Some pro-Palestinian hacktivist groups have endorsed DieNet, sharing the same ideologies and frameworks. It appears any organizations or groups in support of the United States President Donald Trump or receiving federal funding are targets. These cyber criminals often frame their attacks around retaliation for military actions or political decisions.
- This group includes bold and aggressive messages, threats, and taunts within their attacks. These bold and aggressive messages include statements such as “We are watching you”. These attacks are strategically carried out to maximize visibility. It has been noted that the persistence seen within these DDoS attacks would be near impossible for most botnets. These attacks are short but fierce, taking down and defacing websites and services.
III. Additional Background Information
- Hacktivists are individuals or groups that conduct cyber-attacks to bring awareness to specific political, social, religious, or global causes. These actions are carried out to gain visibility or make a statement, supporting a cause they are promoting. Hacktivism is carried out in many forms such as Distributed Denial of Service (DDoS) attacks, doxing, or defacement of websites. DDoS attacks work by using multiple botnets, which can be scattered across various geographic locations, to flood an organization's server infrastructure with traffic, making the resources unavailable. This can cause large disruptions in service. Botnets are networks of computers that have been infected with malware, hijacked, and now carry out various cyberattacks. These are especially important when it comes to large Distributed Denial of Service (DDoS) attacks as they require heavy computing power.
- DieNet stated on Telegram, a messaging service commonly used by this group’s members, that DieNet v2 has begun service, which includes larger botnets and increased membership. A report from the Center for Internet Security states that another Telegram message from DieNet, released on March 21st, told the public they had breached a United States Federal Government agency and acquired government employees' Personally Identifiable Information (PII). If this claim becomes verified, it could result in a large escalation of DieNet’s Tactics, Techniques, and Procedures (TTPs).
- At the time of this being written, Recorded Future, a leading cyber threat intelligence platform, has seen DieNet carry out suspected attacks in the United States against the Port of Los Angeles, Chicago Transit, Lumen Technologies, the North American Electric Reliability Corporation, U.S. Department of Commerce, International Trade Administration, Nasdaq, Inc., Northeastern University, Meditech, Pacific Gas and Electric Company, WaterOne, CoinBase, the National Emergency Medical Services Information System, U.S. Postal Service, Epic Systems, NASA, Veterans of Foreign Wars, FBI Crime Data Explorer, X, Axos Bank, Lyft, ProductionHUB, and Azure.
- Although there is currently limited information, as this group was established less than 3 weeks ago at the time this advisory was written, the group seems to use tactics that are defined in the MITRE ATT&CK framework, such as T1498, Network Denial of Service, and T1491.002, Defacement: External Defacement.
- Previous DDoS attacks that involve hacktivists bring major concern to the target industries as these attacks can cause service interruptions, societal concern, and financial losses.
- Organizations are strongly urged to maintain proper security practices. These practices should include security awareness training, applying the latest patches and monitoring for indicators of compromise (IoC). Failure to follow these procedures could result in severe disruptions and possible data breaches.
IV. MITRE ATT&CK
- T1498-Network Denial of Service
This type of attack involves the adversary blocking the availability of targeted resources to users of a system. In this case, the adversary exhausts the network bandwidth, rendering websites and services unavailable.
- T1491.002-Defacement: External Defacement
This type of sub attack is used to deface external systems of a group or organization in an attempt to display a message. In this case, DieNet is using this as a way to intimidate the organizations and gain visibility.
V. Recommendations
- Implement a Defense-In-Depth Strategy
- Implement many different layers of security. This can include reducing your organization’s DDoS attack surface by restricting access to areas and blocking communication on unused or unsecure ports, protocols, and services. Other layers include configuring Endpoint Detection and Response (EDR) software, firewalls, and robust Anti-Virus (AV) on all devices and systems. Always perform both online and offline backups. Performing both will ensure that copies of data are in various locations, one of which is inaccessible to the attacker.
- Apply Rate Limiting and Load Balancers
- Rate limiting puts a threshold on how often an action can be repeated in a certain timeframe. Implementation of rate limiting through network configuration settings can help prevent botnet activity. Load Balancers are the first line of defense against DDoS attacks. Having proper load balancers in place will also make sure your websites and services stay available during a DDoS attack. In the event of a DDoS attack, load balancers can distribute traffic across multiple servers, allowing the ability for services to remain available in some cases.
- Implement a Web Application Firewall (WAF)
- A WAF works dynamically using custom policies based on your organization's environment to filter and analyze network traffic. The WAF can change and add new policies to combat any emerging attacks by continuously monitoring network traffic for changes.
- Establish an Incident Response Plan
- Create or revise an incident response plan that includes steps for handling a Denial of Service or Distributed Denial of Service attack. The reaction team should be equipped and trained to deal with any possible breaches as well.
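The rate-limiting recommendation above, worked through as an added example (not from the advisory or any cited vendor): a per-client sliding-window limiter replayed over a constructed access log. The class and function names, the log format, the thresholds, and the documentation-range IP addresses are all assumptions made for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window_ms` span."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self.accepted = defaultdict(deque)  # client -> times of accepted requests

    def allow(self, client, now_ms):
        recent = self.accepted[client]
        # Forget accepted requests that have aged out of the window.
        while recent and now_ms - recent[0] >= self.window_ms:
            recent.popleft()
        if len(recent) >= self.limit:
            return False  # over the threshold: drop or challenge
        recent.append(now_ms)
        return True


def build_sample_log():
    """Constructed log lines: '<epoch_ms> <client_ip> <method> <path>'."""
    lines = [f"{t} 198.51.100.7 GET /login" for t in range(0, 30000, 5000)]
    # Constructed flood source: 100 requests per second for 10 seconds.
    lines += [f"{i * 10} 203.0.113.50 GET /login" for i in range(1000)]
    return sorted(lines, key=lambda line: int(line.split()[0]))


def replay(lines, limit=10, window_ms=1000):
    """Feed log lines through the limiter; return per-client counters."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for line in lines:
        ts, client, _method, _path = line.split()
        outcome = "allowed" if limiter.allow(client, int(ts)) else "rejected"
        stats[client][outcome] += 1
    return dict(stats)


def offenders(stats, min_rejected=50):
    """Clients rejected often enough to warrant an upstream block or alert."""
    return sorted(c for c, s in stats.items() if s["rejected"] >= min_rejected)


if __name__ == "__main__":
    results = replay(build_sample_log())
    for client, counts in results.items():
        print(client, counts)
    print("offenders:", offenders(results))
```

Per-client limits like this blunt a small number of noisy sources; a botnet spread across many addresses stays under any single-client threshold, which is why the advisory pairs rate limiting with load balancing and a WAF.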
VI. Indicators of Compromise (IOCs)
The attacks being carried out by DieNet are constantly evolving, have botnets that span across the globe, use encrypted traffic, and employ legitimate IP addresses, making it incredibly difficult to find reliable IoCs.
Type | Indicator |
---|---|
Telegram Forum | hxxps://t[.]me/D1eNet |
Telegram Forum | hxxps://t[.]me/DIeNlt |
Ally Telegram User | hxxps://t[.]me/blackopmrhamza2 |
Ally Telegram User | hxxps://t[.]me/LazaGrad |
Ally Telegram User | hxxps://t[.]me/sylhetgangsgofficial01 |
Hacker Forum | hxxps://t[.]me/ghostsforum/28129 |
VII. Additional OSINT Information
Image 1 of DDoS Attack on the Nasdaq Stock Exchange

Image 2 of Anti-Trump Verbiage

Recorded Future Threat Intelligence Platform
Image 3 of DieNet v2 DDoS Attack on Azure

Recorded Future Threat Intelligence Platform
Image 4 of DieNet Website Defacement

Recorded Future Threat Intelligence Platform
Image 5 of DieNet DDoS Affecting Login Pages

Recorded Future Threat Intelligence Platform
Associated Hacktivist Groups:
- Mr Hamza: Pro-Palestinian, pro-Russian, pro-Iranian hacktivist group promoting DieNet.
- LazaGrad Hack: Pro-Palestinian, pro-Russian hacktivist group promoting DieNet.
- Sylhet Gang-SG: Hacktivist group targeting allies of Zionist entities.
VIII. References
Baker, K. (2025). Indicators of compromise (IOC) security. CrowdStrike. https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/indicators-of-compromise-ioc/#:~:text=As%20cyber%20criminals%20become%20more,which%20makes%20detection%20more%20difficult.
Center for Internet Security (CIS). (2025, March 26). Threat Actor Profile – Emerging Hacktivist Group DieNet Claims Distributed Denial-of-Service Attacks against U.S. Critical Infrastructure.
CyberKnow (@cyberknow20). X. (2025). https://twitter.com/Cyberknow20
Defacement: External defacement. Defacement: External Defacement, Sub-technique T1491.002 – Enterprise | MITRE ATT&CK®. (n.d.). https://attack.mitre.org/techniques/T1491/002/
DieNet Activity Escalates Against US Organizations. Radware. (2025, March 18). https://www.radware.com/security/threat-advisories-and-attack-reports/dienet-activity-escalates-against-us-organizations/
DieNet Organization. Recorded Future. (2025). https://app.recordedfuture.com/portal/intelligence-card/sMCKdQ/overview
Dos attack vs ddos attack: Key differences? Fortinet. (n.d.-a). https://www.fortinet.com/resources/cyberglossary/dos-vs-ddos#:~:text=What%20Is%20The%20Difference%20Between,to%20flood%20a%20targeted%20resource.
Goldman, L. (2023, March 17). Why load balancers should be part of your security architecture. Spiceworks Inc. https://www.spiceworks.com/it-security/network-security/guest-article/load-balancers-security-architecture/#:~:text=Load%20balancers%20offer%20an%20extra,the%20importance%20of%20load%20balancers.
How to prevent ddos attacks | methods and tools. Cloudflare. (n.d.-a). https://www.cloudflare.com/learning/ddos/how-to-prevent-ddos-attacks/
Network denial of service. Network Denial of Service, Technique T1498 – Enterprise | MITRE ATT&CK®. (n.d.). https://attack.mitre.org/techniques/T1498/
What is API rate limiting and how to implement it on your website. DataDome. (2020). https://datadome.co/bot-management-protection/what-is-api-rate-limiting/
What is hacktivism? meaning, types, and more. Fortinet. (n.d.-b). https://www.fortinet.com/resources/cyberglossary/what-is-hacktivism
What is load balancing? | how load balancers work. Cloudflare. (n.d.-b). https://www.cloudflare.com/learning/performance/what-is-load-balancing/
What is rate limiting? | rate limiting and bots. Cloudflare. (n.d.-c). https://www.cloudflare.com/learning/bots/what-is-rate-limiting/
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analyst(s): Tim Kircher