The Theater of Cyber War: How Russian "Hacktivists" Are Performing for Iran Without Actually Hacking Anything


Executive Summary

Since the Iran-Israel conflict escalated in early March 2026, Russian-aligned hacktivist groups have flooded Telegram with claims of breaching Israeli critical infrastructure. Groups called Cardinal (now rebranded as Monarch), Russian Legion, and RuskiNet claim access to everything from Israel’s Iron Dome to IDF personnel databases to nuclear facility control panels.

Every single claim is fake. The “evidence” consists of AI-generated graphics of fictional systems, government documents signed by people who left office years ago, and recycled data from old breaches repackaged as fresh leaks.

This doesn’t reflect declining Russian cyber capability. Russia’s state-sponsored apparatus remains among the world’s most advanced. It reveals a calculated decision to do the bare minimum: signal to Iranian counterparts that “we are here for you” while avoiding any real compromise of Israeli or Western infrastructure.


The Actors

Cardinal / Monarch / Russian Legion

Cardinal formed on January 27, 2026, taking a leading role in the newly created Russian Legion alliance. The group later rebranded to Monarch (“WE ARE RUSSIAN LEGION / WE ARE MONARCH” is their Telegram sign-off).

Orange Cyberdefense’s investigation [1] describes Cardinal/Monarch as “state-aligned yet operating with notable independence” and “a specialist in narrative strikes, blending disinformation, NLP tactics, and media framing to shape public perception.” Their operations “focus less on technical disruption and more on psychological destabilization, amplifying spectacular yet often unverifiable claims.”

RuskiNet

RuskiNet surfaced in mid-2025, claiming Russian affiliation and operating from Eastern Europe. Their recent activity is almost entirely target lists (Israeli universities, healthcare sites, radio stations, telecom providers) and OpIsrael recruitment messages with no technical substance.


The Claims vs. Reality: A Case-by-Case Breakdown

Claim 1: “We Disabled the Iron Dome Over Tel Aviv”

Date: March 16, 2026 | Channel: Russian Legion

[Image: Cardinal’s Iron Dome claim posted on the Russian Legion Telegram channel. Screenshot from the Russian Legion Telegram channel.]

Cardinal posted a bilingual message claiming the group “showed how we disabled the Iron Dome over Tel Aviv” and that the U.S. was rushing a C-17 with 950 Tamir missiles as emergency resupply. They cited a Pentagon document, DLA-TRANS-2026-0892-S, allegedly classified SECRET/NOFORN and signed by Mark Esper.

Why it’s fabricated: Mark Esper was removed as Secretary of Defense in November 2020. He’s held no government position since. A March 2026 Pentagon logistics document wouldn’t bear his signature. The document reference number follows no known DLA naming convention, and no resupply operation was reported by any credible defense source.

Claim 2: “David’s Sling Is No Longer a Shield” (Ballistic Missile Database)

Date: April 2, 2026 | Channel: Russian Legion

[Image: Cardinal’s David’s Sling claim with AI-generated terminal screenshot. Screenshot from the Russian Legion Telegram channel.]

Cardinal claimed to be “inside Israel’s missile defense C2 panel” with a “ballistic threat database fully exported, 1.27 GB.” They posted a screenshot of a “Secure Terminal” showing a “Ballistic Missile Database (Live)” with entries for Yemen, Iran, Syria, and other countries.

Why it’s fabricated: The screenshot is AI-generated. The “terminal” uses a stylized red/black color scheme with a globe overlay that looks like video game graphics, not real military C2 systems. The column headers (Origin, C-RAM Status, Intercept Probability, Last Updated, Data Status) don’t match how actual BMC systems categorize threats. And the text mentions “transferred to remote node (cardinal.sec)” — Cardinal branding itself inside what should be a classified military system.

Claim 3: Nuclear Facility “SharePoint” Breach

Date: Various | Channel: Russian Legion

[Image: Cardinal’s fabricated nuclear facility SharePoint breach, showing shalepoint.com in the URL bar. Screenshot from the Russian Legion Telegram channel.]

The most telling example. Cardinal claimed to have breached a nuclear facility’s SharePoint, posting a screenshot of a document library for “Incident Response - Dimona” with a PowerShell window showing SCADA event logs and a file explorer pointing to \\fs-02\forensics\dimona.

But the URL bar reads https://w.shalepoint.com/incident-Response-dimona/ instead of sharepoint.com. Note the L instead of R.

That’s not a typo in Cardinal’s infrastructure. It’s a fabrication error, likely from someone who doesn’t use SharePoint regularly or whose first language handles Latin characters differently. A real breach would show a URL under the target’s Microsoft 365 tenant domain, not a misspelled external domain.
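The domain check described above can be made mechanical. The Python below is an added example, not code from the original post or from Profero: it takes a URL visible in claimed evidence, tests whether the host sits under the vendor’s real domain (for SharePoint Online, a tenant label under sharepoint.com), and flags registrable domains that are one or two edits away from a known SaaS domain as look-alikes. The reference list of SaaS domains and the `contoso` tenant URL are constructed assumptions; the shalepoint.com URL is the one quoted in the post.

```python
from urllib.parse import urlsplit

# Constructed reference list (assumption): registrable domains of SaaS
# platforms whose web UI is commonly imitated in fabricated screenshots.
KNOWN_SAAS_DOMAINS = {
    "sharepoint.com": "Microsoft SharePoint Online",
    "office.com": "Microsoft 365",
    "salesforce.com": "Salesforce",
    "atlassian.net": "Atlassian Cloud",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a one-letter swap such as shalepoint/sharepoint scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Enough for the .com/.net entries above;
    a production tool should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str, max_distance: int = 2) -> dict:
    """Classify a URL shown in claimed breach evidence.

    tenant-url        host is a subdomain of a known SaaS domain (<tenant>.sharepoint.com)
    vendor-root       bare vendor domain with no tenant label, unusual for a tenant breach
    lookalike-domain  within max_distance edits of a known SaaS domain, but not equal
    unrelated-domain  nothing in the reference list resembles it
    """
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    result = {"url": url, "host": host, "registrable": reg,
              "finding": "unrelated-domain", "lookalike_of": None}
    if reg in KNOWN_SAAS_DOMAINS:
        result["finding"] = "tenant-url" if host != reg else "vendor-root"
        return result
    for known in KNOWN_SAAS_DOMAINS:
        if edit_distance(reg, known) <= max_distance:
            result["finding"] = "lookalike-domain"
            result["lookalike_of"] = known
            break
    return result


def triage(urls):
    """Return only the assessments whose domain is inconsistent with a SaaS-tenant breach claim."""
    return [r for r in map(assess_url, urls)
            if r["finding"] in ("lookalike-domain", "unrelated-domain")]


if __name__ == "__main__":
    samples = [
        "https://w.shalepoint.com/incident-Response-dimona/",       # quoted in the post
        "https://contoso.sharepoint.com/sites/incident-response/",  # constructed tenant-style URL
    ]
    for r in map(assess_url, samples):
        print(f'{r["host"]:<28} {r["finding"]:<18} {r["lookalike_of"] or ""}')
```

The look-alike test is deliberately loose (distance of two) because fabricated evidence tends to contain exactly this kind of near-miss; a real tenant URL passes only if its registrable domain matches the vendor exactly and carries a tenant label in front of it.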

Claim 4: IDF Personnel Database Leak (5,234 Records)

Date: March 17, 2026 | Channel: Russian Legion

[Image: Cardinal’s IDF personnel database claim. Screenshot from the Russian Legion Telegram channel.]

Cardinal’s most detailed claim: access to an “IDF MANPOWER DATABASE” with 5,234 records containing names, ranks, units, phone numbers, bases, and clearance levels. They named Unit 8200, Golani, Shayetet 13, and IAF pilots.

Why it’s likely fabricated or recycled: Zero verifiable samples. Instead of posting redacted data rows as proof, Cardinal wrote “Full database is out there. Find it. Or find yourself.” This mirrors a pattern Group-IB analysts [2] identified: RuskiNet-affiliate “YK3” previously claimed a leak of 38,000 Israeli SAP employees’ data. That data matched a known leak from October 2023. Real data breaches follow a recognizable pattern where threat actors post samples to establish credibility. Cardinal skips this entirely.
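The Group-IB finding above, a “fresh” leak that matched an October 2023 dump, points at the check an analyst runs when samples do exist: normalize the released records, fingerprint them, and measure how many already appear in older public dumps. The Python below is an added example, not part of the post or any vendor’s tooling. All records are constructed placeholders (example.com addresses), and the 80% “recycled” threshold is an assumption.

```python
import hashlib
import re


def normalize_record(record: dict) -> str:
    """Canonical form so cosmetic re-formatting (case, whitespace, phone punctuation)
    cannot disguise a record copied from an older dump."""
    name = " ".join(record.get("name", "").lower().split())
    email = record.get("email", "").strip().lower()
    phone = re.sub(r"\D", "", record.get("phone", ""))
    return f"{name}|{email}|{phone}"


def fingerprint(record: dict) -> str:
    """Stable hash of the normalized record; only hashes need to be retained or shared."""
    return hashlib.sha256(normalize_record(record).encode("utf-8")).hexdigest()


def overlap_ratio(claimed: list, known_old: list) -> float:
    """Fraction of claimed records whose fingerprint already exists in known_old."""
    if not claimed:
        return 0.0
    old = {fingerprint(r) for r in known_old}
    hits = sum(1 for r in claimed if fingerprint(r) in old)
    return hits / len(claimed)


def classify_sample(claimed: list, known_old: list, threshold: float = 0.8) -> str:
    """no-samples: nothing to verify (the Claim 4 situation)
    recycled:   at or above threshold overlap with an older dump
    mixed:      partial overlap, needs manual review
    possibly-new: no overlap with the reference dump"""
    if not claimed:
        return "no-samples"
    ratio = overlap_ratio(claimed, known_old)
    if ratio >= threshold:
        return "recycled"
    if ratio == 0.0:
        return "possibly-new"
    return "mixed"


# Constructed placeholder data (assumption), standing in for an older public dump
# and for the rows an actor releases as "proof" of a new breach.
OLD_DUMP_2023 = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "+1 555-0100"},
    {"name": "Bob Example", "email": "bob@example.com", "phone": "+1 555-0101"},
    {"name": "Carol Example", "email": "carol@example.com", "phone": "+1 555-0102"},
]
CLAIMED_NEW_LEAK = [
    {"name": "alice   example", "email": "ALICE@example.com", "phone": "15550100"},
    {"name": "Bob Example", "email": "bob@example.com", "phone": "(1) 555 0101"},
    {"name": "Dan Example", "email": "dan@example.com", "phone": "+1 555-0103"},
]

if __name__ == "__main__":
    print("overlap:", round(overlap_ratio(CLAIMED_NEW_LEAK, OLD_DUMP_2023), 3))
    print("verdict:", classify_sample(CLAIMED_NEW_LEAK, OLD_DUMP_2023))
    print("no samples:", classify_sample([], OLD_DUMP_2023))
```

Hashing the normalized form is what makes the comparison practical: an analyst can hold fingerprints of many historical dumps without keeping the personal data itself, and an actor who re-cases emails or reformats phone numbers still collides with the old records.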

Claim 5: Starlink NOC Breach

Date: March 17, 2026 | Channel: Russian Legion

[Image: Cardinal’s Starlink NOC breach claim. Screenshot from the Russian Legion Telegram channel.]

Cardinal claimed to have breached Starlink’s Network Operations Center with drone GPS spoofing capabilities.

Why it’s fabricated: SpaceX/Starlink’s NOC is one of the most hardened environments in commercial space, operating under ITAR restrictions. No corroborating evidence from Starlink, SpaceX, or any third-party researcher has surfaced. GPS spoofing of military drones requires physical RF equipment in proximity, not network access to a satellite ISP’s NOC.


Why This Matters: The “Bare Minimum” Strategy

What Russia Can Actually Do

Consider what Russian state-sponsored cyber operations look like when Moscow actually decides to act:

  • NotPetya (2017): $10 billion+ in global damage via a supply chain attack on Ukrainian accounting software. Maersk, FedEx, Merck, and hundreds of others crippled.
  • SolarWinds/SUNBURST (2020): Compromised a major IT management company’s build process, accessing 18,000 organizations including the U.S. Treasury and DHS.
  • Colonial Pipeline (2021): DarkSide ransomware (operating from Russia with implicit state tolerance) shut down the largest U.S. fuel pipeline.
  • Viasat KA-SAT (2022): Hours before invading Ukraine, GRU disabled satellite communications across Europe using AcidRain wiper malware.
  • Sandworm’s Power Grid Attacks (2015-2016): GRU Unit 74455 caused physical power outages in Ukraine by remotely manipulating SCADA systems, requiring months of patient reconnaissance and deep ICS/OT expertise.

These operations require real initial access, real lateral movement, real exploitation. They produce real, verifiable damage. No one involved needs to post AI-generated screenshots on Telegram.

What Cardinal and Russian Legion Are Actually Doing

Compare that to Cardinal/Russian Legion:

  • Posting AI-generated terminal screenshots on Telegram
  • Citing documents “signed” by officials who left office six years ago
  • Misspelling “SharePoint” as “Shalepoint” in their fabricated evidence
  • Spamming four identical messages about Iron Dome BMC data
  • Referencing their own branding (“cardinal.sec”) inside supposedly classified military systems
  • Telling victims to “find the database yourself” instead of providing samples

The gap between Russia’s actual cyber capability and what these groups produce isn’t a capability gap. It’s an intent gap.

The Strategic Calculus

Russia’s calculation is straightforward. Have “independent” hacktivist groups claim attacks against Israel to signal support to Tehran without provoking a cyber response from Israel, the U.S., or NATO. Actual compromise of Israeli defense systems would constitute a war-level provocation, and Russia has no interest in opening a cyber front with Israel while still engaged in Ukraine.

These groups are officially “state-aligned but independent.” If claims get debunked (as all of them have), Moscow bears no responsibility. Even fake claims generate headlines and momentary panic. For an influence operation, the claim itself is the product.

On March 3, 2026, pro-Russian hacktivist clusters formally joined the pro-Iran coalition [3]. It was a political gesture. The quality of operations that followed confirms it was never intended to be more.

As CrowdStrike’s Adam Meyers noted [4]: “At this stage, much of the activity being publicized appears to be claim-driven rather than evidence-backed.”


Contradictions with Historical Russian Operations

Every pattern established by real Russian cyber operations, from GRU Units 26165 and 74455 to SVR’s APT29, is absent here. Months of patient reconnaissance: none. Real damage verified by victims: none. Extreme operational security: the opposite; Cardinal brands itself inside supposedly classified terminals. Verifiable data samples: “find the database yourself.”

GRU operators don’t announce themselves on Telegram. SVR doesn’t generate screenshots with AI. FSB-linked groups don’t misspell the names of the systems they claim to have breached.


Conclusion

Cardinal, Russian Legion, Monarch, RuskiNet, and their allied groups aren’t demonstrating weakness. They’re demonstrating restraint, with theater.

Russia’s actual cyber operators, the units that built NotPetya, compromised SolarWinds, and took down power grids, are absent. What we see instead are front groups producing made-for-Telegram content: AI-generated terminals, Pentagon documents signed by people who left office in 2020, misspelled URLs that betray the forgery.

The message to Iran: “We are here for you.” The message to Israel and the West, read between the lines: “We are not actually here for this fight.”

For now.


TLP:WHITE — Disclaimer

This research was produced by the Profero Threat Intelligence team using data from the Rapid-IR IQ platform. AI-assisted analysis was used in the production of this report. All claims referenced in this report are attributed to the threat actors themselves and have been assessed as unverified or fabricated based on available evidence.