Full Report
Pro-Iran hackers who have claimed attacks on multiple Western websites throughout the U.S.-Israel conflict with the Islamic Republic said they were behind the outage of an incident response platform that alerts residents and response teams during disasters, attacks, public health emergencies and more. The D.C. Homeland Security and Emergency Management Agency announced on Facebook Friday…
Analysis Summary
# Incident Report: Pro-Iran Hacker Attack on Everbridge Emergency Platform
## Executive Summary
In late June 2026, the pro-Iran threat group "Islamic Cyber Resistance in Iraq – 313 Team" launched a distributed denial-of-service (DDoS) attack against Everbridge, a critical incident response platform. The attack resulted in a nationwide outage of emergency notification services across several U.S. cities, including Washington D.C., Fairfax County, and San Francisco. While internal notification systems were disrupted, federal Wireless Emergency Alerts (WEA) remained operational.
## Incident Details
- **Discovery Date:** June 26, 2026
- **Incident Date:** June 26–27, 2026
- **Affected Organization:** Everbridge (and municipal clients like DC HSEMA)
- **Sector:** Critical Infrastructure (Emergency Services / Communications)
- **Geography:** United States (Nationwide impact)
## Timeline of Events
### Initial Access
- **Date/Time:** Friday, June 26, 2026 (Evening)
- **Vector:** Distributed Denial of Service (DDoS)
- **Details:** Attackers flooded Everbridge servers with traffic, targeting the login interface and alert issuance modules.
### Lateral Movement
- **Details:** No lateral movement was reported; the attack focused on external-facing infrastructure availability.
### Data Exfiltration/Impact
- **Details:** No data exfiltration was reported. The impact was purely operational: a nationwide outage of the Everbridge platform, disabling the "AlertDC" system and similar services in other jurisdictions.
### Detection & Response
- **Friday Evening:** DC HSEMA and other agencies detected the outage and posted public notices on social media.
- **Friday Night:** 313 Team claimed responsibility via Telegram, stating they disabled the login interface to prevent alert issuance.
- **Saturday Morning:** Everbridge resolved the outage; municipal agencies began monitoring for stability.
## Attack Methodology
- **Initial Access:** Network Layer/Application Layer DDoS.
- **Persistence:** Not applicable (Transient disruption).
- **Defense Evasion:** Use of "sophisticated" traffic patterns to bypass standard rate limiting.
- **Impact:** Resource exhaustion aimed at shutting down the website and login interface, specifically to prevent "urgent alerts and warnings to the population."
## Impact Assessment
- **Financial:** Unspecified; service disruptions of this kind commonly lead clients to request service credits.
- **Data Breach:** None reported.
- **Operational:** Severe. Multiple U.S. cities were unable to send routine emergency alerts (crime, weather, traffic) for roughly four hours or more.
- **Reputational:** High. The 313 Team successfully demonstrated the ability to disrupt public safety communications during a period of geopolitical tension.
## Indicators of Compromise
- **Network Indicators:** High-volume traffic originating from diverse IP ranges (standard DDoS profile).
- **Behavioral Indicators:** Sudden spike in error rates for the Everbridge login portal and API endpoints.
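The behavioral indicator above (a sudden jump in error rates on the login portal and API endpoints) is something a defender can check for in ordinary web-server access logs. The script below is an added example written for this report; it is not code from Everbridge or from any of the affected agencies. It assumes the common combined access-log format, the `/login` and `/api/alerts` paths and all IP addresses are constructed placeholders, and the thresholds are illustrative. It buckets requests per minute and endpoint, compares each minute's volume against the median of that endpoint's earlier minutes, and flags a minute when volume jumps and most responses are server errors. It also reports how many distinct source addresses were involved, which speaks to the "diverse IP ranges" network indicator.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Combined access-log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoint families to watch. These prefixes are assumptions for the example,
# standing in for a login portal and an alert-issuance API.
WATCHED_PREFIXES = ("/login", "/api/alerts")


def endpoint_of(path):
    """Map a request path onto one of the watched endpoint families, or None."""
    for prefix in WATCHED_PREFIXES:
        if path.startswith(prefix):
            return prefix
    return None


def parse_line(line):
    """Parse one combined-format access-log line into the fields the detector needs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "minute": ts.replace(second=0),
        "endpoint": endpoint_of(m["path"]),
        "status": int(m["status"]),
    }


def aggregate(lines):
    """Bucket requests per (minute, endpoint): total count, 5xx count, distinct sources."""
    buckets = defaultdict(lambda: {"requests": 0, "errors": 0, "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["endpoint"] is None:
            continue
        b = buckets[(rec["minute"], rec["endpoint"])]
        b["requests"] += 1
        b["ips"].add(rec["ip"])
        if rec["status"] >= 500:
            b["errors"] += 1
    return buckets


def detect_spikes(lines, volume_factor=5.0, error_ratio=0.5, min_requests=20):
    """Flag minutes where an endpoint's volume jumps against its own history and
    most responses are server errors. The baseline is the median request count of
    the endpoint's earlier minutes, so the flood itself does not inflate it."""
    buckets = aggregate(lines)
    history = defaultdict(list)  # endpoint -> request counts of earlier minutes
    alerts = []
    for (minute, endpoint), b in sorted(buckets.items()):
        base = median(history[endpoint]) if history[endpoint] else 0
        ratio = b["errors"] / b["requests"]
        volume_jump = b["requests"] >= volume_factor * max(base, 1)
        if b["requests"] >= min_requests and volume_jump and ratio >= error_ratio:
            alerts.append({
                "minute": minute.isoformat(),
                "endpoint": endpoint,
                "requests": b["requests"],
                "error_ratio": round(ratio, 2),
                "distinct_ips": len(b["ips"]),
                "baseline": base,
            })
        history[endpoint].append(b["requests"])
    return alerts


def _line(ip, hhmmss, method, path, status):
    # Constructed log line: only the 26 June 2026 date comes from the incident.
    return (f'{ip} - - [26/Jun/2026:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 0 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed sample: three quiet minutes, then a flood minute on /login."""
    lines = []
    for m in range(3):  # baseline: four login hits and one API call per minute
        for i in range(4):
            lines.append(_line(f"198.51.100.{i}", f"18:0{m}:{10 + i * 5:02d}", "GET", "/login", 200))
        lines.append(_line("198.51.100.9", f"18:0{m}:45", "POST", "/api/alerts", 201))
    for i in range(40):  # flood: 40 distinct sources, the server mostly answering 503
        lines.append(_line(f"203.0.113.{i}", f"18:03:{i:02d}", "GET", "/login", 503 if i % 5 else 200))
    lines.append(_line("198.51.100.9", "18:03:50", "POST", "/api/alerts", 201))  # API stays healthy
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(sample_log()):
        print(alert)
```

Run as a script it prints one alert for the 18:03 minute on `/login` (40 requests against a baseline of 4, 80% server errors, 40 distinct sources) and nothing for `/api/alerts`. In practice the same aggregation would run over a streaming log pipeline, and the three thresholds would be tuned per endpoint against real traffic history rather than the round numbers used here.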
## Response Actions
- **Containment:** Agencies redirected residents to alternative communication channels (e.g., San Francisco DEM directed users to WhatsApp).
- **Eradication:** Everbridge implemented traffic filtering and load balancing to mitigate the DDoS.
- **Recovery:** Full service restored by late Saturday morning; system performance monitoring initiated.
## Lessons Learned
- **Redundancy is Vital:** Because the outage was limited to the vendor (Everbridge), agencies that utilized FEMA’s IPAWS/WEA system remained able to send life-safety alerts.
- **Communication Silos:** Third-party dependencies represent a significant single point of failure for municipal "Smart City" infrastructures.
- **Hacktivist Motivation:** The 313 Team is specifically targeting U.S. critical infrastructure as "revenge" for geopolitical conflicts, indicating a shift from simple website defacement to operational disruption.
## Recommendations
- **Multi-Vendor Strategy:** Municipalities should ensure they have secondary notification platforms or direct access to federal alert systems that do not rely on a single commercial vendor.
- **DDoS Mitigation:** Infrastructure providers for emergency services must employ advanced "Always-On" DDoS protection services capable of handling sophisticated, rapid-fire assaults.
- **Public Education:** Continue to educate the public on the difference between municipal alerts (subscription-based) and federal WEA alerts (automatic) so residents know which systems to trust during an outage.