Mallory

US–Israel Cyber Operations Against Iran and Expected Iranian Retaliation

Tags: state-sponsored-disruption, state-sponsored-espionage, government-diplomatic-threat, critical-infrastructure-threat, industrial-control-system-vulnerability
Updated March 21, 2026 at 02:16 PM · 2 sources

Reporting described a major escalation in cyber warfare tied to US and Israeli military operations against Iran, with claims of widespread disruption inside Iran alongside information operations. One account said Iran experienced a near-total digital blackout (connectivity dropping to ~4% of normal), outages affecting government services and communications, and media/PSYOPS-style intrusions (e.g., defacements/injections on pro-regime sites, hijacked messaging via a widely installed prayer app, and interference with broadcast feeds). The same narrative framed the activity as part of a coordinated campaign (described as Operation Roaring Lion / Epic Fury) and positioned it as a continuation of long-running US–Israel vs. Iran cyber escalation.

Threat intelligence and security firms warned that Iran-linked actors were already mobilizing for reprisal activity against Israel and potentially Western/allied targets. Cited reporting said Anomali assessed multiple Iranian groups (including MuddyWater, APT42, and APT33) as “activated and retooling,” while noting an unusual lack of visibility into APT34 that it interpreted as possible covert pre-positioning rather than inactivity. Flashpoint was cited as observing Iran-linked Handala Group activity targeting Israeli industrial control systems (ICS) and claiming disruption to manufacturing/energy distribution, alongside claims of data theft affecting an Israeli healthcare organization; the overall guidance was to expect heightened Iranian cyber operations in the wake of kinetic strikes.

Timeline

  1. Mar 1, 2026

    Iran-linked actors reported targeting Israeli ICS and Western networks

    Threat reporting said Iran-linked actors, including the Handala Group and allied coalitions, were targeting Israeli industrial control systems and claiming disruptions. The same reporting described DDoS activity, data-wiping, and attempted wiper deployments against U.S., Israeli, and broader Western targets as early signs of escalation.

  2. Mar 1, 2026

    Threat intelligence firms warn of broader Iranian cyber retaliation

    By 2026-03-01, multiple security firms assessed that Iranian state-aligned and proxy cyber activity was likely to intensify against U.S., Israeli, and other Western organizations. The warnings cited activation and retooling of groups including MuddyWater, APT42, and APT33, as well as the possibility of covert pre-positioning by APT34.

  3. Mar 1, 2026

    Hacktivist targeting of Israel and Gulf states surges after strikes

    In the 24 hours following the strikes, pro-Iranian and pro-Palestinian hacktivist activity increased sharply, with Israel becoming the top reported target and Gulf states entering the top five. Reported activity included mostly low- to medium-sophistication DDoS attacks and website defacements, alongside claims of more serious breaches and initial-access sales involving CCTV, RDWeb, and SCADA/PLC environments.

  4. Feb 28, 2026

    Iran experiences near-total internet blackout during strikes

    Around the start of the 2026-02-28 strikes, Iran suffered a major internet connectivity drop or near-total blackout. One source says the outage was likely a self-imposed shutdown by Iranian authorities, while another notes claims it may have related to attacks on communications infrastructure, with attribution unclear.

  5. Feb 28, 2026

    PSYOPS compromises hit Iranian media and communications platforms

    Coinciding with the launch of Operation Roaring Lion, pro-regime Iranian news sites were reportedly compromised to inject psychological-operations content, and the BadeSabaa prayer app was allegedly hijacked to display surrender messages. Iranian national TV Channel 3 satellite streams on IntelSat were also reportedly hijacked to broadcast speeches by Donald Trump and Benjamin Netanyahu.

  6. Feb 28, 2026

    Operation Roaring Lion begins against Iranian targets

    On 2026-02-28, the U.S. and Israel launched Operation Roaring Lion, a joint military campaign targeting Iranian military, nuclear, and government assets. The operation marked the trigger for the cyber and information activity described in the references.

Related Stories

Cyber and information operations intensify amid US-Israel strikes on Iran under “Operation Epic Fury”

US and Israeli military action against Iran under **“Operation Epic Fury”** has been accompanied by heightened cyber activity and public acknowledgment of offensive cyber operations. Reporting indicated a surge of pro-Iranian activity including **DDoS attacks**, attempted compromises, and targeting of **critical infrastructure**, with researchers warning that Iranian state-linked actors tied to the **IRGC** and **MOIS**, as well as aligned hacktivists, are likely to sustain retaliatory operations aimed at economic, reputational, and potentially physical disruption. Separately, reporting alleged Israeli intelligence conducted long-running surveillance by compromising **Tehran traffic cameras**, exfiltrating encrypted video and telemetry to servers outside Iran to build “pattern of life” intelligence on senior leadership movements. The Pentagon also elevated the visibility of cyber as a warfighting domain, with the Chairman of the Joint Chiefs describing coordinated **space and cyber** effects used to “disrupt, degrade, and blind” Iranian communications and sensor networks, though without operational detail. In parallel but unrelated to the Iran conflict, Russia’s internet regulator **Roskomnadzor** and the Russian Defense Ministry reported a “complex multi-vector” **DDoS** incident that temporarily disrupted multiple government sites, with traffic attributed to botnets and servers across several countries and continued user-reported instability after initial containment.

1 month ago

Cyber Operations Escalate Following US-Israeli Strikes on Iran

Military strikes by the United States and Israel against Iranian targets on **February 28, 2026** were followed within hours by a sharp escalation in cyber activity across the Middle East. Reporting describes widespread **DDoS attacks, website compromises, defacements, and breach claims**, with more than 150 hacktivist incidents reportedly claimed in the first two days of the crisis. Iranian connectivity was heavily disrupted, including outages affecting **IRNA**, while **Tasnim News** was reportedly compromised and displayed anti-regime messaging. The most affected sectors were identified as **government, aerospace and defense, and technology**, and regional states including **Israel, Kuwait, Jordan, Bahrain, Qatar, and the UAE** saw elevated cyber pressure. The surge also expanded beyond immediate regional targets, with security reporting warning that the conflict was driving attacks against global commercial sectors such as **travel, hospitality, and energy**. One cited example was a **March 11** claim by **Handala**, a hacktivist group alleged to have ties to Iranian intelligence, that it had conducted a large-scale **data-wiping attack** against medical technology company **Stryker**, allegedly destroying several terabytes of data. Additional reporting noted unconfirmed concerns that Iranian-linked actors could target the physical and digital infrastructure of major U.S. technology firms. The activity reflects a broader pattern of **geopolitically motivated cyber operations** acting as a force multiplier alongside kinetic conflict, rather than a standalone marketing or advisory narrative.

2 weeks ago

Iran Retaliation Cyber Risk After U.S. and Israeli Strikes

Coordinated U.S. and Israeli strikes on Iranian targets have raised expectations of **Iranian state-aligned cyber retaliation** against U.S., Israeli, and allied interests. Reporting and vendor intelligence assessments warn that Iran has historically paired kinetic escalation with cyber operations ranging from *low-level disruption* (website defacements and DDoS) to *higher-impact activity* (ransomware-style disruption, hack-and-leak operations, espionage, and destructive/wiper malware), with likely targeting pressure on government, critical infrastructure, defense, financial services, academia, and media. The situation is described as fast-moving, with no definitive public attribution yet tying major new cyber campaigns directly to the latest strikes. Separately, multiple reports highlight **unrelated** security issues: GreyNoise observed large-scale reconnaissance and SSL VPN enumeration against **SonicWall SonicOS** devices via commercial proxy infrastructure—activity consistent with precursor targeting that often precedes credential attacks and ransomware intrusions. CISA also issued updated technical details on **RESURGE**, a stealthy implant used in zero-day exploitation of **Ivanti Connect Secure** via `CVE-2025-0282`, including passive C2 behavior and TLS-fingerprint-based authentication/evasion; Mandiant linked the exploitation to China-nexus activity (UNC5221). Other items in the set include a generic IoT security pitfalls article, a weekly security roundup, and a conference write-up, none of which materially advance the Iran-retaliation storyline.

2 weeks ago
