Cyber and Technological Warfare
Digital Battlespace, Information Operations, and Technology Dimensions
Last Updated: March 3, 2026
Opening Cyber Operations
The first hours of Operation Epic Fury were accompanied by a comprehensive cyber offensive that targeted Iran's digital infrastructure in parallel with kinetic strikes. The scale and coordination of these operations suggest extensive pre-positioning of cyber capabilities well before the kinetic campaign began.
Near-Total Internet Blackout Verified [Source]
Within the opening hours of the military campaign, Iran experienced a near-total internet blackout. Connectivity monitoring services recorded a precipitous drop in Iranian internet traffic, effectively cutting the country off from global communications. This disruption targeted backbone infrastructure and international gateway nodes, preventing both civilian communication and military coordination through digital channels.
Prayer App Compromise
Widely used Iranian prayer apps were compromised and repurposed to deliver messages directly to the Iranian civilian population. This operation bypassed state-controlled media channels and demonstrated deep pre-conflict penetration of Iranian mobile ecosystems. The messaging sought to undermine confidence in the regime and shape civilian perceptions during the opening hours of the conflict.
Verified [Source]
State News Website Hijacking
Iranian state-controlled news websites were hijacked, with content replaced or altered to disrupt the regime's ability to control the domestic narrative. This denied the Iranian government its primary digital propaganda channels at the moment it most needed to communicate with its population and project an image of resilience.
Verified [Source]
Telecommunications Targeting
Iran's telecommunications infrastructure was systematically targeted, degrading both civilian and military communications networks. Combined with the internet blackout, this created a communications vacuum that severely hampered Iranian command-and-control during the critical opening phase of the conflict.
Verified [Source]
Hacktivist Surge
Approximately 60 hacktivist groups mobilized in the days following the opening strikes, conducting operations against various targets on both sides of the conflict. This surge in non-state cyber activity adds an unpredictable dimension to the digital battlespace and complicates attribution efforts.
Verified [Source]
Reported Cyber Events
| Date | Actor | Target | Method | Impact |
|---|---|---|---|---|
| Feb 28 | US / Israel / Allied | Iran internet infrastructure | Network disruption | Near-total internet blackout across Iran |
| Feb 28 | US / Israel / Allied | Iranian prayer apps | App compromise | Mass messaging delivered to civilian population |
| Feb 28 | US / Israel / Allied | State news websites | Website defacement / hijack | Regime narrative control disrupted |
| Feb 28 – Mar 3 | ~60 hacktivist groups | Various targets | Multiple vectors | Surge in decentralized hacktivist activity |
| Ongoing | Pro-Russian groups | Western targets | Various | Retaliatory operations against coalition nations |
| Ongoing | Iranian APT groups | US / Israeli infrastructure | Targeted campaigns | Potential escalation against critical infrastructure |
Iran's Cyber Capabilities
Iran has developed significant offensive cyber capabilities over the past decade, primarily through the IRGC Cyber-Electronic Command. While not on par with US or Israeli capabilities, Iran has demonstrated both the willingness and ability to conduct destructive cyber operations against critical infrastructure targets.
Historical Precedent: Destructive Attacks High Concern
Iran demonstrated its willingness to conduct destructive cyber operations with the 2012 Shamoon attack on Saudi Aramco, which wiped data from approximately 30,000 workstations. Between 2012 and 2013, Iranian actors also launched sustained DDoS attacks against the US financial sector. These precedents suggest that retaliatory cyber operations against Western critical infrastructure are a near-certainty in the current conflict.
Known Iranian Cyber Threat Groups
IRGC Cyber-Electronic Command
The primary military cyber organization responsible for both offensive and defensive operations. Directly subordinate to the IRGC leadership structure and believed to coordinate with intelligence services for espionage operations. The decapitation of IRGC leadership may temporarily disrupt command-and-control but is unlikely to eliminate operational capability.
APT33 (Elfin / Magnallium)
Historically targets aerospace, aviation, and energy sectors. Associated with destructive operations including deployment of Shamoon-variant wiper malware. Assessed to have pre-positioned access in multiple Western networks that could be activated for retaliatory operations.
APT34 (OilRig)
Focuses on government organizations, financial institutions, and energy companies. Known for sophisticated spear-phishing campaigns and custom malware development. Operates primarily in the Middle East and has targeted Gulf state allies of the US coalition.
APT35 (Charming Kitten)
Specializes in espionage and influence operations. Known for social engineering campaigns targeting government officials, journalists, and policy researchers. Likely to increase information warfare operations during the current conflict to shape international narratives.
Iranian Cyber Toolkit
- Destructive malware: Shamoon-style wiper variants capable of rendering systems inoperable
- DDoS capabilities: Distributed denial-of-service campaigns targeting financial and government services
- Website defacement: Propaganda-driven operations targeting high-profile public-facing sites
- Data theft and exfiltration: Espionage campaigns targeting defense, energy, and government data
- Supply chain compromise: Targeting managed service providers and software supply chains for broader access
Potential Iranian Cyber Targets
Critical Infrastructure at Risk High Likelihood
- US energy grid and oil/gas infrastructure: Natural retaliation vector given strikes on Iranian energy assets
- Financial systems: Banking networks, stock exchanges, and payment processing systems
- Defense contractor networks: Companies involved in strike planning and munitions supply
- Allied nation infrastructure: Gulf state, Israeli, and European systems supporting the coalition
- Industrial control systems (SCADA/ICS): Water treatment, power generation, and manufacturing systems
Palo Alto Networks Unit 42 Threat Brief Verified [Source]
Palo Alto Networks Unit 42 issued a specific threat brief addressing the March 2026 escalation, assessing Iranian cyber retaliation as highly likely and advising organizations with exposure to the energy, defense, and financial sectors to elevate their security posture immediately. The brief highlighted pre-positioned access as a key concern.
US / Israeli Cyber Capabilities
The coalition brings the most advanced offensive cyber capabilities in the world to this conflict. The opening cyber operations demonstrate a level of preparation and sophistication that reflects years of intelligence collection and capability development against Iranian targets.
NSA / US Cyber Command
The most advanced offensive cyber capabilities globally. Cyber Command's dual-hat relationship with NSA provides seamless integration of signals intelligence and offensive operations. The opening internet blackout and telecommunications disruption demonstrate full-spectrum network warfare capability against a nation-state adversary.
Unit 8200 (Israel)
World-class signals intelligence and cyber operations unit within the Israel Defense Forces. Unit 8200 has decades of operational experience against Iranian targets and is credited with some of the most sophisticated cyber operations in history. Deep integration with US Cyber Command for this campaign.
Historical Precedent: Stuxnet Verified [Source]
The joint US-Israeli Stuxnet operation (discovered 2010) against Iranian nuclear centrifuges at Natanz remains the benchmark for state-sponsored cyber-physical attacks. Stuxnet demonstrated the ability to cause physical destruction of industrial equipment through cyber means. The current operations against Iran's internet and telecommunications infrastructure represent a significant evolution of this capability, now applied at national scale.
Demonstrated Coalition Cyber Capabilities
- National-scale network disruption: Ability to achieve near-total communications blackout of a nation-state
- Mobile ecosystem penetration: Compromise of widely used civilian applications for information operations
- Media infrastructure control: Seizure and manipulation of state media digital platforms
- Full-spectrum information operations: Coordinated messaging campaigns across multiple channels and languages
- Pre-positioned access: Years of intelligence preparation enabling rapid execution at conflict onset
Information Warfare
The information domain has emerged as a critical battlespace running parallel to kinetic and cyber operations. Both sides are engaged in competing narrative campaigns, with the coalition holding a significant advantage due to its disruption of Iranian communications infrastructure.
Coalition Information Operations
- Compromised prayer apps used to reach Iranian population with targeted messaging
- State media websites hijacked to deny regime narrative control
- Social media campaigns promoting “liberation” and regime change narratives
- Psychological operations targeting Iranian military morale and civilian resistance
Iranian / Aligned Information Operations
- Framing of strikes as “unprovoked aggression” against a sovereign nation
- Amplification of civilian casualty reporting (787+ killed, 148 students)
- Proxy media networks broadcasting Iranian resistance messaging
- Russian and Chinese state media supporting anti-coalition narratives
Narrative Competition
Two competing master narratives have emerged: the coalition frames operations as “regime change and liberation” of the Iranian people from theocratic rule, while Iran and its allies frame the conflict as “unprovoked Western aggression” against a sovereign state. The information battle over international public opinion will shape diplomatic support and alliance cohesion on both sides.
International Advisories
- UAE: Issued misinformation warning to citizens, advising caution with unverified conflict reporting
- UK NCSC: Advised organizations to take immediate protective action against cyber threats
- Social media platforms facing surge in conflict-related disinformation from all sides
- Deepfake and AI-generated content complicating verification of battlefield claims
Technology Dimensions
AI-Enabled Targeting
Artificial Intelligence in the Battlespace
This conflict represents a significant milestone in the use of AI for military operations at scale. Advanced AI systems are being employed across the kill chain, from target identification through damage assessment.
- Target identification: Machine learning algorithms processing ISR feeds to identify and classify military targets
- Damage assessment: AI-powered analysis of post-strike imagery for rapid battle damage assessment
- Defense sector response: Palantir and other defense AI companies seeing significant stock surges as markets price in expanded military AI adoption
- Autonomous drone operations: Increasingly important role for AI-guided unmanned systems in strike and reconnaissance missions
- Signals intelligence processing: Machine learning accelerating the processing of intercepted Iranian communications
Satellite and Space
Space-Based ISR
Space-based intelligence, surveillance, and reconnaissance assets are critical for strike planning in the current campaign. Military and commercial satellite constellations provide persistent coverage of Iranian territory, enabling real-time targeting and battle damage assessment. The coalition's overwhelming advantage in space-based ISR is a key asymmetric capability.
GPS and Navigation
GPS disruption risks in the conflict zone pose challenges for both precision-guided munitions and civilian aviation. Iran possesses limited GPS jamming capabilities that could degrade precision strike accuracy. Commercial satellite imagery from providers like Maxar and Planet Labs is providing independent conflict documentation to the international community.
Electronic Warfare
GPS Jamming and Spoofing
Electromagnetic operations in the Persian Gulf region include GPS jamming and spoofing attempts that affect both military and civilian navigation systems. Coalition electronic warfare aircraft are providing jamming support for strike packages while protecting friendly GPS-dependent systems.
Communications Disruption
Beyond the cyber-enabled internet blackout, electronic warfare operations are disrupting Iranian military communications across multiple frequency bands. This compounds the command-and-control degradation caused by leadership decapitation strikes.
Radar Suppression
Suppression of enemy air defenses (SEAD) operations targeted Iranian radar systems during the opening strikes. Electronic countermeasures continue to degrade any reconstituted air defense capability, ensuring coalition air superiority.
Missile Defense EW
Electronic countermeasures are being employed to support missile defense operations against Iranian retaliatory strikes. These systems complement kinetic intercept capabilities and are critical for protecting coalition assets and allied nations.
Cyber Risk Assessment
The following assessment reflects the current threat landscape as Iranian cyber actors are expected to shift from intelligence collection to retaliatory and destructive operations against coalition and allied targets.
Threat Levels by Sector
| Sector | Threat Level | Primary Threat Actor | Likely Method | Impact Potential |
|---|---|---|---|---|
| Energy / Oil & Gas | CRITICAL | Iranian APTs (APT33) | ICS / SCADA attacks | Physical damage, supply disruption |
| Financial Services | HIGH | Iranian state hackers | DDoS, data destruction | Market disruption, economic instability |
| Government Networks | HIGH | Multiple actors | Espionage, disruption | Intelligence compromise |
| Healthcare | MEDIUM | Hacktivist groups | Ransomware | Service disruption, patient safety risk |
| Transportation | MEDIUM | Iranian / proxy actors | Infrastructure targeting | Safety risks, logistics disruption |
| Telecommunications | HIGH | State actors | Network attacks | Communications disruption |
NCSC and Industry Advisories
Multiple government cybersecurity agencies and private sector threat intelligence firms have issued advisories specific to the Iran conflict, reflecting the elevated risk to Western critical infrastructure.
UK National Cyber Security Centre (NCSC)
The NCSC issued guidance advising all UK organizations to take immediate protective action in response to the heightened cyber threat environment. Specific recommendations include reviewing access controls, patching known vulnerabilities, and increasing monitoring of network traffic for indicators of Iranian APT activity.
Verified [Source]
Palo Alto Networks Unit 42
Unit 42 published a specific threat brief addressing the March 2026 Iran escalation. The brief assesses that Iranian cyber retaliation is highly likely and identifies energy, defense, and financial sectors as the primary targets. Organizations are urged to review their exposure to Iranian threat actors and activate incident response plans.
Verified [Source]
SecurityWeek Reporting
SecurityWeek has been documenting the bilateral cyber exchange between coalition and Iranian actors, providing near-real-time reporting on the evolving digital conflict. Their analysis highlights the unprecedented scale of opening cyber operations and the potential for retaliatory escalation.
Verified [Source]
Critical Infrastructure Monitoring
Western critical infrastructure operators have been placed on heightened alert with increased monitoring across energy, water, transportation, and financial systems. CISA (US Cybersecurity and Infrastructure Security Agency) is coordinating cross-sector threat information sharing to enable rapid detection and response.
Verified [Source]
Key Takeaways
- The opening cyber offensive against Iran was unprecedented in scale, achieving near-total communications disruption of a nation-state in coordination with kinetic strikes — a first in modern warfare.
- Iran possesses significant retaliatory cyber capabilities through APT33, APT34, APT35, and the IRGC Cyber-Electronic Command. Historical precedents (Shamoon, US financial DDoS) demonstrate willingness to target critical infrastructure.
- The energy sector faces the highest cyber risk, given Iran's established capability against oil and gas infrastructure and the natural symmetry of retaliating against the sector most central to the conflict's geopolitical stakes.
- Information warfare is a co-equal dimension of this conflict, with both sides competing aggressively to shape domestic and international narratives through compromised channels, social media, and state-aligned media outlets.
- AI-enabled targeting, autonomous drones, and space-based ISR represent a generational leap in military technology employment, making this conflict a proving ground for next-generation warfare capabilities.
- The surge of approximately 60 hacktivist groups adds an unpredictable non-state dimension to the cyber conflict that complicates attribution and expands the attack surface on all sides.
Indicators to Watch
- Iranian cyber retaliation timeline: Whether and when destructive cyber attacks are launched against US, Israeli, or allied critical infrastructure — the most significant near-term cyber risk
- ICS/SCADA targeting indicators: Any evidence of Iranian APT activity against industrial control systems, particularly in the energy sector, would signal imminent destructive operations
- Internet restoration in Iran: Whether Iranian connectivity is restored and through what channels — this will determine Iran's ability to coordinate military and cyber operations
- Hacktivist group alignment: Whether the ~60 active hacktivist groups coalesce around specific targets or escalate from nuisance-level to destructive operations
- Pro-Russian cyber escalation: Whether Russian-aligned cyber groups expand retaliatory operations beyond opportunistic attacks to coordinated campaigns against NATO infrastructure
- CISA/NCSC advisory escalation: Additional government advisories would signal intelligence community detection of imminent threat activity
- Defense AI company disclosures: Contracts and capability announcements from Palantir and peers may reveal the extent of AI integration in ongoing operations