Hybrid Conflict in the Middle East Sparks Global Cyber Activity Surge

A significant escalation in the Middle East has entered a hybrid phase, combining military strikes with extensive cyber operations. This development raises concerns for organizations both in the region and globally.

The situation escalated following joint military strikes by Israel and the United States on Iran on February 28, 2026. These actions were accompanied by what is being described as one of the largest cyber campaigns in history.

Cyber Operations Intensify Alongside Military Strikes

The coordinated strikes by Israel and the US targeted key Iranian leadership and military and nuclear sites over the past few days. According to reports, a sweeping cyber operation simultaneously disrupted Iran's digital infrastructure, leading to internet connectivity plummeting to around 4% of normal levels. The exact reason behind this shutdown remains unconfirmed at the time of this report.

Government services, official media, and parts of the energy and aviation sectors experienced severe disruptions. This cyber assault coincided with retaliatory missile and drone attacks by Iran against Israeli territory and US bases in the region.

Security experts predict that cyber retaliation from Iran is likely to escalate. Cynthia Kaiser, Senior Vice President at Halcyon and a former FBI cyber executive, stated, "Iran will likely respond in cyberspace, possibly through cybercrime and ransomware."

She noted, "Our Halcyon intel team is already observing increased activity in the Middle East, including calls to action from the DDoS botnet HydraC2, the hacktivist group Handala, and the ransomware group Sicarii."

Between February 28 and March 1, over 150 hacktivist incidents were recorded across various channels. These operations primarily involved DDoS attacks, website defacements, and unverified data breach claims, targeting sectors such as government, banking, aviation, and telecommunications.

Ransomware and Obfuscation Tactics Highlighted

Kaiser pointed out that Iran's past actions demonstrate a consistent pattern of using cyber operations as retaliation for perceived political grievances. From disabling US financial websites between 2011 and 2013 to erasing data from the Las Vegas Sands Casino in 2014, and defacing websites following the death of Iranian military commander Qasem Soleimani, Tehran's approach has been aggressive and adaptive.

These activities underscore how Iran might employ obfuscation tactics, multiple actors, and destructive tools against US networks in the coming weeks. Possible methods include:

  • Deploying ransomware before erasing an organization's data.
  • Leveraging long-term espionage access and data exfiltration from various threat actors for destructive attacks.
  • Concealing operations behind fictitious cybercriminal groups.
  • Engaging in online harassment of victims, including releasing stolen data.

Recommendations for Organizations

The UK's National Cyber Security Centre (NCSC) has stated that there is currently no significant change in the direct cyber threat from Iran to the UK. However, it cautions that the situation remains fluid and that there is an increased indirect risk for organizations with offices or supply chains in the Middle East.

Organizations are encouraged to review their risk posture, enhance monitoring, enforce multi-factor authentication (MFA), and ensure that offline backups are established.

Operators of critical national infrastructure are also advised to revisit contingency plans and adhere to established guidelines for managing severe cyber threats.

The NCSC concluded, "Organizations should assess their risk posture, take appropriate action, and report any concerning activity to our Incident Management team."
