
Iran Cyber Front: Hacktivist Activity Surges, State-Sponsored Attacks Remain Minimal


Cybersecurity analysts are carefully observing the evolving threat landscape following recent joint US-Israeli airstrikes against Iran. Reports indicate a notable increase in hacktivist attacks, while Iranian state-sponsored actors have remained relatively silent.

The conflict escalated on February 28, 2026, when US and Israeli airstrikes targeted various sites in Iran, including military bases, missile production facilities, nuclear-related locations, and key leadership positions.

These operations, known as Operation Epic Fury for the US and Operation Roaring Lion for Israel, led to the deaths of significant figures including Supreme Leader Ayatollah Ali Khamenei.

In response, Iran launched a barrage of missiles and drones at US military installations in the Persian Gulf and conducted direct strikes against Israel. Although this retaliation resulted in casualties and damage to both military and civilian targets, the overall impact appears to be limited.

The cyber operations executed by the US and Israel in conjunction with these airstrikes were reportedly precise and impactful. According to media sources, the attacks targeted Iranian systems, affecting state media outlets like IRNA, communications networks within the IRGC, government digital services, as well as crucial infrastructure in the energy and aviation sectors. Pro-Western hackers even compromised a widely used prayer application to send messages indicating external intervention.

General Dan Caine, the chairman of the Joint Chiefs of Staff, stated during a Pentagon briefing that “coordinated space and cyber operations effectively disrupted communications and sensor networks across the area, leaving the adversary without the ability to see, coordinate, or respond effectively.”

Iranian Attacks Observed by the Cybersecurity Industry

Major cybersecurity firms have been sharing insights on recent cyber activities related to the ongoing conflict, particularly those carried out by Iranian and pro-Iranian hackers.

CrowdStrike reported on March 2 that it had not identified any large-scale cyber campaigns from state-sponsored actors. However, it observed a spike in hacktivist activities by pro-Iran groups engaged in website defacements, DDoS attacks, and claims of interference. The firm specifically noted the actions of Hydro Kitten, a group targeting the financial sector.

Adam Meyers, head of counter adversary operations at CrowdStrike, explained that “much of the activity being publicized appears to be claim-driven rather than evidence-backed. During periods of geopolitical tensions, it is common to see an increase in opportunistic hacktivism and low-level disruptive activities aimed at generating attention.”

Palo Alto Networks also noted a rise in hacktivist attacks from outside Iran but emphasized that state-sponsored hacking has not increased. This is likely due to limited internet connectivity caused by an ongoing blackout that has persisted for several days.

“State-aligned cyber units may be acting in operational isolation, which could lead to variations from established patterns. Additionally, degradation of Iranian command and control may result in tactical autonomy for groups outside Iran. However, their ability to conduct sustained sophisticated cyber operations is likely diminished due to operational disruptions,” the report stated.

“For Iran-aligned threat actors located outside the region, we anticipate that hacktivist groups will target organizations perceived as adversaries, although the impact is expected to be low to medium. Other nation-state actors may try to exploit the situation to further their own agendas.”

Flashpoint, a threat intelligence company, reported “alarming claims” of breaches into industrial control systems (ICS) and national grain supply logistics.

Flashpoint also indicated that a coalition of pro-Iran and pro-Russia groups initiated OpIsrael, a campaign aimed at data exfiltration and attacks on critical infrastructure.

The group NoName057(16) has executed extensive DDoS attacks against an Israeli defense contractor and municipal governments. Additionally, the Cyber Islamic Resistance group claimed to have hacked into the systems of an Israeli health insurance provider. FAD Team has reportedly conducted SQL injection attacks to steal data from a virtual US Air Force group as well as educational institutions in France, India, and Vietnam. They are also alleged to have taken control of firewall monitoring dashboards in Saudi Arabia.

Fatimion Cyber Team has targeted Arab states viewed as US allies, disrupting the Bahrain News Agency and launching DDoS attacks against the Qatari oil firm Gasco and Qatar Radio.

Cisco Talos has also been tracking the cyberattacks involving the US, Israel, and Iran. As of Monday, they reported no significant impacts.

“Currently, there does not appear to be any substantial increase in cyber activity associated with state-sponsored or state-affiliated groups,” Talos noted.

They further added, “Any potential impacts will likely come from sympathetic groups such as hacktivists, who have already initiated website defacements and DDoS campaigns supporting Iran. Furthermore, cybercriminals may seek to exploit the conflict to increase their operations through various deceptive tactics.”

Sophos reported on March 2 that it has observed a rise in hacktivist activity across platforms such as Telegram, X, and underground forums, especially from pro-Iran groups including the Handala Hack team and APTIran, but not an escalation in risk.

They have seen instances of DDoS attacks and website defacements, but the claims made by hacktivists regarding critical infrastructure being compromised have not been verified and may be overstated.

While security firms have not detected an upsurge in activity from Iranian state-sponsored groups, Check Point reported that some government actors, such as Cotton Sandstorm and Void Manticore, have revived old hacktivist personas, claiming successful hacks on various websites and infrastructures.

Hudson Rock, a specialist in infostealer malware intelligence, reported that many of the data breaches claimed by hackers recently are likely fabricated.

Although some reports of cyber disruptions or damages may be exaggerated, the capability of state-linked actors to execute sophisticated intrusions alongside military operations underscores a real and escalating threat, necessitating ongoing vigilance and robust defenses.

The UK’s National Cyber Security Centre stated that while there is likely no significant change in the direct cyber threat from Iran to the UK, they advise organizations to reassess their risk posture and take appropriate measures.
