US–Israel Cyber Operations Against Iran and Expected Iranian Retaliation
Reporting described a major escalation in cyber warfare tied to US and Israeli military operations against Iran, with claims of widespread disruption inside Iran alongside information operations. One account said Iran experienced a near-total digital blackout (connectivity dropping to ~4% of normal), outages affecting government services and communications, and media/PSYOPS-style intrusions (e.g., defacements/injections on pro-regime sites, hijacked messaging via a widely installed prayer app, and interference with broadcast feeds). The same narrative framed the activity as part of a coordinated campaign (described as Operation Roaring Lion / Epic Fury) and positioned it as a continuation of long-running US–Israel vs. Iran cyber escalation.
Threat intelligence and security firms warned that Iran-linked actors were already mobilizing for reprisal activity against Israel and potentially Western/allied targets. Cited reporting said Anomali assessed multiple Iranian groups (including MuddyWater, APT42, and APT33) as “activated and retooling,” while noting an unusual lack of visibility into APT34 that it interpreted as possible covert pre-positioning rather than inactivity. Flashpoint was cited as observing Iran-linked Handala Group activity targeting Israeli industrial control systems (ICS) and claiming disruption to manufacturing/energy distribution, alongside claims of data theft affecting an Israeli healthcare organization; the overall guidance was to expect heightened Iranian cyber operations in the wake of kinetic strikes.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Iran-linked actors reported targeting Israeli ICS and Western networks
Threat reporting said Iran-linked actors, including the Handala Group and allied coalitions, were targeting Israeli industrial control systems and claiming disruptions. The same reporting described DDoS activity, data-wiping, and attempted wiper deployments against U.S., Israeli, and broader Western targets as early signs of escalation.
Threat intelligence firms warn of broader Iranian cyber retaliation
By 2026-03-01, multiple security firms assessed that Iranian state-aligned and proxy cyber activity was likely to intensify against U.S., Israeli, and other Western organizations. The warnings cited activation and retooling of groups including MuddyWater, APT42, and APT33, as well as the possibility of covert pre-positioning by APT34.
Hacktivist targeting of Israel and Gulf states surges after strikes
In the 24 hours following the strikes, pro-Iranian and pro-Palestinian hacktivist activity increased sharply, with Israel becoming the top reported target and Gulf states entering the top five. Reported activity included mostly low- to medium-sophistication DDoS attacks and website defacements, alongside claims of more serious breaches and initial-access sales involving CCTV, RDWeb, and SCADA/PLC environments.
Iran experiences near-total internet blackout during strikes
Around the start of the 2026-02-28 strikes, Iran suffered a major internet connectivity drop or near-total blackout. One source says the outage was likely a self-imposed shutdown by Iranian authorities, while another notes claims it may have related to attacks on communications infrastructure, with attribution unclear.
PSYOPS compromises hit Iranian media and communications platforms
Coinciding with the launch of Operation Roaring Lion, pro-regime Iranian news sites were reportedly compromised to inject psychological-operations content, and the BadeSabaa prayer app was allegedly hijacked to display surrender messages. Iranian national TV Channel 3 satellite streams on IntelSat were also reportedly hijacked to broadcast speeches by Donald Trump and Benjamin Netanyahu.
Operation Roaring Lion begins against Iranian targets
On 2026-02-28, the U.S. and Israel launched Operation Roaring Lion, a joint military campaign targeting Iranian military, nuclear, and government assets. The operation marked the trigger for the cyber and information activity described in the references.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cyber and information operations intensify amid US-Israel strikes on Iran under “Operation Epic Fury”
US and Israeli military action against Iran under **“Operation Epic Fury”** has been accompanied by heightened cyber activity and public acknowledgment of offensive cyber operations. Reporting indicated a surge of pro-Iranian activity including **DDoS attacks**, attempted compromises, and targeting of **critical infrastructure**, with researchers warning that Iranian state-linked actors tied to the **IRGC** and **MOIS**, as well as aligned hacktivists, are likely to sustain retaliatory operations aimed at economic, reputational, and potentially physical disruption. Separately, reporting alleged Israeli intelligence conducted long-running surveillance by compromising **Tehran traffic cameras**, exfiltrating encrypted video and telemetry to servers outside Iran to build “pattern of life” intelligence on senior leadership movements. The Pentagon also elevated the visibility of cyber as a warfighting domain, with the Chairman of the Joint Chiefs describing coordinated **space and cyber** effects used to “disrupt, degrade, and blind” Iranian communications and sensor networks, though without operational detail. In parallel but unrelated to the Iran conflict, Russia’s internet regulator **Roskomnadzor** and the Russian Defense Ministry reported a “complex multi-vector” **DDoS** incident that temporarily disrupted multiple government sites, with traffic attributed to botnets and servers across several countries and continued user-reported instability after initial containment.
Mar 21, 2026
Cyber Operations Escalate Following US-Israeli Strikes on Iran
Military strikes by the United States and Israel against Iranian targets on **February 28, 2026** were followed within hours by a sharp escalation in cyber activity across the Middle East. Reporting describes widespread **DDoS attacks, website compromises, defacements, and breach claims**, with more than 150 hacktivist incidents reportedly claimed in the first two days of the crisis. Iranian connectivity was heavily disrupted, including outages affecting **IRNA**, while **Tasnim News** was reportedly compromised and displayed anti-regime messaging. The most affected sectors were identified as **government, aerospace and defense, and technology**, and regional states including **Israel, Kuwait, Jordan, Bahrain, Qatar, and the UAE** saw elevated cyber pressure. The surge also expanded beyond immediate regional targets, with security reporting warning that the conflict was driving attacks against global commercial sectors such as **travel, hospitality, and energy**. One cited example was a **March 11** claim by **Handala**, a hacktivist group alleged to have ties to Iranian intelligence, that it had conducted a large-scale **data-wiping attack** against medical technology company **Stryker**, allegedly destroying several terabytes of data. Additional reporting noted unconfirmed concerns that Iranian-linked actors could target the physical and digital infrastructure of major U.S. technology firms. The activity reflects a broader pattern of **geopolitically motivated cyber operations** acting as a force multiplier alongside kinetic conflict, rather than a standalone marketing or advisory narrative.
May 6, 2026
Iran Retaliation Cyber Risk After U.S. and Israeli Strikes
Coordinated U.S. and Israeli strikes on Iranian targets have raised expectations of **Iranian state-aligned cyber retaliation** against U.S., Israeli, and allied interests. Reporting and vendor intelligence assessments warn that Iran has historically paired kinetic escalation with cyber operations ranging from *low-level disruption* (website defacements and DDoS) to *higher-impact activity* (ransomware-style disruption, hack-and-leak operations, espionage, and destructive/wiper malware), with likely targeting pressure on government, critical infrastructure, defense, financial services, academia, and media. The situation is described as fast-moving, with no definitive public attribution yet tying major new cyber campaigns directly to the latest strikes. Separately, multiple reports highlight **unrelated** security issues: GreyNoise observed large-scale reconnaissance and SSL VPN enumeration against **SonicWall SonicOS** devices via commercial proxy infrastructure—activity consistent with precursor targeting that often precedes credential attacks and ransomware intrusions. CISA also issued updated technical details on **RESURGE**, a stealthy implant used in zero-day exploitation of **Ivanti Connect Secure** via `CVE-2025-0282`, including passive C2 behavior and TLS-fingerprint-based authentication/evasion; Mandiant linked the exploitation to China-nexus activity (UNC5221). Other items in the set include a generic IoT security pitfalls article, a weekly security roundup, and a conference write-up, none of which materially advance the Iran-retaliation storyline.
May 14, 2026