Tags: operational-disruption, hacktivist-operation, botnet-infrastructure, government-diplomatic-threat

DDoS and Cyber Operations Escalate Amid Israel–U.S. Strikes on Iran

Updated 3mo ago | First seen Mar 2, 2026 | 16 sources

Threat monitoring and situation reporting tied a surge in distributed denial-of-service (DDoS) activity and broader cyber disruption to the escalation of the Israel–U.S. conflict with Iran in late February 2026. NSFOCUS reported sustained DDoS targeting of Iranian IP space following internal unrest and rising U.S.–Iran nuclear tensions, describing both botnet-driven floods and reflection/amplification techniques against 259 Iranian IPs, including government, news, and network-infrastructure entities. As kinetic events intensified—particularly after Israel announced strikes on Iran—reporting described a sharp increase in DDoS activity and subsequent Iranian network control measures, including an internet shutdown intended to reduce exposure to anticipated cyberattacks.

CloudSEK characterized the period as a shift into hybrid conflict, citing coordinated Israeli–U.S. strikes (described as Operation Roaring Lion/Epic Fury) alongside what it called a major cyber campaign contributing to a near-total Iranian internet blackout and disruption to government services, media, and parts of energy and aviation. In parallel, Russia’s internet regulator Roskomnadzor and the Russian Defense Ministry reported a separate “complex multi-vector” DDoS incident that briefly disrupted access to multiple Russian government websites and related infrastructure (including the Main Radio Frequency Center), with traffic attributed to servers/botnets across several countries; no actor claimed responsibility. While DDoS is a common tactic in geopolitical crises, the Russian incident appears operationally and geographically distinct from the Iran-focused escalation reporting.


EVENT TIMELINE

How this story unfolded

19 events from the most recent confirmed update back to the earliest known activity.

Mar 6, 2026 (4mo ago)

Symantec and Carbon Black cite suspicious MuddyWater-linked activity in North America

By March 6, Symantec and Carbon Black said the Iran-linked group MuddyWater remained active and pointed to suspicious activity affecting a US bank, a software company, an airport, and NGOs in the US and Canada. Another firm reported related infrastructure appeared to go quiet shortly before the war began.

Mar 4, 2026 (4mo ago)

Security firms warn Iran-linked groups are targeting internet-connected cameras

Check Point reporting highlighted intensified Iran-nexus targeting of internet-connected IP cameras across multiple Middle East locations. The activity was assessed as supporting missile targeting and battle-damage assessment rather than direct disruption.

US officials disclose cyber operations supported the assault on Iran

US officials publicly said cyber operations by US Cyber Command and US Space Command underpinned the opening phase of the strike campaign by disrupting Iranian defenses and communications. Reporting also said cyber-enabled intelligence collection helped identify targets.

Mar 3, 2026 (4mo ago)

Vendors report no confirmed large-scale Iranian state cyber campaign yet

By March 3, several firms including CrowdStrike and Recorded Future said they had not confirmed a major independently verified Iranian state-sponsored cyber offensive despite heightened risk and extensive public claims. Analysts warned that destructive or disruptive retaliation could still follow.

Malicious RedAlert Android app campaign targets Israelis

Researchers reported an SMS phishing campaign distributing a malicious Android APK masquerading as Israel's RedAlert missile warning app. The malware was designed to exfiltrate device and user data and included anti-analysis features.

Mar 2, 2026 (4mo ago)

Pro-Iran actors claim breach of Jordanian grain silo control systems

Flashpoint and other sources noted claims by pro-Iranian hacktivists that they had breached a Jordanian grain silo company's ICS/SCADA environment. The legitimacy of the claimed control-system intrusion remained unverified.

Researchers identify surge of coordinated hacktivist claims

By March 2, multiple intelligence firms reported a sharp increase in claimed activity by Iran-aligned and sympathetic hacktivist groups, including DDoS, defacements, and unverified hack-and-leak operations. Large-scale independently verified state-sponsored intrusions had not yet been confirmed.

Hacktivist campaign expands across countries and sectors

Between February 28 and March 2, hacktivist activity spread across the Middle East and beyond, with Radware counting 149 DDoS claims against 110 organizations in 16 countries. Government and public infrastructure organizations were the most heavily targeted.

Mar 1, 2026 (4mo ago)

Iran launches missile and drone retaliation under Operation Truthful Promise 4

Beginning March 1, Iran responded to the US-Israeli assault with missile and drone attacks against Israel, Gulf states, and US-linked bases. Sources describe this as the immediate kinetic retaliation phase of the conflict.

Feb 28, 2026 (4mo ago)

UAE and Gulf states report and foil cyberattack waves

Authorities in the UAE and other Gulf states reported waves of sophisticated cyberattacks in late February as the regional crisis escalated. The attacks were reportedly detected and blocked, allowing essential services to remain online.

DDoS activity against Iranian infrastructure surges after strike announcement

NSFOCUS recorded a major DDoS spike on February 28 after Israel announced strikes on Iran. The attacks hit Iranian government agencies, state media, universities, and national internet infrastructure.

Hacktivist retaliation wave begins after the strikes

Pro-Iran and aligned hacktivist groups began claiming DDoS attacks, defacements, and breaches immediately after the February 28 strikes. Orange Cyberdefense identified Hider Nex as an early actor launching one of the first DDoS attacks that day.

Cyber operations disrupt Iranian state services and media during strikes

Reports said the opening phase included large-scale cyber disruption affecting Iranian government services, state media outlets such as IRNA and ISNA, and military or communications systems. These non-kinetic effects were described as synchronized with the military assault.

Iran suffers near-total internet blackout during opening phase of conflict

Following the February 28 strikes, Iranian internet connectivity reportedly collapsed to roughly 1% to 4% of normal levels. Multiple sources assessed the outage as a regime-imposed shutdown or network-control measure amid fears of cyberattack and wartime disruption.

US and Israel launch coordinated strikes on Iran under Operation Epic Fury

On February 28, the United States and Israel began a joint strike campaign against Iran, described across sources as Operation Epic Fury and also as Operation Lion's Roar/Roaring Lion. Multiple reports say cyber and space operations supported the opening phase by disrupting Iranian defenses and communications.

Feb 27, 2026 (4mo ago)

Iranian threat actors stage malware and pre-position access before strikes

Security firms including Check Point and Binary Defense assessed that Iran-nexus actors conducted preparatory intrusions and staged malware ahead of the coming kinetic escalation. Activity included operations linked to Cotton Sandstorm and related tooling.

Feb 14, 2026 (4mo ago)

Iran-linked actors probe government APIs and mobile apps before conflict

Approov reported a surge of sophisticated probing against APIs and mobile applications used for government-related communications in the weeks before the war. The activity was assessed as infrastructure mapping and vulnerability reconnaissance.

Jan 9, 2026 (5mo ago)

DDoS attacks spike around Iranian protest milestone

NSFOCUS observed a notable spike in DDoS activity targeting Iranian assets around January 9, indicating the campaign was intensifying well before the later military confrontation. Targets included state-linked and national infrastructure systems.

Jan 4, 2026 (6mo ago)

DDoS activity against Iranian targets begins amid domestic unrest

NSFOCUS reported sustained event-driven DDoS activity against Iranian government, media, and internet infrastructure starting with domestic unrest in Iran. The campaign later expanded as geopolitical tensions increased.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

138 linked
Affected products
12 linked
Android, Telegram, Android, Symantec, Microsoft Office, Google Drive, Spotify, Itunes, Powershell, Chatgpt, Chatgpt, Google Drive
Organizations
53 linked
Flashpoint, Check Point Software Technologies, NetBlocks, Foundation for Defense of Democracies, FalconFeeds, Cloudflare, Information Security Media Group, Broadcom, Carbon Black, FTI Consulting, Ctrl-Alt-Intel, PolySwarm, Microsoft Corporation, Telecommunication Company of Iran, IranCell, Mobile Communication Company of Iran, Amazon Web Services, Google, Cyble, Approov, Financial Times, CrowdStrike, Sophos, Trend Micro, Cisco Systems, The Register, Chainalysis, Xcape Inc, Cequence Security, Linkedin, Binary Defense, Palo Alto Networks, Tenable, International Business Machines, Okta, Intellexa, ReliaQuest, Saudi Aramco, Openai, NSFOCUS, CloudSEK, SC Media, Anomali, Nextgov/FCW, The New York Times Company, Defense One, Tabnak, MazeBolt, Crowne Plaza, Khaleej Times, Dubai International Airport, Cybersecurity Dive, Suzu Labs