Cyber and electronic-warfare activity escalates amid US–Israeli strikes on Iran
Regional conflict following U.S.–Israeli strikes on Iran has been accompanied by heightened cyber and electronic-warfare activity affecting both military operations and civilian infrastructure. U.S. officials publicly acknowledged that U.S. Cyber Command, alongside space capabilities, conducted “non-kinetic” operations to disrupt Iranian communications and sensor networks in support of Operation Epic Fury, describing effects intended to degrade Iran’s ability to coordinate and respond; reporting also noted follow-on hack-and-leak style activity against Iranian-facing online properties (e.g., news sites and an app) and warned of potential retaliatory cyber activity by Iranian-aligned actors.
In parallel, maritime intelligence reporting described a sharp increase in GPS/AIS disruption (jamming/spoofing) impacting shipping around the Strait of Hormuz, with vessels appearing in false locations and maritime authorities warning of elevated risk to navigation and safety. Iran’s domestic crypto ecosystem also showed signs of stress consistent with conflict conditions and connectivity constraints: observers reported internet outages, exchanges moving into risk-containment modes (e.g., batching/suspending withdrawals), and temporary restrictions on the USDT–toman trading pair under central bank direction—collectively reducing liquidity and market activity rather than clearly indicating capital flight. Separate reporting on Pakistan’s TV broadcast hijacks and a DDoS incident affecting Russian government sites appear unrelated to the Iran conflict-driven activity described above.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Iranian media claims foreign network gear failed during nuclear-site strikes
On or before 2026-03-02, Iranian state media reported that Cisco, Juniper, MikroTik, and Fortinet equipment malfunctioned or disconnected during U.S. strikes on Iranian nuclear facilities. The report suggested possible hidden backdoors, implanted malware, malicious packet delivery, or supply-chain tampering as explanations for the failures.
US publicly acknowledges Cyber Command's role in the campaign
On March 2, 2026, Joint Chiefs Chairman Gen. Dan Caine publicly described Cyber Command and Space Command as 'first movers' in the operation against Iran. The remarks were characterized as the clearest public acknowledgement so far of Cyber Command's role in the second Trump administration's major military operations.
Jordan says it thwarted an Iranian cyberattack on wheat storage
Jordan reported blocking an Iranian cyberattack that targeted its wheat storage systems during the regional escalation. The disclosure highlighted spillover cyber activity beyond the immediate U.S.-Iran-Israel conflict.
Israeli-linked hacks target Iranian websites and app
After the attacks began, apparent Israeli digital operations defaced Iranian news websites and a religious calendar app with messages encouraging defections and resistance. The activity was described as part of the broader pressure campaign accompanying military strikes.
US Cyber Command and Space Command disrupt Iranian networks
As part of the U.S.-Israeli campaign, U.S. Cyber Command and U.S. Space Command conducted coordinated cyber and space operations against Iranian communications and sensor networks. According to Gen. Dan Caine, these non-kinetic actions degraded Iran's ability to detect, coordinate, and respond ahead of kinetic strikes.
GPS and AIS interference surges across Gulf shipping lanes
Since February 28, more than 1,100 ships across Iranian, UAE, Qatari, and Omani waters experienced GPS or AIS disruption, with some vessels falsely appearing inland on tracking maps. Windward identified about 21 new AIS jamming clusters, and shipping through the Strait of Hormuz nearly halted amid the interference.
Iranian exchanges temporarily halt USDT-toman trading
Under direction from Iran's Central Bank, multiple Iranian exchanges temporarily suspended the USDT-toman trading pair to slow fiat repricing during peak volatility. When trading resumed, thin order books and brief price dislocations were observed.
Iran's internet connectivity collapses and crypto activity drops
Following the February 28 strikes, internet connectivity in Iran fell by roughly 99%, and domestic crypto transaction volume dropped by about 80% between February 27 and March 1. Major exchanges stayed online but reduced withdrawals, thinned liquidity, and issued user risk guidance.
New Persian-language numbers station V32 begins broadcasting
About 12 hours after U.S. and Israeli strikes on Iran began, a new Persian-language numbers station designated V32 reportedly started transmitting nearly twice daily. The broadcasts used a classic covert-communications format, with a male voice reading random numbers after repeating the Persian word "tavajjoh" three times.
US and Israeli strikes on Iran begin
On February 28, 2026, the United States and Israel initiated strikes on Iran, marking the start of a broader military campaign that coincided with cyber, electronic, and economic disruption across the region.
Israel-Iran missile exchanges trigger major GPS jamming in the Gulf
During missile exchanges between Israel and Iran in June 2025, significant GPS interference was reported in the Gulf region, establishing a prior pattern of wartime navigation disruption affecting maritime traffic.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
Iran claims US exploited networking equipment backdoors during strikes - says devices from Cisco and others failed despite blackout in attack that 'indicates deep sabotage' | Tom's Hardware
tomshardware.com
Open sourceIran alleges US cyberattacks; China amplifies claims | brief | SC Media
scworld.com
Open sourceفارس: طی اتفاقی عجیب و هشدار دهنده، "جعبههای سیاه" آمریکایی در ساعت صفر حمله به اصفهان از کار افتادند/ این اختلال در شرایطی رخ داد که گیتویهای بینالملل عملاً مسدود بودند، بنابراین فروپاشی مذکور نشان از یک خرابکاری عمیق دارد/ سناریوی خطرناک، دستکاری در مبدأ تولید است؛ اگر فایلهای نصبی قبل از ورود به ایران آلوده شده باشند، حتی تعویض سیستم عامل هم مشکل را حل نمیکند | سایت انتخاب
entekhab.ir
Open sourceSomeone is jamming a mysterious Persian shortwave spy signal - Boing Boing
boingboing.net
Open sourceCyberwarfare during the 2026 Iran war - Wikipedia
en.wikipedia.org
Open sourceCisco, Juniper gear ‘malfunctioned’ just as US bunker busters hit Iranian nuclear sites: report - SDxCentral
sdxcentral.com
Open sourceAttacks on GPS Spike Amid US and Israeli War on Iran | WIRED
wired.com
Open sourceHow Iran’s Crypto Market is Reacting to Conflict | TRM Blog
trmlabs.com
Open sourceCyber Command disrupted Iranian comms, sensors, top general says | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cyber and information operations intensify amid US-Israel strikes on Iran under “Operation Epic Fury”
US and Israeli military action against Iran under **“Operation Epic Fury”** has been accompanied by heightened cyber activity and public acknowledgment of offensive cyber operations. Reporting indicated a surge of pro-Iranian activity including **DDoS attacks**, attempted compromises, and targeting of **critical infrastructure**, with researchers warning that Iranian state-linked actors tied to the **IRGC** and **MOIS**, as well as aligned hacktivists, are likely to sustain retaliatory operations aimed at economic, reputational, and potentially physical disruption. Separately, reporting alleged Israeli intelligence conducted long-running surveillance by compromising **Tehran traffic cameras**, exfiltrating encrypted video and telemetry to servers outside Iran to build “pattern of life” intelligence on senior leadership movements. The Pentagon also elevated the visibility of cyber as a warfighting domain, with the Chairman of the Joint Chiefs describing coordinated **space and cyber** effects used to “disrupt, degrade, and blind” Iranian communications and sensor networks, though without operational detail. In parallel but unrelated to the Iran conflict, Russia’s internet regulator **Roskomnadzor** and the Russian Defense Ministry reported a “complex multi-vector” **DDoS** incident that temporarily disrupted multiple government sites, with traffic attributed to botnets and servers across several countries and continued user-reported instability after initial containment.
Mar 21, 2026
Cyber Operations Escalate Following US-Israeli Strikes on Iran
Military strikes by the United States and Israel against Iranian targets on **February 28, 2026** were followed within hours by a sharp escalation in cyber activity across the Middle East. Reporting describes widespread **DDoS attacks, website compromises, defacements, and breach claims**, with more than 150 hacktivist incidents reportedly claimed in the first two days of the crisis. Iranian connectivity was heavily disrupted, including outages affecting **IRNA**, while **Tasnim News** was reportedly compromised and displayed anti-regime messaging. The most affected sectors were identified as **government, aerospace and defense, and technology**, and regional states including **Israel, Kuwait, Jordan, Bahrain, Qatar, and the UAE** saw elevated cyber pressure. The surge also expanded beyond immediate regional targets, with security reporting warning that the conflict was driving attacks against global commercial sectors such as **travel, hospitality, and energy**. One cited example was a **March 11** claim by **Handala**, a hacktivist group alleged to have ties to Iranian intelligence, that it had conducted a large-scale **data-wiping attack** against medical technology company **Stryker**, allegedly destroying several terabytes of data. Additional reporting noted unconfirmed concerns that Iranian-linked actors could target the physical and digital infrastructure of major U.S. technology firms. The activity reflects a broader pattern of **geopolitically motivated cyber operations** acting as a force multiplier alongside kinetic conflict, rather than a standalone marketing or advisory narrative.
May 6, 2026
Iran–Israel–US conflict triggers rapid hacktivist mobilization and elevated DDoS risk to government and critical infrastructure
Cyber activity surged immediately following joint **U.S.–Israel strikes on Iran** (described as *Operation Epic Fury*), with reporting indicating a fast-moving “cyber swarm” of hacktivists and aligned collectives conducting disruption, influence messaging, and broad cyber claim activity within hours of the kinetic events. A day-by-day Telegram-focused timeline described early **DDoS campaigns against Israeli government sites** expanding into a wider coalition of **pro-Iranian, pro-Palestinian, and Russian-aligned** groups targeting additional regions and sectors, including Gulf states, Europe, and the U.S., with increasing attention on **critical infrastructure**; examples cited include claims of DDoS disruption against Israeli commercial, defense-adjacent, and energy-related entities (e.g., an oil company and an advanced defense firm), sometimes accompanied by third-party availability “verification” links. U.S. state and local governments were separately warned by **MS-ISAC** to expect heightened “low-level” activity—particularly **DDoS**—in the wake of the Iran-related escalation, and were urged to harden internet-facing and cloud services (e.g., remediation of critical/cloud infrastructure, use of firewalls/CDNs, and reducing exposed employee/organizational data). In parallel, a critical-infrastructure-focused interview tied to an upcoming OT security summit reiterated that energy, water, pipeline, and ICS environments face persistent probing by state adversaries and that “low-cost entry” cyber operations can be used to test and disrupt mission-critical systems; while not specific to the Iran conflict, it reinforces the broader risk context for OT operators amid heightened geopolitical tensions.
Apr 22, 2026