Operation Epic Fury Escalation Drives Heightened Iranian-Linked Cyber Risk Warnings
Arctic Wolf reported that Operation Epic Fury—a U.S. campaign coordinated with Israel against Iran involving air, missile, naval, and cyber strikes on Iranian military and nuclear targets—has increased the likelihood of retaliatory and spillover cyber activity affecting organizations beyond the immediate conflict zone. The advisory warned that organizations in North America, the Middle East, the Schengen Area, and the Indo-Pacific should expect elevated risk, particularly in sectors historically targeted by Iranian threat groups: energy, defense, transportation, healthcare, and government. It also highlighted potential collateral impacts via interconnected systems and third-party dependencies, including possible internet-service disruption and supply-chain compromise.
The same reporting emphasized that Iranian-linked operations have historically included destructive wiper malware, DDoS, and targeted intrusions—especially against energy and utility environments—and may at times be indiscriminate, impacting countries not directly involved (including prior activity affecting U.S. water/wastewater and industrial control environments). Other items in the set were largely leadership/career commentary, awards, and general risk-management or workforce pieces and did not provide additional substantiated details on Operation Epic Fury or specific, attributable cyber incidents tied to the escalation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CSO Online publishes opinion piece on Epic Fury enterprise risk
On 2026-03-03, CSO Online published the opinion article "Epic Fury introduces new layer of enterprise risk." The piece framed the operation as creating additional enterprise risk but did not disclose a new incident, victim, or technical development.
Arctic Wolf warns of heightened Iran-linked cyber risk
On 2026-03-02, Arctic Wolf published an alert warning that the February 2026 U.S./Israel-Iran escalation increased the likelihood of Iran-affiliated cyber activity. The advisory highlighted elevated risk for organizations in North America, the Middle East, the Schengen Area, and the Indo-Pacific, especially in critical infrastructure and other sensitive sectors.
Iran retaliates with missile and drone attacks
Following Operation Epic Fury on 2026-02-28, Iran responded with ballistic missile and drone attacks against Israel and U.S. installations in the region. This retaliation signaled a broader escalation likely to spill into cyberspace.
U.S. and Israel launch Operation Epic Fury against Iran
On 2026-02-28, the United States and Israel conducted Operation Epic Fury, combining air, missile, naval, and cyber strikes against Iran. The operation marked the triggering event for the subsequent cyber risk escalation described in the references.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cyber and information operations intensify amid US-Israel strikes on Iran under “Operation Epic Fury”
US and Israeli military action against Iran under **“Operation Epic Fury”** has been accompanied by heightened cyber activity and public acknowledgment of offensive cyber operations. Reporting indicated a surge of pro-Iranian activity including **DDoS attacks**, attempted compromises, and targeting of **critical infrastructure**, with researchers warning that Iranian state-linked actors tied to the **IRGC** and **MOIS**, as well as aligned hacktivists, are likely to sustain retaliatory operations aimed at economic, reputational, and potentially physical disruption. Separately, reporting alleged Israeli intelligence conducted long-running surveillance by compromising **Tehran traffic cameras**, exfiltrating encrypted video and telemetry to servers outside Iran to build “pattern of life” intelligence on senior leadership movements. The Pentagon also elevated the visibility of cyber as a warfighting domain, with the Chairman of the Joint Chiefs describing coordinated **space and cyber** effects used to “disrupt, degrade, and blind” Iranian communications and sensor networks, though without operational detail. In parallel but unrelated to the Iran conflict, Russia’s internet regulator **Roskomnadzor** and the Russian Defense Ministry reported a “complex multi-vector” **DDoS** incident that temporarily disrupted multiple government sites, with traffic attributed to botnets and servers across several countries and continued user-reported instability after initial containment.
Mar 21, 2026
Iran–Israel–U.S. Escalation Drives Heightened Iranian-Linked Cyber Threats to Healthcare and Critical Infrastructure
Security experts warned that the escalating **U.S./Israel conflict with Iran** could spill into increased cyber activity by Iranian sympathizers, proxies, and hacktivist groups, with **healthcare** highlighted as a particularly exposed target due to its operational sensitivity and historically weaker security posture. Expected activity includes **DDoS**, **ransomware**, **wiper/destructive malware**, and **data theft**, with the risk extending beyond Iran’s own connectivity because many hacktivist operations rely on globally distributed infrastructure. A separate critical-infrastructure-focused advisory tied the heightened risk to the outbreak of open conflict and referenced *Operation Lion’s Roar* strikes on Iranian military and nuclear sites, warning that **Iranian state-affiliated APTs** may increase **espionage and disruptive attacks** against foreign networks and **industrial control systems (ICS/OT)** as part of a broader hybrid campaign. The guidance emphasized that defenders should plan for both opportunistic and state-directed activity affecting civilian infrastructure (e.g., energy and transportation) and prioritize resilience measures appropriate for critical infrastructure environments.
May 4, 2026
Iran Retaliation Cyber Risk After U.S. and Israeli Strikes
Coordinated U.S. and Israeli strikes on Iranian targets have raised expectations of **Iranian state-aligned cyber retaliation** against U.S., Israeli, and allied interests. Reporting and vendor intelligence assessments warn that Iran has historically paired kinetic escalation with cyber operations ranging from *low-level disruption* (website defacements and DDoS) to *higher-impact activity* (ransomware-style disruption, hack-and-leak operations, espionage, and destructive/wiper malware), with likely targeting pressure on government, critical infrastructure, defense, financial services, academia, and media. The situation is described as fast-moving, with no definitive public attribution yet tying major new cyber campaigns directly to the latest strikes. Separately, multiple reports highlight **unrelated** security issues: GreyNoise observed large-scale reconnaissance and SSL VPN enumeration against **SonicWall SonicOS** devices via commercial proxy infrastructure—activity consistent with precursor targeting that often precedes credential attacks and ransomware intrusions. CISA also issued updated technical details on **RESURGE**, a stealthy implant used in zero-day exploitation of **Ivanti Connect Secure** via `CVE-2025-0282`, including passive C2 behavior and TLS-fingerprint-based authentication/evasion; Mandiant linked the exploitation to China-nexus activity (UNC5221). Other items in the set include a generic IoT security pitfalls article, a weekly security roundup, and a conference write-up, none of which materially advance the Iran-retaliation storyline.
May 14, 2026