Iran–Israel–US conflict triggers rapid hacktivist mobilization and elevated DDoS risk to government and critical infrastructure
Cyber activity surged immediately following joint U.S.–Israel strikes on Iran (described as Operation Epic Fury), with reporting indicating a fast-moving “cyber swarm” of hacktivists and aligned collectives conducting disruption, influence messaging, and broad cyber claim activity within hours of the kinetic events. A day-by-day Telegram-focused timeline described early DDoS campaigns against Israeli government sites expanding into a wider coalition of pro-Iranian, pro-Palestinian, and Russian-aligned groups targeting additional regions and sectors, including Gulf states, Europe, and the U.S., with increasing attention on critical infrastructure; examples cited include claims of DDoS disruption against Israeli commercial, defense-adjacent, and energy-related entities (e.g., an oil company and an advanced defense firm), sometimes accompanied by third-party availability “verification” links.
U.S. state and local governments were separately warned by MS-ISAC to expect heightened “low-level” activity—particularly DDoS—in the wake of the Iran-related escalation, and were urged to harden internet-facing and cloud services (e.g., remediation of critical/cloud infrastructure, use of firewalls/CDNs, and reducing exposed employee/organizational data). In parallel, a critical-infrastructure-focused interview tied to an upcoming OT security summit reiterated that energy, water, pipeline, and ICS environments face persistent probing by state adversaries and that “low-cost entry” cyber operations can be used to test and disrupt mission-critical systems; while not specific to the Iran conflict, it reinforces the broader risk context for OT operators amid heightened geopolitical tensions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Iran-linked hackers threaten destructive attacks on U.S. water systems
By 2026-03-27, major Iranian-linked hacker groups were reported to have coordinated public threats warning of 'irreparable damages' to U.S. water systems. The development marked a more explicit and focused escalation toward U.S. critical infrastructure beyond earlier general OT/ICS rhetoric.
MS-ISAC warns U.S. state and local governments of possible Iran-linked intrusions
On 2026-03-10, the Center for Internet Security's MS-ISAC warned U.S. state and local governments to expect heightened low-level cyber activity from Iran, including possible DDoS intrusions, following the conflict escalation. It urged rapid remediation of critical and cloud infrastructure, use of firewalls and CDNs, and reduction of publicly exposed organizational data.
Governments and industry issue warnings on Iran-related cyber risk
By early March 2026, public warnings about elevated Iran-linked cyber threats were issued by authorities including the UK, Canada, Europol, and the U.S. Department of Homeland Security, alongside private-sector alerts. The advisories emphasized risks to government, critical infrastructure, cloud-dependent services, and organizations with Middle East exposure.
Hacktivist targeting expands across Middle East, Europe, and North America
In the days following the initial strikes, Telegram-based hacktivist activity spread beyond Israel to targets in Kuwait, Jordan, Saudi Arabia, Qatar, Oman, Cyprus, the UK, and the U.S. Reported operations included DDoS attacks, defacements, hack-and-leak claims, and increasing rhetoric around OT/ICS targeting of water, energy, and food systems.
Jordan reportedly foils Iranian OT attack on wheat silo system
A government-confirmed Iranian operational technology attack targeting Jordan's wheat silo management system was reportedly foiled during the early days of the conflict. The incident was cited as a notable example of attempted critical infrastructure targeting tied to the escalation.
Iranian drone strikes hit AWS facilities in UAE and Bahrain
On 2026-03-01, reported Iranian drone strikes targeted three AWS facilities in the UAE and Bahrain, disrupting cloud-dependent services across the Gulf and beyond. The incident highlighted the conflict's spillover from cyber activity into attacks affecting digital infrastructure availability.
Iran's national internet reportedly drops to about 1% connectivity
During the immediate aftermath of the strikes, Iran reportedly experienced a major internal internet disruption, with national connectivity falling to roughly 1% according to one source. Despite the outage, cyber operations and aligned online activity were said to continue via external infrastructure and proxy actors.
Iran-linked groups surge after joint U.S.-Israeli strikes on Iran
Joint U.S.-Israeli strikes on Iran on 2026-02-28 were followed within hours by a sharp rise in cyber activity, including service disruptions, influence messaging, hacktivist mobilization, and numerous incident claims. Multiple sources describe this as the opening cyber escalation phase of the conflict.
MuddyWater reportedly pre-positions access in North American organizations
Public reporting cited by multiple sources says MOIS-linked MuddyWater had been conducting pre-strike espionage and persistence activity since early February 2026, allegedly targeting organizations including a U.S. bank, a U.S. airport, a U.S./Canada nonprofit, and a software company operating in Israel. The activity reportedly involved previously undocumented backdoors including Dindoor and Fakeset.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Iran-Israel/US Cyber War 2026: Iranian Hackers, APT Groups & Cyber Attacks
socradar.io
Open sourceMajor Iranian hackers unite, threaten ‘irreparable damages’ to U.S. water systems - Threat Beat
threatbeat.com
Open sourceIran Hacktivists Make Noise but Have Little Impact on War
darkreading.com
Open sourceISMG Editors: Iran Conflict Expands Into Cyber Warfare
govinfosecurity.com
Open sourceIran’s Cyber Playbook in the Escalating Regional Conflict
rapid7.com
Open sourceTelegram Hacktivist Activity Timeline of Iran - Israel & US War
socradar.io
Open sourceUS state, local governments warned of Iran war-related cyber intrusions | brief | SC Media
scworld.com
Open sourceUkraine, Iran, and the New Sequencing of Hybrid War | by SIMKRA | Mar, 2026 | OSINT Team
osintteam.blog
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cyber Operations Escalate Following US-Israeli Strikes on Iran
Military strikes by the United States and Israel against Iranian targets on **February 28, 2026** were followed within hours by a sharp escalation in cyber activity across the Middle East. Reporting describes widespread **DDoS attacks, website compromises, defacements, and breach claims**, with more than 150 hacktivist incidents reportedly claimed in the first two days of the crisis. Iranian connectivity was heavily disrupted, including outages affecting **IRNA**, while **Tasnim News** was reportedly compromised and displayed anti-regime messaging. The most affected sectors were identified as **government, aerospace and defense, and technology**, and regional states including **Israel, Kuwait, Jordan, Bahrain, Qatar, and the UAE** saw elevated cyber pressure. The surge also expanded beyond immediate regional targets, with security reporting warning that the conflict was driving attacks against global commercial sectors such as **travel, hospitality, and energy**. One cited example was a **March 11** claim by **Handala**, a hacktivist group alleged to have ties to Iranian intelligence, that it had conducted a large-scale **data-wiping attack** against medical technology company **Stryker**, allegedly destroying several terabytes of data. Additional reporting noted unconfirmed concerns that Iranian-linked actors could target the physical and digital infrastructure of major U.S. technology firms. The activity reflects a broader pattern of **geopolitically motivated cyber operations** acting as a force multiplier alongside kinetic conflict, rather than a standalone marketing or advisory narrative.
May 6, 2026
DDoS and Cyber Operations Escalate Amid Israel–U.S. Strikes on Iran
Threat monitoring and situation reporting tied a surge in **distributed denial-of-service (DDoS)** activity and broader cyber disruption to the escalation of the **Israel–U.S. conflict with Iran** in late February 2026. NSFOCUS reported sustained DDoS targeting of Iranian IP space following internal unrest and rising U.S.–Iran nuclear tensions, describing both botnet-driven floods and reflection/amplification techniques against **259 Iranian IPs**, including government, news, and network-infrastructure entities. As kinetic events intensified—particularly after Israel announced strikes on Iran—reporting described a sharp increase in DDoS activity and subsequent Iranian **network control measures**, including an internet shutdown intended to reduce exposure to anticipated cyberattacks. CloudSEK characterized the period as a shift into **hybrid conflict**, citing coordinated Israeli–U.S. strikes (described as *Operation Roaring Lion/Epic Fury*) alongside what it called a major cyber campaign contributing to a near-total Iranian internet blackout and disruption to government services, media, and parts of energy and aviation. In parallel, Russia’s internet regulator **Roskomnadzor** and the **Russian Defense Ministry** reported a separate “complex multi-vector” DDoS incident that briefly disrupted access to multiple Russian government websites and related infrastructure (including the **Main Radio Frequency Center**), with traffic attributed to servers/botnets across several countries; no actor claimed responsibility. While DDoS is a common tactic in geopolitical crises, the Russian incident appears operationally and geographically distinct from the Iran-focused escalation reporting.
Mar 21, 2026
Heightened Cyber Risk to US Financial Services and Critical Infrastructure Amid Iran-US Conflict
US financial services and critical infrastructure operators have moved to heightened vigilance amid escalating **Iran–US conflict**, with industry groups and analysts warning that geopolitical shocks often correlate with increased cyber activity. Reuters reporting cited by *teiss* says US intelligence assesses **Iran-aligned hacktivists** could conduct **low-level attacks** against US networks—particularly **DDoS**—and that banks are increasing monitoring and resilience measures given the sector’s role in payments, clearing/settlement, and market infrastructure. Separate threat research argues the conflict environment increases the likelihood of **ICS/OT-focused** activity, emphasizing that US critical infrastructure presents an attractive retaliation surface due to civilian impact and a large internet-exposed OT footprint. CloudSEK highlights rapid activation of numerous hacktivist groups after late-February 2026 strikes and points to prior public reporting on long-dwell intrusions and campaigns affecting ICS devices; a SecuritySenses episode similarly describes state-linked hacktivist activity targeting OT (including **Unitronics PLCs**) and broader spillover effects beyond the region. Other items in the set—an ISC/SANS guest diary on opportunistic scanning and a Dark Reading piece on higher attack volumes in Latin America—do not describe the Iran-related escalation and are not directly part of this specific event narrative.
Mar 30, 2026