Cyber Operations Escalate Following US-Israeli Strikes on Iran
Military strikes by the United States and Israel against Iranian targets on February 28, 2026 were followed within hours by a sharp escalation in cyber activity across the Middle East. Reporting describes widespread DDoS attacks, website compromises, defacements, and breach claims, with more than 150 hacktivist incidents reportedly claimed in the first two days of the crisis. Iranian connectivity was heavily disrupted, including outages affecting IRNA, while Tasnim News was reportedly compromised and displayed anti-regime messaging. The most affected sectors were identified as government, aerospace and defense, and technology, and regional states including Israel, Kuwait, Jordan, Bahrain, Qatar, and the UAE saw elevated cyber pressure.
The surge also expanded beyond immediate regional targets, with security reporting warning that the conflict was driving attacks against global commercial sectors such as travel, hospitality, and energy. One cited example was a March 11 claim by Handala, a hacktivist group alleged to have ties to Iranian intelligence, that it had conducted a large-scale data-wiping attack against medical technology company Stryker, allegedly destroying several terabytes of data. Additional reporting noted unconfirmed concerns that Iranian-linked actors could target the physical and digital infrastructure of major U.S. technology firms. The activity reflects a broader pattern of geopolitically motivated cyber operations acting as a force multiplier alongside kinetic conflict.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
SOCRadar says conflict enters persistence and reconnaissance phase
By April 17, 2026, SOCRadar reported 1,357 verified cyber incidents in the first month of the Iran war across more than 25 countries, 15 sectors, and over 40 threat groups. The firm assessed that the campaign had moved beyond overt disruption into a quieter phase marked by reconnaissance, pre-positioned access, and latent destructive risk if the ceasefire breaks down.
Underground markets offer allegedly authentic stolen Iranian datasets
By March 25, 2026, ZenoX reported underground sales of allegedly stolen Iranian banking, civil, health, exchange, and business datasets linked to the conflict. The company said reviewed sample data appeared likely authentic, indicating monetization of compromised Iranian information beyond disruptive attacks.
Stryker disruption reported as week-two escalation
On March 12, 2026, reporting described disruption at Stryker as a key second-week development in the conflict. The incident was framed as retaliation by Handala and as evidence of escalation toward more destructive operations.
Handala claims large-scale data-wiping attack on Stryker
On March 11, 2026, the hacktivist group Handala claimed it had carried out a destructive data-wiping attack against Stryker. The claim said several terabytes of critical data were destroyed, and later reporting characterized the incident as a shift toward wiper-style attacks on a global enterprise.
Regional cybercrime and proxy activity broadens beyond state actors
By early March, reporting highlighted additional opportunistic activity tied to the conflict, including vishing scams in the UAE, ransomware extortion against an Israeli industrial machinery company, and intimidation campaigns by Handala Hack against Iranian-American and Iranian-Canadian influencers. This showed the conflict drawing in cybercriminal and proxy actors beyond traditional state-linked operations.
Malicious fake RedAlert app used in phishing campaign
Unit 42 identified an active phishing campaign using a malicious replica of Israel's Home Front Command RedAlert Android application. The app was designed to deliver mobile surveillance and data-exfiltration malware to targets.
Internet connectivity inside Iran drops to 1-4%
Severe internet disruption inside Iran reduced national connectivity to roughly 1-4%, according to Unit 42. The disruption was assessed as likely constraining the ability of Iran-based state-aligned actors to coordinate sophisticated cyber operations in the near term.
More than 150 cyber incidents claimed in first two days
Within the first 48 hours of the conflict, more than 150 cyber incidents were reportedly claimed by participating groups. The activity reflected a rapid surge in disruptive operations against government, finance, telecom, aviation, and critical infrastructure targets.
Retaliatory cyber campaign expands across the Middle East
Following the February 28 strikes, Iran-aligned actors and hacktivist/proxy groups began a multi-vector retaliatory cyber campaign. Reports describe DDoS attacks, hack-and-leak activity, destructive operations, and intrusions affecting targets in Israel and other regional states.
U.S. and Israel launch joint military operations against Iran
On February 28, 2026, the United States and Israel began joint military operations against Iran. Multiple sources describe this as the trigger for a broader cyber escalation tied to the conflict.
Sources
Middle East Cyber Battle Field Broadens — Especially in UAE (darkreading.com)
Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) (unit42.paloaltonetworks.com)
Iran War Cyber Threat Outlook: Conflict Phases and What Comes Next (socradar.io)
Kitten Had the Map all Along: RAISING GCC TENSIONS & THE PRE-POSITIONING MAP | CloudSEK (cloudsek.com)
Threat Intelligence: How Cybercrime Behaves in Geopolitical Conflict Scenarios - ZenoX - Artificial Intelligence for Cyber Security (zenox.ai)
Middle East Conflict: Cyber Operations Surge - TheCyberThrone (thecyberthrone.in)
Fortify Your Network Security from Emerging Geopolitical Cyberthreats | Akamai (akamai.com)
149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict (thehackernews.com)


