Shadows in the Code: The Cyber Dimension of the 2026 US-Israel-Iran Conflict


The conflict that erupted on February 28, 2026, with joint US-Israeli strikes on Iran—codenamed Operation Epic Fury by the US and Operation Roaring Lion by Israel—has rapidly evolved into a full-spectrum hybrid war. While missiles, drones, and airstrikes dominate headlines (including the reported killing of Supreme Leader Ayatollah Ali Khamenei), cyberspace has emerged as a parallel battlefield of equal strategic weight. Cyber operations have disrupted communications, sown psychological chaos, and targeted critical infrastructure across the region.


This blog draws from real-time threat intelligence reports, government advisories, and open-source monitoring to deliver a comprehensive summary. It covers direct cyber attacks tied to the conflict, key threat actors, the role of AI, impacts on the US, Iran, Israel, UAE, and Qatar, plus underground and dark web signals. Sources are named inline for transparency.


The Allied Cyber Offensive: Disrupting Iran from Within


From the opening hours of the strikes, cyber actions underpinned the kinetic campaign. US military cyber operations “underpinned” the initial assault, disrupting Iranian command-and-control, sensor networks, and communications, according to statements from the Chairman of the Joint Chiefs of Staff.


Israel is credited with what multiple outlets describe as “the largest cyberattack in history” against Iran. This campaign contributed to a near-total internet blackout, with nationwide connectivity plummeting to just 1-4% of normal levels. Fiber optic damage, combined with regime-imposed restrictions, isolated government services, media outlets, energy systems, and aviation infrastructure.


High-profile influence operations amplified the chaos:

  • Hackers compromised BadeSaba, a popular Iranian prayer-times app with over 5 million downloads. Users received anti-regime messages warning that “the Iranian regime will pay for their cruel actions” and offering amnesty to defectors. Attribution leans toward Israel, though unconfirmed.

  • State-run sites like the IRNA news agency were defaced with anti-regime content, and Iranian TV stations reportedly broadcast videos of US and Israeli leaders.


Israel also claimed to have struck Iran’s cyber warfare headquarters, though its long-term impact on Tehran’s offensive capabilities remains unclear.


These moves align with a broader strategy of blending kinetic strikes with cyber and psychological operations to degrade Iran’s ability to coordinate responses.



Iran’s Retaliatory Cyber Campaign: Hacktivists Fill the Gap


Iran’s conventional military has been degraded, but its cyber ecosystem—state APTs plus a vast proxy network—has mobilized quickly. However, the domestic internet blackout has severely limited operations by groups based inside Iran, shifting the burden to geographically dispersed hacktivists and proxies operating from abroad.

Unit 42 (Palo Alto Networks) reports a surge in activity from roughly 60 pro-Iran hacktivist groups coordinated via an “Electronic Operations Room” established on February 28. Over 150 hacktivist incidents were logged in the first days, primarily low-to-medium-sophistication DDoS, defacements, data leaks, and wiper malware.


Notable examples include:


  • Handala Hack (MOIS-linked): Compromised an Israeli oil and gas exploration company, disrupted Jordanian fuel distribution systems and gas stations, and targeted Israeli healthcare to create domestic pressure. The group has also sent death threats with doxxed personal data to Iranian-American and Canadian critics.

  • Cyber Islamic Resistance umbrella: Coordinated DDoS, wipers, and defacements; claimed hits on Israeli payment systems and drone defenses.

  • Other groups like DieNet, 313 Team, FAD Team, and Dark Storm Team hit Gulf airports (Bahrain, UAE, Sharjah), banks (Riyadh, Jordan), and Kuwaiti government sites. Claims also surfaced against Aramco facilities and an AWS data center in the UAE.


Pro-Russian actors (e.g., NoName057(16), Cardinal) have joined, targeting Israeli systems and amplifying narratives.

No confirmed large-scale destructive attacks on US critical infrastructure have materialized as of March 6, but experts warn of an imminent pivot. CISA, the FBI, and the Canadian Centre for Cyber Security have issued alerts on expected disruptive operations against utilities, finance, and healthcare.


Key Threat Actors and Intelligence Findings


Iran’s cyber apparatus blends IRGC- and MOIS-affiliated APTs with hacktivist proxies for deniability:


  • MuddyWater / Seedworm / APT34 (MOIS): Active since February 2026 on US networks (banks, airports); espionage-focused with credential theft and custom malware. Overlaps with “Operation Olalampo” targeting the META region.

  • APT33 / Elfin (IRGC): Destructive focus on critical infrastructure and OT/ICS.

  • APT35, APT39, APT42: Espionage and dissident tracking via telecoms and medical data.

  • Hacktivist personas: Handala, Cyber Fattah, RipperSec, etc.


Techniques include AI-enhanced spear-phishing, vulnerability exploitation, living-off-the-land, SCADA/PLC access, and wiper/pseudo-ransomware blends.

CTI firms like Check Point, CloudSEK, and Nozomi Networks note blurred lines between state, criminal, and hacktivist activity, with monetized access for extortion providing cover.

AI: The Invisible Engine Reshaping the Battlefield

This conflict is being called potentially “the first AI war.” Both the US and Israel have integrated AI deeply into operations:


US Side:

  • Claude (Anthropic) powers Project Maven at CENTCOM for intelligence summarization, drone footage analysis, and operational planning—despite Anthropic’s usage restrictions.

  • Autonomous systems like the Replicator program (swarm drones) and LUCAS suicide drones operate with minimal human input.

  • AI accelerates target-to-strike timelines and coordinates massive air operations.


Israeli Side:

  • Habsora (“Gospel”) and Lavender generate target recommendations from vast data (imagery, comms, social graphs).

  • Bina—the IDF’s new AI division—integrates these for the current campaign.

  • AI-assisted compromise of traffic cameras and real-time processing of tracking data on Iranian leadership.

In cyber, AI enables automated vulnerability scanning (e.g., crippling Iranian banking in parallel operations), anomaly detection, and scaled phishing. Experts note Iran has the intent and growing tools for AI-powered attacks on US/Gulf infrastructure, though the current blackout limits execution. UAE authorities foiled multiple AI-enhanced campaigns (phishing, malware) in the weeks prior.


Regional Ripples: UAE, Qatar, and Beyond


The Gulf has been directly hit. Iran launched missiles and drones at US bases and civilian sites in the UAE (heavy damage in Dubai/Abu Dhabi), Qatar, Bahrain, Kuwait, and Saudi Arabia. Cyber-wise, hacktivists targeted airports, banks, and energy in these states.


The UAE reported foiling sophisticated AI-backed attacks before the strikes and now faces credential scams plus claimed AWS disruptions. Qatar saw DDoS against interior ministry services and claimed hits on gas infrastructure. GPS/AIS jamming has disrupted over 1,100 ships in Gulf waters, affecting all parties.


Spillover risks extend to global energy, finance, shipping, and IT supply chains, with second-order effects on India, Europe, and East Asia.


Dark Web and Underground Signals


Public dark web visibility remains limited amid the blackout, but monitoring firms like CloudSEK track credential leaks, compromised accounts, and tool sharing on Telegram/deep web channels used by hacktivists. No massive new state-linked dumps have surfaced, but ransomware listings (e.g., Tarnished Scorpius targeting Israeli firms with ideological symbols) and breach brokerage by groups like Blackswamp appear. General underground activity includes vishing scams in the UAE and shared exploit kits.

Threat intelligence emphasizes verifying hacktivist claims, as exaggeration for propaganda is rampant.


Outlook and Recommendations


Iranian state-sponsored sophistication is temporarily hobbled, but hacktivist volume will likely sustain pressure for weeks. US and allies face elevated risks to critical infrastructure; experts urge patching, air-gapping OT, phishing training, and offline backups.


The conflict underscores cyber’s role as an accessible, deniable, and escalatory domain—amplified by AI. As one CSIS analysis notes, proxies and blurred attribution risk cyber disruptions outpacing kinetic operations.


This is a fast-moving story. Organizations should monitor CISA/FBI/NCSC advisories and maintain heightened vigilance. In the digital shadows of this war, code may yet prove as decisive as steel.

© 2018 Dr. Chaos 