Iranian Cyber Attacks 2026: Digital Warfare in the Iran-Israel-US Conflict
The Iranian cyber attacks in 2026 have emerged as a defining feature of the ongoing conflict between Iran, Israel, and the United States. What began as coordinated military strikes on February 28 has evolved into a parallel digital war, with Iranian and allied hackers launching sustained campaigns against critical infrastructure, government networks, and private sector targets across the Middle East and beyond. This article provides a comprehensive overview of the cyber escalation, key incidents, threat actors involved, and what organizations need to know to protect themselves.
The Digital Battlefield: A New Front in Modern Warfare
Since February 28, 2026, cyber operations have played a central role alongside conventional military action in the conflict, and in some cases, have outpaced it in scale and reach. As fighter jets and cruise missiles struck IRGC command centers, a parallel front reportedly paralyzed the Islamic Republic from within.
The cyber domain has become a critical battleground for several reasons:
Disruption of Command and Control: Cyber attacks targeted Iranian communications and critical infrastructure to sever command and control channels within Iran's military and government.
Isolation of the Regime: The digital assault aimed to isolate the Iranian public from outside information and prevent coordination of counterattacks.
Psychological Warfare: Hacked applications were used to broadcast messages to millions of Iranians, demonstrating the power of cyber tools for influence operations.
Timeline of Major Cyber Operations
February 28, 2026: The Opening Salvo
On the day of the US and Israeli military strikes, a massive coordinated cyberattack accompanied Operation "Roar of the Lion".
Key Impacts:
Internet Blackout: Internet connectivity in Iran plunged to just 4% of normal levels—an almost total shutdown of nationwide access.
Government Sites Down: Official government websites went dark, and the state news outlet IRNA was taken offline for an extended period.
IRGC Media Hacked: Tasnim News Agency, affiliated with the IRGC, was hacked to display anti-Khamenei messages.
Psychological Operations: The popular prayer time app "BadeSaba," used by over 5 million Iranians, was hacked to broadcast messages in Persian including "The time of judgment has come" and "For a free Iran".
Western intelligence sources said the damage to the IRGC's communications infrastructure was meant to prevent coordination of counterattacks and disrupt the ability to launch drones and ballistic missiles.
March 1-11, 2026: Iranian-Led Counter-Cyber Campaigns
In response, Iranian-aligned actors launched sustained cyber campaigns targeting foreign networks across the Middle East and beyond. Between March 1 and March 11, SOCRadar's cyber intelligence team noted multiple hacktivist groups, proxy actors, and state-linked units were active.
Key Incidents by Date
| Date | Incident | Targets |
|---|---|---|
| March 1 | Cyber Islamic Resistance consolidated multiple hacktivist groups into a joint Electronic Operations Room. Gulf governments faced DDoS attacks. | Jordan, Kuwait |
| March 2-3 | Pro-Iranian and pro-Russian actors escalated attacks on energy, transportation, and government infrastructure. Large-scale OT claims surfaced. | Qatar, Bahrain, UAE, Saudi Arabia |
| March 4 | APT Iran claimed a month-long intrusion into Jordanian grain storage systems. Z-Pentest posted screenshots suggesting control over Israeli water systems. | Jordan, Israel |
| March 5-6 | MuddyWater's pre-planted backdoors in US banks, airports, and defense-adjacent firms were uncovered. 313 Team launched coordinated assault on 26 Kuwaiti government domains. | US, Kuwait |
| March 7-9 | SOCRadar recorded 368 cyber incidents across 12 countries, with Israel absorbing roughly half. OT and ICS systems frequently targeted. | Hotels, water systems, banks, universities |
| March 10-11 | FSociety attacked Israeli energy, defense, and commercial targets. NoName057 disrupted telecom, water, and transportation networks. | Israel, Cyprus |
March 11, 2026: The Stryker Attack
An Iran-linked hacking group claimed responsibility for a significant cyberattack on US medical technology giant Stryker.
Attack Details:
Group Responsible: Handala
Impact: Claimed to have wiped more than 200,000 systems and extracted 50 terabytes of data
Timing: Outages began shortly after 0400 GMT on March 11; Windows devices remotely wiped
Motivation: Retaliation for "the brutal attack on the Minab school" in Iran, where authorities said more than 150 people were killed
Handala issued a warning: "This is only the beginning of a new chapter in cyber warfare".
Stryker confirmed it was "experiencing a global network disruption to our Microsoft environment as a result of a cyberattack" but stated the incident was contained with no ransomware or malware.
Key Iranian Cyber Threat Actors in 2026
State-Sponsored Actors
Iran has institutionalized offensive cyber capabilities through the IRGC and Ministry of Intelligence, blending espionage, disruption, data theft, and influence operations.
Hacktivist and Proxy Groups
Pro-Iran hacktivists conduct cyber threat activity against Iran's rivals, but often overstate their impact. They primarily use DDoS attacks, data leaks, defacements, doxxing, and broadcast hijacks, with Telegram remaining the primary coordination and amplification platform.
| Group | Characteristics | Recent Activity |
|---|---|---|
| Handala (Void Manticore) | Most notorious group affiliated with Iranian regime; hack-and-leak operations, doxxing | Stryker attack (200K systems wiped, 50TB data); claimed "full access" to Jerusalem's security cameras |
| Cyber Islamic Resistance | Consolidated multiple groups into joint Electronic Operations Room | Paralyzed gas stations in Jordan; attacked US/Israeli military suppliers |
| NoName057(16) | Massive DDoS campaigns | Disrupted Israeli telecom, water, transportation networks; extended to Cyprus; attacked Kuwaiti government domains |
| Z-Pentest | Industrial control system targeting | Posted screenshots suggesting control over Israeli water systems; disrupted US networks including CCTV |
| 313 Team | Coordinated government domain attacks | Assault on 26 Kuwaiti government domains |
| FSociety | Energy, defense, commercial targeting | Attacked Israeli energy, defense, and commercial targets |
| DieNet | Data theft, government targeting | Accessed employee payroll data from Jordan's electricity company; struck Qatari government sites |
Targets and Sectors at Risk
Primary Targets
According to the Canadian Centre for Cyber Security, Iranian state-sponsored cyber threat actors opportunistically target poorly secured critical infrastructure networks and internet-connected devices around the world, particularly in the water and energy sectors.
US Targets
Pro-Iranian hackers are starting to stretch into the United States, raising the risk of American defense contractors, power stations, and water plants being swept into a wave of digital chaos.
Likely US Targets Going Forward:
Defense contractors
Government vendors
Businesses that work with Israel
Critical infrastructure (hospitals, ports, water plants, power stations, railways)
Geographic Expansion
By March 7-9, geographic targeting expanded to Cyprus, the UK, and Saudi Arabia.
Sophistication and Methods
Iranian cyber threat groups are particularly sophisticated in combining social engineering with spear phishing, targeting public officials to gain access to government networks and private sector organizations globally. They also exploit known vulnerabilities to gain initial access, then leverage this access for follow-on operations such as data exfiltration, ransomware, and extortion.
Government Warnings and Advisories
US Department of Homeland Security
The DHS has warned law enforcement agencies of the potential for isolated "lone-wolf" attacks and cyber intrusions linked to the ongoing military strikes in Iran.
Key Points from DHS Bulletin:
While a large-scale physical attack is considered unlikely, Iran and its proxies likely pose a sustained threat of targeted operations
Officials are particularly concerned about cyber activity by Iran-aligned hacktivists, including low-level attacks such as website defacements and DDoS operations targeting US networks
Retaliatory actions would "almost certainly" escalate if reports confirming the Ayatollah's death prove accurate
Canadian Centre for Cyber Security
The Cyber Centre assessed that Iran will very likely use its cyber program to respond to the joint US and Israel combat operations.
Possible Responses Include:
Cyber attacks against critical infrastructure
Cyber-enabled information operations
Online harassment of military personnel
Harassment and repression of diaspora and activist communities
UK National Cyber Security Centre
The NCSC stated that while "there is likely no current significant change in the direct cyber threat from Iran to the UK," it urged organizations in the country to review their risk posture and take action.
Expert Analysis and Unverified Claims
Skepticism About Hacktivist Claims
Several cybersecurity firms have noted that many claims made by hacktivist groups remain unverified or exaggerated.
The "Command and Control" Factor
With Iran's leadership effectively decimated and internet connectivity severely disrupted, the cyberattack command structure has collapsed. Kathryn Raines, a former US National Security Agency officer, told Fortune: "It's in the hands of 19-year-old hackers in Telegram rooms with no supervision or instructions".
This means that while state-sponsored activity remains low, individual hacker groups on Telegram and internet communities are expected to launch indiscriminate attacks.
Protective Measures and Recommendations
For Organizations
Shaun Williams, a former FBI and CIA officer now at SentinelOne, advises:
"Patch your systems. Ensure your firewalls and security solutions are up to date. Remove your stale accounts. All the cyber hygiene that you should be doing, it's more critical now than ever. Prepare for disruption".
Key Recommendations from Cybersecurity Experts
Patch Known Vulnerabilities: Iranian actors exploit known vulnerabilities to gain initial access
Implement Multi-Factor Authentication: Weak or default passwords are a primary attack vector
Monitor for Social Engineering: Iranian groups are sophisticated in combining social engineering with spear phishing
Prepare for Disruption: DDoS attacks and website defacements are likely, even if sophisticated intrusions are not
Review Risk Posture: Organizations in allied countries should review their cybersecurity posture
Critical Infrastructure Operators
Canadian critical infrastructure operators and other possible targeted entities should remain vigilant to threats posed by cyber actors aligned with Iranian interests. This is particularly important for the water, energy, transportation, and healthcare sectors.
Future Outlook
What Experts Are Watching
Cybersecurity experts are closely monitoring several factors:
Potential Escalation: If Russia, China, or hacking groups allied with either country provide hacking assistance to Iran, attacks could become more sophisticated
Command Structure Recovery: As Iran restores internet connectivity and command structures, state-sponsored attacks may resume
Opportunistic Crime: Cyber criminals are likely to take advantage of the war to increase infections through lures and social engineering
Critical Infrastructure Focus: Local water plants or health care facilities that lack robust security remain favorite targets
The Long View
Iran has invested heavily in its offensive cyber capabilities while cultivating ties to hacking groups. The goal, according to experts, is to wear down the American war effort, drive up energy costs, strain cyber resources, and cause as much pain as possible for American companies that depend on the defense industry.
As Kevin Mandia, founder of cybersecurity companies Mandiant and Armadin, stated: "Something is going to happen because the gloves are off".
Conclusion
The Iranian cyber attacks in 2026 represent a new chapter in cyber warfare—one where digital operations run alongside kinetic strikes, where hacktivists act with autonomy when state command structures are disrupted, and where critical infrastructure on both sides becomes a legitimate target.
From the unprecedented digital blackout that plunged Iran into isolation to the Stryker attack that wiped 200,000 systems, the conflict has demonstrated the awesome power of cyber weapons. Yet it has also revealed limitations: many claims remain unverified, state-sponsored actors have been notably quiet, and the chaos of war extends to the digital realm where 19-year-olds in Telegram rooms can claim to bring down nations.
For organizations in the US, Israel, and allied countries, the message from cybersecurity experts is clear: the threat is real, the gloves are off, and now is the time to ensure your cyber hygiene is up to date. In this new era of warfare, the next battle may not be fought with missiles—but with lines of code.
