Digital Battlefront: How Cyberattacks Are Reshaping the US-Iran War in 2026

Cyberattacks in the US-Iran War

The Opening Salvo: From Military Strikes to Online Conflict

On February 28, 2026, the US and Israel launched coordinated military strikes against Iran, unleashing a wave of retaliation that rapidly spilled into the digital domain. As conventional fighting swept across the Middle East, the cyber war emerged as a concurrent, critical front. Iranian responses included a multi-pronged campaign led by both official state-backed cyber units and independent hacktivist groups. However, the effectiveness of traditional Iranian state operators was quickly hampered: nationwide internet outages reduced connectivity to between one and four percent, severely limiting real-time coordination and command communication. As a result, Iranian cyber actors within the country had diminished capabilities, while cells and proxies operating outside Iran gained greater autonomy. These external groups surged in activity, launching attacks against US, Israeli, and allied infrastructure. Their operations ranged from distributed denial-of-service attacks and website defacements to information operations and data exfiltration. Despite the increase in volume, most hacktivist-driven disruptions were judged low to medium in significance, and the groups behind them often overstated their achievements.

The Playbook: Iranian State and Proxy Tactics

State-sponsored Iranian cyber groups leveraged advanced techniques such as AI-assisted spear phishing, exploitation of known software vulnerabilities, ransomware deployment, and destructive wiper malware. Their primary targets were poorly secured critical infrastructure, particularly in sectors like water, energy, and banking. Social engineering continued as a favored attack vector, with Iranian operators forging professional contacts on social media to compromise public officials and infiltrate sensitive organizational networks. While aimed at disruption, these actions also served strategic intelligence goals and were used to intimidate political opponents, journalists, and members of the Iranian diaspora advocating for regime change.

US Defenses Under Strain

Meanwhile, the US cyber defense apparatus faced its own challenges. The Cybersecurity and Infrastructure Security Agency (CISA) struggled with staffing shortages and leadership turmoil brought on by a partial government shutdown. Routine assessments and cybersecurity training were canceled, exacerbating vulnerabilities at a time when the risk from Iranian cyber retaliation was escalating. Security experts warned that Iran’s global network of proxies and hacktivists could exploit these weaknesses, and that even moderately sophisticated attacks posed real threats to the financial sector and national infrastructure.

A New Norm: The Digital Battlefield

Both sides now see cyber operations as a fundamental weapon in modern conflict. Digital attacks are used in tandem with kinetic strikes to achieve disruption, sow confusion, and influence public sentiment. The Iranian government’s domestic information blackout aimed to limit exposure and control external narratives, but it failed to stop a decentralized web of Iran-aligned groups using proxies and VPNs to sustain their operations. These cyber campaigns—whether retaliatory, opportunistic, or strategic—show how the digital battlefield is shaping the strategy and outcomes of contemporary warfare more than ever before.

Internet Blackout and Its Effects

  • Iran’s national connectivity dropped to 1-4%, limiting the coordination of sophisticated state-backed cyberattacks
  • Iranian cyber cells outside the country have gained more autonomy, acting independently and ramping up hacktivist activities targeting US, Israeli, and allied infrastructure

Surge in Hacktivist and Proxy Attacks

  • Over 60 Iran-aligned hacktivist and proxy groups have become active, with attacks ranging from DDoS, website defacement, and hack-and-leak operations to direct targeting of US financial institutions and critical infrastructure
  • Despite the lack of major coordinated state-led attacks, these groups are able to disrupt logistics, hospitals, banks, and government services across the US and GCC countries

CISA and US Defense Challenges

  • The US Cybersecurity and Infrastructure Security Agency (CISA) is under strain due to a partial government shutdown, staff losses, and leadership turmoil, impacting its assessment and readiness to counter major cyber threats
  • Experts warn that this administrative disruption may increase vulnerabilities in US critical infrastructure just as Iranian groups escalate operations

Iranian Tactics and Patterns

  • Activities include phishing, ransomware, wiper malware, social engineering, exploitation of unpatched systems, and targeting influential critics abroad
  • Iranian-affiliated groups have exaggerated claims, but recent evidence points to real impacts (e.g., compromised apps and critical system disruptions)

Recommendations for Defense

  • Keep critical data air-gapped/offline
  • Verify inbound requests via trusted, separate channels
  • Patch and harden internet-facing assets
  • Train staff against phishing and social engineering
  • Consider geographic IP blocking from high-risk regions

Cyberattacks linked to Iran in the wake of the 2026 conflict are now driven by decentralized groups acting globally, with the internet blackout limiting state command-and-control. US defenses and critical sectors face heightened risk at a time of administrative strain, making multilayered cyber hygiene and vigilance vital.

Sources and Expert Analysis

This article draws on real-time updates and analysis from Unit 42 by Palo Alto Networks, the Canadian Centre for Cyber Security, and breaking news coverage by CNBC. These sources include cybersecurity experts, official incident reports, and frontline observations from major infrastructure and threat intelligence providers. Their contributions have been essential in understanding the evolving cyber dimension of the 2026 US-Iran conflict and the broader security implications for governments and organizations worldwide.
