Iran Cyber Offensive: How a Military Strike Unleashed a Digital War

Researchers at Unit 42 are tracking more than 60 active threat groups.

When U.S. and Israeli forces attacked Iran on February 28, 2026, the military strikes were matched almost immediately by a second campaign — one fought through keyboards, malware, and hacked infrastructure. Within hours of the initial bombardment, Iran and a constellation of aligned threat actors initiated a multi-vector cyber offensive that has since expanded across the region.

Iran’s domestic internet connectivity collapsed to between one and four percent on the morning of the strikes — a near-total blackout that paradoxically constrained Tehran’s own most sophisticated cyber units. Researchers at Unit 42 assess that the degradation of Iranian leadership and command structures has reduced the capacity of state-based actors to coordinate and execute advanced operations in the short term. State-aligned units may now be functioning in operational isolation, deviating from established playbooks and acting with tactical autonomy.

The immediate burden of Iran’s cyber response has therefore fallen on a sprawling network of proxy groups, hacktivists, and foreign-aligned collectives operating outside Iranian territory — many coordinated through a newly formed “Electronic Operations Room” established on the day the strikes began.

The Hacktivist Surge

Unit 42 has identified at least 60 active threat groups, ranging from pro-Iranian hacktivists to pro-Russian collectives who have seized on the conflict to further their own agendas. The most prominent Iranian persona is Handala Hack, linked to Iran’s Ministry of Intelligence and Security (MOIS). The group combines data exfiltration with targeted operations against Israeli political and defense entities. It has claimed responsibility for breaches at an Israeli energy exploration company, Jordan’s fuel infrastructure, and Israel’s largest healthcare network — the latter targeted to generate domestic political pressure before the kinetic campaign began.

Handala Hack’s operations have also moved into physical threat territory. The group reportedly sent direct death threats by email to Iranian-American and Iranian-Canadian influencers, claiming to have leaked their home addresses to operatives in the United States and Canada — a documented escalation from digital disruption to personal intimidation.

Other active collectives include APT Iran, which has claimed sabotage of Jordanian critical infrastructure; the Cyber Islamic Resistance, an umbrella network coordinating synchronized DDoS campaigns, data-wiping operations, and website defacements; and the FAD Team (Fatimiyoun Cyber Team), which focuses on destructive wiper malware and has claimed unauthorized access to SCADA and industrial control systems in Israel and other countries.

The geographic breadth is notable. DieNet has targeted airports in Bahrain and the UAE, as well as banks in Riyadh and Jordan. The 313 Team, based in Iraq, has directed operations against Kuwait’s armed forces, defense ministry, and government websites. The Sylhet Gang has targeted Saudi Arabia’s interior ministry systems — a pattern consistent with efforts to destabilize governments hosting U.S. military assets.

Russia Enters the Cyber Theater

Pro-Russian hacktivist groups have moved quickly to exploit the conflict. Cardinal claims to have infiltrated Israeli Defense Forces networks and published a document purportedly related to Operation Northern Shield, containing movement details and command approvals. NoName057(16) has claimed disruptive operations against Israeli municipal, telecom, and defense-related targets. The Russian Legion collective has gone further, asserting control over components of Israel’s Iron Dome missile defense system. Security researchers have yet to corroborate this claim, and hacktivist groups are known to overstate the scale of their access.

Mobile Malware and Social Engineering

Unit 42 has identified a targeted phishing campaign distributing a malicious Android application disguised as the Israeli Home Front Command’s RedAlert emergency notification app. The counterfeit package deploys mobile surveillance software and exfiltrates data from infected devices — a reflection of established Iranian tradecraft: embedding malware in contextually credible applications during periods of public anxiety.

Opportunistic criminal actors have also entered the field. In the UAE, cybercriminals are impersonating the Ministry of Interior to harvest Emirates Identification Numbers. Separately, the ransomware-as-a-service group Tarnished Scorpius has listed an Israeli industrial machinery firm on its leak site, replacing the company logo with a swastika.

Assessment and Outlook

The current phase is characterized by medium-to-low sophistication attacks — DDoS campaigns, data leaks, defacements, and credential theft — carried out at high volume across a wide geographic range. As operational disruption within Iran eases, the threat calculus is expected to shift toward more targeted intrusions. Organizations in energy, finance, healthcare, and logistics with ties to U.S. or Israeli interests face elevated risk.

The conflict has illustrated a pattern increasingly visible in modern warfare: kinetic action now reliably triggers a parallel digital campaign, conducted not only by state actors but by a distributed ecosystem of proxies, criminal opportunists, and geopolitically aligned collectives. Defending against it requires the same vigilance applied to the physical domain.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
