Cyber Operations Are Integral to US Strikes on Iran

In the ongoing conflict between the United States and Iran, cyber operations have emerged as a significant component alongside conventional military actions. Operation Epic Fury, initiated on 28 February 2026, involved coordinated strikes that targeted key Iranian leadership and infrastructure, with digital disruptions playing a crucial role in limiting the adversary's response capabilities. Iranian connectivity fell by at least 46% during the strikes, signaling intense cyber involvement.[1]

The operation followed closely after nuclear negotiations in Geneva on 26 February 2026, where both sides had agreed to further discussions.  Despite this, US forces proceeded with attacks that resulted in the deaths of Iran's Supreme Leader Ayatollah Ali Khamenei, the president, the military chief of staff, and other officials, alongside strikes on extensive military sites.

US Central Command commenced the operation at 0115 local time on 28 February 2026, under presidential direction, aiming to dismantle the Iranian regime's security apparatus and address imminent threats.  Over 1,700 targets were struck, including command centers, air defense systems, ballistic missile sites, and naval assets.

Joint Chiefs of Staff Chairman General Dan Caine, in a press briefing on 2 March 2026, described US Cyber Command and Space Command as initial actors in applying non-kinetic effects. He stated: “Coordinated space and cyber operations effectively disrupted communications and sensor networks across the area of responsibility, leaving the adversary without the ability to see, coordinate, or respond effectively.”

Following the strikes, Iran's internet connectivity plummeted to between 1% and 4% of normal levels in two major waves. This decline was attributed to a regime-imposed blackout, possibly with limited access maintained via a government whitelisting system for select users. Physical damage to fiber optic cables from the attacks may have contributed to the disruption.  The blackout has raised concerns about increased misinformation, as authentic Iranian sources are largely silenced online.

Several platforms faced breaches during the operation. The BadeSaba calendar prayer app, with over 5 million downloads on Google Play, was hacked to send push notifications in Persian urging members of the armed forces to defect. Messages included phrases like “help has arrived” and calls for the regime to “pay for their cruel and merciless actions against the innocent people of Iran.”

State-affiliated news websites, such as the IRNA news agency, were hijacked to display anti-government messages referencing the strikes. These incidents highlight the use of digital channels for information warfare.

Cybersecurity experts have cautioned about escalating retaliatory actions from Iran-aligned groups. Possible tactics include distributed denial-of-service attacks, ransomware, destructive wiper malware, phishing, and website defacements. Past operations by such actors have featured credential theft and data leaks. Groups like APT33, MuddyWater, and Fox Kitten pose risks to US firms in sectors such as healthcare and energy. The United Arab Emirates has warned that sharing unverified war-related information could lead to fines of $27,000 to $272,000 or imprisonment under its cybercrime laws.

The conflict has prompted cyber insurers to reassess exposures linked to Iranian hacking groups. A potential large-scale attack could test war exclusions in policies, drawing parallels to the 2017 NotPetya incident, which caused over $10 billion in global damage.

See:  https://redskyalliance.org/xindustry/notpetya-us-law

Defense agencies view cyber operations, information control, and infrastructure resilience as essential elements of contemporary warfare, with digital assets serving dual roles as strengths and weaknesses. As the operation continues, with US officials indicating no fixed timeline, the digital front remains a critical arena in the US-Iran confrontation.

 

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information (CTI) via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

 

[1] https://www.cybersecurityintelligence.com/blog/cyber-operations-are-integral-to-us-strikes-on-iran-9192.html
