Cyberwarfare during the 2026 Iran war
Use of electronic warfare during the 2026 Iran war
From Wikipedia, the free encyclopedia
Cyberwarfare during the 2026 Iran war is the digital and information operations conducted by Israel, the United States, Iran, and affiliated hacktivist groups as part of the ongoing 2026 Iran war that began on 28 February 2026.
The cyber domain played a supporting role in the initial kinetic strikes, with coordinated U.S.–Israeli operations reportedly disrupting Iranian command, control, and sensor networks ahead of airstrikes.[1] Israel also conducted large-scale information operations, including the compromise of a popular Iranian prayer app and state broadcasting channels. Iran and pro-Iran hacktivists threatened and claimed retaliatory cyberattacks, though widespread internet blackouts inside Iran limited their effectiveness.[2][3]
Background
The 2026 Iran war erupted on 28 February 2026 when Israel and the United States launched coordinated airstrikes (codenamed Operation Roaring Lion and Operation Epic Fury) targeting Iranian leadership, nuclear facilities, and military sites, including the assassination of Supreme Leader Ali Khamenei. Cyber and electronic-warfare capabilities were integrated into the opening phase to disrupt Iranian command-and-control, communications, and sensor networks.[1][4]
Iran has maintained an active state-sponsored cyber program for years, and has previously been both perpetrator and victim of state-sponsored cyber operations (notably Stuxnet in 2010) with documented capabilities in wiper malware, distributed denial-of-service (DDoS) attacks, and espionage against critical infrastructure.[4] Prior to the 2026 conflict, Iran had conducted cyberattacks on financial institutions and election-related targets, and maintained proxy hacktivist networks for plausible deniability.[4]
Operations by Israel and the United States
On 28 February 2026, as airstrikes began, coordinated cyberattacks targeted Iranian infrastructure, state media outlets, and mobile applications. U.S. Chairman of the Joint Chiefs of Staff Gen. Dan Caine stated that "coordinated space and cyber operations effectively disrupted communications and sensor networks" in Iran prior to the main kinetic strikes, with the explicit goal of leaving the adversary "disrupted, disoriented and confused."[1]
Israeli operators compromised the popular Iranian prayer app BadeSaba Calendar (more than five million downloads). Users received push notifications in Persian urging military personnel and civilians to defect, lay down arms, or join opposition forces. Messages included phrases such as "Help has arrived," "It's time for reckoning," and "For the freedom of our Iranian brothers and sisters … lay down your weapons or join the forces of liberation.""[4][5]
Several official Iranian news websites, including state-run IRNA, were defaced with anti-regime messages. Additional intrusions targeted government services and military systems to hinder coordinated responses.[4] Electronic warfare components included GPS and automatic identification system (AIS) disruptions affecting over 1,100 ships in the Gulf region.[4]
Israeli intelligence reportedly maintained long-term access to Tehran traffic camera networks and mobile-phone infrastructure, using the feeds to support targeting of senior Iranian leaders, including the strike that killed Khamenei.[1] After Israeli airstrikes damaged offices of state broadcaster IRIB, hackers hijacked at least two channels and aired recorded speeches by U.S. President Donald Trump and Israeli Prime Minister Benjamin Netanyahu calling on Iranians to rise against the regime.[1]
These operations coincided with a near-total internet blackout across Iran. Connectivity fell to 1–4 % of normal levels for more than 60 hours, severely impairing government communications, state media, and public services. NetBlocks and other monitors attributed the outage to a combination of physical strikes on data centers and large-scale cyber disruption described by some Israeli sources as "the largest cyberattack in history."[6][4][7][8]
Attacks on Pakistani media
Several leading Pakistani television news channels were hacked on the evening of 1 March 2026, during the early phase of cyber operations linked to the US-Israeli strikes on Iran. Broadcasts on Geo News, ARY News and Samaa TV were interrupted after Iftar, with unauthorised messages displayed that supported Israel's Mossad intelligence agency and urged viewers to "stand up to" the Pakistan Armed Forces and its leadership.[9][10] Geo News management immediately stated that the channel had faced repeated hacking attempts on its PakSat satellite feed for the previous 24 hours and that the aired message had no connection with the broadcaster. The channel called on authorities to investigate and take immediate action.[11]
In tandem with the broadcast disruptions, Google advertisement campaigns promoting Mossad appeared on multiple Pakistani news websites. The campaigns were reported to have targeted users in Pakistan as well as in Iran and other Asian countries.[9][12] Pakistani authorities, including the Pakistan Telecommunication Authority and PakCERT, launched investigations and implemented counter-cyber measures.[10]
In retaliation, the following day, a group calling itself “Pakistan Cyber Force” hacked the Indian news channel ABP News and broadcast pro-Pakistan Army content.[13][12]
Iranian responses and hacktivist activity
Iranian state-sponsored actors and pro-Iran hacktivist collectives threatened retaliatory cyberattacks on U.S., Israeli, and allied critical infrastructure, including distributed-denial-of-service (DDoS) attacks, data wipers, and information operations.[2][4] However, the domestic internet blackout and degradation of Iranian leadership structures severely limited state actors' ability to coordinate sophisticated operations in the first days of the conflict.[3]
A surge in hacktivist activity was observed, with more than 60 groups claiming actions by 2 March 2026. Notable claims included: Handala Hack (linked to Iran's Ministry of Intelligence) compromising Israeli energy firms, Jordanian fuel systems, and healthcare targets. Cyber Islamic Resistance, Dark Storm Team, FAD Team, conducted low-level DDoS attacks, website defacements, and phishing campaigns, primarily targeting entities in the Middle East, Israel, and the United States. Analysts noted that Iran's own blackout limited large-scale state-directed operations from within the country, shifting activity toward external proxies.[4][14][3]
On 15 March, Iran likely executed the biggest wartime cyberattack against the U.S. in history, and experts warned that more such attacks are likely.[15]
Impact and reactions
The cyber operations contributed to psychological pressure on the Iranian government and temporarily blinded parts of its command network. Regionally, electronic warfare affected maritime navigation, and cloud outages impacted businesses across the Middle East. U.S. and allied financial institutions raised alerts for potential follow-on Iranian cyberattacks.[14] The US Cybersecurity and Infrastructure Security Agency (CISA) faced resource constraints amid leadership changes and a partial government shutdown.[16]
The cyber operations disrupted Iranian government and military coordination in the early hours of the conflict and amplified information warfare aimed at encouraging internal dissent.[4]