Iran War: The Convergence of Cyber and Kinetic Warfare

Cyber activity has been crucial to US-Israeli operations in Iran, while the nation has launched its own cyber campaigns against perceived threats

By Rithula Nisha

An operation as precise as taking out Iran's Supreme Leader would have been almost impossible without cyber and intelligence supremacy. 

But these capabilities – which Iran also wields, Europol warns – could have “immediate repercussions” for EU nations in the form of cyber attacks.

Iran still lies in total internet blackout as the war enters day 10, with Netblocks’ data showing connectivity at 1% of regular levels. It has faced hostile cyber activity, including the hacking of its BadeSaba religious calendar app.

The country is also mounting its own cyber campaigns, as Check Point Software notes: “During the ongoing conflict, we identified intensified targeting of IP cameras from two manufacturers starting on 28 February, originating from infrastructure we attribute to Iranian threat actors.”

The company adds that Iranian exploitation attempts against Qatar, Bahrain, Kuwait, the UAE and Cyprus have surged since the conflict began.

Cyber warfront

The initial wave of US and Israeli attacks on Iran included coordinated cyber actions which targeted mobile towers in and around Pasteur Street, where key government institutions are located to disrupt any warnings of the strike. 

Intelligence was gathered through hacked cameras, as a Financial Times report notes: “Nearly all the traffic cameras in Tehran had been hacked for years, their images encrypted and transmitted to servers in Tel Aviv and southern Israel, according to two people familiar with the matter.”

The report also says that Israel has complicated algorithms that automates the previously laborious process of tracking priority individuals. 

Israel downs cyberwarfare HQ

According to a post by Israel Defense Forces, a strike in early March targeted a “large Iranian terror regime military compound in eastern Tehran,” which the IDF says includes the “Cyber Warfare headquarters” of the Islamic Revolutionary Guard Corps and elements of its intelligence directorate among others. 

While the full impact on Tehran’s digital capabilities remains unclear, cybersecurity researchers note that Iranian-linked cyber activity has continued across the region despite damage to infrastructure and widespread internet disruption inside the country.

“Unit 42 is seeing a surge in activity from a growing number of hacktivist groups,” says Sam Rubin, SVP of Consulting and Threat Intelligence at Palo Alto Networks' Unit 42.

“However, we expect that internet disruption in Iran will mitigate more sophisticated state-aligned cyberattacks while infrastructure is degraded. 

“Organisations must remain highly vigilant, as state-aligned actors are anticipated to continue opportunistically targeting perceived adversaries.” 

By early March, dozens of pro-Iranian hacktivist groups were active online, claiming disruptive attacks against Israeli and regional targets.

Among the most visible actors is a persona known as Handala Hack, believed to be linked to Iran’s Ministry of Intelligence and Security. The group has claimed responsibility for breaches affecting an Israeli energy exploration firm, Jordanian fuel systems and attempts to target Israeli healthcare networks just days before the kinetic conflict started. 

Other networks such as Cyber Islamic Resistance, Dark Storm Team and the Fatimiyoun Cyber Team coordinate distributed denial-of-service campaigns, data-wiping attacks and website defacements against government agencies, financial institutions and infrastructure across the Middle East.

Some groups have also claimed access to industrial control systems and drone defence technologies.

These campaigns illustrate how Iran’s cyber ecosystem blends state interests with loosely affiliated activist networks that amplify disruption and political messaging.

Tactics shaping Iran’s cyber operations

Iranian cyber operations typically combine espionage with disruptive tactics designed to pressure adversaries. Unit 42 researchers have observed campaigns ranging from phishing and credential harvesting to destructive malware and data leaks.

One recent operation involved distributing a fake Android version of Israel’s RedAlert emergency warning application. The malicious software was used to gather surveillance data and exfiltrate information from compromised devices.

More broadly, Iran-aligned groups often exploit unpatched systems, use targeted spear-phishing campaigns and conduct hack-and-leak operations intended to embarrass political opponents or influence public opinion.

Analysts say these tactics aim not only to disrupt infrastructure but also to create psychological pressure during periods of geopolitical tension.

A fragmented but persistent cyber capability

The apparent strike on Iran’s cyber headquarters highlights the growing integration of cyber and kinetic warfare. Yet experts caution that destroying a physical facility may not significantly weaken Iran’s cyber reach.

This is because, Iran's digital capability relies on geographically-distributed networks of operators, pre-positioned malware and external proxies that can continue functioning even when domestic infrastructure is disrupted. 

For governments and organisations across the Middle East and beyond, the digital dimension of the war is likely to persist long after the immediate military exchanges subside.