AI-Generated Content — May Contain Errors — Not Independently Fact-Checked — Research Use Only

Cyber Threat Overview

  • Pro-Iran Hacktivist Groups Active (Since Feb 28): Dozens. Targeting US, Israel, Gulf states
  • US Cyber Threat Posture: ELEVATED. Intel community issued bolster-defenses warning
  • Iranian Internet Connectivity (Mar 6): ~1%. Down from 4% on Feb 28
  • Time Iran Has Spent Offline: 1/3 of 2026. Government shutdown + infrastructure damage

Iran-Linked Cyber Attacks Since Feb 28

Dozens of pro-Iran hacktivist groups have launched cyberattacks since the war began on February 28. Targets include critical infrastructure, defense contractors, government vendors, and Israel-linked businesses. Notably, Iran's state-sponsored cyber groups have been less active than expected due to the near-total internet blackout inside Iran. Instead, geographically dispersed proxy groups are operating autonomously from outside Iran.

Verified [NBC News] Stryker Corporation — First Significant US Company Cyberattack

Target: Stryker, a major US medical technology company
Impact: Operations disrupted by Iran-aligned hackers
Significance: Described as the first significant cyberattack on a US company since the war started. This marked an escalation from targeting government and infrastructure systems to disrupting private-sector operations in the healthcare technology supply chain.

Verified [Axios] Israeli Payment Systems Attacked

Target: Israeli payment processing systems
Impact: Payment systems disrupted by Iran-linked hackers, targeting Israel's financial infrastructure as part of the broader cyber campaign accompanying the kinetic conflict.

Verified [PBS] Kuwaiti Government Websites & Airport Services

Targets: Kuwaiti government websites and airport online services
Impact: Government websites shut down; airport online services disrupted. Kuwait, already a target of Iranian ballistic missile and drone attacks, faced a parallel cyber campaign against its digital infrastructure.

Broader Cyber Threat Landscape

According to reporting from PBS and Cybersecurity Dive, the range of targets extends beyond the confirmed incidents above to include critical infrastructure, defense contractors, and government vendors across the US and allied nations. The decentralized nature of Iran's proxy hacker network—operating from locations outside Iran where internet access is unaffected—means that the near-total collapse of Iran's own internet has not proportionally reduced the cyber threat.

  • Primary concern areas: Energy infrastructure and government targets (per US intelligence community warnings)
  • Attack pattern: Pro-Iran hacktivist groups conducting opportunistic attacks on vulnerable systems rather than sophisticated state-level intrusions
  • Key difference from expectations: Iran's state-sponsored groups are less active than anticipated; proxies carrying the cyber fight independently

US Intelligence Community Cyber Warnings

Verified [CNN] Warning to Bolster Cyber Defenses

The US intelligence community has warned companies and government agencies to bolster their cyber defenses in response to the conflict with Iran. The warning identifies energy infrastructure and government systems as the primary targets of concern.

This warning reflects the assessed risk that Iran-aligned hackers, even operating through proxies outside of Iran, retain the capability and intent to conduct retaliatory cyberattacks against US interests. The Stryker incident demonstrates this concern is well-founded.

Analyst Assessment [Cybersecurity Dive] Risk to US Entities

Cybersecurity analysts assess that US entities face elevated cyber risk during the conflict. The combination of motivated Iran-aligned actors, pre-existing vulnerabilities in critical infrastructure, and the heightened geopolitical tensions creates conditions for increased attack frequency and potentially more damaging incidents.

The CSIS analysis notes that the shape of cyber warfare in the US-Israel conflict with Iran remains an evolving question, with the proxy-driven model representing a departure from previous assumptions about how Iran would wage cyber war during a major conflict.

Iran Internet Blackout

Verified [The Register] Near-Total Internet Shutdown

Iran's internet connectivity has collapsed since the start of the conflict, creating a paradoxical situation where the country waging a cyber proxy war has itself been cut off from the global internet.

Date | Connectivity Level | Source
Feb 28 (Day 1) | ~4% of normal | NetBlocks / The Register
Mar 6 (Day 7) | ~1% of normal | Iran International / DEFFI
Cumulative 2026 | One-third of 2026 offline | DEFFI

Verified [HRW] Causes and Consequences

The internet blackout results from a combination of two factors:

  • Deliberate government shutdown: The Iranian government has a history of cutting internet access during crises (notably during 2019 and 2022 protests). The current shutdown follows this pattern, likely to control information flow and prevent domestic unrest.
  • Infrastructure damage: US and Israeli strikes on Iranian infrastructure have physically damaged telecommunications systems, compounding the deliberate shutdown.

Human Rights Watch has condemned the shutdown as a violation of rights that escalates risks to civilians, noting that the blackout prevents Iranians from accessing emergency information, contacting family members, and documenting the conflict.

Strategic Implications of Iran's Internet Blackout

The near-total internet blackout creates several important dynamics for the cyber dimension of the conflict:

  • State-sponsored groups degraded: Iran's own state-sponsored cyber units (which normally operate from within Iran) are severely hampered by the lack of connectivity, reducing the sophistication of attacks that can be launched
  • Proxy autonomy increased: Iran-aligned hacktivist groups operating from outside Iran (Iraq, Lebanon, other countries) continue to function independently, but without centralized coordination from Tehran
  • Information vacuum: The blackout creates an intelligence gap for Iranian leadership, complicating their ability to assess damage, coordinate military operations, and communicate with their own population
  • Civilian harm: 90+ million Iranians are largely cut off from the global internet, affecting humanitarian communication, access to information, and documentation of the conflict

Cyber Warfare Strategic Context

Analyst Assessment [CSIS] How Cyber Warfare Is Shaping the Conflict

CSIS analysis examines how cyber warfare is shaping the broader US-Israel conflict with Iran. Key observations:

  • The cyber dimension of this conflict is characterized by asymmetry: the US has vastly superior offensive and defensive cyber capabilities, but Iran's proxy network creates a distributed threat that is difficult to fully neutralize
  • Iran's pre-conflict investments in hacktivist proxy groups are now paying dividends, as these groups can operate even while Iran's own infrastructure is devastated
  • The conflict highlights the vulnerability of private-sector targets (like Stryker) that may not have military-grade cyber defenses
  • Energy infrastructure remains the highest-concern target sector given its strategic significance and the existing disruption to global energy markets from the Strait of Hormuz blockade

Analyst Assessment [Iran International] Proxy Cyber Operations Model

The conflict has revealed a distinctive model of cyber warfare where a nation under near-total internet blackout continues to wage an effective cyber campaign through external proxies. This has implications for how future conflicts may unfold in the cyber domain:

  • Decentralized by necessity: With Iran at ~1% internet connectivity, centralized command-and-control of cyber operations is effectively impossible. Proxy groups are operating on pre-established directives and autonomous decision-making.
  • Geographic distribution: Hacktivist groups operating from multiple countries outside Iran are harder to disrupt than centralized state-sponsored operations would be.
  • Reduced sophistication, maintained volume: The loss of state-sponsored group coordination likely reduces the sophistication of individual attacks, but the sheer number of active hacktivist groups maintains a high volume of lower-complexity incidents.

Key Analytical Judgments

  • Iran's proxy cyber network remains active despite the near-total internet blackout inside Iran. Dozens of hacktivist groups continue to operate from outside Iran, targeting US, Israeli, and Gulf state systems. (High Confidence)
  • The Stryker attack marks a significant escalation as the first major cyberattack on a US company during the war, demonstrating that private-sector targets are within reach of Iran-aligned hackers. (High Confidence)
  • Energy infrastructure and government systems are the primary targets of concern according to US intelligence community warnings. Further attacks on these sectors should be expected. (High Confidence)
  • Iran's state-sponsored groups are degraded by the internet blackout (4% connectivity on Feb 28, ~1% by Mar 6), shifting the cyber fight to less sophisticated but more numerous proxy groups. (High Confidence)
  • The internet blackout harms Iranian civilians while paradoxically having limited impact on Iran's external cyber proxy operations, creating a humanitarian cost without proportional military benefit. (Moderate Confidence)
  • Coordination between proxy groups is likely reduced without centralized Iranian state direction, potentially leading to less strategic targeting but unpredictable attack patterns. (Moderate Confidence)

Key Indicators to Monitor

  • Additional cyberattacks on US private-sector companies, particularly in healthcare, energy, and defense supply chains
  • Escalation from disruptive attacks to destructive attacks targeting physical infrastructure
  • Changes in Iranian internet connectivity that could re-enable state-sponsored group operations
  • Attacks on energy infrastructure given its identification as a primary concern by US intelligence
  • Expansion of hacktivist targeting to additional Gulf state critical infrastructure beyond Kuwait
  • Evidence of coordination between separate proxy hacktivist groups suggesting centralized direction has resumed
  • Cyber incidents affecting US or allied military command-and-control systems
  • Retaliatory cyberattacks timed to coincide with specific military escalations