Military strikes by the United States and Israel against Iranian targets on February 28, 2026 were followed within hours by a sharp escalation in cyber activity across the Middle East. Reporting describes widespread DDoS attacks, website compromises, defacements, and breach claims, with more than 150 hacktivist incidents reportedly claimed in the first two days of the crisis. Iranian connectivity was heavily disrupted, including outages affecting IRNA, while Tasnim News was reportedly compromised and displayed anti-regime messaging. The most affected sectors were identified as government, aerospace and defense, and technology, and regional states including Israel, Kuwait, Jordan, Bahrain, Qatar, and the UAE saw elevated cyber pressure.
The surge also expanded beyond immediate regional targets, with security reporting warning that the conflict was driving attacks against global commercial sectors such as travel, hospitality, and energy. One cited example was a March 11 claim by Handala, a hacktivist group alleged to have ties to Iranian intelligence, that it had conducted a large-scale data-wiping attack against medical technology company Stryker, allegedly destroying several terabytes of data. Additional reporting noted unconfirmed concerns that Iranian-linked actors could target the physical and digital infrastructure of major U.S. technology firms. The activity reflects a broader pattern of geopolitically motivated cyber operations acting as a force multiplier alongside kinetic conflict, rather than a standalone marketing or advisory narrative.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
10 events from the most recent confirmed update back to the earliest known activity.
By April 17, 2026, SOCRadar reported 1,357 verified cyber incidents in the first month of the Iran war across more than 25 countries, 15 sectors, and over 40 threat groups. The firm assessed that the campaign had moved beyond overt disruption into a quieter phase marked by reconnaissance, pre-positioned access, and latent destructive risk if the ceasefire breaks down.
By March 25, 2026, ZenoX reported underground sales of allegedly stolen Iranian banking, civil, health, exchange, and business datasets linked to the conflict. The company said reviewed sample data appeared likely authentic, indicating monetization of compromised Iranian information beyond disruptive attacks.
On March 12, 2026, reporting described disruption at Stryker as a key second-week development in the conflict. The incident was framed as retaliation by Handala and as evidence of escalation toward more destructive operations.
On March 11, 2026, the hacktivist group Handala claimed it had carried out a destructive data-wiping attack against Stryker. The claim said several terabytes of critical data were destroyed, and later reporting characterized the incident as a shift toward wiper-style attacks on a global enterprise.
By early March, reporting highlighted additional opportunistic activity tied to the conflict, including vishing scams in the UAE, ransomware extortion against an Israeli industrial machinery company, and intimidation campaigns by Handala Hack against Iranian-American and Iranian-Canadian influencers. This showed the conflict drawing in cybercriminal and proxy actors beyond traditional state-linked operations.
Unit 42 identified an active phishing campaign using a malicious replica of Israel's Home Front Command RedAlert Android application. The app was designed to deliver mobile surveillance and data-exfiltration malware to targets.
Severe internet disruption inside Iran reduced national connectivity to roughly 1-4%, according to Unit 42. The disruption was assessed as likely constraining the ability of Iran-based state-aligned actors to coordinate sophisticated cyber operations in the near term.
Within the first 48 hours of the conflict, more than 150 cyber incidents were reportedly claimed by participating groups. The activity reflected a rapid surge in disruptive operations against government, finance, telecom, aviation, and critical infrastructure targets.
Following the February 28 strikes, Iran-aligned actors and hacktivist/proxy groups began a multi-vector retaliatory cyber campaign. Reports describe DDoS attacks, hack-and-leak activity, destructive operations, and intrusions affecting targets in Israel and other regional states.
On February 28, 2026, the United States and Israel began joint military operations against Iran. Multiple sources describe this as the trigger for a broader cyber escalation tied to the conflict.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
9 references tracked. Mallory keeps watching after this page renders.
darkreading.com
Open sourceunit42.paloaltonetworks.com
Open sourcesocradar.io
Open sourcecloudsek.com
Open sourcezenox.ai
Open sourcethecyberthrone.in
Open sourceakamai.com
Open sourcethehackernews.com
Open sourcesilobreaker.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.