How Will Cyber Warfare Shape the U.S.-Israel Conflict with Iran

Critical Questions by Kuhu Badgi and Lauryn Williams

Published March 3, 2026

In the early hours of February 28, the United States, alongside Israel, launched a large-scale strike on Iran, aimed at weakening the regime's military and strategic capabilities. The operation was not purely kinetic; cyber operations are reported to have accompanied the strikes.

Iran lacks symmetric conventional response options against the United States and Israel. Instead, the Iranian regime has historically relied on cyber operations and a dispersed array of proxy actors as its instruments of response. The February 28 strikes are more likely to mark the beginning of a new phase of cyber escalation than its conclusion. Cyberspace is a key domain where the Iranian regime's response will unfold.

Q1: What do we know so far about the use of cyber during the coordinated U.S.-Israeli airstrikes on Iran?

A1: The U.S. and Israeli strikes on Iran, termed Operation Epic Fury, carried several significant cyber implications. Alongside the joint kinetic attacks on Iranian targets, an additional attack compromised BadeSaba, a widely used religious calendar application with over 5 million downloads, used by Iranians to track prayer times. The cyber breach enabled the delivery of targeted messages directly to users, including one warning that the Iranian regime would "pay for their cruel and merciless actions against the innocent people of Iran." It went on to address the religious app's users, many of whom are perceived to be regime supporters, by stating: "Anyone who joins in defending and protecting the Iranian nation will be granted amnesty and forgiveness." While some sources have attributed the attack to Israel, there has been no official confirmation of its involvement. From these messages, it can be presumed that the app was compromised to display anti-government messaging.

In addition to the BadeSaba hack, several official Iranian news websites were compromised. There have also been reports of attacks on several Iranian government services and military targets to limit a coordinated Iranian response.

The operation was accompanied by Iranian government-imposed restrictions on digital connectivity. Reporting indicates that Iran is undergoing a near-total internet blackout, with nationwide connectivity running at just 4 percent of normal levels. Some reporting suggests that a portion of the blackout could be due to damage caused by the strikes, specifically to fiber optic cable. And, the Chairman of the Joint Chiefs of Staff has since stated coordinated cyber and space effects "effectively disrupted [Iranian] communications and sensor networks." However, this shutdown largely appears to be an escalation of the Iranian regime's imposed outage in January of this year, during the domestic protests within the country. The resulting lack of authentic Iranian voices online risks fueling a surge in misinformation as the information vacuum is filled.

Q2: What strategic role did cyber play in the attack on Iran, and how has the Trump administration approached offensive cyber operations?

A2: Joint military operations leveraging cyber effects are not new. However, governments are increasingly preparing the battlefield for major military operations in the air or on the ground with offensive cyber operations targeting civilian and military infrastructure. Linked to Israel-a highly sophisticated cyber actor-the BadeSaba prayer app hack demonstrates the country's integration of cyber and influence operations to inflame anti-regime sentiment, all timed to sow confusion at the start of the air campaign. Reported cyberattacks on Iranian state-run sites like news agency IRNA-which saw anti-regime messages posted across its front page-also demonstrated the coordinated nature of cyber intrusions as the United States and Israel launched airstrikes across the country targeting nuclear and other strategic government sites.

The nationwide internet outage since February 28 is impacting the cyber environment in Iran. The Iranian regime has commonly utilized internet blackouts to control information flow during times of national crisis. The current blackout could function as a defensive cyber tool for the regime to reduce the effectiveness of additional cyber intrusions and information operations from outside the country. At the same time, connectivity loss complicates attribution of future cyber incidents, obscuring whether disruptions originate from state-imposed controls or external cyberattacks.

The Trump administration has (as of publication) not released its anticipated National Cybersecurity Strategy, which is expected to articulate a more muscular approach to offensive cyber operations than previous U.S. administrations. Regardless, recent military operations in Venezuela and now Iran provide strong clues into the White House's approach. Immediately following January's Operation Absolute Resolve, President Donald Trump made the unprecedented decision to claim credit for a blackout in Caracas, while the chairman of the Joint Chiefs of Staff stated that cyber and space enhanced the ground invasion. The administration's willingness to publicly discuss offensive cyber operations and capabilities (Trump famously stated that Caracas lost power "due to a certain expertise that we have") was uncharted territory for the United States. Again, just days after the Iran strikes, the Chairman spoke publicly about U.S. Cyber Command and U.S. Space Command's roles, hampering the regime's ability to respond. Senior U.S. leaders' public statements immediately following both conflicts provide a strong indication that the administration will continue to leverage and publicly message unique cyber capabilities.

Q3: Will Iran retaliate, and how capable is Iran's offensive cyber program?

A3: There is significant evidence that Iran will retaliate in cyberspace. The most recent escalation triggered what has been called the most aggressive use of Iran's state-directed "Great Epic" cyber campaign, as part of the broader Cyber Islamic Resistance ideological framework. Iran's capacity to execute this campaign is well-documented, given its demonstrably sophisticated cyber capabilities: wiper attacks, distributed denial-of-service attacks against major U.S. banks, election interference campaigns, and the more recent exploitation of industrial control systems. Taken together, these operations reflect a maturing offensive cyber program capable of targeting both civilian infrastructure and critical national systems.

Iranian-linked cyber actors and affiliated proxies have already demonstrated a broad operational scope. Operations attributed to these groups have included the significant disruption of fuel distribution systems in Jordan. More broadly, Iranian-backed forces' use of kinetic capabilities against regional targets, such as the missile and drone attacks on Dubai, Abu Dhabi, and Doha, underscores the regime's willingness to expand military operations beyond its borders to target perceived allies of the United States or Israel. In this context, if the regime is willing to conduct kinetic strikes against Gulf partners, cyber operations against U.S. and Israeli infrastructure represent a comparatively lower cost, lower-risk extension of these attacks.

That pattern is already visible in other domains. Additional electronic warfare activity has emerged, with GPS and automatic identification systems disrupting more than 1,100 ships across the Gulf region. While not yet attributed, the interference, spanning Iranian, United Arab Emirates, Qatari, and Omani waters, is consistent with the broader pattern of cyber and electronic operations accompanying the conflict.

There is also a clear precedent of Iranian-backed cyber operations accompanying escalating regional tension. According to a Radware report, there was a 700 percent increase in cyberattacks targeting Israel following its military strikes in Iran in 2025. Iran's longstanding reliance on a network of deputized hacktivist proxies, designed to provide the regime with plausible deniability, introduces a secondary escalation risk. Because Iran is currently experiencing a near-total internet blackout, state-sponsored groups will likely be less active than their geographically dispersed proxies who operate autonomously from outside Iran. When state-aligned activity blends with globally distributed hacktivism, attacks can proliferate without clear coordination, complicating attribution and increasing the likelihood that cyber disruption will outpace the scope of military operations themselves.

For the United States, this raises a credible cyber threat to critical infrastructure, particularly sectors that Iran has historically targeted for disruption. Financial services, water utilities, and transportation infrastructure, many of which rely on outdated control systems, remain attractive targets for Iranian actors as kinetic conflict intensifies. Even temporary disruptions to these systems could carry outsized operational and political effects, aligning with Iran's established doctrine.

Q4: What do operations in Iran and Venezuela tell us about the future of cyber warfare?

A4: Together, cyber operations surrounding the Iran and Venezuela operations demonstrate that cyber is a distinct domain of conflict and is playing a more central role in shaping modern battlefield dynamics.

In Iran, cyber operations-both those targeting the country and those being launched from it-show in real time that cyberspace is no longer solely an enabler in conflict. The alleged Israeli BadeSaba hack-timed to coincide with airstrikes-blurred lines between cyber, information, and even electronic warfare, highlighting that nations' attempts to distinguish between these domains are increasingly obsolete. At the same time, even in a weakened state, the regime's efforts to limit internet connectivity functioned to control citizens' access to information and reduce its own vulnerability to cyberattacks.

In the aftermath of Venezuela, the Trump administration's comments changed public discourse about offensive cyber strategy seemingly overnight. The president's statements claiming credit for cyber effects in Caracas, the chairman of the Joint Chiefs of Staff's public remarks following both operations, coupled with a senior White House official's previous statement in a public address that "we are unapologetically unafraid to do offensive cyber," demonstrate an eagerness to discuss offensive cyber (and space) capabilities previously considered highly sensitive and closely held by U.S. officials.

Both conflicts will have lasting implications for the future of cyber warfare. First, events in the Middle East, and previously Venezuela, place in stark relief the reality that cyber is now a distinct domain of conflict available to the most and least resourced actors alike. It will continue to be leveraged within and alongside operations in other domains. Additionally, the United States is likely to continue public messaging around cyber operations as it deems useful.

Finally, as Trump administration voices trumpet offensive cyber, some experts warn that overemphasis on offensive operations leaves the United States more vulnerable if equal investment is not made in defending critical infrastructure that will be targeted by adversary cyber operations. There is already precedent for Iranian attacks on privately or locally-operated U.S. infrastructure. In 2023, Iranian Revolutionary Guard Corps officials were sanctioned for directing cyber operations against vulnerable water systems across the United States. Already, since the February 28 strikes, cyber advisories have urged operators to immediately implement common-sense cyber defenses. With U.S. kinetic operations possibly to continue for "four to five weeks," enhancing resilience to cyber threats is immediately urgent.

Kuhu Badgi is the program coordinator and research assistant for the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Lauryn Williams is the deputy director and senior fellow in the Strategic Technologies Program at CSIS.

Programs & Projects

Critical Questions by Mona Yacoubian - March 1, 2026

Blog Post by Jiwon Lim - January 14, 2026