Demystifying Iranian Cyber Operations in the U.S.-Iran Conflict

Commentary by Nikita Shah

Published March 20, 2026

Iran is a highly capable actor in cyberspace. Known for having conducted cyberattacks against its regional rivals and global foes-particularly the United States and Israel-the Iranian state is adept at exploiting cyber capabilities in furtherance of its political goals, whether cyber espionage, destructive attacks, or influence campaigns. This is clear in the current moment, where the Iranian state-affiliated actor known as "Handala Hack" targeted the supplier of critical medical equipment to the United Kingdom's National Health Service and U.S. medical technology firm Stryker, wiping data from systems and disrupting medical supply chains.

However, it is important to put the role and value of Iranian cyber operations into perspective: They are unlikely to impact or change the course of this war. As this author has written elsewhere, cyber capabilities tend to offer an incremental, not revolutionary edge in conflict. So, although these two targets may appear surprising, they in fact reflect a broader dynamic at play: Iran places a premium on the symbolic value of cyber operations and is therefore unafraid about who becomes collateral damage in the wider conflict with the United States and Israel. As the Twelve-Day War between Israel and Iran in June 2025 showed, the key battlefield will be the information domain, to project power over and attrit domestic and global audiences, rather than a decisive military edge.

Iran as a Capable Foe in Cyberspace

To understand Iran's use of cyber operations in this conflict, it is vital to situate such operations within Iran's broader objectives. Domestically, cyber capabilities serve Tehran's objective of social control and regime preservation. Overseas, Iran regards cyber capabilities as one lever of sabotage amidst others in its hybrid threats campaign-the use of cyber, information operations, sabotage, physical or kinetic attacks, and economic threats-to destabilize its adversaries. These goals are served by a thriving cyber ecosystem, comprising a complex mix of state actors, proxy actors, commercial capabilities, and private sector companies, which Iran has mobilized to varying effect over the last 15 years. As a sophisticated espionage actor, Iran has penetrated U.S. and regional targets, including U.S. critical infrastructure, spying on U.S. elections, and gaining access to supply chains. It is also a capable disruptor, having destroyed the critical infrastructure of Saudi Arabia's oil company Aramco and the Albanian government in 2022 as retaliation for hosting Iranian dissidents. As an economic actor, Iran uses and exports surveillance technologies that it uses to control its own population. And as a political operator, Iran harnesses its network of proxies (including hacktivists and cyber criminals) to wage influence operations, using them for plausible deniability and power projection.

So far in this conflict, cyber operations by Iranian actors have included:

• Shutting Down Iran's Domestic Internet: Though the origins were unclear, this reduced Iran's internet connectivity to 1 percent of ordinary traffic, diminishing visibility and communication.
• Destructive Attacks: Destructive attacks include hacktivism (low-sophistication attacks by politically-motivated actors), against a broad range of countries by pro-Iranian non-state actors, including website defacements and distributed denial-of-service (DDoS) attacks. They also include disruption by state-linked or proxy actors, including the attack on Stryker that wiped its systems (claimed by the Iranian Ministry of Intelligence and Security, MOIS).
• Reconnaissance: Evidence has already emerged of MOIS actors embedded in U.S. and Israeli companies' networks, and using security cameras to support kinetic operations.
  

Three Reasons Why Cyber Capabilities Offer a Modest Edge for Iran

Cyber capabilities are often a contradictory feature of conflict, as the volume of cyber activity in a conflict does not equate to impact. If anything, Iran has demonstrated less cyber activity than might be expected-this can be understood in three ways:

1. Iran's Cyber Capabilities Are Likely Degraded

A critical question for understanding Iran's use of cyber capabilities is: Did Iran plan for this scenario from a cyber perspective? If it has, Iran may be waiting for the right moment to pluck a high-grade cyber capability off its shelf and deploy it against key targets. However, it is more likely that Iran will be hampered by a set of constraints-similar to what Russia faced early on in Ukraine-that might explain why offensive cyber activity by the Iranian state has been relatively quiet at the time of writing (may be for some time).

First, much of the physical and digital infrastructure that Iran depends upon to conduct these attacks may have already been destroyed by air strikes, incapacitated by Iran's internet blackout, or even disabled by U.S. or Israeli offensive cyber operations;

Second, Iran may have suffered a loss of cyber leadership, owing to the purported Israeli bombing of Iran's cyber warfare headquarters in Tehran, though the impact of this is unclear. However, this may be mitigated by the decentralization of Iranian command and control, which provides greater autonomy and decision-making to its operators.

Third, Iran has finite cyber resources that will be stretched. Given how many adversaries Iran has in the region, it faces the challenge of maintaining existing global cyber operations so that it doesn't lose visibility or intelligence (such as this hacking of Albania's parliament or Polish nuclear research facilities), whilst trying to establish footholds into new targets. This, combined with Iran's exploitation of existing technical vulnerabilities (as opposed to new vulnerabilities), suggests opportunistic targeting at play.

Fourth, as with Russia in Ukraine, Iran's intelligence and military operators may be forced to shift to using less secure infrastructure, raising operational security risks to its operators.

1. The Battlespace is in the Information Domain

The Twelve-Day War between Israel and Iran in 2025 revealed both states' approaches to using cyber capabilities: Rather than a high tempo of destructive cyberattacks, the key battle was in the information domain, with both countries seeking to project power over one another.

Last year, Iranian cyber actors pivoted from cyber espionage to hybrid hack-and-leak operations. In the current conflict, Iran has made open calls to mobilizehacktivistgroups as a means of projecting its global reach and making its capabilities seem greater than they are. Further, it attempted to establish influence operations with U.S. audiences through social media. Similar to Israel's purported hacking of the BadeSaba app, the intent is to signal a clear ability to reach directly into foreign audiences, fomenting dissent, and seeking to control the narrative.

As in the Twelve-Day War and earlier this year during domestic protests, Iran's internet is mostly shut down. Though it is unclear whether this was done by the Iranian state, the United States, or Israel, the shutdown plays into a key goal of the Iranian regime: to control the information space during a time of extreme vulnerability, by socially isolating its citizens from the world, and preventing the coalescing of effective opposition movements.

1. Cyber Operations Offer Little Value in Isolation

Much has been made-often inaccurately-in mediacoverage of "hacktivist" attacks by Iranian state-linked actors, whether the disruption to the U.S. company, Stryker, or the participation of over 60 cyber actors in this conflict. In many cases, such coverage sensationalizes these attacks. It makes their impact out to be greater than it is, equates attack type with sophistication, confuses Iran's "unpredictability" in cyberspace for opportunistic targeting, and conflates or overplays links between different hacktivist nationalists as collaboration between their states. Though such attacks are undoubtedly disruptive to the victims, whether wiping tens of thousands of devices of data, or delaying the provision of medical supplies, when viewed through a broader lens, they offer little impact beyond short-term disruption. Otherwise put, they generate much "noise" but do little to alter the course of the conflict.

Additionally, regarding state cyber operations, high-grade destructive cyber capabilities take months (if not longer) to prepare. They need to be highly calibrated to their targets, "layered" or integrated with kinetic options, and once used, become exposed to cyber defenders, reducing their long-term value. In other words, when viewed against the operational constraints the Iranian state is experiencing, kinetic capabilities are much quicker and easier to deploy than cyber operations.

What Future Cyber Activity Might Look Like

What will be of greater value to the Iranian regime is using cyber operations as part of a broader campaign to destabilize other countries in this conflict. Future Iranian cyber activity in this conflict might include the following:

• Dialing up information operations, whether sowing confusion at military activity or fomenting division among U.S., Israeli, or other global audiences (including through the use of AI)
• Opportunistic disruption, targeting low-hanging fruit (i.e., companies with weak cyber defenses); targets of strategic but symbolic value (such as hacking a wheat storage facility in Jordan, likely to spoil its strategic wheat reserve); or targets whose recovery process might drain strategic resources away from states
• Cyber espionage to assess strike damage, conduct reconnaissance on high-value targets (e.g., political decisionmakers), exfiltrate data for subsequent hack-and-leak operations, or establish new accesses that could be repurposed later in time
• Further hacktivism, looking to overseas-based actors for low-level disruptive attacks, generating greater "noise" in the information space
• Destructive cyberattacks, weaponizing existing access to victims to wipe networks, including disguising state operations as hacktivism or cyber criminality as a component of broader information warfare

Given Iran's strategic intent to wage economic warfare by disrupting global energy supply (and its track record), the energy and tourism sectors could well become a prime target for cyber operations, as might logistical supply chains relevant to the military effort. Crucially, causing collateral damage to citizens and organizations will be the point; it generates psychological pressure among weary citizens on their leaders to withdraw from an unpopular conflict, playing into a key information warfare objective for the Iranian state.

Conclusion

For the United States and Israel, cyber operations enable military and intelligence activity to degrade Iran's infrastructure. For Iran, cyber capabilities will offer a critical means of projecting power and raising the cost to countries participating in this conflict, as it seeks to survive.

Given the uncertainty characterizing this conflict, this could all change, resulting in a high-impact cyberattack that the Trump administration considers escalatory. What is more likely, though, especially should Iran restore some of its infrastructure and connectivity in the near future, is an uptick in Iranian cyber operations comprising both opportunistic and strategic targeting. The following might be useful indicators of such an uptick: disruption to U.S.- or Israeli-linked companies, or other countries participating in the conflict; hack-and-leak operations (particularly against U.S. or Israeli targets); increased hacktivism (especially website defacements); disruption to the energy and tourism sectors; a rise in detected AI usage by Iranian actors; and the emergence of cyber cooperation with Iran by other states.

In the meantime, it is important to avoid confusing the volume of cyber activity in this conflict with offering a decisive military edge, not least given the constraints that Iran's regime currently faces. Mistaking the "noise" for impact risks, making the Iranian cyber threat appear more credible than it currently is.

Nikita Shah is a senior fellow with the Intelligence, National Security, and Technology program at the Center for Strategic and International Studies in Washington, D.C.

Programs & Projects