Iran vs. The Internet: How the World’s First Full-Scale Cyber-Kinetic War Just Rewrote the Rules

Look, if you thought 2026 was going to be a quiet year for cybersecurity, I have to say — bless your heart. On February 28th, the United States and Israel launched a coordinated military offensive against Iran codenamed Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel), as confirmed by Wikipedia’s detailed breakdown of the 2026 Iran war, targeting IRGC leadership, nuclear infrastructure, and government facilities in what the Institute for Counter-Terrorism described as a pre-emptive war. And with that, the concept of “warfare stays on the battlefield” died a quiet, undignified death.


The Digital Blackout Nobody Was Ready For

Within hours of the first kinetic strikes, Iran’s internet simply… ceased to exist. Connectivity plummeted to between 1 and 4 percent of normal capacity — a near-total nationwide blackout lasting more than 60 hours and affecting over 90 million people, as documented by Palo Alto Networks Unit 42 in their March 2026 threat brief. U.S. Chairman of the Joint Chiefs Gen. Dan Caine stated that “coordinated space and cyber operations effectively disrupted communications and sensor networks” with the explicit goal of leaving adversaries “disrupted, disoriented and confused,” a phrase which — let’s be honest — is just military speak for “we turned off their WiFi and watched the chaos unfold.” Meanwhile, as ZenData Security reported, Israeli forces also hijacked Iranian state broadcast channels and aired recorded speeches by President Trump and PM Netanyahu, essentially turning Iranian state TV into an extremely unwelcome political ad.

The irony — and perhaps the brilliance, depending on your point of view — is that the blackout that was supposed to cripple Iran’s command structure also kneecapped Iran’s own sophisticated state-aligned cyber units. As Unit 42 assessed, the “significant degradation of Iranian leadership” would likely hinder Iran’s ability to coordinate the more advanced stuff in the near term. You cut off your enemy’s internet, congratulations, you’ve also cut off their hacker army. Perhaps not the most well-thought-through second-order effect.


When Cloud Infrastructure Becomes a War Zone

Here’s the part that should make every CTO in the Gulf region reach for their antacids. Iranian Shahed drones struck three Amazon Web Services data centers — two in the UAE and one in Bahrain — knocking them offline and disrupting banking, payments, and delivery services for millions of people, as reported by Tom’s Hardware and confirmed by CNBC. Iran’s IRGC claimed the Bahrain facility was targeted specifically because AWS hosts U.S. military workloads there. AWS, for its part, declined to comment on that claim, which is probably the most expensive “no comment” in the company’s history.

As ABHS detailed in their breakdown of the incident, services including EC2, S3, DynamoDB, and Lambda went dark, with Careem, Snowflake, and Emirates NBD among the casualties. CISA, as it turned out, had warned about elevated physical security risks for U.S.-aligned critical infrastructure in the Gulf in the weeks prior — a warning that apparently sat in someone’s inbox. AWS told customers to back up their data and reroute traffic to alternative regions, which is a polite way of saying “we did not plan for drones.” As CNBC’s tech analysis piece noted, the operational outlook in the Middle East is now officially “unpredictable,” which is perhaps the most expensive one-word business forecast in AWS’s history.

This represents something genuinely new: cloud infrastructure being treated as a legitimate military target. The strategic doctrine shift here — that physical data center attacks are fair game — is the kind of thing that war studies professors will be writing about for the next twenty years. And as I, who cover precisely this kind of systemic infrastructure threat, keep hammering home in my security analysis: management planes are the crown jewels. You compromise the management layer, you get everything it manages. Iran just proved that point — with drones.


60+ Hacktivist Groups and the “Electronic Operations Room” Nobody Invited You To

So about that near-total internet blackout — it didn’t stop everyone. Because many of the hacktivist groups coordinating Iran’s cyber retaliation weren’t in Iran. On February 28th itself, a coordination structure calling itself the “Electronic Operations Room” was established, as Unit 42’s threat brief confirmed, pulling together more than 60 hacktivist groups to synchronize DDoS attacks, data-wiping operations, and website defacements. Over 150 claimed incidents emerged within the first 72 hours.

The most prominent actor, Handala — a group linked to Iran’s Ministry of Intelligence and Security — claimed attacks on an Israeli energy exploration company, Jordan’s fuel systems, and Israeli payment infrastructure, as CyberSecurityNews documented. The Cyber Islamic Resistance umbrella, coordinating groups including RipperSec and Cyb3rDrag0nzz, also claimed to have compromised an Israeli drone defense and detection system. Pro-Russian hacktivist collectives joined the operation too, because apparently this particular conflict was open to all comers. As ProbablyPwned’s analysis noted, the FAD Team (Fatimiyoun Cyber Team) was deploying wiper malware designed for permanent data destruction — and had claimed unauthorized access to SCADA/PLC systems in Israel and neighboring countries, which, if verified, is an escalation that’s genuinely difficult to overstate.

Analysts at AttackIQ warned that this hacktivist wave was probably just the opening act. As connectivity in Iran was restored, the expectation was — and remains — that more destructive operations would follow, from groups affiliated with both the IRGC and the Ministry of Intelligence, including the revived Altoufan Team.


The AI-Generated Propaganda Olympics

Both sides have, apparently, decided that psychological warfare is now a core deliverable. Israel’s National Cyber Directorate released an AI-generated counter-psyop video mocking Iranian hackers — depicting fictional Iranian military officials frustrated that their phishing attempts were being cheerfully ignored by savvy Israeli citizens, as the Jerusalem Post reported. The agency logged over 1,300 reports of Iranian psychological warfare attempts since the war began, with 77 percent involving phishing attacks designed to steal personal information. Iran, for its part, leveraged Telegram to recruit Israeli citizens to start fires, create anti-government graffiti, and generally be chaotic on behalf of a foreign government — which, if we’re being honest, is a business model that sounds like it was invented by a very unhinged marketing consultant.

As NPR’s March 10 analysis of cyber AI warfare documented, both sides are pumping out AI-generated synthetic media at machine speed, flooding X, YouTube, TikTok, and Telegram with fabricated images of downed Israeli F-35s and false claims of captured pilots. Security studies professor James J.F. Forest characterized this as “a new era of influence warfare” — noting the unmatched scale that generative AI now makes possible. The Israeli government also allegedly used AI to map Tehran traffic patterns and security routines in the lead-up to strikes on Supreme Leader Khamenei, per reporting cited by CloudSEK’s comprehensive situation report. It’s perhaps worth sitting with that for a moment: AI-generated disinformation on one hand, AI-assisted targeting decisions on the other. Different vibes.


AI Escalation: The Part That Should Actually Keep You Up at Night

Here’s where I think the conversation gets genuinely uncomfortable. Fortune and Forrester Research analysts have flagged that AI may already be turbocharging Iran’s offensive cyber capabilities beyond familiar attack patterns. As Forrester principal analyst Allie Mellen — author of the upcoming Code War — told Fortune, Iran has spent years targeting U.S. critical infrastructure through DDoS attacks, influence campaigns, and system-wiping operations, and “would presumably use their latest weapons.” She also noted that Iranian hackers have already used Google’s Gemini AI system to improve phishing messages and build hacking tools — which is, uh, quite a use case for a consumer AI product.

Bob Kolasky, senior vice president at Exiger, raised the prospect of China granting Iran greater AI capabilities if Beijing commits more firmly to Iranian military objectives, and warned that “AI-enabled cyberattacks have not really been tested at scale, and whether U.S. critical infrastructure can defend against novel attacks is unknown,” as directly quoted in the same Fortune piece. There are, he noted, “clearly vulnerabilities that can be exploited, and AI will make it easier for Iran to identify those.” The Center for Strategic and International Studies, as cited in their cybersecurity analysis, concluded that the February 28 strikes are “more likely to mark the beginning of a new phase of cyber escalation than its conclusion.”

Which brings us, rather grimly, to the thing worth internalizing here. This conflict isn’t just a geopolitical event to follow on the news. It’s a live stress test of whether the digital infrastructure underpinning modern life — cloud services, payment systems, energy grids, surveillance networks — can withstand coordinated, AI-accelerated, hybrid physical-and-cyber assault. The answer, based on the last two weeks, appears to be: “sort of, for now, under conditions that are now demonstrably unstable.” As noted in my coverage of the LexisNexis breach and the FBI wiretap system hack — both breaking in the same week — the structural vulnerabilities in our digital infrastructure don’t wait for geopolitical conflicts to declare a ceasefire. They just… sit there, waiting for whoever decides to walk through the door next.

Whether that door is opened by a drone, a phishing email, or an AI that got a little too good at finding unpatched data centers — the war for digital infrastructure is, apparently, well and truly underway.

