You know what? I was just sitting down with my third coffee of the morning, still processing the geopolitical shitshow from last weekend, when my feed lit up like a Christmas tree on fire. Iran’s internet is at one percent of normal traffic. One. Fucking. Percent. According to NetBlocks — who are about as reliable as it gets for this kind of real-time monitoring — connectivity dropped to 4% on Saturday, February 28, and as of early Monday morning, March 2, it’s sitting at 1%. That’s not a “disruption.” That’s a digital execution.
This is the largest coordinated cyberattack in recorded history, and we’re all just… watching it happen on our phones between checking the football scores. Let that sink in.
What Actually Happened
Per reporting from The Jerusalem Post, SecurityWeek, and multiple open-source intelligence feeds, the US and Israel launched a massive coordinated strike — both kinetic and cyber — against Iran starting Saturday, February 28. The cyber component, dubbed Operation Rising Lion (or “Roar of the Lion” depending on which outlet you’re reading), hit simultaneously with the first waves of airstrikes against IRGC command infrastructure.
The attack reportedly combined several vectors at once — and this is the part that should make every critical infrastructure operator’s blood run cold. According to WIRED and reporting from Times of India, within minutes of the first explosions, Iranians started receiving push notifications from a prayer timing app called BadeSaba Calendar. That’s not coincidence. That’s pre-positioned access. Someone had been sitting inside that app’s infrastructure — or its notification pipeline — waiting.
The assault hit the IRGC’s communications infrastructure to prevent coordination of counterattacks. State propaganda outlets went dark: IRNA, the official news agency, was offline for extended periods, and Tasnim News, linked to the IRGC, was hacked and reportedly displayed subversive messages targeting Supreme Leader Khamenei. Iran’s own “national internet” — the isolated intranet they built precisely to survive this scenario — apparently also collapsed under the strain, per RFERL reporting. When even your backup plan fails, you’ve had a genuinely bad day.
DDoS attacks, deep intrusions into energy sector data systems, aviation infrastructure targeting, electronic warfare disrupting navigation — all running simultaneously. Per The Jerusalem Post, Western intelligence sources described the comms damage as designed specifically to prevent Iranian cyber and electronic units from coordinating retaliatory drone and ballistic missile launches.
Why Every CISO Should Be Reading This Right Now
Here’s where I stop laughing and start swearing at you, because this directly affects your organisation.
CISA — which doesn’t exactly cry wolf — issued emergency advisory AA26-059A and elevated to Shield Red, the highest tier in its alerting framework. It’s the first time they’ve ever done that since the system was created in 2023. The advisory names water treatment facilities, electrical grid operators, natural gas pipelines, healthcare networks, and financial institutions as the highest-priority targets. CISA also deployed Protective Security Advisors to all 50 states and activated the Joint Cyber Defense Collaborative.
Iran has been building its offensive cyber capability for over a decade. CyberAv3ngers — the IRGC-linked group — already compromised a Pennsylvania water authority’s PLC in November 2023. Unitronics Vision Series controllers. Internet-facing. Running factory-default passwords. Hundreds of US water systems using the exact same kit. They already had access to chunks of US critical infrastructure. They’ve been pre-positioning for years.
APT33 has documented access to operational technology networks in the energy sector. Volt Typhoon (Chinese, but the principle is identical) spent years living quietly inside US infrastructure for exactly this kind of moment. The question isn’t whether Iran has pre-positioned access to US critical infrastructure. It’s how much of it, and whether those access paths are still live.
If you’re running OT/ICS environments, industrial control systems, or anything touching physical infrastructure — and you haven’t already gone through that CISA advisory with a fine-tooth comb — what the hell are you doing?
The Supply Chain Angle Nobody’s Talking About
The prayer app story deserves more attention than it’s getting. BadeSaba Calendar is consumer software. Not military infrastructure. Hackers pre-positioned in a consumer app’s notification pipeline to push messages to Iranian civilians during a wartime communications blackout.
That is a supply chain attack used as a psychological operation tool. In wartime. In real time.
Think about what that means for your environment. I’ve written about the North Korea APT37 air-gap-jumping techniques and how state actors think about indirect access paths. The lesson is identical: nation-states don’t always come in through the front door. They come in through the app your employees use to check prayer times, or the update mechanism for a piece of software nobody’s reviewed in three years. My post on Notepad update traffic hijacked by Chinese state hackers covers exactly this pattern — six months of poisoned updates, zero detection.
What Went Wrong — Root Cause For The Rest Of Us
Iran’s national internet strategy — the “halal internet” isolationist approach — failed catastrophically under real adversarial pressure. Years of investment in an isolated intranet, and it collapsed anyway. Why? Because isolated networks still have administrators who connect to things. Still have vendors. Still have update mechanisms. The attack surface you don’t acknowledge is the one that kills you.
For the rest of us watching this from the cheap seats: the lesson isn’t “build a national intranet.” The lesson is that complex interconnected systems fail in complex interconnected ways, and when a sophisticated state actor decides you’re a target, your perimeter controls are largely decorative.
The second lesson: pre-positioning is real. That prayer app notification wasn’t improvised. That was months of access, maintained quietly, weaponised at exactly the right moment. How long has someone been sitting in your OT network? When did you last do a proper threat hunt? Not a compliance scan. A hunt.
What You Need to Do This Week
I’ve been writing about this threat model for years — my analysis of the quantum threat to national security covers the deeper strategic picture, and my research on submarine cable infrastructure protection maps out how interconnected our critical systems actually are. This moment has been coming.
Concrete things. Now:
If you’re critical infrastructure (water, energy, healthcare, finance):
- Pull that CISA advisory AA26-059A. Read every single technical mitigation. Do not delegate this to an intern.
- Immediately audit any internet-facing OT systems. If you have Unitronics PLCs on a public IP, I have nothing polite to say to you — but go read my older post on why your device’s IP being publicly visible is a catastrophic idea.
- Change default passwords. Yes, I know I shouldn’t have to say that. I’m saying it anyway.
- Enable enhanced monitoring on all critical system logs. Not eventually. Today.
- Isolate internet-exposed operational technology systems immediately.
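If you want somewhere to start on the audit steps above, here is an added example (mine, not from CISA or any vendor) that runs a constructed OT asset inventory through three of those checks: devices sitting outside the address ranges your OT network is supposed to occupy, devices still on a factory-default password, and PLC programming ports reachable from outside. The address plan, the PCOM port number and the scoring weights are assumptions you would replace with your own.

```python
import csv
import io
import ipaddress

# Constructed sample asset inventory (hostnames, addresses, vendors are illustrative).
SAMPLE_INVENTORY = """\
hostname,ip,vendor,role,default_password,open_ports
plc-booster-1,203.0.113.17,Unitronics,PLC,true,20256;80
plc-booster-2,10.20.30.5,Unitronics,PLC,true,20256
hmi-chlorine,198.51.100.9,Acme,HMI,false,443
historian-1,10.20.31.2,Acme,Historian,false,1433
"""

# Address ranges the OT network is supposed to live in (assumption for the example).
OT_ADDRESS_PLAN = [ipaddress.ip_network("10.20.0.0/16")]
# Unitronics PCOM programming port; assumption, confirm against vendor documentation.
PLC_PROGRAMMING_PORTS = {"20256"}
# Weights are an assumption for this example, not a CISA scoring scheme.
WEIGHT = {"outside_plan": 5, "default_password": 4, "programming_port": 2}


def audit_ot_inventory(csv_text):
    """Return findings as (score, hostname, reasons), worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        addr = ipaddress.ip_address(row["ip"])
        ports = set(row["open_ports"].split(";"))
        reasons, score = [], 0
        outside_plan = not any(addr in net for net in OT_ADDRESS_PLAN)
        if outside_plan:  # not in the internal OT ranges: treat as internet-facing
            score += WEIGHT["outside_plan"]
            reasons.append(f"address {addr} outside OT address plan")
        if row["default_password"].strip().lower() == "true":
            score += WEIGHT["default_password"]
            reasons.append("factory-default password")
        if outside_plan and ports & PLC_PROGRAMMING_PORTS:
            score += WEIGHT["programming_port"]
            reasons.append("PLC programming port reachable from outside")
        if score:
            findings.append((score, row["hostname"], reasons))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


if __name__ == "__main__":
    for score, host, reasons in audit_ot_inventory(SAMPLE_INVENTORY):
        print(f"{score:>2}  {host:<15} {'; '.join(reasons)}")
```

The point of the address-plan check is that it catches devices you did not know were exposed, which is exactly the pre-positioned access problem above; a device on the wrong network with a default password is the top of your remediation list, not a ticket for next quarter.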
If you’re in financial services:
- Review remote access pathways. MFA on everything. No exceptions.
- Activate any enhanced monitoring capabilities you have sitting dormant.
- Brief your incident response team. Make sure everyone knows the playbook.
If you’re in healthcare:
- You’re already on the shit list from every ransomware gang operating. Now add nation-state actors to that. UMMC’s ransomware disaster shut down 35 clinics. Imagine that plus a coordinated nation-state campaign.
For everyone:
- Threat hunt. Assume you may have dormant access that was established before this weekend.
- Engage your threat intel feeds. If you’re relying solely on vendor advisories, you’re too slow.
- Tabletop the “what if Iran hits us during a crisis period” scenario. Right now it’s hypothetical. In 48 hours it might not be.
The Bigger Picture
The geopolitical context here is genuinely unprecedented. Flashpoint, quoted by Fortune, called the next 48 hours a period of “extreme volatility” where hacktivists and Iranian proxies “take the lead in escalation.” These actors coordinate via Telegram and Reddit. They’re not sitting on their hands.
Kathryn Raines, former NSA and now at Flashpoint, noted that screenshots of alleged attacks are already circulating — and it takes weeks to months to verify accuracy. Which means the disinformation and the actual attacks are running simultaneously, and you won’t immediately know what’s real. That’s the operational environment right now.
I’ve written about why a Cyber 9/11 has always been closer than we admit. We may be living through a version of it in slow motion this week. The difference is that this one has a kinetic war attached to it, and Iran’s cyber assets — even degraded — are not trivial. The question isn’t if retaliation attempts will happen. It’s when, from where, and whether your team is ready.
Get your shit together. This week.
