On the morning of 28 February 2026, the US and Israel began joint military strikes on Iran. The conflict is expected to have widespread security, political and economic ramifications beyond the combatant countries, including on the cyber threat landscape. To support organisations pursuing cyber resilience and preparedness, this blog examines the conflict’s cyber dimension and the implications for the cyber threat landscape going forward.
The strikes follow the failure of nuclear talks between the US and Iran held on 26 February. According to US President Donald Trump, the goals of the campaign include ensuring that Iran is unable to develop a nuclear programme and instigating regime change. The strikes are a significant expansion in hostilities in comparison to the June 2025 strikes by the US and Israel, which were largely constrained to nuclear facilities. Over 2,000 targets have been hit, including in several civilian areas.
Iranian media has confirmed that Iran’s Supreme Leader, Ayatollah Ali Khamenei, was killed in the attacks. Tasnim has also confirmed the deaths of Chief of Staff of the Armed Forces Abdulrahim Mousavi, Commander of the Islamic Revolutionary Guard Corps (IRGC) Mohammad Pakpour, Secretary of Iran’s Defence Council Ali Shamkhani, and Iranian Defence Minister Aziz Nasirzadeh.
In retaliation, Iran has conducted strikes throughout the region, predominantly targeting Israel and countries hosting US military bases, including Kuwait, the UAE, Bahrain, Jordan, Qatar, Oman and Saudi Arabia. Meanwhile, Israel has conducted strikes on Lebanon after Hezbollah launched missiles at Israel in support of Iran. As a result, the region is experiencing widespread air travel disruptions due to airspace closures, while Iran has threatened to close shipping through the Strait of Hormuz, an essential crude oil shipping chokepoint.
Cyber capabilities are playing a supporting role in the conflict. Since 28 February, Iranian internet connectivity has fallen to less than 4% of ordinary levels, a near-total internet blackout, which Israeli media has attributed in part to Israeli cyberattacks. The Iranian state has also likely curtailed internet access itself to limit information flow and dissent. Several Iranian apps and news websites have also been rendered inaccessible or defaced with anti-regime messaging beginning Saturday morning. According to media reports, US activity has included information operations targeting senior Iranian officials to encourage regime change, as well as coordinated cyber operations to disrupt communications.
It is highly likely that the US and Israel are applying offensive cyber lessons learned from the US’s capture of Venezuelan President Nicolás Maduro, as well as disruptive cyber capabilities similarly deployed during the June 2025 strikes on Iran. The US is increasingly prioritising the development of offensive cyber capabilities, which can be deployed to cause internet outages, energy blackouts, and communication disruptions to support kinetic or information operations.
Iranian cyber activity has, in comparison, been limited. Internet and communication blackouts, the threat of physical harm from kinetic strikes, and disruptions to the chain of command are all likely hindering an Iranian cyber response. Broader strategic cyber goals, previously analysed by SecAlliance, are likely to remain consistent barring significant changes to regime institutions. Nevertheless, Iranian cyber capacity will be impacted by ongoing strikes, supporting the following assessments:
In sum, although Iranian cyber capabilities will be hindered in the immediate term, the intent to attack US, Israeli or allied entities is expected to be heightened, while the intent to target less critical political or private sector targets is expected to diminish.
The reignition of conflict in the Middle East will have implications for the cyber threat landscape beyond its borders. Defenders are expected to face business continuity and resiliency challenges due to economic and supply chain shocks. Attackers, including cybercriminals and state-backed actors, such as those linked to Russia or China, are likely to exploit heightened anxieties and interest in the conflict in spearphishing lures to deliver malware or steal credentials. As offensive cyber capabilities play an increasingly prominent role in global conflicts, states are likely to continue to prioritise investment in and development of offensive cyber programmes.
In the medium to long term, these events will also have profound impacts on state behaviour and the international order. In the event of losing a significant ally in Iran, Russia will be further isolated from the international community and may become more volatile in its behaviour. China may interpret US actions as setting a precedent for forcible regime change in Taiwan. Other states that have faced political pressure from the US, including Cuba, will have to reevaluate security considerations and the likelihood of US intervention in their affairs. In Iran, without a strong and organised opposition, regime change threatens to become a protracted, violent conflict that will spill over its borders.
This is a developing situation. SecAlliance will continue to monitor and analyse events as they unfold to support the security and preparedness of our clients.
SecAlliance provides detailed and timely analysis to clients via our dedicated ThreatMatch platform, including our monthly Geopolitical analysis and bi-annual PESTLE-M Horizon Scanning assessments. For more information, please contact info@secalliance.com.