
Israeli Strike on Tehran Compound Disrupts Iranian Cyber Operations

Military attack on IRGC facility coincided with collapse of state-backed hacking infrastructure, marking escalation in integrated cyber-kinetic warfare.

Israeli and U.S. forces struck a Tehran compound housing Iran’s cyber warfare headquarters on February 28, 2026, in an operation that simultaneously disabled government-backed hacking infrastructure and plunged the country into a near-total internet blackout.

The attack on the Islamic Revolutionary Guard Corps facility, which according to The Cyber Express housed the IRGC’s cyber and electronic warfare directorate, coincided with CNBC reporting that Iran’s internet connectivity collapsed to approximately 1-4% of normal levels. Threat intelligence firms monitoring Iranian state-sponsored groups observed an unprecedented operational silence from Advanced Persistent Threat actors previously active against Israeli and Western targets.

The temporal correlation raises critical questions about whether Israeli planners deliberately targeted cyber operations infrastructure or whether the internet collapse resulted from cascading damage to telecommunications systems. According to CNBC, analysts noted that ‘U.S.-Israeli cyber operations deliberately targeted telecommunications infrastructure to disrupt the Islamic Revolutionary Guard Corps’ (IRGC) command-and-control networks during the kinetic strikes.’

Iran Digital Blackout
  • Internet Connectivity: 1-4%
  • Duration: 120+ hours
  • Population Affected: 90 million

Iranian Cyber Apparatus Goes Silent

Multiple cybersecurity firms documented a dramatic reduction in malicious activity originating from Iran following the strikes. Foundation for Defense of Democracies reported that Cloudflare CEO Matthew Prince observed operators were ‘likely sheltering’ during the military strikes, while Bloomberg characterized the silence from Iran’s ‘feared hacking groups’ as evidence of how far the country’s offensive capabilities had ‘withered.’

According to Palo Alto Networks’ Unit 42, the assessment that state-aligned threat actors face significant operational constraints is based on ‘limited internet connectivity in Iran’ and the ‘significant degradation of Iranian leadership and command structures.’ The firm noted that while hacktivist groups based outside Iran remain active, sophisticated cyber operations requiring coordination appear hampered.

Background

Iran operates a mature cyber ecosystem through the IRGC and Ministry of Intelligence (MOIS), with documented groups including APT33, APT35, MuddyWater, and OilRig. These units have historically targeted critical infrastructure, conducted espionage campaigns, and deployed destructive malware against adversaries. During the June 2025 Israel-Iran conflict, researchers recorded over 600 cyberattack claims within 15 days, demonstrating the ecosystem’s typical operational tempo.

The Hybrid Warfare Blueprint

Operation Epic Fury, as the U.S. designated the strikes, represents what CloudSEK described as ‘the largest cyberattack in history against Iran.’ The operation integrated electronic warfare, denial-of-service attacks, and intrusions into energy and aviation infrastructure alongside kinetic strikes on 500 military targets using approximately 200 fighter jets.

Western intelligence sources confirmed to SOCRadar that damage to IRGC communications infrastructure aimed to ‘prevent counterattack coordination and disrupt drone and ballistic missile launch capabilities.’ The coordinated approach marked what Center for Strategic and International Studies analysts characterized as governments ‘increasingly preparing the battlefield for major military operations’ with offensive cyber operations targeting both civilian and military infrastructure.

  • January 2026, Cyber Groundwork: Government satellite broadcasts hacked, anti-regime content aired to millions of households
  • 28 Feb 2026, Operation Epic Fury: Joint U.S.-Israeli strikes hit IRGC Cyber Warfare headquarters; internet connectivity drops to 4%
  • 2 March 2026, Cyber Warfare HQ Destroyed: IRGC Malek-Ashtar building housing cyber operations completely destroyed

Physical Infrastructure Meets Digital Disruption

The ambiguity surrounding cause and effect highlights challenges in assessing hybrid operations. Analysts at The Cyber Express noted that ‘the relationship between physical infrastructure destruction and operational cyber capability remains ambiguous,’ with the blackout stemming primarily from coordinated cyber-kinetic operations rather than solely from physical destruction of the compound.

Iran had already been operating under severe internet restrictions since January 2026, when authorities imposed a blackout during domestic protests. According to internet monitoring organization NetBlocks, the February 28 disruption represented an escalation of existing regime-imposed controls, though concurrent offensive cyber operations targeting telecommunications infrastructure compounded the effects.

Cyber-Kinetic Integration Comparison

Operational Element | Traditional Warfare | Hybrid Warfare (Iran 2026)
Communications Disruption | Post-strike collateral damage | Pre-strike coordinated cyber attack
Intelligence Gathering | Signals/human intelligence | AI-assisted network infiltration
Psychological Operations | Leaflets, radio broadcasts | Compromised apps, hijacked media
Target Identification | Satellite imagery | Hacked surveillance cameras, AI analysis

Retaliatory Capabilities Remain Uncertain

Despite the disruption, security researchers warn against underestimating Iran’s residual offensive capabilities. Nextgov reported that Google Threat Intelligence Group expects Iran to ‘target the U.S., Israel, and Gulf Cooperation Council countries with disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure.’

Hacktivist groups operating outside Iran have demonstrated continued activity. According to Unit 42, approximately 60 individual groups remained active as of March 2, including pro-Russian actors joining pro-Iranian collectives. The Handala Hack persona, linked to Iran’s Ministry of Intelligence, claimed responsibility for compromising Israeli energy companies and Jordanian fuel systems, though many claims remain unverified.

Key Implications
  • Physical destruction of cyber warfare facilities may produce temporary operational degradation but doesn’t eliminate geographically dispersed assets
  • Internet blackouts impair both regime operations and offensive cyber capabilities, creating strategic tradeoffs
  • Proxy hacktivist networks provide operational resilience but lack the sophistication of state-directed APT groups
  • The integration of cyber and kinetic operations is now standard doctrine in Middle Eastern conflicts

What to Watch

The full impact of the strike on Iran’s cyber warfare headquarters may not materialize for weeks or months. Security practitioners should monitor whether sophisticated Iranian APT campaigns resume at previous operational tempo or whether the disruption produces lasting degradation of Tehran’s offensive capabilities.

Critical infrastructure operators in the U.S., Israel, and Gulf states face elevated risk as Iran’s command structure potentially grants tactical autonomy to cells operating outside the country. Financially motivated cybercriminal groups may also exploit geopolitical uncertainty for opportunistic campaigns leveraging conflict-related social engineering.

The precedent established by Operation Epic Fury—simultaneous cyber-kinetic targeting of offensive cyber infrastructure—signals an evolution in modern warfare doctrine. As states increasingly view cyber operations as co-equal domains with air and ground campaigns, the distinction between preparing the battlefield and conducting the battle continues to erode. For defenders, this reality demands resilience architectures that assume adversaries will strike digital infrastructure before, during, and after kinetic operations.