From Kinetic Strikes to Cyber Retaliation
The joint U.S.-Israeli military offensive launched on February 28, 2026 — codenamed Operation Epic Fury by the United States and Operation Roaring Lion by Israel — has triggered the most significant cyber escalation of the year.
Within hours of the initial strikes, Iran began a multi-vector retaliatory campaign that has since evolved into a sprawling trans-regional cyber conflict involving state-sponsored actors, criminal groups, and ideologically motivated hacktivists.
Iran's Internet: 1-4% Connectivity
One of the most immediate consequences was the near-total collapse of Iran's internet connectivity, which dropped to between 1 and 4 percent beginning on the morning of February 28.
Palo Alto Networks' Unit 42 assesses that the severe degradation of Iranian leadership and command structures will likely hinder the ability of state-aligned threat actors to coordinate sophisticated cyberattacks in the near term. However, this disruption has not prevented proxy actors and diaspora-based groups from launching attacks independently.
60+ Hacktivist Groups Now Active
Unit 42 has observed a massive surge in hacktivist activity, with estimates of over 60 individual groups now active as of March 2, 2026:
| Actor Category | Notable Groups | Activity |
|---|---|---|
| Iran-aligned | Handala Hack (MOIS-linked) | Energy company breaches, fuel system compromises, death threats |
| Pro-Russian | Multiple groups joining the fray | DDoS attacks, defacements |
| Independent hacktivists | Various ideological groups | Data leaks, website defacements |
Handala Hack, a persona linked to Iran's Ministry of Intelligence and Security (MOIS), has claimed responsibility for breaching an Israeli energy exploration company, compromising Jordan's fuel systems, and issuing death threats against Iranian-American and Iranian-Canadian influencers.
Weaponized RedAlert App
On the technical front, Unit 42 identified an active phishing campaign deploying a malicious replica of the Israeli Home Front Command's RedAlert application — a legitimate emergency warning system.
The weaponized Android package (APK) delivers mobile surveillance and data-exfiltrating malware to victims who believe they are installing a critical safety tool. This social engineering approach exploits the heightened fear and urgency surrounding the kinetic conflict.
Recommendations
Security teams across the region should:
- Heighten monitoring for phishing campaigns, especially mobile-targeted attacks
- Block known IoCs associated with fake RedAlert APK distributions
- Watch for hacktivist defacements and DDoS attacks against public-facing infrastructure
- Review access controls for critical infrastructure and energy sector systems
- Monitor threat intelligence feeds for evolving attribution and new group activity
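Putting the first two recommendations into practice usually means running a small triage pass over web-proxy or DNS logs: pick out Android package downloads, check the serving domain and the file hash against an indicator list, and treat any APK fetched from outside the official stores as a sideload worth a look. The block below is an added example written for this page, not Unit 42's tooling or code from the original. Its log format, the allowlist of store domains, and every domain and hash in it are constructed placeholders (the domains use the reserved `.invalid` TLD), to be swapped for indicators from your own threat-intelligence feed.

```python
"""Proxy-log triage for sideloaded Android packages.

Flags APK downloads from outside an allowlist of official app stores and
matches domains and response hashes against an IoC set. All log lines,
domains and hashes here are constructed for this example; replace the IoC
sets with indicators from your threat-intelligence feed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumed allowlist of official store domains (extend for your environment).
OFFICIAL_STORE_DOMAINS = {"play.google.com", "play.googleapis.com"}

# Constructed stand-ins for a real IoC feed; .invalid is a reserved TLD and never resolves.
IOC_DOMAINS = {"redalert-update.invalid"}
MALICIOUS_HASH = hashlib.sha256(b"constructed-malicious-apk").hexdigest()
BENIGN_HASH = hashlib.sha256(b"constructed-benign-apk").hexdigest()
IOC_SHA256 = {MALICIOUS_HASH}

# Constructed proxy log format:
#   <timestamp> <client-ip> <method> <url> <status> <sha256-of-response-body or ->
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

SAMPLE_LOGS = [
    f"2026-03-02T09:14:07Z 10.20.30.41 GET https://redalert-update.invalid/RedAlert.apk 200 {MALICIOUS_HASH}",
    "2026-03-02T09:15:22Z 10.20.30.42 GET https://play.google.com/store/apps/details?id=example.app 200 -",
    f"2026-03-02T09:16:03Z 10.20.30.43 GET https://files.example.invalid/alerts/RedAlert.APK?dl=1 200 {BENIGN_HASH}",
    f"2026-03-02T09:17:45Z 10.20.30.44 GET https://mirror.example.invalid/app.apk 200 {MALICIOUS_HASH}",
    "2026-03-02T09:18:10Z 10.20.30.45 GET https://cdn.example.invalid/report.pdf 200 -",
    "this line is malformed and should be skipped",
]


@dataclass
class ProxyEvent:
    timestamp: str
    client: str
    method: str
    url: str
    status: int
    sha256: str


@dataclass
class Finding:
    timestamp: str
    client: str
    url: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[ProxyEvent]:
    """Return a ProxyEvent, or None for lines that do not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, digest = m.groups()
    return ProxyEvent(ts, client, method, url, int(status), digest.lower())


def is_apk_url(url: str) -> bool:
    """True when the URL path names an APK, ignoring case and any query string."""
    return urlparse(url).path.lower().endswith(".apk")


def assess(ev: ProxyEvent) -> Optional[Finding]:
    """Score one event: any IoC hit is high; an off-store APK download is medium."""
    host = (urlparse(ev.url).hostname or "").lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append(f"domain {host} is on the IoC list")
    if ev.sha256 in IOC_SHA256:
        reasons.append("response body hash matches a known malicious APK")
    if reasons:
        return Finding(ev.timestamp, ev.client, ev.url, "high", "; ".join(reasons))
    if is_apk_url(ev.url) and host not in OFFICIAL_STORE_DOMAINS:
        return Finding(ev.timestamp, ev.client, ev.url, "medium",
                       f"APK sideloaded from non-store domain {host}")
    return None


def scan(lines) -> list:
    """Run assess() over raw log lines, skipping malformed entries."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        finding = assess(ev)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.client} {f.url} :: {f.reason}")
```

Hash matching is checked on every response, not only on `.apk` paths, because a renamed package served as a generic download should still trip a known-bad hash; the medium-severity sideload rule is what catches a repackaged sample whose hash is not yet in the feed.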
The breadth and diversity of participants make attribution and response exceptionally complex, and the situation continues to evolve rapidly.