Iranian Communications and Sensors Disrupted by US Cyber Command; Researchers Warn of Retaliatory Cyber Attacks
- Digital Strikes: Critical Iranian communication and sensor frameworks were disabled in a coordinated operation by the U.S. Cyber Command.
- Tactical Foundation: These non-kinetic cyber actions directly enabled Operation Epic Fury, a joint kinetic military campaign conducted alongside Israeli forces.
- Threat Landscape: Cybersecurity authorities anticipate retaliatory cyber warfare from state-sponsored threat actors targeting allied critical infrastructure.
The U.S. Cyber Command's Iran operations recently neutralized key adversary defense systems, such as telemetry and communication architectures, in a calculated deployment of modern military strategy, Joint Chiefs of Staff Chairman Gen. Dan Caine said at a Pentagon press conference on Monday. Meanwhile, security researchers anticipate potential retaliatory ransomware and DDoS attacks.
According to military officials, the deliberate Iranian communications disruption neutralized the adversary's capability to process sensor data or coordinate defensive countermeasures, “disrupting and degrading and blinding Iran's ability to see, communicate, and respond.”
Escalation in Global Cyber Warfare
Intelligence indicates an elevated probability of retaliatory digital strikes by state-sponsored proxies and aligned hacktivist groups. Anticipated threat vectors include sophisticated ransomware deployments and distributed denial-of-service (DDoS) attacks, especially given Iran’s available internet connectivity, which dropped to between 1% and 4%.
Palo Alto Unit 42 has estimated that 60 individual groups are active, including pro-Russian groups Cardinal, Russian Legion, and NoName057(16), and Iranian state-aligned personas:
- Handala Hack (Void Manticore), a hacktivist persona linked to Iran's Ministry of Intelligence and Security (MOIS)
- APT Iran, a pro-Iranian hacktivist collective
- The Cyber Islamic Resistance, a pro-Iranian hacktivist collective
- Dark Storm Team (also known as DarkStorm or MRHELL112), a pro-Palestinian and pro-Iranian collective
- The FAD Team, composed of pro-regime actors
- Evil Markhors, a pro-Iranian group
- Sylhet Gang, a message amplifier and recruitment engine for the pro-Iranian hacktivists
- 313 Team (Islamic Cyber Resistance in Iraq), active pro-Iranian hacktivists
- DieNet, a pro-Iran hacktivist group
In the months leading up to the conflict, Check Point Research (CPR) observed malware deployments associated with the Iranian threat group Cotton Sandstorm (aka Haywire Kitten), affiliated with the Islamic Revolutionary Guard Corps (IRGC). They leveraged the WezRat custom modular infostealer in spearphishing campaigns and sometimes WhiteLock ransomware, specifically against Israeli targets.
Educated Manticore, an IRGC-aligned cluster that overlaps with APT35/APT42 (Charming Kitten) activity, leverages high-trust impersonation against “journalists, researchers, security experts, academics, and foreign-based groups and individuals opposing the Iranian regime,” CPR said.
Also, scammers are exploiting the crisis to steal UAE IDs by impersonating the MOIS in a vishing campaign, and INC Ransom (aka Tarnished Scorpius) listed an Israeli industrial machinery company, replacing the company logo with a swastika.
Tactical Recommendations
Unit 42 cybersecurity experts’ recommendations include:
- Keep at least one backup stored offline (air-gapped)
- Implement strict “out-of-band” verification for incoming requests via media
- Increase response to any threat signals where possible, especially those associated with internet-facing assets such as websites, virtual private network (VPN) gateways, and cloud assets
- Ensure internet-facing infrastructure is patched
- Train employees on and monitor for phishing and social engineering activity
- Consider implementing geographic IP address blocking from specific high-risk regions where legitimate business is not conducted
- Have a robust communications plan ready to address unauthorized access versus system compromise, as scoping and quickly verifying the potential compromise can prevent public panic
- Continue to check trusted cyber agencies such as the U.K. National Cyber Security Center and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Iran Threat Overview and Advisories page
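Two of the recommendations above, watching threat signals against internet-facing assets and blocking traffic from regions where no legitimate business is conducted, can be exercised against ordinary web-server logs. The script below is an added example and is not code from the article, from Unit 42 or from any of the agencies named; the log lines, the addresses and the "high-risk" range 198.51.100.0/24 are constructed placeholders, and a real deployment would load its ranges from a maintained geo-IP feed. It parses common-log-format records, flags sources that exceed a per-source request rate inside a sliding time window (a simple early signal of a volumetric or credential-stuffing burst against a VPN or web gateway), and separately lists sources that fall inside the configured ranges.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


# Constructed sample log in common log format; hypothetical sources, not real traffic.
def _line(ip, second, path, status=200):
    return (f'{ip} - - [02/Mar/2026:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512')


SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "/vpn/login", 401) for s in range(12)]  # 12 hits in 12 s
    + [_line("192.0.2.10", 3, "/"), _line("192.0.2.10", 40, "/about")]  # normal visitor
    + [_line("198.51.100.23", 5, "/admin", 403)]  # source inside a configured range
    + ["this line is not a log record"]  # the parser must skip malformed input
)

# Placeholder ranges standing in for "high-risk regions" (assumption, not from the page).
HIGH_RISK_NETS = [ipaddress.ip_network("198.51.100.0/24")]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')


def parse_line(line):
    """Parse one common-log-format record; return None for anything that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, request, status, _size = m.groups()
    try:
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        ipaddress.ip_address(ip)  # reject records whose source field is not an address
    except ValueError:
        return None
    return {"ip": ip, "when": when, "request": request, "status": int(status)}


def find_bursts(events, window_s=10, threshold=10):
    """Sliding-window rate check per source.

    Returns {ip: peak request count seen in any window} for sources that reached
    the threshold at least once; sources that stay below it are not reported.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)
    peak = {}
    for ev in sorted(events, key=lambda e: e["when"]):
        q = recent[ev["ip"]]
        q.append(ev["when"])
        while ev["when"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[ev["ip"]] = max(peak.get(ev["ip"], 0), len(q))
    return peak


def find_high_risk(events, nets=HIGH_RISK_NETS):
    """Sorted list of sources whose address lies inside one of the configured ranges."""
    hits = set()
    for ev in events:
        addr = ipaddress.ip_address(ev["ip"])
        if any(addr in net for net in nets):
            hits.add(ev["ip"])
    return sorted(hits)


def triage(log_text, window_s=10, threshold=10):
    """Run both checks over a log and return their findings together."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    return {
        "bursts": find_bursts(events, window_s, threshold),
        "high_risk": find_high_risk(events),
    }


if __name__ == "__main__":
    for kind, finding in triage(SAMPLE_LOG).items():
        print(f"{kind}: {finding}")
```

The window and threshold are deliberately low so the constructed sample trips them; in production they should be tuned against a baseline of normal traffic for each exposed service, and a burst finding is a signal to investigate (and, if warranted, to rate-limit or block at the edge) rather than proof of an attack. The range check is only as good as the feed behind it, so treat a match as one input to the decision, alongside the asset's own allow-list of regions where business is actually conducted.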