A sharp escalation in the Middle East has entered a hybrid phase blending military strikes with large-scale cyber operations, creating spillover risks for organizations in the region and globally.
The developments follow joint Israeli-US strikes on Iran on February 28, 2026, which were accompanied by what has been described as one of the largest cyber campaigns in history.
Cyber Escalation Follows Military Strikes
Coordinated strikes by Israel and the US targeted Iranian leadership, military and nuclear-linked sites over the last few days. According to CloudSek, in parallel, a sweeping cyber operation disrupted Iran’s digital infrastructure, with internet connectivity reportedly dropping to around 4% of normal levels. However, the reason for this shutdown remains unconfirmed at the time of publication.
Government services, official media outlets and parts of the energy and aviation sectors were severely affected. The disruption coincided with retaliatory missile and drone attacks by Iran against Israeli territory and US regional bases.
Security experts expect cyber retaliation to intensify. Cynthia Kaiser, SVP at Halcyon and former FBI cyber executive, said, “Iran will likely respond in cyberspace. It will probably look like cybercrime and ransomware.”
She added, “Our Halcyon intel team is already seeing increased activity in the Middle East and calls to action from the distributed denial-of-service (DDoS) botnet HydraC2, hacktivist group Handala, and ransomware group Sicarii.”
Between February 28 and March 1, more than 150 hacktivist incidents were recorded across open channels. These operations largely involved DDoS attacks, website defacements and unverified data breach claims, targeting government, banking, aviation and telecom sectors.
Read more on Middle East cyber operations: SIM Swapping Fraud Surges in the Middle East
Ransomware and Obfuscation Tactics in Focus
Kaiser pointed to Iran’s previous campaigns as evidence of an established pattern. “Iran has a long track record of using cyber operations to retaliate against perceived political slights. From disabling US financial websites between 2011 and 2013, to erasing data from the Las Vegas Sands Casino in 2014, to defacing websites after the death of Iranian military commander Qasem Soleimani and issuing online death threats to US election officials in 2020 and 2021, Tehran’s cyber playbook has been aggressive and evolving.”
These actions highlight the ways that Iran could use attempted obfuscation, multiple actors and destructive tools against US networks in the coming weeks:
-
Deploying ransomware before wiping an organization’s data
-
Leveraging long-term espionage access and data exfiltration from different threat actors for destructive attacks
-
Hiding behind fictitious cybercriminal groups
-
Engaging in online harassment of victims, including the release of stolen data
Guidance For Organizations
The UK’s National Cyber Security Centre (NCSC) said there is currently no significant change in the direct cyber threat from Iran to the UK at present, though the situation remains fluid. It warned of a heightened indirect risk for organizations with offices or supply chains in the Middle East.
Organizations are urged to review their risk posture, increase monitoring, enforce multi-factor authentication (MFA) and ensure offline backups are in place.
Critical national infrastructure operators are also advised to revisit contingency plans and follow established guidance for severe cyber threats.
“Organizations are advised to review their risk posture, take proportionate action and report any concerning activity to the NCSC’s Incident Management team using Report a cyber incident,” the agency concluded.
