Cyber Front Opens in Iran: Massive Digital Disruption Follows Kinetic Strikes
Key Takeaways
- A coordinated wave of cyber-enabled operations targeted Iranian digital infrastructure, including a major religious app and government services, alongside joint U.S.-Israeli military strikes.
- The operations caused significant internet outages and aimed to disrupt Iran's military coordination while messaging its civilian population.
Mentioned
Key Intelligence
Key Facts
- 1Cyberattacks coincided with joint U.S.-Israeli kinetic strikes on Saturday morning, March 1, 2026.
- 2BadeSaba, a religious calendar app with 5M+ downloads, was hacked to display anti-government messages.
- 3Internet connectivity in Iran saw two major drops at 0706 GMT and 1147 GMT, according to Kentik data.
- 4Cyber operations targeted Iranian government services and military systems to disrupt response coordination.
- 5Security firms Sophos and Halcyon warn of imminent retaliatory strikes by Iranian proxy groups.
Who's Affected
Analysis
The early Saturday morning strikes on Iran represent a significant escalation in the integration of kinetic and cyber warfare. As U.S. and Israeli forces targeted physical military assets, a parallel digital offensive dismantled Iran’s internal communications and public-facing platforms. This dual-track approach suggests a highly sophisticated level of coordination designed not just to destroy hardware, but to paralyze the state’s ability to respond and to influence the domestic narrative in real-time. By hitting both the physical and digital domains simultaneously, the coalition effectively blinded Iranian command and control while bypassing state-controlled media to reach the populace directly.
One of the most strategic elements of this cyber campaign was the compromise of BadeSaba, a religious calendar application with over 5 million downloads. According to Hamid Kashfi, founder of DarkCell, targeting this specific app was a calculated move to reach the government’s core support base. The app, which is widely used by religious and pro-government demographics, was defaced with messages urging the armed forces to defect and join the people. This psychological operation (PSYOP) demonstrates a shift toward targeting cultural and religious digital infrastructure to undermine the regime’s legitimacy from within, rather than just attacking traditional military networks.
Rafe Pilling, director of threat intelligence at Sophos, warns that Iranian proxy groups and hacktivists are likely to target Israeli and U.S.-affiliated commercial and civilian entities.
Infrastructure analysis provided by Doug Madory of Kentik revealed two massive drops in Iranian internet connectivity at 0706 GMT and 1147 GMT. These outages indicate that the cyber operations went far beyond simple website defacement, likely involving disruptions at the ISP or backbone level to prevent a coordinated military or emergency response. While the Jerusalem Post reported strikes on government services and military systems, the widespread nature of the connectivity issues suggests a broader effort to isolate the country during the kinetic phase of the operation. This level of network interference is characteristic of state-level actors capable of identifying and exploiting critical nodes in national digital infrastructure.
What to Watch
Looking forward, the cybersecurity community is bracing for the inevitable 'second wave' of this conflict: retaliation. Rafe Pilling, director of threat intelligence at Sophos, warns that Iranian proxy groups and hacktivists are likely to target Israeli and U.S.-affiliated commercial and civilian entities. These retaliatory strikes often take the form of 'recycling' old data breaches to create a sense of ongoing vulnerability, or launching unsophisticated but disruptive attacks on internet-exposed industrial control systems (ICS). Cynthia Kaiser of Halcyon noted that her firm has already observed increased regional activity and calls to action from pro-Iranian cyber actors, suggesting that the digital battlefield will remain active long after the smoke clears from the physical strikes.
For global enterprises, particularly those in the energy, finance, and defense sectors, the risk profile has shifted. The precedent set by this operation—using cyber to amplify kinetic effects—will likely be studied and replicated by other nation-states. Organizations must now account for the possibility that their digital assets could become collateral damage or primary targets in geopolitical conflicts, even if they are not direct participants. The focus must shift from simple perimeter defense to resilience and the ability to operate in a degraded digital environment as 'hybrid' warfare becomes the new standard for international conflict.
Timeline
Timeline
Kinetic Strikes Begin
Joint U.S.-Israeli military operations target assets across Iran.
First Connectivity Drop
Major internet outage detected across Iranian networks by Kentik analysts.
Second Connectivity Drop
A second wave of digital disruption further isolates Iranian infrastructure.
BadeSaba Compromise Confirmed
Reports emerge of the 5M-user religious app being used for anti-regime messaging.
Retaliation Warnings
Cybersecurity firms Sophos and Halcyon issue alerts regarding Iranian proxy activity.
Sources
Sources
Based on 3 source articles- (ca)Hackers hit Iranian apps, websites after U.S.-Israeli strikesMar 1, 2026
- Sph Media Limited (sg)Hackers hit Iranian apps, websites after US-Israeli strikesMar 1, 2026
- Reuters (il)Cyber front opens after US-Israeli strikes as hackers target Iranian apps and state servicesMar 1, 2026