Iran Conflict: America's Cyber Defenses Face Their Biggest Test — At a Weak Moment

As Iran's cyber forces regroup after the most devastating military strikes in the Islamic Republic's history, the U.S. agency built to defend the nation's critical infrastructure is operating with a skeleton crew, gutted leadership, and a funding crisis — at precisely the moment it is needed most.

Before the first missiles flew over Tehran on Saturday night, the cyber war was long underway.

Israel hit Iran with cyberattacks targeting media platforms and phone applications, pushing messages to millions of Iranians calling on them to revolt against their government. Iran's internet connectivity collapsed to just 4% of normal levels — a near-total blackout that mirrored restrictions imposed during last year's conflict with Israel. The digital battlefield was shaped and contested hours before B-2 stealth bombers dropped the first 2,000-pound bombs on Iranian ballistic missile facilities.

The strikes came after years of invisible groundwork. Israeli intelligence operatives, drawing on covert access to Tehran's traffic camera network and mobile tower infrastructure built up over years, had fed real-time surveillance footage to targeting teams long before the first plane left the ground. Unit 8200 and Mossad knew the streets of Tehran, by one account, "like Jerusalem." When the order came, Iran's command networks were already compromised, its senior IRGC leadership geolocated, its digital defenses overwhelmed.

This is what modern war looks like — and it is precisely the scenario cybersecurity and national security professionals have spent decades preparing for.

Intelligence firms including Google's Mandiant, CrowdStrike, and Recorded Future now assess that Iran's state-linked hacking groups — APT33, APT34/OilRig, and the IRGC-affiliated CyberAv3ngers — are retooling and reorienting toward U.S. and Gulf energy, financial, and defense-adjacent targets. The pattern is familiar: Iran has historically responded to kinetic setbacks with escalating cyber operations against sectors its conventional military cannot reach.

The Multi-State ISAC has issued emergency alerts to state and local governments. The UK's National Cyber Security Centre and Canada's Centre for Cyber Security have published formal threat bulletins. Private sector threat teams are operating at elevated readiness. However, the absence of CISA's coordination abilities leaves a measurable gap precisely when sector-wide communication and rapid threat-sharing matter most — and when the adversary has the most reason to use everything it has left.

The Cyber Dimension of Kinetic War

Within hours of the strikes, Iran-linked hacktivist groups launched what threat intelligence firm Flashpoint described as the most aggressive use yet of Iran's "Great Epic" cyber campaign — a loosely coordinated network of operatives working under the banner of "Cyber Islamic Resistance." Days before the U.S.-Israeli attacks, the group Handala, linked to Iranian intelligence, claimed to have breached Clalit, Israel's largest healthcare network, and vowed to begin "massive cyber attacks in the coming hours."

The targets are not limited to the Middle East. "If there is a country that is going to specifically go after hospitals as a gray zone weapon of war, I think that's going to be Iran," said Mike Hamilton, field CISO at Lumifi Cyber and former CISO of the City of Seattle.

Iranian state-backed groups — APT33, APT34, MuddyWater, and IRGC-affiliated personas like CyberAv3ngers — have a documented history of targeting U.S. critical infrastructure. In 2023, Iranian-linked hackers compromised water utilities in Pennsylvania and other states. They routinely target poorly secured operational technology — the programmable logic controllers and SCADA systems that manage water treatment, power distribution, and hospital operations. "Iranians are known to go after operational technologies," Hamilton said. "That's what they're good at."

The Logic Behind Strategic Coercion

The logic behind Iranian cyber retaliation tracks precisely with what Anne Neuberger, the former top cybersecurity official on the National Security Council, described in a recent podcast interview for Foreign Affairs. Neuberger outlined how adversaries view cyber operations as a tool of strategic coercion — not just espionage, but the ability to hold American infrastructure hostage during a crisis to deter U.S. military action or extract concessions.

"You could see China causing issues in the port navigation system or an air traffic control system in order to disable flights for a period of time," Neuberger said, describing a Taiwan scenario. The principle applies identically to Iran today. As Neuberger put it, one could see an adversary "potentially threatening to disable parts of critical infrastructure and leaving the future U.S. leadership having to balance and consider the impact on the homeland if the U.S. gets involved in a particular crisis."

Gutted Defenses at the Worst Time

The Cybersecurity and Infrastructure Security Agency (CISA) — the federal government's frontline civilian cybersecurity force, responsible for alerting hospitals, water utilities, power plants, and pipeline operators that adversaries are targeting them — is currently operating at roughly 38% of its normal staffing levels.

CISA has lost approximately one-third of its workforce since the beginning of the Trump administration. The agency's counter-ransomware initiative has been shuttered. Its election security team has been disbanded. Its stakeholder engagement division — the people who share threat intelligence with critical infrastructure operators — faces a proposed 62% funding cut. The National Risk Management Center, which analyzes and predicts threats to national infrastructure, faces a 73% cut.

The agency has been without a permanent director since January 2025. Nearly all its operational divisions and at least half its regional bureaus lack permanent leaders. The ongoing partial government shutdown has further reduced its operational capacity. DHS's own website is not being actively managed due to the funding lapse.

The steep cuts extend beyond CISA. In April 2025, the administration fired General Timothy Haugh, the head of both the NSA and U.S. Cyber Command, along with his deputy. Haugh had been in the middle of a comprehensive review of Cyber Command's forces and structures. That modernization effort was orphaned.

"We just fired [a whole lot of] our cyber people tasked with helping to make sure [adversaries] don't touch critical infrastructure," said Hamilton. "The ability of the United States to have a hand in protecting that infrastructure is diminished."

What's Next

The next 72 hours — and likely the weeks beyond — are a period of acute risk. Iranian hacktivist proxies and state-affiliated groups are mobilizing on Telegram and other channels, claiming attacks and coordinating operations to fill what Flashpoint calls "the vacuum left by Tehran's central command" — a reference to the deaths of multiple senior Iranian military and intelligence officials in the strikes, including Supreme Leader Khamenei himself.

Neuberger stressed that the United States must be able to assert with confidence that adversaries cannot disable critical military communications or infrastructure during a crisis. "Can we prevent the most critical military, power, pipeline networks from being disrupted during a crisis or conflict? I believe that we can," she said. But that confidence, she warned, requires both robust defense and the institutional capacity to coordinate it.

That institutional capacity is what has been systematically dismantled. "Even if an administration decides to turn this around, you're looking at years," Hamilton said. "We just lost a bunch of brain power and experience. They're going to go out into the private sector and do just fine. But that doesn't help CISA or our critical infrastructure."
