INTELBRIEF
March 17, 2026
Cyber Operations as Iran’s Asymmetric Leverage
Bottom Line Up Front
- Iran-linked cyber proxies and hacktivists have become highly active since Operation Epic Fury, showing resilience even as the IRGC and the MOIS have been battered by the U.S. and Israel.
- The MOIS-linked Stryker cyber-attack demonstrates that Iran retains high-end offensive capability and can impose psychological and operational costs far from the battlefield.
- Iran’s cyber strategy focuses on asymmetric cost imposition, aiming at psychological impact and subsequent resource exhaustion.
- The People’s Republic of China (PRC) will monitor current U.S. cyber operations for future conflict modeling in Taiwan.
Two weeks into the Iran war, key leadership and infrastructure of the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS) have been struck — the two foremost entities behind Iran’s capable cyber arsenal. Iran has, in recent years, been a highly capable cyber threat actor. It has relied on both state institutions and hacktivists and utilized a range of tactics for espionage and disruption of targets, including in the U.S., as seen in the 2024 hack into Trump’s presidential election campaign. While U.S. and Israeli decapitation strikes have degraded some of Iran’s high-end Advanced Persistent Threat (APT) activity, especially emanating from the IRGC, proxies, and hacktivist groups continue to mount a significant cyber campaign against the U.S., Israel, and their allies. This built-in resilience aligns with Iran’s mosaic defense doctrine, in which decentralization makes capabilities resilient to decapitation strikes as the war continues. Much of Iranian cyber activity serves to exhaust cyber defenders and undercut political will for the war in Iran among the U.S. public, the bedrock of Iran’s asymmetric warfare strategy.
Israel’s intelligence collection effort through its access to Tehran’s traffic camera network is likely the single most operationally influential cyber component of the current war. It permitted meticulous pattern-of-life tracking of IRGC commanders and mapped the security posture of Iranian Supreme Leader Ali Khamenei’s compound. The cyber operations during the opening salvo of Operation Epic Fury and Roaring Lion moved beyond intelligence preparation: mobile towers near key government institutions were disabled to cut communications, and the BadeSaba prayer application, used by millions of Iranians to confirm prayer times, was used in a psychological operation to rile people up against the regime — seemingly to no great effect. Further up the escalation ladder, Israel kinetically struck Iran’s cyber warfare headquarters in eastern Tehran, according to the Israel Defense Forces, degrading the centralized command of one of the most active cyber powers in the Middle East.
Iranian retaliatory action in the cyber domain is especially pertinent to understanding its defense posture and strategy as the war enters its third week. Despite significant degradation of the IRGC's command-and-control infrastructure, Iran’s cyber retaliation was swift and diffuse, highlighting the efficacy of its patchwork of cyber actors. According to Unit 42 of Palo Alto Networks, a cybersecurity firm, within hours of the start of Operation Epic Fury, over 60 pro-Iranian hacktivist groups mobilized — though a significant portion of their claimed operations remains unverified. This patchwork of different cyber actors acting on Iran’s behalf aligns with its overall mosaic defense doctrine, rooted in decentralization so that capabilities continue to function under significant strain and leadership decapitation. As cybersecurity firm BeyondTrust notes: “The most immediate risk comes not from the reconstituting IRGC command structure, which will require time to restore coherence, but from the pre-positioned proxy ecosystem that operates under delegated authority or independent ideological motivation.”
Multiple Iran-aligned groups have claimed largely unverified compromises of industrial control systems across Israel, Poland, Turkey, Jordan, and Gulf states. The attack on Michigan-based medical device company Stryker warrants particular attention. U.S. officials and former officials have described it as likely the most significant wartime cyberattack against the U.S. in history, per the Wall Street Journal’s reporting. Stryker — a Fortune 500 company serving 150 million patients annually — was forced to tell its global workforce to disconnect from all networks, with some hospitals temporarily pausing the transmission of patients' vital-sign data. Handala, the group responsible, is a hacktivist persona operated by Void Manticore, MOIS's primary offensive cyber instrument. The group claimed the attack as retaliation for the strike on the Minab elementary school that killed 160 children. This signifies that a genuine high-end, state-directed cyber capability remains, likely also a result of decentralization. The objective of such an attack appears to be bringing the war home to American civilians in a palpable way. Additionally, it demonstrates that Iran’s cyber capability extends to U.S. civilian infrastructure and can be employed at will, which has significant ramifications for the psychology of civilians and exhausts cyber defenders in the U.S., since all infrastructure is now potentially a target.
For the U.S., the geopolitical implications of this war's cyber dimensions should be considered from the vantage points of Russia and the People’s Republic of China (PRC). Russia, which has so far publicly condemned the aggression against Iran but has issued no public statement on aid to Tehran, shows opportunistic involvement in cyberspace. Cybersecurity firm CrowdStrike detected that the Russian hacker group Z-Pentest has been disrupting U.S. networks in apparent support of Tehran since the war began, though it is unclear whether this represents opportunistic probing or coordinated state action. Russia faces no escalatory risk from supporting Iran's cyber operations, given the existing state of U.S.-Russia relations, and the conflict provides a low-cost vehicle to impose a burden on U.S. cyber defenders.
The PRC, however, presents a more consequential dynamic. Beijing has maintained public restraint in the Iran war, but the conflict is likely serving as a real-time intelligence-collection opportunity. It provides an unprecedented window into how U.S. and Israeli cyber capabilities may perform in the event of an invasion of Taiwan: what long-term intelligence-gathering tactics they have used, how offensive cyber operations are timed, and how cyber operations and PSYOPs work together.