Epic Fury/Roaring Lion Sparks Escalating Cyber Conflict as Iran Goes Offline, Hacktivists Step Up Retaliation

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

On February 28, 2026, the United States and Israel launched a coordinated offensive — code-named Operation Epic Fury by the U.S. and Operation Roaring Lion by Israel — setting off a wide-ranging cyber conflict that spread across the Middle East and beyond.

Within hours of the strikes, Iran launched a multi-vector retaliatory campaign involving hacktivist groups, state-aligned actors, and opportunistic cybercriminals, growing into one of the most intense cyber confrontations in recent memory.

One of the most significant early developments was Iran’s near-complete loss of internet access. By the morning of February 28, available connectivity inside Iran had dropped to between 1% and 4%.

This sudden disruption cut off state-aligned cyber units from their command and control networks, severely limiting their ability to coordinate and execute sophisticated cyberattacks in the near term.

Iranian cyber cells have since shifted into operational isolation, which may cause unpredictable deviations from their established attack patterns.

Palo Alto Networks’ Unit 42 analysts identified an active phishing campaign almost immediately following the offensive, in which attackers deployed a malicious replica of the Israeli Home Front Command’s RedAlert emergency alert application.

Distributed as an Android Package Kit (APK) through SMS phishing messages, it tricks users into downloading malware for mobile surveillance and data exfiltration.

SMS phishing message to download malicious RedAlert application (Source – Palo Alto Networks)

Attackers exploit public fear to deliver malware under the cover of a trusted safety tool during the ongoing conflict.

Despite the disruption to Iran’s own infrastructure, hacktivist activity outside the country surged rapidly.

As of March 2, 2026, approximately 60 individual groups — including pro-Russian collectives — were actively engaged in operations targeting Israeli, Western, and regional assets.

Many of these groups operate under the newly formed “Electronic Operations Room,” established on February 28, 2026. These groups have claimed responsibility for attacks ranging from DDoS assaults on banks and government sites to full infrastructure compromises affecting energy, payment, and defense systems.

The conflict’s reach has extended far beyond Iran’s borders. Cybercriminals in the UAE launched vishing scams impersonating the Ministry of Interior to steal national identification numbers.

The ransomware-as-a-service group Tarnished Scorpius (also known as INC Ransomware) listed an Israeli industrial machinery company on its leak site, replacing the company logo with a swastika.

The speed and breadth of these attacks reflect a conflict that has moved well beyond a state-versus-state dynamic into a multi-actor cyber war.

Inside the Hacktivist Threat Ecosystem

The “Electronic Operations Room” has become the primary coordination hub for Iran-aligned hacktivist operations since the conflict began.

Handala Hack, a persona linked to Iran’s Ministry of Intelligence and Security (MOIS), has emerged as the most active actor, claiming responsibility for breaching an Israeli energy exploration company, compromising Jordan’s fuel systems, and threatening Iranian-American and Iranian-Canadian influencers with death — including sharing their home addresses with physical operatives.

Handala Hack death threat email to U.S. and Canada influencers (Source – Palo Alto Networks)

This move from digital disruption to physical intimidation marks a dangerous escalation in hacktivist behavior.

Other actors include the Cyber Islamic Resistance — an umbrella collective coordinating groups like RipperSec and Cyb3rDrag0nzz — which claimed to have compromised a drone defense system and Israeli payment infrastructure.

The FAD Team reported unauthorized access to multiple SCADA and PLC systems in Israel, while DieNet targeted airports and banks across Bahrain, Saudi Arabia, Jordan, and the UAE.

Pro-Russian groups NoName057(16) and the “Russian Legion” joined the conflict, the latter claiming access to Israel’s Iron Dome radar system, though these claims remain unverified.

Organizations should store at least one copy of critical data offline to guard against ransomware and wiper attacks. All internet-facing assets must be kept fully patched and hardened.

Employees should be trained on phishing and social engineering, and organizations should consider geographic IP blocking for high-risk regions.

Business continuity plans should be updated, breach claim verification processes put in place, and ongoing guidance from CISA and the UK National Cyber Security Center monitored closely.

IoCs

| Type | Indicator | Context |
|------|-----------|---------|
| URL | hxxps[:]www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk | Malicious RedAlert APK delivery URL |
| URL | hxxps[:]//api[.]ra-backup[.]com/analytics/submit.php | C2 data exfiltration endpoint |
| URL | hxxps[:]//bit[.]ly/4tWJhQh | Shortened URL used in SMS phishing campaign |
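
To hunt for these indicators in web proxy logs, the defanged strings first have to be normalized. The sketch below is an added example, not code from the article or from Palo Alto Networks: it refangs the three published URLs (including the first, which is listed without `//` after the scheme) and matches them against log lines by host and path. The function names and the log line format are assumptions, and the sample log is constructed.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators copied as published in the IoC table.
DEFANGED_IOCS = [
    "hxxps[:]www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk",
    "hxxps[:]//api[.]ra-backup[.]com/analytics/submit.php",
    "hxxps[:]//bit[.]ly/4tWJhQh",
]

def refang(ioc):
    """Turn a defanged indicator into a URL that urlsplit can parse."""
    url = ioc.replace("[.]", ".").replace("[:]", ":")
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    # The first indicator is published without "//"; restore it so the host parses.
    return re.sub(r"^(https?:)(?!//)", r"\1//", url)

def ioc_key(url):
    """Compare on (host, path): host case and query string are ignored."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"

IOC_KEYS = {ioc_key(refang(i)) for i in DEFANGED_IOCS}

def find_hits(log_lines):
    """Return (line_number, url) for every logged URL that matches an indicator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for url in re.findall(r"https?://\S+", line):
            if ioc_key(url) in IOC_KEYS:
                hits.append((n, url))
    return hits

def sample_log():
    """Constructed proxy log lines (assumed format, not real telemetry)."""
    apk, c2, short = (refang(i) for i in DEFANGED_IOCS)
    return [
        f"2026-03-01T08:14:02Z 10.0.4.17 GET {short} 301",
        f"2026-03-01T08:14:03Z 10.0.4.17 GET {apk} 200",
        f"2026-03-01T08:20:41Z 10.0.4.17 POST {c2}?id=7 200",    # query string added
        f"2026-03-01T08:21:10Z 10.0.9.3 GET {short.lower()} 301",  # different short code
        "2026-03-01T08:22:00Z 10.0.9.3 GET https://example.com/analytics/submit.php 200",
    ]

if __name__ == "__main__":
    for n, url in find_hits(sample_log()):
        print(f"line {n}: {url}")
```

Matching on host plus path keeps the shortened-link indicator from flagging every bit.ly request, and the path comparison stays case-sensitive because short codes are.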
