Iran-Linked Cyber Campaigns Converge With Electronic and Psychological Warfare as Regional Conflict Escalates

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

On February 28, 2026, a joint US-Israeli military operation launched strikes inside Iran, opening a conflict that rapidly extended into cyberspace.

Iran responded with ballistic missiles and drone strikes across Bahrain, Kuwait, Iraq, Saudi Arabia, the UAE, Israel, and Qatar.

Hacktivist groups on both sides mobilized almost immediately, targeting critical infrastructure, military logistics, and government systems.

The scale of these coordinated operations marked one of the most intense mergers of physical and digital warfare the Middle East had ever witnessed.

Conflict Map (Source – Resecurity)

Iranian-aligned groups launched distributed denial-of-service (DDoS) campaigns, website defacements, data theft, and data-wiping operations against US, Israeli, and Gulf Cooperation Council (GCC) targets immediately after the first strikes.

These activities were driven by a network called the Islamic Resilience Cyber Axis — built between 2024 and 2025 — whose Electronic Operations Room coordinates malicious cyber activity.

Groups such as Cyber Islamic Resistance, Fatimion Cyber Team, Cyber Fattah, DieNet, and Sylhet Gang-SG joined the effort. On the other side, pro-Western hacktivists hit Iranian news sites, religious applications, and government portals in parallel.

The darknet ecosystem amplified the conflict further, with propaganda, recruitment drives, and data trading all surging at the same time.

Islamic Resilience Cyber Axis (Source – Resecurity)

Resecurity analysts identified a sharp escalation by several Iran-linked threat actors, including the newly emerged Cyber Isnaad Front, which published a hit list targeting individuals across multiple industries in Israel.

On March 11, 2026, the Handala Hack Team — flagged by Resecurity as one of the most credible active groups during the conflict — claimed a cyberattack against Stryker Corporation, a US-based medical technology company.

The attack disrupted the firm’s global network and involved the exfiltration of a significant volume of sensitive data, with Handala stating it was retaliation for a missile strike on a school in Minab, Iran.

The attacks were deliberate. Iranian-aligned actors leveraged credentials stolen through infostealer malware to access web panels and applications, focusing on energy infrastructure in Jordan.

Hacktivists also scanned Israeli network ranges for exposed IoT devices, exploiting vulnerabilities in Hikvision and Dahua cameras — including CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, and CVE-2025-34067 for Hikvision, and CVE-2021-33044 for Dahua.

Patches are currently available for all identified CVEs, and all affected organizations are strongly urged to apply them without delay.

Multiple Pakistani television channels, websites, and mobile applications were swept up in the broader campaign, prompting that country’s National Computer Emergency Response Team (CERT) to launch a formal investigation.

At least three Amazon data centers in the UAE and Bahrain sustained damage from Iranian drone strikes, compounding the digital disruption.

The IRGC’s Cyber Warfare headquarters in eastern Tehran was bombed, limiting Iran’s ability to coordinate a centralized response, and pushing more activity toward proxies operating outside the country.

The 2026 Iran conflict produced the most extensive GPS spoofing and jamming campaign ever recorded in any military conflict, operating as a quiet but deeply damaging layer beneath the more visible strikes.

Within just 24 hours of the initial US-Israeli actions, over 1,100 commercial ships in UAE, Qatari, Omani, and Iranian waters reported navigation failures.

Their onboard systems falsely placed vessel positions at airports, nuclear plants, and landlocked locations — a classic signature of active GPS spoofing.

Iran’s state forces and proxy actors deployed advanced electronic warfare systems across the Persian Gulf, Strait of Hormuz, and regional airspace, creating navigational chaos for both civilian and military platforms throughout the theater.

GPS Jamming Cluster Distribution (Source – Resecurity)

The interference escalated quickly. Windward identified 21 new jamming clusters on the first day, rising to 38 the following day. Lloyd’s List Intelligence documented 1,735 GPS interference events affecting 655 vessels in the first week, with daily incidents nearly doubling.

By March 7, 2026, over 1,650 vessels experienced GPS interference, a 55 percent rise over the prior week.

Resecurity analysts noted that GNSS and GPS spoofing creates serious risks for operational technology environments, where industrial control systems and digital services rely on accurate geolocation data.

Organizations in affected regions are advised to deploy redundant navigation systems, reduce single-source GPS dependency, and audit any geolocation-dependent industrial processes.

Monitoring for anomalous position data in maritime and aviation platforms should be treated as a priority defensive measure in the current environment.
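One way to monitor for the anomalous position data described above, as an added example that is not from the article or from Resecurity: it flags fixes whose implied speed from the last trusted fix is physically implausible, then goes one step beyond the text by grouping flagged fixes that land in the same area. The tuple format, the 40-knot ceiling, the 0.1-degree cell size and all sample fixes are assumptions constructed for illustration.

```python
# Added example: flag implausible position jumps in vessel tracks.
import math
from collections import defaultdict

MAX_KNOTS = 40.0   # assumed speed ceiling for a commercial vessel
KM_PER_NM = 1.852  # kilometres per nautical mile

# Constructed sample fixes: (vessel, unix_seconds, lat, lon)
FIXES = [
    ("A", 0, 26.200, 56.400), ("A", 600, 26.210, 56.420),
    ("A", 1200, 25.253, 55.366),   # jump of roughly 150 km in 10 minutes
    ("A", 1800, 26.230, 56.460),   # track resumes near the real position
    ("B", 0, 26.500, 56.600), ("B", 600, 25.254, 55.364),
    ("C", 0, 26.000, 56.000), ("C", 600, 26.010, 56.010),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def flag_jumps(fixes, max_knots=MAX_KNOTS):
    """Return fixes whose implied speed from the last trusted fix exceeds max_knots."""
    trusted, flagged = {}, []
    for vessel, t, lat, lon in sorted(fixes, key=lambda f: (f[0], f[1])):
        prev = trusted.get(vessel)
        if prev and t > prev[0]:
            hours = (t - prev[0]) / 3600
            knots = haversine_km(prev[1], prev[2], lat, lon) / KM_PER_NM / hours
            if knots > max_knots:
                flagged.append((vessel, t, lat, lon, round(knots)))
                continue  # a suspect fix must not become the new baseline
        trusted[vessel] = (t, lat, lon)
    return flagged

def shared_landing_cells(flagged, min_vessels=2):
    """Group flagged fixes by 0.1-degree cell; several vessels in one cell suggest one source."""
    cells = defaultdict(set)
    for vessel, _t, lat, lon, _knots in flagged:
        cells[(round(lat, 1), round(lon, 1))].add(vessel)
    return {cell: v for cell, v in cells.items() if len(v) >= min_vessels}

if __name__ == "__main__":
    hits = flag_jumps(FIXES)
    print(hits)
    print(shared_landing_cells(hits))
```

Because each fix is compared against the last trusted one, vessel A's return to its real track at t=1800 is not flagged as a second jump.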
