Iran-Linked Cyber Campaigns Align with Electronic and Psychological Warfare
Key Takeaways
- A February 2026 military conflict between US-Israeli forces and Iran quickly escalated into unprecedented cyber and electronic warfare.
- Iranian-aligned hacktivist groups, coordinated by the “Islamic Resilience Cyber Axis,” launched extensive DDoS attacks, data theft, and data-wiping operations against Western and Gulf targets.
- The conflict saw the most widespread GPS spoofing and jamming campaign ever recorded, causing severe navigational disruptions for over a thousand commercial vessels.
- Iranian-aligned threat actors exploited vulnerabilities in Hikvision (CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067) and Dahua (CVE-2021-33044) cameras, for which patches are available.
A joint US-Israeli military operation initiated strikes within Iran on February 28, 2026, marking the beginning of a conflict that rapidly expanded beyond conventional warfare into the digital realm. Iran retaliated swiftly with ballistic missile and drone attacks targeting Bahrain, Kuwait, Iraq, Saudi Arabia, the UAE, Israel, and Qatar.
Immediately, hacktivist factions on both sides mobilized, launching attacks against critical infrastructure, military logistics, and government systems. This synchronized escalation represented one of the most significant convergences of physical and digital conflict ever witnessed in the Middle East.
Cyber Onslaught from Iranian-Aligned Groups
Following the initial kinetic strikes, Iranian-aligned groups launched a series of cyberattacks against targets in the US, Israel, and the Gulf Cooperation Council (GCC). These operations included distributed denial-of-service (DDoS) campaigns, website defacements, and destructive data-wiping attacks, alongside data theft.
These activities were orchestrated by the Islamic Resilience Cyber Axis, a network established between 2024 and 2025, which operates an Electronic Operations Room to coordinate malicious cyber activities. Groups such as Cyber Islamic Resistance, Fatimion Cyber Team, Cyber Fattah, DieNet, and Sylhet Gang-SG participated in these efforts. Concurrently, pro-Western hacktivists targeted Iranian news sites, religious applications, and government portals. The darknet ecosystem further fueled the conflict, experiencing a surge in propaganda, recruitment drives, and the trade of stolen data.
Analysts at Resecurity observed a sharp increase in activity from several Iran-linked threat actors. Among them was the newly identified Cyber Isnaad Front, which published a targeted hit list of individuals across various industries in Israel.
On March 11, 2026, the Handala Hack Team, identified by Resecurity as a highly credible and active group during the conflict, claimed responsibility for a cyberattack against Stryker Corporation, a US-based medical technology company. This attack reportedly disrupted Stryker’s global network and led to the exfiltration of a substantial volume of sensitive data. Handala stated the attack was in retaliation for a missile strike on a school in Minab, Iran.
The cyberattacks demonstrated clear intent. Iranian-aligned actors utilized credentials obtained through infostealer malware to gain access to web panels and applications, with a particular focus on energy infrastructure in Jordan. Additionally, hacktivists scanned Israeli network ranges for exposed IoT devices, exploiting vulnerabilities in Hikvision and Dahua cameras. Specific vulnerabilities targeted included CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, and CVE-2025-34067 for Hikvision devices, and CVE-2021-33044 for Dahua devices. Patches are currently available for all these identified CVEs.
The broader campaign also impacted multiple Pakistani television channels, websites, and mobile applications, prompting Pakistan’s National Computer Emergency Response Team (CERT) to initiate a formal investigation. The conflict’s physical dimension also affected digital infrastructure, with at least three Amazon data centers in the UAE and Bahrain sustaining damage from Iranian drone strikes. Furthermore, the bombing of the IRGC’s Cyber Warfare headquarters in eastern Tehran reportedly limited Iran’s centralized response capabilities, driving more cyber activity through proxy groups operating outside the country.
Electronic Warfare and GPS Spoofing: A Hidden Battlefield
The 2026 Iran conflict featured the most extensive GPS spoofing and jamming campaign ever recorded in military history. This electronic warfare operated as a silent, yet profoundly disruptive, layer beneath the more visible kinetic strikes. Within 24 hours of the initial US-Israeli actions, over 1,100 commercial ships in UAE, Qatari, Omani, and Iranian waters reported navigation failures. Their onboard systems erroneously indicated vessel positions at airports, nuclear plants, and landlocked locations – a clear sign of active GPS spoofing. Iran’s state forces and proxy actors deployed advanced electronic warfare systems across the Persian Gulf, Strait of Hormuz, and regional airspace, creating widespread navigational chaos for both civilian and military platforms.
The interference rapidly intensified. Windward detected 21 new jamming clusters on the first day, increasing to 38 by the following day. Lloyd’s List Intelligence documented 1,735 GPS interference events affecting 655 vessels within the first week, with daily incidents nearly doubling. By March 7, 2026, over 1,650 vessels had experienced GPS interference, representing a 55 percent rise over the preceding week. Resecurity analysts highlighted that GNSS and GPS spoofing poses significant risks to operational technology environments, where industrial control systems and digital services rely on accurate geolocation data.
What You Should Do
- Immediately apply all available patches for Hikvision (CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067) and Dahua (CVE-2021-33044) camera vulnerabilities.
- Organizations in affected regions should deploy redundant navigation systems and reduce single-source GPS dependency for critical operations.
- Conduct thorough audits of all geolocation-dependent industrial processes and operational technology environments.
- Prioritize monitoring for anomalous position data in maritime and aviation platforms as a critical defensive measure.
- Implement robust credential management practices and multi-factor authentication to mitigate risks from infostealer malware.
- Enhance network segmentation and implement strong intrusion detection systems to identify and respond to DDoS attacks and data exfiltration attempts.
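One way to monitor for anomalous position data, as the list above recommends: this added example (not from the original article or from Resecurity) flags position fixes that a vessel could not physically have reached from its last trusted fix. The 40-knot ceiling, the function names and the sample track are assumptions constructed for illustration.

```python
import math
from datetime import datetime

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles
MAX_SPEED_KN = 40.0         # assumed speed ceiling for a commercial vessel

# Constructed sample track (ISO 8601 UTC, lat, lon); fixes 2 and 3 simulate
# a distant spoofed position, fix 4 is the return to the true track.
TRACK = [
    ("2026-03-01T06:00:00+00:00", 26.500, 56.400),
    ("2026-03-01T06:10:00+00:00", 26.510, 56.430),
    ("2026-03-01T06:20:00+00:00", 24.433, 54.651),
    ("2026-03-01T06:30:00+00:00", 24.434, 54.652),
    ("2026-03-01T06:40:00+00:00", 26.540, 56.520),
]

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def flag_implausible_fixes(fixes, max_speed_kn=MAX_SPEED_KN):
    """Return [(index, implied_speed_kn)] for fixes unreachable from the
    last trusted fix. The reference advances only on plausible fixes, so a
    sustained spoofed track stays flagged instead of becoming the baseline."""
    flagged, trusted = [], None
    for i, (ts, lat, lon) in enumerate(fixes):
        t = datetime.fromisoformat(ts)
        if trusted is None:
            trusted = (t, lat, lon)  # assumption: first fix is trustworthy
            continue
        hours = (t - trusted[0]).total_seconds() / 3600.0
        dist = haversine_nm(trusted[1], trusted[2], lat, lon)
        # Zero or negative elapsed time with movement is itself implausible.
        speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
        if speed > max_speed_kn:
            flagged.append((i, round(speed, 1)))
        else:
            trusted = (t, lat, lon)
    return flagged

if __name__ == "__main__":
    for idx, speed in flag_implausible_fixes(TRACK):
        print(f"fix {idx} at {TRACK[idx][0]}: implied {speed} kn, treat as suspect")
```

This check assumes the first fix is trustworthy and will not catch slow drift that stays under the speed threshold, so it belongs alongside a cross-check against a second positioning source, not in place of one.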
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


