Cyberattacks Hit Iran Amid Regional Tensions
- Iran experienced a wave of cyber disruptions alongside U.S.–Israeli military strikes, according to early reports.
- Multiple apps and websites were defaced or disabled during the incidents.
- Internet connectivity also dropped sharply across the country during the same period.
Coordinated Hacks Target Apps, News Sites, and Connectivity
Cybersecurity analysts reported that several Iranian news websites were compromised early Saturday, displaying messages linked to the ongoing conflict. The religious calendar app BadeSaba, which has more than 5 million downloads, was also hacked and showed warnings urging armed forces to abandon their weapons. Reuters was unable to reach the app’s chief executive for comment, and U.S. Cyber Command did not immediately respond to inquiries. Internet monitoring data showed two major drops in Iranian connectivity at 0706 GMT and 1147 GMT, leaving only minimal access available.
Security researcher Hamid Kashfi described the BadeSaba breach as strategically chosen because the app is widely used among government supporters. Its religious nature makes it a trusted tool, which may have amplified the impact of the defacement. Additional cyber operations reportedly targeted government services and military systems to limit Iran’s ability to coordinate a response. These claims, reported by the Jerusalem Post, have not yet been independently verified.
Experts Warn of Potential Escalation
Threat intelligence specialists say the attacks could signal the beginning of broader cyber activity in the region. Rafe Pilling of Sophos noted that Iranian‑aligned groups or hacktivists may retaliate against Israeli or U.S.‑linked targets. Such actions could include repurposing old data breaches, attempts to compromise exposed industrial systems, or more direct offensive operations. Cynthia Kaiser, formerly of the FBI, added that pro‑Iranian cyber personas have already circulated calls to action similar to those seen in past hack‑and‑leak or ransomware campaigns.
CrowdStrike’s Adam Meyers said the company is observing reconnaissance efforts and early DDoS activity consistent with Iranian‑aligned threat actors. These patterns often precede more aggressive operations, suggesting that the current wave may not be the final stage. Meanwhile, cybersecurity firm Anomali reported that Iranian state‑backed groups had already deployed “wiper” malware against Israeli targets ahead of the strikes. Wiper attacks are designed to erase data, making them more destructive than typical espionage‑focused intrusions.
Historical Context and Recent Response Patterns
Iran is frequently cited by U.S. officials as a significant cyber threat, often mentioned alongside Russia and China. Despite this reputation, Tehran’s responses to previous attacks on its territory have sometimes been limited in scope. After U.S. strikes on Iranian nuclear sites in June, there were few signs of major retaliatory cyber operations. Media reports at the time noted only a brief service interruption in Tirana, Albania, rather than widespread disruptive activity.
The current situation may differ due to the scale of the military strikes and the visibility of the cyber incidents. Analysts caution that Iran’s cyber strategy often unfolds gradually, with proxy groups playing a central role. These groups can act with more flexibility and deniability, making attribution difficult. Observers will be watching closely for signs of escalation in the coming days.
Iran’s internet infrastructure has long been vulnerable to disruptions due to its centralized architecture, which makes nationwide outages easier to trigger. The country has previously implemented intentional shutdowns during periods of unrest, giving researchers extensive baseline data on how its network behaves under stress. Wiper malware, mentioned in the report, has been used in several high‑profile conflicts, including attacks on Ukrainian infrastructure in 2022. These tools are considered among the most destructive forms of cyber weapons because they permanently erase data rather than steal it.
