Palo Alto Networks: Iran’s internet blackout is reshaping the cyber battlefield
Threat analysts say degraded connectivity may hinder state attacks even as hacktivist groups escalate disruption.
The United States and Israel’s joint offensive against Iran on February 28 has triggered a parallel escalation in cyberspace. But according to Unit 42, the threat intelligence division of Palo Alto Networks, Iran’s own ability to conduct coordinated state-sponsored cyber operations may be temporarily constrained.
Beginning the morning of February 28, Iran’s available internet connectivity dropped to between 1% and 4%, Unit 42 said. The disruption, combined with reported degradation of leadership and command structures, is likely hindering the ability of state-aligned cyber units inside Iran to coordinate sophisticated attacks in the near term.
Some Iranian cyber cells may now be operating in isolation, potentially deviating from established patterns. While actors outside Iran may retain autonomy, Unit 42 assesses that the capacity to sustain complex operations is reduced for now.
At the same time, non-state actors have increased activity. Unit 42 estimates that roughly 60 hacktivist groups were active as of March 2, including pro-Iranian and pro-Russian collectives. Observed operations include distributed denial-of-service (DDoS) attacks, website defacements and hack-and-leak campaigns, most of which appear to be low- to medium-level disruptions.
Among the groups claiming activity are Handala Hack, APT Iran, the Cyber Islamic Resistance and Dark Storm Team. Several have asserted compromises of infrastructure and financial institutions, though Unit 42 cautions that hacktivist groups often exaggerate the scope of their impact.
Pro-Russian collectives have also joined the campaign. Groups including Cardinal and NoName057(16) have claimed disruptive activity against Israeli government and defense-related entities. Another group, “Russian Legion,” claimed access to Israel’s Iron Dome missile defense system, though such assertions remain unverified.
Cybercriminals are also exploiting the conflict. A vishing campaign in the United Arab Emirates is reportedly impersonating government authorities to steal identification credentials, while the ransomware group Tarnished Scorpius has listed an Israeli company on its leak site.
