The First Cyber War: How Digital Intelligence Shaped Operation Epic Fury

March 16, 2026

I’ve been covering cyber threats for years now, and I’ve sat through countless conference panels where retired generals talk about “the coming cyber war.” Always in the future tense. Always hypothetical. That era is over.

On February 28, the US and Israel hit Iran. But the shooting started in cyberspace. Hours before any jet crossed Iranian airspace, US Cyber Command had already gutted Tehran’s communications and sensor networks. General Dan Caine confirmed it publicly: space and cyber operations came first, leaving Iran unable to “see, coordinate, or respond effectively.” Think about what that means. By the time the bombs dropped, the Iranian military was already operating blind.

And it only got stranger from there.

Tehran’s traffic cameras killed the Supreme Leader

This is the part that reads like fiction but isn’t. Israeli intelligence had been inside Tehran’s traffic camera network for what appears to be months, possibly longer. Not just watching. Feeding the footage into a machine alongside CIA human intelligence, signals intercepts, satellite imagery, communications metadata. The Financial Times was first to report the scope of it. One Israeli source called the whole setup an AI-powered “target production machine.” You pour data in, you get a 14-digit grid coordinate out.

They built what they called a “life pattern” for Khamenei. His routes. His schedules. Which aides traveled with him. When his security detail was thinnest. The Jerusalem Post reported that Israeli analysts mapped these patterns over an extended period, cross-referencing traffic camera data with other intelligence streams.

Then the CIA confirmed Khamenei would attend a senior military meeting on the morning of the 28th. The entire operation timeline shifted around that single piece of intelligence. The result: Khamenei dead, along with the IRGC commander, the defense minister, the chief of staff, the head of the National Defense Council. More than a dozen top officials, gone before lunch.

I keep coming back to what RUSI wrote about this. They pointed out something that gets lost in the spectacle: cyber’s biggest contribution here wasn’t disruption. It was reconnaissance. Years of quiet network access, pre-positioned in Iranian infrastructure, activated at the decisive moment. That’s not a hack. That’s a long-term intelligence operation that happened to run through fiber optic cables instead of dead drops.

Israel doesn’t want to depend on Silicon Valley for its kill chain

Here’s something that should concern anyone in the AI policy space. Haaretz reporter Omer Benjakob told NPR that Israel is building its own military AI systems specifically because it can’t afford to rely on American commercial platforms. His quote was memorable: “One day someone will discover we also use Claude, and then there’ll be a protest in San Francisco, and then they’ll take Claude away from us.”

He said this on the record.

The Anthropic dispute with the Trump administration over military use of Claude is well documented at this point. But the strategic implications go deeper than one company’s ethical stance. If your precision targeting pipeline depends on a model whose provider can revoke access based on a policy change or public pressure campaign, you have a serious sovereignty problem. Israel clearly sees it that way. Others will too.

None of this means AI targeting is ready for primetime, though. The March 8 strike on the Shajareh Tayyebeh school in Minab killed 165 people. 110 of them were schoolgirls. The building used to be a military base. Whether AI targeting systems worked off stale data is still under investigation, but a UCL computer scientist put the core issue bluntly: “This stuff is only two or three years old.”

Speed and precision are not the same thing. This war is proving that every day.

60 hacktivist groups, one internet blackout, and a paradox

Iran’s internet dropped to somewhere between 1% and 4% connectivity on February 28. That’s barely functional. You’d think that would cripple the regime’s cyber response. And for the state-run APT groups operating inside Iran, it probably did, at least initially.

But that’s not how Iran’s cyber infrastructure actually works. Tehran has spent years building out proxy networks. Hacktivist groups, some loosely affiliated, some directly run by MOIS or the IRGC, operating from outside Iran’s borders. When the internet went dark domestically, these external nodes lit up.

Unit 42 counted around 60 groups active in the first week alone. Handala Hack, which has documented ties to the Ministry of Intelligence, ran wiper and exfiltration campaigns against Israeli defense targets. On March 12, they hit Stryker, one of the largest medical technology companies in the US. MuddyWater, an IRGC-linked group, turned out to have pre-planted backdoors in Israeli-adjacent defense and financial networks. They didn’t need to break in after the war started. They were already inside.

March 2 was when things escalated beyond the Middle East. Pro-Russian hacktivist group NoName057(16) formally joined the Iranian coalition. Since then, the combined front has been hitting targets in Cyprus, Romania, across the Gulf states. Government websites, airports, telecom providers. The Russia-Iran cyber axis is no longer theoretical. It’s operational.

Now, the OT and SCADA claims. Groups have been posting screenshots alleging access to Israeli water systems, Jordanian grain storage controls, various industrial systems. John Hultquist at Google Threat Intelligence has been saying for years that Iran exaggerates its cyber successes for psychological effect, and he’s right. A lot of these claims don’t hold up under scrutiny.

But I’d be careful about dismissing all of it. CyberAv3ngers compromised real US water systems in 2023 using nothing more sophisticated than default passwords on Unitronics PLCs. The capability is proven. What we don’t know is how much coordination these proxy groups can maintain while their state sponsors are dealing with an actual shooting war.

The information battlefield is now indistinguishable from the physical one

Before the first airstrike, Israel had already compromised BadeSaba, a popular Iranian prayer app with over five million users. They pushed messages to regime supporters urging military defection. They hijacked state news websites to publish anti-regime content. Later, they sent AI-equipped drone swarms over Tehran to hit Basij militia checkpoints.

Iran’s been playing the same game in reverse for years. Dozens of Israeli nationals recruited through Telegram, paid to commit low-level sabotage: starting fires, spraying antigovernment graffiti, sowing social discord. A Clemson University researcher called Israel’s approach “psychological operations integrated with military operations in one clean campaign with a single goal: toppling the Iranian regime.”

Both sides have turned every digital platform into a weapon. Messaging apps, news sites, social media, traffic infrastructure. There’s no longer a meaningful line between “cyber operation” and “influence operation.” It’s all one battlefield.

CISA is running on fumes at the worst possible time

I can’t write about this conflict’s cyber dimension without mentioning what’s happening at CISA. The agency has lost roughly a third of its staff. The temporary director got reassigned to another corner of DHS right as the war kicked off. FBI and NSA have put out joint warnings about Iranian targeting of US defense contractors and financial firms. Jamie Dimon at JPMorgan went on CNBC and said banks are bracing for a wave of cyber and terrorist attacks.

So at the exact moment when motivated, state-aligned Iranian cyber actors are looking for American targets, the primary agency that’s supposed to coordinate civilian cyber defense is hollowed out. That should worry people far more than it seems to.

European organizations need to pay attention

The NCSC in the UK puts Iran in the same threat tier as Russia and North Korea. That was true before February 28. It’s more true now, because the Russian hacktivist groups that joined the Iranian coalition have broadened the targeting aperture into Europe.

Organizations in Austria and the DACH region might feel geographically removed from this conflict. They’re not. If your supply chain touches Israeli technology, if your cloud provider hosts workloads for companies in targeted sectors, if you run Israeli-manufactured OT equipment, you’re in scope. CyberAv3ngers targeted Unitronics PLCs in 2023 specifically because they were Israeli-made. That logic doesn’t stop at borders.

Trellix published research showing that Iranian threat groups have expanded from targeting a handful of countries to more than twenty since the conflict started. Western Europe is on that list. The tactics are familiar: spear-phishing, unpatched edge devices, ransomware that looks criminal but serves state interests, data leaks timed for maximum embarrassment.

This doesn’t end when the bombing stops

Iranian APT groups like APT42, APT34 and MuddyWater have a well-documented habit of running campaigns for years after the initial trigger. The proxy networks are activated. Russia and Iran have found operational common ground in cyberspace. The infrastructure built for this conflict will be repurposed, not dismantled.

Two decades of defense policy debates about whether cyber is a “real” domain of warfare just got their answer. In this conflict, cyber was the opening move, the intelligence backbone, the targeting enabler, the psychological weapon, and the retaliatory instrument of choice for a regime that lost its conventional military options in a matter of hours.

We’re not waiting for the first cyber war anymore. We’re in it.


EDITOR’S NOTE

Digital Intelligence provides independent analysis on European security, intelligence developments, border protection, and hybrid threat dynamics. All assessments are produced with a focus on clarity, relevance, and strategic insight.

– Ozan Akyol
