Recorded Future's Insikt Group® is actively monitoring the rapidly evolving situation following coordinated US-Israeli strikes against Iran and the death of Supreme Leader Ali Khamenei. This analysis serves as a continuously updated compilation of the threat actors, tactics, and infrastructure likely to be involved in Iranian cyber retaliation (both from state-sponsored operators and aligned hacktivist groups), together with scenario-based guidance.
This report will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.
Insikt Group will provide updates as new findings emerge surrounding these incidents or as related cyber threat activity is detected. See these links for additional background on how Iran previously responded to the killing of Qassem Suleimani, a prior intelligence briefing from June 2025 on the Israel-Iran conflict, and how Iranian-aligned actors have run complex influence campaigns to exploit prior conflicts.
What Happened
On February 28, 2026, the United States and Israel launched coordinated air strikes against Iran in what is likely to be a prolonged military operation. The US designated the campaign "Operation Epic Fury"; Israel named its component "Operation Lion's Roar." Within hours, Supreme Leader Ali Khamenei and several senior members of Iran's strategic leadership were killed, a new temporary governing council was established, and retaliatory Iranian missile and drone strikes were underway across the Middle East. The cyber dimension of this conflict is active and escalating.
The Strikes
US-Israeli forces conducted approximately 900 strikes during the first twelve hours of operations, targeting Iran's ballistic missile program, senior military leadership, and defense infrastructure. The IDF confirmed striking 500 Iranian targets. Key confirmed outcomes include:
- Supreme Leader Ali Khamenei killed, along with senior advisors including IRGC Chief Mohammad Pakpour, Armed Forces Chief of Staff Abdolrahim Mousavi, Defense Minister Aziz Nasirzadeh, and Defense Council Secretary Ali Shamkhani
- 40 senior IRGC commanders reportedly killed across the country
- Iranian naval assets targeted, including an Iranian Jamaran-class corvette destroyed at Chah Bahar pier — a signal of US-Israeli intent to mitigate the threat to the Strait of Hormuz
- Nuclear facilities at Natanz, Isfahan, and Taleghan 2 showed no evidence of strikes as of March 1, per satellite imagery analysis
Iran's Response
Iran's retaliation has been immediate and broad. Under "Operation Truthful Promise 4," the IRGC launched missile and drone strikes against US military installations and regional allies across at least nine countries — including Bahrain, Qatar, Kuwait, the UAE, Saudi Arabia, Jordan, Iraq, Israel, and Cyprus. As of March 2:
- Four US service members have been killed and five seriously wounded, confirmed by US CENTCOM
- An Iranian ballistic missile killed at least nine Israelis west of Jerusalem
- Attacks on Abu Dhabi and Dubai killed three UAE residents and injured 58 others; 152 of 165 ballistic missiles were intercepted
- Iran-backed Iraqi Shi'ite militias (the Islamic Resistance in Iraq) claimed 16 separate attacks against US bases
- Iran broadcast VHF warnings that the Strait of Hormuz is closed to passage, prompting several major maritime companies to suspend transits
Iran's Leadership Situation
SNSC Secretary Ali Larijani announced a temporary leadership council composed of President Masoud Pezeshkian, Head of the Judiciary Gholam-Hossein Mohseni-Ejehei, and Guardian Council cleric Ayatollah Ali Reza Arafi. Iran's Foreign Minister Abbas Araghchi stated a new supreme leader will be chosen within "one or two days." Despite leadership disruption, the remaining Iranian military and political apparatus has vowed to continue fighting, with the IRGC pledging "severe, decisive, and regret-inducing punishment."
Implications: What This Means for Your Security Team
1. Kinetic Conflict Has an Immediate Cyber Shadow
Pro-Iran hacktivist groups — including Handala Hack Team, Cyber Islamic Resistance, RipperSec, APT IRAN, and Cyber Fattah — have announced coordinated cyber operations against Israeli and regional targets. While large-scale, independently verified intrusions had not been confirmed as of March 2, organizations should not mistake this for low risk. Handala Hack Team in particular has a documented history of transitioning from opportunistic attacks to high-value, strategic targeting — including supply chain vendors and critical infrastructure.
2. Iran's Internet Blackout Cuts Both Ways
Iranian internet connectivity dropped to approximately 4% of normal levels on February 28, limiting some domestic group activity. However, several pro-Iran threat actors operate outside Iran or on distributed infrastructure, meaning they remain fully operational and may intensify activity to assert relevance.
3. Possible Cyber Escalation Paths
Insikt Group assesses that if kinetic operations continue to intensify — particularly leadership-targeting strikes — the likelihood of state-sponsored destructive cyber operations against critical infrastructure increases significantly. US, Israeli, and Gulf-based organizations are at elevated risk. The targeting profile for the near term includes Israeli media outlets, telecom providers, and SMBs, with US and Gulf organizations in the escalation path.
4. Strait of Hormuz Closure Creates Global Supply Chain Risk
With over 100 container ships, 200 bulk carriers, and 450 tankers reportedly in and around the Strait at the time of closure warnings on February 28, any sustained disruption will reverberate across global energy markets and trade. Organizations in energy, oil and gas, maritime shipping, and financial services with regional exposure should elevate monitoring immediately.
5. Iran-Linked Physical Threat Activities Very Likely to Increase in North America, Western Europe, and Australia
The expansive scope and initial success of joint US-Israel military operations against Iran will very likely prompt a significant increase in Tehran’s efforts to asymmetrically target the US and Western countries through violent non-state actors, and heighten the risk that home-grown and domestic violent extremists will be motivated to independently plot their own attacks. Based on prior targeting by Iran-nexus groups over the past five years, the most likely targets are:
- High-profile US, Israeli, and Western foreign policy and military officials
- Iranian dissidents residing abroad
- Targets perceived to be associated with Israeli or Jewish communities
- Private sector organizations affiliated with the US or Israeli military, particularly defense contractors, insurance companies, banks and financial institutions, and critical infrastructure service providers
What to Watch For
As this situation evolves, the following indicators will signal further escalation:
- Strait of Hormuz enforcement — Whether Iran moves from rhetorical closure to active interdiction of vessel traffic
- Shift in hacktivist targeting — Movement from media and telecom targets toward critical infrastructure, financial systems, or US-based organizations
- State-sponsored cyber operation indicators — Insikt Group is monitoring for a transition from hacktivist opportunism to coordinated, destructive operations attributed to Iran's cyber apparatus
- Nuclear facility targeting — Whether subsequent strike waves include Natanz or Isfahan, which would signal a fundamental shift in US-Israeli objectives
Strategic Risk Outlook
Based on the current situation, Insikt Group has developed three scenarios, which are not mutually exclusive, to help companies understand possible event trajectories and the resilience questions to consider.
Scenario One: Regional War and Energy Shock
What happens: Iran escalates retaliation across the Gulf, focusing on using missile strikes, drones, mining, and proxy militants to cripple shipping routes. The US and Israel move from targeted strikes to sustained operations.
What to Watch: Control of key shipping lanes, Iran’s ability to conduct asymmetric ops or proxy attacks
Risk to organizations: Energy prices spike and remain volatile. Shipping insurance surges. Airspace closures disrupt cargo and commercial travel. Gulf facilities near US installations face collateral risk. Supply chains experience recurring disruption as conflict becomes protracted.
Cyber risk: Hacktivist activity intensifies immediately (DDoS, website defacements, data leak claims), potentially followed by destructive state-linked cyber operations targeting energy, logistics, and telecom networks. Operational downtime risk increases.
Resilience Question: What is the operational and financial impact of a 30- or 60-day closure of the Strait of Hormuz across our critical dependencies?
Scenario Two: Regime Fracture and Militia Foothold
What happens: Khamenei’s death triggers a power struggle. Iran's leadership transition will shape the ideological and strategic direction of its retaliation. Internal unrest grows, compounded by militant spillover from the Afghanistan-Pakistan conflict. Militias and separatist minority groups compete for territory and influence.
What to Watch: Militia expansion, erosion of IRGC control, and cross-border militant activity
Risk to organizations: Not a full regional shutdown, but persistent instability: drone incidents, militia activity near US-linked facilities, and sporadic infrastructure disruption across Iraq and the Gulf. Elevated terrorism risk if ungoverned areas expand.
Cyber risk: Opportunistic cyber operations target Israeli, US, and Gulf organizations, particularly media, telecoms, and mid-sized enterprises. Increased extremist recruitment and influence operations likely.
Resilience Question: Are we prepared for high-impact, low-probability incidents such as terrorist violence or sudden infrastructure disruption affecting regional operations?
Scenario Three: Prolonged Stalemate
What happens: Limited de-escalation talks begin, but episodic strikes continue. The regime retains control after making concessions. The Strait of Hormuz remains open, though tensions remain elevated.
What to Watch: Targeted assassinations, rhetorical shifts from leadership
Risk to organizations: Persistent friction. Higher oil prices. Higher insurance costs. Periodic airspace and port closures. Slower regional investment. Operations continue, but with thinner margins and higher volatility.
Cyber risk: Iranian hacktivist campaigns continue, though limited by rolling Internet blackouts. Heightened risk of state-sponsored attacks against regional energy, logistics, and telecom to gain leverage.
Resilience Question: If volatility becomes the baseline, how must we adjust our risk posture to operate sustainably under persistent disruption?
Source: RecordedFuture
Source Link: https://www.recordedfuture.com/blog/ongoing-iran-conflict-what-you-need-to-know