Is the internet becoming just another casualty of war? We’re fixated on the bombs and the geopolitical maneuvering, but the real story here isn’t the kinetic conflict between the U.S., Israel, and Iran – it’s the surprisingly limited cyberwar unfolding alongside it. While headlines scream of “digital battlefields,” the reality, as detailed in a recent Unit 42 report, is that Iran’s own severely degraded internet connectivity is acting as a chokehold on its cyber capabilities, at least in the short term. This isn’t to say there’s no threat, far from it. But the narrative of a sophisticated, coordinated Iranian cyber offensive crippling Western infrastructure is, for now, largely hype.
On February 28, 2026, the launch of Operation Epic Fury and Operation Roaring Lion triggered a predictable retaliatory response from Iran. However, within hours, Iran’s internet access plummeted to a mere 1-4%. This isn’t a case of clever defensive measures; it’s a consequence of the strikes themselves impacting command and control structures. Think of it like trying to run a complex military operation with only a walkie-talkie when you’re used to fiber optic cables. The sophisticated, nation-state-level attacks we’ve been warned about for years require bandwidth, coordination, and reliable communication – all of which are now severely compromised. Unit 42 assesses that this disruption will hinder the ability of state-aligned threat actors to coordinate and execute complex cyberattacks.
Source material: unit42.paloaltonetworks.com.
This doesn’t mean Iran is offline entirely. The report highlights a surge in activity from hacktivist groups, some 60 individual entities, including pro-Russian actors. Groups like Handala Hack, linked to Iran’s Ministry of Intelligence and Security (MOIS), are claiming responsibility for attacks ranging from compromising energy companies in Jordan to threatening Iranian-American influencers with physical harm. But these are, generally, lower-sophistication operations – website defacements, DDoS attacks, and data leaks. They’re disruptive, certainly, and create noise, but they aren’t the systemic takedowns many feared. The impact is assessed as “low to medium significance.” The real danger lies not in the success of these attacks, but in their potential to escalate tensions and create confusion.
The situation is further complicated by the potential for Iranian cyber units to operate in “operational isolation.” With centralized command degraded, individual cells, both within and outside Iran, may act autonomously, deviating from established protocols. This introduces unpredictability. We’re seeing early signs of this with groups like the Cyber Islamic Resistance coordinating multiple teams for synchronized attacks, and the FAD Team claiming access to SCADA systems. This isn’t a centrally orchestrated symphony of cyber warfare; it’s more like a series of independent musicians improvising, some playing in tune, others…not so much. And while state-sponsored groups like APT Iran and those under the “Serpens” constellation could escalate activity, their capacity is demonstrably reduced.
It’s also crucial to understand that Iran isn’t the only actor exploiting this chaos. Other nation-state-aligned threat actors may attempt to exploit the situation to further their own interests. Unit 42 notes that geographically dispersed operators and affiliated cyber proxies may target governments hosting U.S. military bases, aiming for logistical disruptions. And, predictably, cybercriminals are already capitalizing on the conflict, using social engineering scams in the United Arab Emirates to steal credentials. The conflict is a magnet for malicious actors of all stripes, creating a broader threat landscape for everyone. The report also details a phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert application, demonstrating the immediate and direct threat to civilians.
The response from the cybersecurity industry is, predictably, focused on technical solutions. Palo Alto Networks is pushing its Next-Generation Firewalls, Cortex XDR, and URL filtering services. These are valuable tools, absolutely, but they address the symptoms of the problem, not the underlying geopolitical reality. Foundational security hygiene – offline backups, multi-factor authentication, employee training – remains the most effective defense. The Unit 42 report rightly emphasizes the need for robust communication plans to manage the inevitable claims of breaches, even if they’re exaggerated. Because in the fog of war, perception is often more damaging than reality.
Here’s what to watch for in the next six months: the emergence of “shadow operations.” As Iran’s internet connectivity slowly recovers, expect to see a resurgence in state-sponsored activity, but not necessarily a return to the pre-conflict status quo. The period of operational isolation may have empowered certain cells, creating independent actors with their own agendas. The question isn’t if Iran will retaliate in cyberspace, but how – and whether that retaliation will be centrally controlled or a fragmented, unpredictable series of attacks launched by rogue elements. The real test won’t be stopping the DDoS attacks; it will be identifying and neutralizing the splinter groups operating outside the traditional chain of command.






