Iran’s Pre-Planned Cyber Offensive: Six Months of Silent Preparation Before the 2026 Strikes

Iran-linked cyber groups significantly ramped up their activity following the late February 2026 US and Israeli military strikes, but new analysis suggests this response was not spontaneous. Instead, it appears to have been carefully prepared months in advance.

Research from cybersecurity firm Augur Security indicates that Iranian intelligence and military-linked cyber units—particularly those associated with the Ministry of Intelligence and Security (MOIS) and the Islamic Revolutionary Guard Corps (IRGC)—began expanding and strengthening their operational infrastructure as early as six months before the strikes.

Pre-Positioned Cyber Infrastructure

Iranian cyber operations rely on a layered infrastructure designed to obscure attribution and ensure resilience. At the base level are domestic providers such as Tehran-based hosting companies. These connect to second-tier “bulletproof” hosting services in multiple countries, which are known for tolerating or ignoring malicious activity.

A third layer involves shell companies and globally distributed hosting setups. Some of these entities are registered in countries like the United States or the United Kingdom but operate across jurisdictions such as Dubai or the Netherlands. This multi-layered design makes tracking and disrupting operations far more difficult for defenders.

Signs of Preparation

Augur’s analysis found a noticeable surge in infrastructure activity among major Iranian advanced persistent threat (APT) groups in the months leading up to the February 28 strikes.

For example, the group commonly known as MuddyWater showed a spike in network allocations in September 2025, including activity tied to European hosting providers. This pattern is consistent with staging infrastructure ahead of planned cyber operations. While the connection to the later conflict is assessed with moderate confidence, the timing strongly suggests preparation for a coordinated response.

Other well-known Iranian-linked groups involved include OilRig (APT34), APT35 (Charming Kitten), APT33 (Peach Sandstorm), Cotton Sandstorm, and CyberAv3ngers. These groups are tied to either MOIS or IRGC cyber units and have a long history of espionage, disruption, and influence operations.

Expansion of Hacktivist Activity

Within 24 hours of the military strikes, Iran-aligned actors reportedly established a centralized “Electronic Operations Room” to coordinate cyber activities. This effort brought together approximately 60 hacktivist groups, enabling rapid and synchronized attacks.

Groups such as Cyber Fattah, Fatimiyoun Cyber Team, and Handala participated in this coordinated campaign. Their operations have primarily targeted government systems, financial institutions, and critical infrastructure in the United States and Israel. Secondary targets include Gulf nations perceived as supporting or facilitating the strikes.

Operational Resilience

Despite damage to Iran’s domestic internet infrastructure caused by the strikes, the country’s cyber capabilities remained largely unaffected. This is due to the distributed and international nature of its cyber infrastructure, which allows operations to continue even when local systems are disrupted.

The structure and mission of the IRGC also contribute to this resilience. Unlike the conventional Iranian military, which focuses on national defense, the IRGC operates as a broader ideological and strategic force with global reach, including dedicated cyber units.

Key Takeaway

The findings highlight a critical reality: cyber capabilities are not easily degraded through traditional military action. Iran’s ability to prepare, distribute, and sustain its cyber operations across multiple jurisdictions makes it highly resistant to disruption, even in the face of direct physical attacks.

1 Comment

  • This is a compelling analysis highlighting how modern cyber warfare is increasingly premeditated and infrastructure-driven. The six-month buildup underscores that cyber operations are no longer reactive but strategically aligned with geopolitical events. It also reinforces a critical point: kinetic actions alone are insufficient to disrupt distributed cyber capabilities. Organizations need to prioritize proactive threat intelligence and infrastructure mapping to defend against such well-prepared adversaries.
