Fog, Proxies and Uncertainty: Cyber in US-Israeli Operations in Iran

Role of cyber: As Epic Fury and Roaring Lion develop, the intelligence-gathering role of cyber is likely to prove as consequential as its disruptive one. Image: Skorzewiak / Alamy



As Operations Epic Fury and Roaring Lion develop, several dimensions of cyber activity demand attention and careful qualification.

These are days of considerable uncertainty in Iran and across many countries in the Middle East and, as with any military intervention, reporting in the first instance remains at best speculative. As we carefully assess the potential, and eventually actual, role and effects of cyber capabilities and activities in the context of Operations Epic Fury and Roaring Lion, there are at least seven elements that merit close attention.

Assessing the Role of Cyber Capabilities in Military Operations

First, as more information is shared about the operations, these cases might contribute to our ongoing assessment of whether cyber remains more useful as a first-strike enabler, or they may provide additional lessons on how cyber might sustain physical effects. So far, US General Dan Caine’s press conference speech on 2 March noted two roles for US Cyber Command: firstly, as ‘first-movers’ in using ‘non-kinetic effects’ to shape the environment for the subsequent phases of the operation; and secondly, in maintaining a ‘continuous layering’ throughout the first 57 hours of the operation – he claims that it had ‘disrupted communications and sensor networks’. Previous operations, such as last year’s Midnight Hammer, reportedly used cyber to disrupt air defences ahead of the bombing of nuclear sites. Epic Fury will require supporting elements working around the clock, cycling between offensive targeting, defensive operations, information operations and intelligence collection across a continuously shifting battlefield.

As the operation unfolds and more information is released, it remains to be seen whether these activities fit the pattern observed in Venezuela and Ukraine: that cyber effects are most consequential at the start of a campaign, when conditions are more controlled and when degrading the adversary's coordination capacity has the highest strategic impact. The current landscape is different from that of the US Operation Absolute Resolve aimed at removing Nicolás Maduro from Venezuela, where energy infrastructure was suffering from gradual and critical decay, cyber capabilities within the country were far from developed, and the timeline and scope were more contained. In contrast, Iran hosts patriotic hacker groups, the IRGC has its own dedicated cyber–electronic command, and several Advanced Persistent Threats (APT34, APT39 and APT42) have long been linked to the country, raising concerns about retaliatory cyber activity – which has already been taking place.

Moreover, it is clear that Operation Midnight Hammer, Operation Absolute Resolve and now Operation Epic Fury represent successive opportunities that the US has been using to sharpen the institutional, operational and tactical integration of cyber capabilities in military operations with different lengths and against different kinds of adversaries. Epic Fury is possibly the most contextually challenging given the leadership decapitation and spillover to other parts of the Middle East. A more public understanding of the use of cyber capabilities in sustaining military operations can also further support informed debate, especially at a time when other NATO member states have been more eagerly and publicly arguing for the further development of offensive cyber capabilities.

Layering Not Only ‘Effects’, but Also Intelligence

The press conferences following General Caine’s briefings on Operation Absolute Resolve and now Epic Fury both follow the same narrative of the US Cyber Command and Space Command ‘layering non-kinetic effects’. But (and this is the second point that merits attention) as important as non-kinetic ‘effects’ is the layering of those effects with intelligence collection in successfully achieving military objectives throughout an operation. The killing of Ayatollah Ali Khamenei illustrates this with as much clarity as one can get right now. An example is the CIA passing HUMINT to the Israelis about the location of the Ayatollah – intelligence that led the US and Israel to adjust the timing of the entire operation to exploit this window – complemented by Israel’s pre-existing access to Iranian security and traffic cameras and the disruption of mobile phone towers near his location to prevent his protection detail from receiving warnings. This all allowed the Israelis to successfully carry out precision strikes on the compound. This sequencing of HUMINT, SIGINT and cyber espionage illustrates: (i) how cyber supports reconnaissance; (ii) how pre-positioning in strategic networks well ahead of an operation can enable it to be used in critical strikes; (iii) how the ‘layering’ of intelligence sources supported by cyber espionage can enable strikes of greater precision and therefore limit collateral damage to civilians in that specific context; and (iv) (yet again!) an invaluable reminder that cyber is only as good as the other capabilities and intelligence sources it is paired with.


Cyber is almost certainly a critical (albeit not decisive on its own) capability in supporting reconnaissance and broader intelligence-gathering efforts in the months (and in this case, years) preceding an operation: mapping adversary networks; pre-positioning access within critical systems; and informing the planning of subsequent phases. This dimension does not end at H-Hour. As Epic Fury and Roaring Lion develop, the intelligence-gathering role of cyber is likely to prove as consequential as its disruptive one.

Expanding the Fog of Crisis Through Proxies

Third, and perhaps more importantly, it will be crucial to continue monitoring how proxies might expand the fog of crisis. In June 2025's 12-day conflict, reporting from cybersecurity firms showed that hacktivist activity (website defacement and data leaks) was mostly pro-Iranian, while reporting on the Israeli side focused on targeted operations attributed to groups like Predatory Sparrow (Gonjeshke Darande), which targeted Iran's financial infrastructure in the days following the Israeli and US targeting of Iranian nuclear facilities. Emerging OSINT and cyber threat intelligence reports indicate that multiple Telegram channels are being set up by hacktivist groups, predominantly pro-Iranian, to target Israeli organisations following the latest operations. The challenge is that it is hard to determine attribution for some of these groups, especially new ones. On previous occasions, Iranian state-sponsored cyber threat actors have been known to use hacktivist personas to enhance deniability.

Cyber Activity Mirroring Strategic Expansion of the Conflict

Fourth, with the conflict expanding across the broader Middle East following Iranian retaliatory strikes on US bases in Bahrain, Qatar, Kuwait and the UAE, it is also important to monitor hacktivist activities beyond the ‘immediate parties’. Iran has historically relied on a melange between state-sponsored and hacker groups for delivering cyber effects. With network access limited in Iran since the start of the operations, proxies such as hacktivists based outside of the country can take on ‘patriotic’ activities that align with military targets and perceived adversaries, but without consistent coordination with state-based and government-linked groups it remains unclear how impactful they might be. While the effects of cyber disruptions have been unconfirmed and largely self-reported, pro-Iranian hacktivist groups have been mobilising to disrupt Israeli electronic banking portals, civil society websites and e-commerce platforms, as well as allegedly targeting Qatar's Ministry of Interior online services, Kuwait's airport official portal, and other targets in Bahrain, Jordan and elsewhere. The Jordanian National Cyber Security Centre has successfully thwarted a cyberattack originating in Iran against its strategic food reserve, but this report is only one example among other indicators that the expansion of the conflict is also showing signs in cyberspace.

Confusing Narrative Through Psychological Operations

Fifth, tracking the tactics of psychological operations targeting populations in Iran, the US and Israel will be essential. During the opening hours of Operation Roaring Lion, Mossad launched a Farsi-language Telegram channel offering Iranians an alternative information channel, calling on 'our Iranian brothers and sisters' and inviting them to share content of their 'just struggle against the regime'. In January, government satellite broadcasts in Iran were reportedly hacked to air regime-change content, an effort to reach the Iranian population directly and undermine the regime's information control. Perhaps less attributable, but still notable in its timing, a widely-used Iranian prayer-timing app (BadeSaba) was hacked to send notifications to users reading ‘help has arrived’ right after the first bombs dropped in Iran on 28 February, reportedly followed by surrender instructions.


Assessing Internal Coordination in a Moment of Leadership Change

Sixth, observing and understanding shifts in priorities, chain of command and use of capabilities within the IRGC in this moment of leadership change will be important, albeit difficult. With Ali Khamenei's death confirmed, it remains unclear how succession pressures and potential internal infighting will affect the IRGC's capacity to pursue existing operational objectives in cyberspace. This becomes all the more complex considering the claims from the Israeli Defence Forces (IDF) of having hit a large compound in eastern Tehran on 4 March which included the IRGC’s intelligence directorate and cyber warfare headquarters. It remains unclear how much this alleged attack has disrupted the IRGC’s capacity to conduct and plan its cyber campaigns.

The layering of uncertainty, as ever, reinforces the corollary risk: a period of decentralised, proxy-led escalation with limited central restraint, making the coming days particularly volatile and difficult to attribute. Regardless of whether there is a clear direction from the IRGC regarding targets or whether alleged IDF strikes only momentarily or significantly hindered the IRGC’s capacity, as long as connectivity remains limited inside Iran, it is difficult to assess how more ‘destructive’ cyber operations will be delivered by Iran and which targets they will focus on. This is despite there being an alignment between proxy activity and the current kinetic activities, both in terms of alignment of targets and alignment in supporting Iran's broader strategic objective to create chaos and fog of war, as well as to blame the US for the regional spillover of the crisis.

What This Means for the US, UK and Allies

Seventh, uncertainty remains over when and how Iranian cyber activity could expand to directly target the US homeland and its allies, although many are already on alert. Iran's (and its proxies’) cyber playbook has been aggressive and evolving, and more importantly it has historically conducted cyber operations against countries abroad, especially in periods of tension. These have ranged from wiping out data from the Las Vegas Sands Casino in 2014 and several cyber campaigns targeting energy and government targets across the Gulf – most notoriously Saudi Aramco in 2012 – to conducting a wiper attack on Albanian government systems in 2022 (leading to Albania expelling the Iranian ambassador), and most recently, ransomware campaigns that blur the line between criminal extortion and state-sponsored sabotage.

A reported Department of Homeland Security assessment from 28 February noted that Iran and its proxies ‘probably’ pose a persistent threat of targeted attacks on the US homeland, with the most immediate concern being low-level hacktivist attacks such as DDoS and website defacements. The UK's National Cyber Security Centre has similarly issued an advisory noting that while there is ‘no current significant change in the direct cyber threat from Iran to the UK’, the fast-evolving nature of the conflict means that assessment ‘may be subject to change’, particularly for organisations with operations or supply chains in the region – which are facing heightened risks of cyber threats. Even so, as noted in the 2025 Iran report by the Intelligence and Security Committee of the UK Parliament, while ‘it appears that the UK is not a top priority for Iranian offensive cyber activity’ in the pre-conflict current environment, it was still seen to ‘pose a significant threat to the UK and its interests’. The UK has been reluctant to be drawn into the conflict, despite tensions with Cyprus following an Iranian drone attack on the British airbase in Akrotiri. But having granted the US permission to use British bases for what it describes as 'specific and limited defensive purposes' – intercepting Iranian missiles before they reach their targets – it remains unclear whether this calibrated involvement will nonetheless place the UK within the scope of Iranian and proxy retaliatory campaigns in cyberspace.

© RUSI, 2026.

The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.



WRITTEN BY

Dr Louise Marie Hurel

Research Fellow

Cyber and Tech
