In the wake of the massive joint offensive launched by the United States and Israel on February 28, the digital battlefield has seen a sharp escalation in activity. A new report from Unit 42 reveals that a “multi-vector retaliatory campaign” is currently unfolding, involving an array of state-aligned actors and global hacktivist collectives.
The report details how the physical strikes, code-named Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel), triggered an immediate and evolving “trans-regional conflict” in cyberspace. While the initial strikes were kinetic, the response has been digital, with activists outside of Iran ramping up operations.
However, the threat from within the country faces a unique physical barrier. As Unit 42 researchers observed: “We believe threat activity from nation-state groups based within the country is mitigated in the near term because of the limited internet connectivity in Iran”. Since the morning of the strikes, available connectivity has plummeted to between 1% and 4%.
State-aligned units may now be acting in “operational isolation,” leading to a break from their typical attack patterns. This “tactical autonomy” means that cells located outside of the region may continue to strike without direct orders. “The loss of connectivity and significant degradation of Iranian leadership and command structures will likely hinder the ability of state-aligned threat actors to coordinate and execute sophisticated cyberattacks in the near-term,” the report states.
Despite the coordination hurdles, several prominent hacktivist groups have claimed significant “victories” against Israeli infrastructure:
- “Handala” Group: Claims to have infiltrated IDF networks, leaking documents related to the “Magen Tsafoni” (Northern Shield) operation, including command approvals and contact details.
- “Russian Legion”: This collective made the bold claim of gaining access to Israel’s Iron Dome missile defense system, asserting they were “controlling radars, intercepting targets and monitoring in real-time”.
- NoName057(16): A well-known pro-Russian group that has targeted a wide range of municipal, political, and defense entities with disruptive operations.
Unit 42 continues to track the Iranian state-sponsored constellation known as Serpens. These groups typically focus on “projecting and amplifying political messaging” through destructive and psychological tactics.
Experts warn that as the conflict continues, these campaigns are likely to pivot toward high-value targets, including politicians and decision-makers, as well as the “supply-chains, critical infrastructure, vendors or providers” that support them.
Organizations worldwide are advised to remain on high alert as the trans-regional conflict continues to spill over into the global digital landscape.