Google's Threat Intelligence Group issued an alert on March 2, 2026, stating that Iranian state-affiliated actors and aligned hacktivist collectives have launched a coordinated cyber campaign targeting entities in Israel, Gulf Cooperation Council countries, and locations in Europe and North America. The activity correlates with the start of joint U.S.-Israeli military operations — designated Operation Roaring Lion (U.S.-led) and Operation Epic Fury (Israeli-led) — both initiated on February 28, 2026.
Between February 28 and March 1, CloudSEK documented more than 150 hacktivist-claimed incidents across public channels — primarily DDoS attacks, website defacements, and data-exfiltration operations against government, financial, aviation, telecommunications, and critical-infrastructure sectors. Google also identified increased scanning and reconnaissance from known Iranian-linked IP ranges targeting energy, finance, and transportation sectors in the region and beyond.
No confirmed successful intrusions into critical operational technology systems have been publicly disclosed as of March 2, 2026.
Timeline of Reported Cyber Activity
Cyber activity escalated immediately following the first reported military strikes on February 28, 2026:
- Initial hacktivist claims appear on Telegram and X channels within hours of confirmed missile launches.
- 150+ incidents logged: DDoS ~68%, defacements ~22%, data-exfiltration claims ~10%.
- Google publishes warning of heightened Iranian cyber posture, citing reconnaissance against Western financial institutions.
- Additional claims surface targeting European aviation firms and U.S. energy utilities.
Key Tactics Observed in the Campaign
The majority of activity follows patterns previously associated with Iranian state actors and affiliated hacktivist groups:
- DDoS attacks — Volumetric floods targeting government portals and financial exchanges, with peaks exceeding 1.2 Tbps in isolated cases (Cloudflare Radar, Feb 28–Mar 1)
- Website defacements — Replacement of homepages with political messaging on regional airline, bank, and ministry sites (Zone-H archive, Mar 1)
- Data-exfiltration claims — Public releases of alleged stolen documents from energy and telecom firms; authenticity remains unverified in most instances
- Reconnaissance scans — Increased port scanning and vulnerability probing from Iranian ASNs against OT/SCADA environments in Gulf states (Google Threat Intelligence indicators)
Affected Sectors and Geographic Scope
CloudSEK's March 1 report broke down the claim distribution by both geography and sector. Israel accounted for the largest share of targeted entities, while government and finance were the most frequently hit verticals.
[Charts: Geographic Distribution; Sectors Targeted]
Notable targets included regional stock exchanges, national airlines, central banks, port authorities, and power grid operators across the affected regions.
Google and Industry Threat Assessments
Four major cybersecurity firms published or updated threat intelligence briefs on March 1 and 2, 2026:
- Elevated activity from groups previously linked to IRGC cyber units. Use of commodity tools and custom wipers. No confirmed OT compromise.
- 3–5× increase in Iranian-origin scanning against Middle East energy assets.
- Iran-origin DDoS campaigns peaked at 1.2 Tbps on February 28, 2026.
- Credential-stuffing attempts against regional financial institutions.
Google's alert specifically highlighted elevated activity from groups previously linked to Iran's Islamic Revolutionary Guard Corps (IRGC) cyber units, the use of commodity tools for initial access combined with custom wipers in select operations, and — crucially — no evidence of successful OT compromise at time of publication.
Broader Context: Historical Comparisons
The current campaign volume significantly exceeds prior escalation periods tied to Iran-related tensions:
| Period | Context | Volume |
|---|---|---|
| 2020 | U.S.–Iran tensions post-Soleimani | ~200 incidents total |
| 2024 | Regional flare-ups (avg weekly) | 80–120 claims/week |
| Feb 28–Mar 1, 2026 | Operations Roaring Lion & Epic Fury | 150+ in 72 hours |
The 150+ incidents in 72 hours exceed the prior weekly average from similar escalation periods in 2024, suggesting a more coordinated and rapid mobilization of hacktivist infrastructure — though elevated claiming volume does not necessarily equate to elevated real-world impact.