Google's Threat Intelligence Group issued an alert on March 2, 2026, stating that Iranian state-affiliated actors and aligned hacktivist collectives have launched a coordinated cyber campaign targeting entities in Israel, Gulf Cooperation Council countries, and locations in Europe and North America. The activity correlates with the start of joint U.S.-Israeli military operations — designated Operation Roaring Lion (U.S.-led) and Operation Epic Fury (Israeli-led) — both initiated on February 28, 2026.
Between February 28 and March 1, CloudSEK documented more than 150 hacktivist-claimed incidents across public channels — primarily DDoS attacks, website defacements, and data-exfiltration operations against government, financial, aviation, telecommunications, and critical-infrastructure sectors. Google also identified increased scanning and reconnaissance from known Iranian-linked IP ranges targeting energy, finance, and transportation sectors in the region and beyond.
No confirmed successful intrusions into critical operational technology systems have been publicly disclosed as of March 2, 2026.
Timeline of Reported Cyber Activity
Cyber activity escalated immediately following the first reported military strikes on February 28, 2026.
Key Tactics Observed in the Campaign
The majority of activity follows patterns previously associated with Iranian state actors and affiliated hacktivist groups:
- DDoS attacks — Volumetric floods targeting government portals and financial exchanges, with peaks exceeding 1.2 Tbps in isolated cases (Cloudflare Radar, Feb 28–Mar 1)
- Website defacements — Replacement of homepages with political messaging on regional airline, bank, and ministry sites (Zone-H archive, Mar 1)
- Data-exfiltration claims — Public releases of alleged stolen documents from energy and telecom firms; authenticity remains unverified in most instances
- Reconnaissance scans — Increased port scanning and vulnerability probing from Iranian ASNs against OT/SCADA environments in Gulf states (Google Threat Intelligence indicators)
Affected Sectors and Geographic Scope
CloudSEK's March 1 report broke down the claim distribution by both geography and sector. Israel accounted for the largest share of targeted entities, while government and finance were the most frequently hit verticals.
Geographic Distribution
Sectors Targeted
Notable targets included regional stock exchanges, national airlines, central banks, port authorities, and power grid operators across the affected regions.
Google and Industry Threat Assessments
Four major cybersecurity firms published or updated threat intelligence briefs between March 1–2, 2026.
Google's alert specifically highlighted elevated activity from groups previously linked to Iran's Islamic Revolutionary Guard Corps (IRGC) cyber units, the use of commodity tools for initial access combined with custom wipers in select operations, and — crucially — no evidence of successful OT compromise at time of publication.
Broader Context: Historical Comparisons
The current campaign volume significantly exceeds that of prior escalation periods tied to Iran-related tensions.
The 150+ incidents in 72 hours exceed the prior weekly average from similar escalation periods in 2024, suggesting a more coordinated and rapid mobilization of hacktivist infrastructure — though elevated claiming volume does not necessarily equate to elevated real-world impact.