Iran Targeted by Coordinated Cyberattacks After U.S.–Israeli Strikes – Apps, DDoS and Wiper Malware Explained

Iran Hit by Coordinated Cyberattacks Following U.S.–Israeli Strikes: Apps, Government Systems and Digital Infrastructure Targeted

March 1, 2026 — As joint U.S.–Israeli airstrikes targeted locations across Iran, a parallel wave of coordinated cyber operations unfolded early Saturday morning, striking Iranian digital infrastructure, government-linked services, and widely used mobile applications. Cybersecurity analysts describe the activity as a synchronized digital offensive designed to apply pressure beyond the physical battlefield.

One of the most significant incidents involved the hacking of BadeSaba, a religious calendar application with more than 5 million downloads. After being compromised, the app reportedly displayed messages including “It’s time for reckoning,” urging members of Iran’s armed forces to lay down their weapons and “join the people.” Security researchers suggest the choice of target was strategic, as the app is widely used by religious and government-supporting communities, amplifying the psychological impact of the breach.

At the same time, multiple Iranian news websites were defaced, displaying unauthorized political messages. Although no group has officially claimed responsibility, the cyber activity coincided precisely with military operations, suggesting a coordinated effort.

According to internet monitoring data, connectivity across Iran dropped sharply at 0706 GMT, and again at 1147 GMT, leaving only minimal national connectivity available. Analysts estimate that internet access fell by approximately 96%, severely disrupting government services, banking platforms, and public communication networks.

Cyber experts also observed several types of attack techniques during this escalation.

One major method was Distributed Denial-of-Service (DDoS) attacks. In a DDoS attack, large networks of compromised computers flood a target server with massive traffic, overwhelming it and causing websites or services to crash. These attacks are often used to temporarily disable systems and create confusion during larger operations.

Security firms also reported signs of reconnaissance activity, where threat actors scan networks to identify vulnerabilities before launching more destructive operations.

More concerning, analysts identified indications of potential “wiper” malware activity. Unlike ransomware—which encrypts data and demands payment—wiper malware permanently erases data, making systems unrecoverable. This form of attack is considered highly destructive and is typically used in politically motivated cyber conflicts rather than for financial gain.

Cybersecurity companies including CrowdStrike and Anomali reported activity consistent with Iranian-aligned threat actors conducting DDoS operations and scanning for exposed systems. Meanwhile, Sophos warned that proxy groups and hacktivist networks may escalate operations, potentially targeting U.S. or Israeli military, commercial, or civilian infrastructure.

Additionally, anti-ransomware firm Halcyon noted increased cyber mobilization across the Middle East, including renewed calls for hack-and-leak operations—where previously stolen data is released strategically to influence public perception.

Although Iran has historically been named alongside Russia and China as a cyber-capable state actor, past responses to foreign strikes have often been more restrained than expected. However, given the scale and synchronization of the current cyber activity, analysts believe the digital dimension of this conflict may continue to intensify.

This evolving situation demonstrates that modern warfare no longer exists solely in the physical domain. Alongside airstrikes and military maneuvers, cyber operations targeting infrastructure, communication systems, and public psychology are becoming central components of geopolitical conflict.