Q&A: The Iran war, cyber warfare, and the role of hacktivism outside of the front lines

By: David Hollingworth

Dr Avi Davidi, Iran expert at the Jerusalem Institute for Strategy and Security, speaks to Defence Connect on the role of cyber operations in the fighting in Iran.

Defence Connect: Given that Israel’s opening move against Iran has been described as “the largest cyber attack in history”, what exactly might that have looked like?

Dr Avi Davidi: In this conflict, the cyber component was not merely a preliminary information-disruption effort but appears to have been deeply integrated into the kinetic campaign from the outset, synchronised with airstrikes and other military actions.

According to multiple network observatories, nationwide Iranian internet connectivity plunged to roughly 4 per cent of normal levels during the first hours of the joint Israeli–US strike, indicating an almost total communication blackout across government, media and public services.

The effects reportedly included:

  • Massive degradation of internet infrastructure: a near-nationwide outage that impeded official broadcast, command and control, and civilian digital services.
  • Targeted disruption of state media and communications: major outlets, including IRNA and IRGC-affiliated platforms, were taken offline or defaced with counter-regime messaging.
  • Strategic intrusion into critical sectors: independent reporting suggests cyber operations sought to degrade industrial control systems in energy and aviation to complicate Iran’s defensive coordination.

This multi-vector disruption goes beyond the traditional DDoS or propaganda defacements usually reported in regional tensions. It resembles the “Integrated Cyber-Kinetic” doctrine discussed in cyber security circles, where non-kinetic actions directly facilitate kinetic military objectives.

Defence Connect: Does Iran have any cyber capability to impact the outcome of the fighting?

Dr Avi Davidi: Yes, but the nature and effectiveness of Iran’s cyber capabilities in this conflict should be understood in context.

Iran has developed a range of offensive cyber assets, including:

  • State-linked threat actors: Groups associated with the Islamic Revolutionary Guard Corps (IRGC) or Ministry of Intelligence that have carried out espionage, disruption campaigns and destructive operations in the past.
  • Distributed denial-of-service (DDoS) and wiper malware tools: common tactics in recent escalations and predicted as probable vectors for future operations.
  • Spear phishing and credential harvesting: Historical activity by groups such as APT35 targeting defence and tech professionals.

However, the current documented impact of Iranian cyber operations against Israel has been relatively limited compared to the scale of state cyber power elsewhere (e.g. China, Russia). Iranian attacks have primarily focused on:

  • DDoS and disruption of less critical targets such as sites and services, rather than deep penetration of critical Israeli infrastructure.
  • Information disruption and influence operations rather than systemic degradation of military capabilities.

There are isolated reports of more ambitious attacks, for example, an attempted intrusion into an Israeli hospital resulting in data compromise. (Iran International)

Iran also has significant experience with proxy and affiliated groups that augment state cyber efforts. These actors expand the breadth of attacks but often lack the sophisticated tooling or operational security of a dedicated state cyber unit.

Overall, while Iran possesses credible cyber capabilities, the evidence suggests that its operations to date have fallen short of meaningfully altering the battlefield in Israel’s favour. Their most likely impact remains in asymmetric, disruptive operations and information campaigns rather than strategic cyber dominance.

Defence Connect: While we can assume there has been some disruption to official Iranian cyber operations, what impact might hacktivist groups have?

Dr Avi Davidi: Hacktivism now plays an important but distinct role in this conflict’s cyber dimension.

In recent years, and particularly following 2025’s Israeli–Iran tensions, pro-Iranian and pro-Palestinian hacktivist collectives have increased activity. Reports indicate dozens of such groups have launched attacks across multiple sectors – from government and financial systems to energy and emergency networks – using DDoS, defacements, and other low-barrier tactics.

Key characteristics of hacktivist contributions include:

  • Volume over sophistication: these groups frequently deploy high-volume campaigns (e.g. wave DDoS attacks) that can disrupt availability but are rarely capable of deep compromise or long-term persistence.
  • Symbolic impacts: hacktivist operations often aim to create headlines or psychological pressure rather than achieving definitive operational outcomes.
  • Supporting propaganda and influence efforts: some campaigns amplify narratives favourable to Tehran or hostile to Israel and its allies.

From a strategic perspective, hacktivists can cause episodic disruptions and draw attention, but they are typically less effective than state-linked APTs in hitting hardened or well-defended infrastructure.

Thus, while hacktivist groups contribute to the cyber battlefield, their impact is more amplifying, adding noise and opportunistic disruption, rather than decisive in shaping the conflict’s operational outcomes.

Dr Avi Davidi is a senior Research Fellow at the Jerusalem Institute for Strategy and Security (JISS) and the Elrom Air and Space Research Center, Tel Aviv University. With over 36 years of experience in US-Israel-Iran relations, strategic intelligence and cyber threats, he is a recognised expert on Iranian affairs.
