As missile sirens wailed over Israel earlier this month, thousands of Israelis received texts claiming to be from their military, encouraging them to download a fake shelter app, which could have stolen reams of personal data.
Others received a mass text saying: “Netanyahu is dead. Death is approaching you and soon the gates of hell will open before you. Before the fire of Iranian missiles destroys you, leave Palestine.”
The messages, cybersecurity experts say, are the most visible end of a vast war being waged in the far reaches of the internet between Iran, Israel and the US, and their online sympathisers.
They may use keyboards instead of rifles but Iran’s hackers, who have fought Israel in the digital shadows for years, are among the most battle-hardened soldiers Tehran can call on.
“The Iranians are throwing everything they have at this,” said Chris Krebs, who as a former director of the Cybersecurity and Information Security Agency (CISA) was one of the most senior civilian US cybersecurity officials.
“It is all hands on deck,” Krebs said. “If their cyber operators are breathing, then they will be on their keyboards.”
Their aims vary wildly, from sowing fear to causing chaos, hoovering up intelligence and isolating missile targets. In the murky world of cyber warfare it is hard to tell who even has the upper hand.
But winning in cyber space has become so critical to shaping perceptions and damaging enemy morale that Iran has invested heavily in efforts to pierce American and Israeli firewalls.

Iran has three different levels of cyber operators, whose boundaries are often blurry, analysts and former officials said.
The most experienced are run directly by the Islamic Revolutionary Guard Corps and Iran’s ministry of intelligence. They maintain a dizzying array of front organisations, used to introduce plausible deniability for attacks and issue public threats.
Iran also hires semi-autonomous hacking proxies, cybercriminals and contractors. Finally, volunteer hacktivists have also regularly mobilised behind Tehran.
Its operatives are believed by various governments and cyber experts to have doxxed Israel-based employees of a large US defence contractor, hacked the emails of politicians in Albania – which hosts an Iranian opposition group – and infiltrated a Polish nuclear research centre. Much of its most sensitive espionage is likely to have gone unreported.
The most destructive attack attributed to them has been against Stryker, a multibillion-dollar American medical technology company whose clients include the UK’s NHS. Thousands of employees were sent home after being locked out of their computers earlier this month, disrupting supplies of critical equipment and delaying surgeries.
Handala, a hacking front believed by cybersecurity researchers and the US government to be tied to Iranian intelligence, claimed to have wiped some 200,000 devices, in what Krebs called the most consequential wartime cyberattack against the US ever seen.
Handala also claimed to have broken into a personal email account belonging to FBI director Kash Patel, publishing personal photographs. The FBI confirmed his emails had been targeted by “malicious actors”, but said the information was “historical in nature”.
The current military campaign has escalated a back-and-forth cyber battle that has raged for years between the three countries. The US and Israel have formidable offensive capabilities, and have tended to land larger strategic blows than Iran – dealing, for example, significant damage to the Iranian nuclear programme with malware known as Stuxnet that was discovered in 2009.
The US launched cyberattacks just before last month’s initial air strikes on Iran, “disrupting and degrading and blinding Iran’s ability to see, communicate and respond”, according to Gen Dan Caine, chairman of the joint chiefs of staff.
And Israel wielded its cyber intelligence when dealing one of the biggest blows of the war: years ago, it hacked nearly all the traffic cameras in Tehran, part of an extensive intelligence-gathering operation in advance of its assassination of supreme leader Ayatollah Ali Khamenei.

Israel also used a popular Iranian prayer app to send notifications to millions, encouraging regime defections, according to media reports. “Only this way can you save your life for Iran,” one message read.
Iran, meanwhile, is regarded as less technically competent than Russia or China, often relying on phishing and crude “wiper” malware, which deletes targets’ data.
But Tehran has historically used cyberattacks as a low-cost way to do asymmetric battle with its stronger rivals, spreading confusion and jamming the gears. In 2022, some Israeli media outlets accused Iranian hackers of infiltrating an old phone of Mossad chief David Barnea’s wife, leaking what appeared to be his personal information on Telegram.
It has fought the current campaign on two fronts, said Alexander Leslie of US-based cybersecurity firm Recorded Future.
To hit softer targets and wage psychological warfare, it has leant on its louder hacktivist fronts and proxies.
But Iran’s more threatening groups have been quieter. Top operatives have been methodically searching for vulnerabilities, analysts say, scouting for entry points and positioning themselves in target networks.
“The loudest activity is not always the most important,” said Leslie.
Seedworm, a group that the US and UK say is linked to Iranian intelligence, has been spotted trying to enter US networks since early February, according to cybersecurity firm Symantec. The group has been booted out of a US bank, an airport and a software company that supplies the defence industry.
But Iran appears to have been trying hardest to break through Israel’s hardened cyber defences, which are sturdier than those of the US.
Israeli authorities say it has launched thousands of wiper attacks on Israeli companies, successfully hitting about 50. Its operatives’ hacking of security cameras across Israel and the Gulf has helped target drone and missile strikes, said Gil Messing, at Israeli cybersecurity company Check Point Software.
Tehran is also aligning its cyber capabilities with its regular war effort. Its hackers showed a “new level” of “scale, effect and sophistication” by co-ordinating strikes with the mass text messages sent to Israeli citizens, Messing said.
But for all the noise, some analysts are surprised that Tehran has not struck more decisive strategic targets. In the past, it has attacked American and Israeli critical infrastructure, including water treatment plants, but has not struck similar blows during the current conflict.
There are a handful of possible explanations: early Israeli strikes may have weakened Iran’s capabilities; Tehran might have hobbled its own hackers by throttling its internet for domestic censorship; and it can just take time to design the complex malware needed for big attacks.
They may also have found their way undetected into sensitive economic or military targets, squatting inside to suck up information. “They could have long-term access that they are not ready to burn,” said Andy Piazza at cybersecurity firm Palo Alto Networks.
But if it can get its hackers firing, US defences are uneven, some experts say.
“If they’re given time and space to regroup, [Iran] could very well develop the capabilities to deliver something more decisive,” said Matthew Ferren at the Council on Foreign Relations.
- Copyright The Financial Times Limited 2026