Iran’s decentralized cyber offensive heightens risk for U.S. firms

As joint U.S. and Israeli airstrikes hit targets across Iran, security experts say a parallel and less predictable battle is unfolding in cyberspace, with potential long-term consequences for companies and critical infrastructure far beyond the region. Analysts warn that Iranian-aligned hackers and loosely affiliated sympathizers are turning to more decentralized and chaotic tactics, increasing the chance of disruptive attacks that are harder to anticipate or deter.

The evolving campaign has been galvanized by the formation of what militants call the “Great Epic” cyber offensive, a loose framework bringing together pro-Iranian hacktivist groups and cyber units that share tools, targets, and propaganda but operate with significant autonomy. Rather than relying solely on traditional state-directed operations, these actors are increasingly leveraging online forums, encrypted messaging platforms, and public code repositories to coordinate attacks and recruit volunteers with varying levels of technical skill. This shift, specialists say, blurs the line between state operations and crowd‑sourced digital retaliation, complicating efforts to attribute incidents and respond in a targeted way.

One of the most visible signs of this change has been a marked push toward public recruitment. The hacker collective Islamic Cyber Resistance has issued open calls for what it describes as “general mobilization,” inviting security researchers, developers, and other technology professionals to join a “great circle of war” in defense of Iran and its allies. Recruitment messages shared in Arabic and English urge prospective volunteers to contact coordinators directly, promising integration into a wider digital “resistance” network aimed at attacking infrastructure and information systems in the United States, Israel, and regional partners. Cyber analysts say this model resembles a crowdsourcing approach to offensive capabilities, dramatically expanding the pool of potential operators and amplifying both the scale and unpredictability of operations.

The air and cyber offensive launched by the United States and Israel at the end of February, under the operational names Epic Fury and Roaring Lion, has further destabilized Iran’s traditional command structures and appears to be accelerating this decentralization. Military and policy assessments describe the operation as a combined kinetic and digital strike designed to paralyze key regime institutions, including elements of the Revolutionary Guard, intelligence services, and critical communications systems. Analysts argue that by degrading central control, the campaign may unintentionally push more responsibility and initiative to loosely managed cyber affiliates and ideologically motivated hacktivists, who are less constrained by state policy or diplomatic considerations.

Threat intelligence firms report that pro-Iranian operators operating under the broader “Cyber Islamic Resistance” label have claimed responsibility for attacks on gas stations in Jordan as well as against U.S. and Israeli defense and technology contractors. These operations have ranged from data‑wiping attempts and website defacements to psychological warfare, where hackers publish screenshots and boast of their exploits in Telegram channels and other social platforms to amplify perceived impact. Verification of these claims often lags behind the propaganda, which can fuel confusion for targeted organizations and complicate incident response.

The hacking of the BadeSaba Calendar prayer app has become a defining example of how cyber tools are being used for psychological operations rather than purely technical disruption. With more than 5 million downloads, BadeSaba is widely used in Iran to track prayer times and religious observances, and is seen by many users as a trusted, apolitical utility. Over the weekend, the app sent push notifications reading “Help has arrived!” and calling for the formation of a “People’s Army” to support “Iranian brothers,” followed by messages directing lower‑ranking members of the Revolutionary Guard to surrender and pointing protesters toward alleged safe gathering points. Cybersecurity researchers say this incident illustrates how compromising a familiar consumer app can be used to seed disinformation, erode trust in digital services, and inflame tensions at moments of maximum uncertainty.

Researchers at firms such as CloudSEK and Flashpoint have documented a sharp escalation in hacktivist activity since the launch of Operation Epic Fury and Roaring Lion, counting more than a hundred claimed incidents in the space of just a few days. The attacks have targeted a wide range of sectors, including energy, finance, government services, and information technology, often through low‑cost methods such as website defacement, denial‑of‑service attacks, and data leaks. While many incidents cause only temporary disruption, experts warn that the volume of activity increases the likelihood that a more sophisticated intrusion could compromise sensitive systems or trigger cascading failures in connected networks.

For U.S. companies, the primary risk is no longer limited to traditional data theft or espionage campaigns tied to identifiable Iranian advanced persistent threat (APT) groups. Instead, executives and security leaders must prepare for a more diffuse threat landscape in which semi‑independent actors, inspired or encouraged by Tehran, seek to undermine public trust, disrupt operations, or damage reputations through targeted leaks and false information. That could mean attacks designed to manipulate internal communication tools, alter content on corporate websites, or flood customer‑facing channels with forged messages that appear to come from trusted sources.

Security practitioners say this environment demands a stronger emphasis on resilience and detection rather than reliance on traditional deterrence or diplomatic pressure. Companies are being urged to test incident response plans, harden access to cloud and identity systems, and train employees to treat unexpected messages and alerts with skepticism, even when they appear to originate from familiar apps or internal services. Critical infrastructure providers, including in the energy, transportation, and financial sectors, are under particular pressure to improve segmentation between operational and administrative networks, as well as to share real‑time intelligence about suspicious activity with industry peers and government partners.

Analysts caution that the decentralization of Iran‑aligned cyber activity is likely to persist as long as the broader confrontation continues, and may even outlast any ceasefire or reduction in direct military hostilities. In practical terms, that means organizations with U.S., Israeli, or allied ties could remain on target lists long after the latest round of strikes fades from headlines, especially if they are seen as symbolically important or vulnerable. For many security teams, the challenge will be to sustain higher levels of vigilance over months or years, adjusting to a threat model in which small, loosely coordinated groups can still inflict outsized damage on public confidence and digital infrastructure.