Iranian Cyberattacks Ahead of US, Israel Strikes Discovered

The discovery of Iranian cyber activity ahead of the February 28 U.S.–Israel missile campaign underscores a growing convergence between kinetic and digital warfare. Researchers at Augur Security traced six CIDR blocks, attributed to the MuddyWater APT, to an Estonian autonomous system, indicating that Tehran deliberately leveraged foreign infrastructure to mask its preparations. This pre‑operational staging began roughly six months before the strikes, aligning with a pattern of long‑term reconnaissance that Iranian groups have employed in past campaigns against regional adversaries. The timing also coincided with diplomatic escalations, hinting that cyber preparation was part of a broader coercive strategy.

The activity was not isolated to MuddyWater; APT33, APT34, APT35, CyberAv3ngers and Cotton Sandstorm all showed elevated traffic in the same window, suggesting a coordinated effort across Iran’s cyber‑espionage portfolio. Moreover, more than 60 hacktivist collectives, including Handala and Cyber Fattah, were reportedly mobilized after the missile strikes, turning the cyber front into a mass‑participation retaliation platform. Such rapid activation of hacktivist networks demonstrates Iran’s ability to blend state‑run and civilian cyber forces for amplified impact. Leveraging an Estonian AS provider illustrates Tehran’s willingness to exploit neutral jurisdictions, complicating attribution and hindering defensive response timelines for potential victims.

From a strategic perspective, the synchronized cyber‑kinetic campaign raises the stakes for U.S. and Israeli defense planners, who must now account for a persistent, multi‑layered threat that can be activated on short notice. Intelligence services are likely to increase monitoring of foreign autonomous systems and expand collaboration with European ISPs to disrupt staging grounds before they become operational. For enterprises, the episode serves as a reminder to harden supply‑chain defenses, adopt zero‑trust architectures, and maintain continuous threat‑intel feeds to detect early signs of state‑sponsored intrusion. Regulators may consider mandating disclosure of foreign IP usage to improve transparency and accelerate incident response.