According to analysts, a series of cyber operations was recorded in the early hours of Saturday, in parallel with the military attacks. These included intrusions into several news websites, where propaganda messages were published, as well as the hacking of the popular BadeSaba application, a religious calendar with more than five million downloads, Reuters reports.
Users of the app were shown messages such as “It’s time to stand up,” with calls for members of the armed forces to lay down their arms and join the civilians. Reuters was unable to reach the CEO of the company behind the app, and the US Cyber Command did not immediately respond to a request for comment.
At the same time, there was a sharp decline in internet connectivity in Iran.
Possible wider operations
Hamid Kashfi, a security researcher at DarkCell, said the attack on the BadeSaba app was a strategic move because it is often used by religious and pro-government users. Some media outlets have also reported cyberattacks targeting Iranian state services and military targets to hinder Tehran's coordinated response, but Reuters could not independently confirm these claims.
Analysts warn that the current activities could be just a prelude to broader operations. Rafe Pilling, director of threat intelligence at Sophos, said that pro-Iranian groups and hacktivists could launch attacks on targets linked to the US and Israel, including military systems, companies and civilian infrastructure.
Such attacks could include the re-release of previously stolen data presented as a new security incident, attempts to compromise industrial systems accessible via the internet, and direct offensive cyber operations.
Increased activity of hacker groups
Cynthia Kaiser, a former senior FBI cybersecurity official now at Halcyon, says there has already been an increase in online activity by known pro-Iranian digital actors. These are groups that have previously carried out so-called "hack-and-leak" operations, as well as ransomware and DDoS attacks that overload internet services to make them unavailable.
According to Adam Meyers of CrowdStrike, activity consistent with patterns of Iranian-linked hacking groups has already been observed, including scouting targets and launching DDoS attacks. Analysis by Anomali, shared with Reuters, also suggests that some Iranian state-backed groups have already carried out so-called “wiper” attacks – operations aimed at wiping data – against Israeli targets ahead of military strikes.
Iran and the previous cyber response
Despite its reputation as a serious cyber threat, Iran has often reacted with restraint in the past. After the US strikes on Iranian nuclear targets in June last year, there was no major wave of disruptive cyberattacks, apart from a brief disruption of digital services in Tirana, according to media reports at the time, tportal reports.