Israel has claimed a successful strike on a Tehran-based compound that housed Iran’s “cyber warfare headquarters” and the “Intelligence Directorate,” among others. The impact of this, however, on Iran’s cyber capabilities remains unclear.
The Israel Defense Forces said in a Wednesday update that it had bombed the Eastern front of Iran, where several critical military and intelligence units were allegedly housed. The IDF listed seven primary agencies, including the headquarters of the Islamic Revolutionary Guard Corps (IRGC), the cyber and electronic warfare headquarters, and the Intelligence Directorate headquarters.
Neither Israel nor the United States, which is coordinating the offensive against Tehran, has shared further comments or details of this particular operation. The IDF, however, released a digital illustration of the alleged compound that was attacked.
IRGC-linked cyber operatives have previously targeted the 2024 U.S. elections, over which Washington has publicly named individuals and offered bounties for information on them.
Cyber Warfare Continues Despite Infrastructure Strikes
Israel’s claims of striking Iran’s cyber warfare headquarters come on the back of threat intelligence monitoring indicating that Iranian-aligned cyber operations are growing in number. According to cybersecurity firm Cyble’s threat monitoring reports covering the conflict period, the relationship between physical infrastructure destruction and operational cyber capability remains ambiguous.
Iran’s internet connectivity collapsed to approximately 1-4% of normal levels following the February 28 joint US-Israeli strikes—a near-total nationwide blackout that has persisted for over 120 hours. However, this disruption stems primarily from the coordinated cyber-kinetic operation that targeted Iran’s communications infrastructure simultaneously with kinetic strikes, rather than from the physical destruction of the compound housing cyber warfare headquarters.
Security researchers note that the degraded internet connectivity likely hampers domestically based Iranian state actors more than the physical damage to the headquarters does. The blackout limits command-and-control infrastructure for Advanced Persistent Threat groups that typically operate from within Iran’s borders, but pre-positioned capabilities and externally operated assets continue functioning.
Pre-Positioned Threats Remain Active
Critically, multiple Iranian state-sponsored hacking groups had established operational infrastructure before the kinetic strikes commenced. Cybersecurity firm Anomali reported to Reuters that Iranian state-backed groups conducted wiper attacks designed to erase data on Israeli targets prior to the February 28 offensive, indicating pre-positioned destructive capability that may still be active on compromised networks awaiting external trigger signals.
Advanced Persistent Threat groups including MuddyWater, APT42, Prince of Persia and CRESCENTHARVEST were all documented as actively targeting Israeli and regional organizations in January and February 2026—before hostilities escalated. These pre-existing footholds represent latent capability that could activate without requiring new command-and-control infrastructure within Iran’s degraded internet environment.
The most significant confirmed technical operation during the conflict period came from Unit 42 researchers at Palo Alto Networks, who identified an active phishing campaign distributing weaponized replicas of Israel’s RedAlert missile warning application. The sophisticated Android malware collects contacts, call logs, SMS messages, account information and device identifiers before encrypting and exfiltrating the data. The campaign demonstrates state-level tradecraft.
Hacktivist Activity Surges While State Actors Remain Silent
The cyber threat landscape following the strikes has been dominated by hacktivist operations rather than sophisticated state-sponsored campaigns. Over 70 individual hacktivist groups were active as of March 3, with an “Electronic Operations Room” established by Iraqi-aligned actors to coordinate pro-Iranian campaigns across multiple collectives.
However, threat intelligence analysts note a significant gap between the volume of hacktivist claims—primarily consisting of DDoS attacks, website defacements and unverified industrial control system access assertions—and the known destructive capabilities of Iran’s state-sponsored cyber units.
“The vast majority of observed operations consist of DDoS claims, website defacements, unverified ICS access assertions, and recycled propaganda,” the Cyble threat report states. What warrants the highest concern going forward is the convergence of pre-positioned APT capability on Israeli and regional networks, the progressive restoration of Iranian internet connectivity, which will re-enable coordination of state-level operations, and the growing cross-ideological alliance between pro-Iranian and pro-Russian hacktivist ecosystems.
Multiple pro-Russian hacktivist groups including NoName057(16) and Cardinal have pivoted from Ukraine-focused operations to join anti-Israel campaigns in support of Iran, confirming cross-ideological convergence patterns that provide sustained operational tempo independent of Tehran’s connectivity status.
Assessment: Capability vs. Infrastructure
Cybersecurity experts from Cyble believe that striking physical headquarters does not necessarily eliminate cyber operational capability. Modern state-sponsored hacking operations rely on distributed infrastructure, encrypted communications channels, and operatives who may work remotely or from locations outside Iran’s borders.
“The present phase saw cyber activity that was largely anticipatory rather than destructive,” according to threat intelligence analysis. “What warrants continued monitoring is the assessed gap between current activity levels and the capability sets known to be held by state-sponsored actors on both sides.”
The UK’s National Cyber Security Centre issued an advisory on March 2 assessing “likely no current significant change in the direct cyber threat from Iran to the UK,” while warning of an “almost certainly heightened risk of indirect cyber threat” for organizations with Middle East presence or supply chain exposure.
Organizations in affected sectors face continued risk from pre-positioned malware, externally operated command infrastructure and hacktivist campaigns that operate independently of physical headquarters. Once Iranian internet connectivity is restored, threat intelligence analysts anticipate a potential spike in state-directed cyber operations.
The full impact of Israel’s strike on Iran’s cyber warfare headquarters may not become apparent for weeks or months, as security researchers monitor whether sophisticated Iranian APT campaigns resume at previous operational tempo or whether the disruption produces lasting degradation of Tehran’s offensive cyber capabilities.