Full Report
Iran was hit by an expected cyber onslaught in addition to missiles today, as threat actors supporting the Islamic Republic warned Iran's foes to "prepare for the destruction of your infrastructure" in imminent "massive" cyberattacks. Given recent reporting on the United States using offensive cyber capabilities in an unprecedented manner to capture Venezuelan leader Nicolas…
Analysis Summary
# Incident Report: Operation Epic Fury - Multi-Vector Cyber Onslaught against Iran
## Executive Summary
On February 28, 2026, Iran was targeted by a massive, synchronized cyber campaign appearing to support U.S. and Israeli kinetic military operations. The attacks caused widespread disruption to critical infrastructure, government communications, and public news agencies, while simultaneously employing psychological operations (PSYOPs) via compromised mobile applications.
## Incident Details
- **Discovery Date:** February 28, 2026
- **Incident Date:** February 28, 2026
- **Affected Organization:** Various Iranian Government Agencies, News Outlets, and Infrastructure Providers
- **Sector:** Government, Energy, Aviation, Media
- **Geography:** Iran
## Timeline of Events
### Initial Access
- **Date/Time:** February 28, 2026 (Concurrent with missile strikes)
- **Vector:** Compromise of a widely installed third-party mobile application used as a distribution channel; reporting also cites exploitation of vulnerabilities in infrastructure systems, without naming them.
- **Details:** Attackers breached "BadeSaba," a popular Muslim prayer app, and used its push notification service to send unauthorized messages to its user base.
### Lateral Movement
- **Details:** Deep intrusions were reported into data systems tied to the energy and aviation sectors; the reporting suggests movement from peripheral, internet-facing systems into core industrial and security communication networks, but no specific technique is described.
### Data Exfiltration/Impact
- **Details:** Impact was primarily disruption, described by Iranian sources as a "digital fog." Data exfiltration is suspected in the "deep intrusions" but has not been confirmed; the observed effect was the paralysis of security communications and navigation systems.
### Detection & Response
- **How it was discovered:** Evident through service outages, "digital fog," and unauthorized push notifications on civilian devices.
- **Response actions taken:** Iranian state media (Fars) acknowledged the disruptions; FAD Team (pro-Iran) attempted defensive vulnerability assessments of strategic sites.
## Attack Methodology
- **Initial Access:** Hijacking of mobile app APIs (BadeSaba) and exploitation of critical infrastructure vulnerabilities.
- **Persistence:** Not detailed in available reporting; the described "deep intrusions" into data systems imply some persistent foothold, but the mechanism is unknown.
- **Defense Evasion:** Combined electronic warfare and cyber disruption ("digital fog") masked which systems were the actual targets.
- **Discovery:** Pre-attack reconnaissance and vulnerability assessments by both state and non-state actors.
- **Lateral Movement:** No specific technique attributed to this incident; the report only references a general sector trend toward AI-accelerated lateral movement.
- **Impact:** Distributed Denial of Service (DDoS), Electronic Warfare (EW) to disrupt GPS/Navigation, and unauthorized messaging/PSYOPs.
## Impact Assessment
- **Financial:** Undisclosed, but significant impact on energy and aviation operations.
- **Data Breach:** The credentials that authorize push broadcasts for the prayer app (server-side API keys and/or device notification tokens) were evidently under attacker control; potential exposure of security communication logs.
- **Operational:** "Almost complete digital fog"; disruption of news agencies and security communications.
- **Reputational:** Loss of public trust in state-sanctioned mobile applications and in the government's ability to defend its networks.
## Indicators of Compromise
- **Network indicators:** Large-scale volumetric DDoS traffic from globally distributed sources; no specific addresses or domains have been published.
- **Behavioral indicators:** Unauthorized push notifications originating from the legitimate BadeSaba app server/API.
- **Signal indicators:** GPS jamming and spoofing in the Gulf region.
## Response Actions
- **Containment measures:** Isolation of compromised news agency servers.
- **Eradication steps:** Attempted hardening of the Supreme Leader’s official web platforms.
- **Recovery actions:** Transitioning to manual or analog communication backups where digital systems failed.
## Lessons Learned
- **Key takeaways:** The merging of kinetic strikes with cyber-enabled PSYOPs (via civilian apps) creates disproportionate panic.
- **Critical Weakness:** Heavy reliance on a single mobile application for civilian communication/religious practice provided a high-value target for psychological warfare.
## Recommendations
- **Mobile App Security:** Sign push notification broadcasts end-to-end so the client verifies them before display, and require a quorum of signatures from independently held keys, so that compromising the publishing server alone cannot authorize a broadcast. This matters most for apps with very large installed bases in high-risk regions.
- **Infrastructure Resilience:** Segment industrial control systems (Energy/Aviation) from internet-facing communication systems so that disruption of the latter ("digital fog") cannot reach safety-critical operations.
- **Defensive Mobilization:** Establish rapid-response hacktivist coordination protocols for national defense.
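The push-notification recommendation above is the one point on this page concrete enough to show in code. The following Go program is an added example, not code from the report, BadeSaba, or any real push provider: it assumes a hypothetical broadcast format (`ID`, `Issued`, `Body`, a list of signatures) and a client-side policy that accepts a broadcast only when at least two of three independently held Ed25519 keys have signed it. A single stolen key, a duplicated signature, a signature from an untrusted key, and a body altered after signing are all rejected, which is the behavioral indicator listed earlier (a "legitimate" server sending unauthorized notifications) turned into a check the client itself enforces. Key ids and message bodies are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signature is one approver's Ed25519 signature over Broadcast.Canonical().
type Signature struct {
	KeyID string
	Sig   []byte
}

// Broadcast is a push notification as the client receives it. Hypothetical
// layout for this example; the real app's wire format is not public.
type Broadcast struct {
	ID     string      // unique message id so clients can drop replays
	Issued int64       // unix time set by the publisher
	Body   string      // text shown to the user
	Sigs   []Signature // co-signatures collected before release
}

// Canonical returns the exact bytes every approver signs. The version tag and
// NUL framing keep a signature from being reused for another message type
// or with shifted field boundaries.
func (b Broadcast) Canonical() []byte {
	return []byte(fmt.Sprintf("push-broadcast-v1\x00%s\x00%d\x00%s", b.ID, b.Issued, b.Body))
}

// Policy ships inside the client: the approvers' public keys and how many
// distinct approvers must sign before a broadcast is displayed.
type Policy struct {
	Trusted   map[string]ed25519.PublicKey
	Threshold int
}

// Verify accepts a broadcast only if at least Threshold *distinct* trusted keys
// produced valid signatures. Unknown and repeated key ids are not counted, so one
// stolen key (e.g. a compromised publishing server) cannot reach the threshold.
func (p Policy) Verify(b Broadcast) error {
	if p.Threshold < 1 || p.Threshold > len(p.Trusted) {
		return errors.New("policy threshold out of range")
	}
	msg := b.Canonical()
	seen := make(map[string]bool)
	for _, s := range b.Sigs {
		pub, ok := p.Trusted[s.KeyID]
		if !ok || seen[s.KeyID] {
			continue // untrusted or duplicate signer: ignored, never counted
		}
		if ed25519.Verify(pub, msg, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	if len(seen) < p.Threshold {
		return fmt.Errorf("only %d of %d required approvals", len(seen), p.Threshold)
	}
	return nil
}

// approver holds one signing key; in practice each lives on a separate system
// (or HSM) so that compromising the push server yields at most one of them.
type approver struct {
	id   string
	priv ed25519.PrivateKey
}

func newApprover(id string) (approver, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return approver{id: id, priv: priv}, err
}

func (a approver) sign(b Broadcast) Signature {
	return Signature{KeyID: a.id, Sig: ed25519.Sign(a.priv, b.Canonical())}
}

// Scenarios builds a 2-of-3 policy and runs one legitimate and four hostile
// broadcasts through it, returning whether each was accepted.
func Scenarios() (map[string]bool, error) {
	policy := Policy{Trusted: map[string]ed25519.PublicKey{}, Threshold: 2}
	var apps []approver
	for _, id := range []string{"ops-a", "ops-b", "ops-c"} { // constructed key ids
		a, err := newApprover(id)
		if err != nil {
			return nil, err
		}
		apps = append(apps, a)
		policy.Trusted[id] = a.priv.Public().(ed25519.PublicKey)
	}
	outsider, err := newApprover("unknown-key") // not in the client's trust set
	if err != nil {
		return nil, err
	}
	base := Broadcast{ID: "msg-0001", Issued: 1772236800, Body: "Prayer times updated for today."}

	legit := base // properly co-signed by two independent approvers
	legit.Sigs = []Signature{apps[0].sign(base), apps[1].sign(base)}
	single := base // attacker holds only one approver key
	single.Sigs = []Signature{apps[0].sign(base)}
	padded := base // same key presented twice to fake a second approval
	padded.Sigs = []Signature{apps[0].sign(base), apps[0].sign(base)}
	outsiderSigned := base // one real key plus a key the client does not trust
	outsiderSigned.Sigs = []Signature{apps[0].sign(base), outsider.sign(base)}
	tampered := legit // validly co-signed, then the body is altered in transit (constructed text)
	tampered.Body = "Leave your area immediately."

	results := map[string]bool{}
	for name, b := range map[string]Broadcast{"legit": legit, "single": single,
		"padded": padded, "outsider": outsiderSigned, "tampered": tampered} {
		results[name] = policy.Verify(b) == nil
	}
	return results, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-9s accepted=%v\n", name, ok)
	}
}
```

The design choice worth noting is that the threshold counts distinct trusted key ids rather than raw signatures; a check that merely counts signatures is defeated by submitting the same valid signature twice. Replay protection (remembering recent `ID` values and rejecting stale `Issued` timestamps) is left out here but belongs in a real client.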