Sophos Warns of Rising Cyber Risk After US-Israel-Iran Strikes
Cybersecurity firm Sophos has published a formal cyber advisory warning organisations in the United States, Israel, and allied regions of elevated cyber risk following the joint US-Israeli military strikes on Iran on 28 February 2026.
Cybersecurity firm Sophos has published a formal cyber advisory warning organisations in the United States, Israel, and allied regions of elevated cyber risk following the joint US-Israeli military strikes on Iran on 28 February 2026. The operations, designated Operation Epic Fury by the US and Operation Roaring Lion by Israel, targeted Iranian military infrastructure, nuclear sites, and senior leadership. Iran's Supreme Leader, Ayatollah Ali Khamenei, was confirmed killed in the strikes. Iran has launched retaliatory missile and drone barrages across the region in the days since.
Within hours of the initial strikes, Sophos X-Ops and Unit 42 researchers at Palo Alto Networks observed a rapid surge in activity from Iran-aligned hacktivist groups across Telegram, X, and underground forums. Sophos's companion hacktivist activity report, published 2 March 2026, documents over 60 individual threat groups mobilising, with activity skewing toward website defacement, distributed denial-of-service attacks, and credential-based intrusions.
Sources: Sophos X-Ops, Unit 42, CloudSEK. Figures as of 2 March 2026.
What happened on 28 February
The strikes targeted military installations, IRGC facilities, and nuclear infrastructure across multiple Iranian cities including Tehran, Isfahan, Qom, Karaj, and Kermanshah. Reports from Israeli and US media indicate simultaneous cyber operations caused widespread disruption to Iranian state media, communications infrastructure, and financial systems. Internet monitoring organisations Netblocks and Cloudflare recorded Iranian national connectivity collapsing to between 1% and 4% of normal levels in the immediate aftermath.
That near-total connectivity loss has a dual effect on the threat landscape. Unit 42 assesses that the degradation of Iranian command structures and internet access will likely limit the near-term capability of state-sponsored groups to coordinate sophisticated attacks from within Iran. However, proxy actors, diaspora groups, and ideologically motivated hacktivists operating outside Iranian borders face no such constraint, and their activity has risen sharply.
Key threat actors identified
Sophos X-Ops and Unit 42 have identified the following groups as active or escalating since the strikes:
Attack types assessed as most likely
Based on historical Iran-linked campaigns and current observed activity, Sophos and Unit 42 assess the following tactics as most probable against US and Israeli-affiliated targets:
Who is at elevated risk
Sophos identifies the primary at-risk population as organisations with US or Israeli affiliation, including commercial suppliers, defence-adjacent contractors, and civilian infrastructure operators. Gulf Cooperation Council states are also assessed as likely targets given Iranian retaliatory missile activity in the region. The CISA advisory library on Iranian threats provides additional sector-specific guidance.
Sectors most commonly targeted in historical Iran-linked campaigns include energy, critical infrastructure, finance, telecoms, and healthcare. Organisations in these sectors with internet-facing systems, default credentials, or unpatched VPN appliances are particularly exposed to opportunistic intrusion attempts.
Recommended defensive posture
Sophos recommends organisations take the following actions immediately:
Build your threat intelligence skills on TryHackMe
Understanding how to read and respond to advisories like this is a core skill for SOC analysts and threat intelligence roles. The following TryHackMe rooms cover the relevant techniques.