Hackers Target Iranian Apps and Websites After U.S., Israeli Strikes
A wave of cyber operations struck Iranian digital infrastructure early Saturday morning, unfolding alongside joint U.S. and Israeli military strikes on targets across Iran, according to cybersecurity experts and observers.
The activity included the hacking of multiple Iranian news websites, which were defaced with various messages, as well as a high-profile breach of BadeSaba, a widely used religious calendar app with more than five million downloads.
Users of BadeSaba were met with messages declaring “It’s time for reckoning” and urging members of the armed forces to lay down their weapons and join civilians. Reuters was unable to reach the company’s chief executive for comment, and a spokesperson for U.S. Cyber Command did not immediately respond to a request for comment.
Internet connectivity across Iran also appeared to be severely disrupted. Doug Madory, director of internet analysis at Kentik, said in a post on X that connectivity dropped sharply at 0706 GMT and again at 1147 GMT, leaving only minimal access in many areas.
Cybersecurity researchers say the choice of target may have been deliberate. Hamid Kashfi, founder of cybersecurity firm DarkCell, described the breach of BadeSaba as a strategically calculated move, noting that the app’s user base is believed to include many government supporters and religious citizens.
Reports in the Jerusalem Post suggested that cyber operations may also have struck Iranian government services and military targets in an effort to limit Tehran’s ability to coordinate a response. These claims have not been independently verified.
Experts are now warning that retaliatory cyber activity by Iran or Iran-aligned groups could escalate in the coming days.
“As Iran considers its options, the likelihood increases that proxy groups and hacktivists may take action, including cyberattacks, against Israeli and U.S.-affiliated military, commercial, or civilian targets,” said Rafe Pilling, director of threat intelligence at cybersecurity firm Sophos.
Such actions could include the resurfacing of previously stolen data presented as new breaches, crude attempts to compromise internet-exposed industrial systems, or more direct offensive cyber operations, Pilling added.
Cynthia Kaiser, a former senior FBI cyber official and now senior vice president at anti-ransomware firm Halcyon, said her firm has observed heightened activity across the region. Halcyon has also seen renewed calls to action from known pro-Iranian cyber personas who have previously carried out hack-and-leak operations, ransomware campaigns and distributed denial-of-service attacks.
Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the company is already seeing signs of Iranian-aligned actors preparing further activity.
“CrowdStrike is already seeing activity consistent with Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating DDoS attacks,” Meyers said.
Cybersecurity firm Anomali reported that state-backed Iranian hacking groups had already carried out so-called wiper attacks, which are designed to erase data, against Israeli targets ahead of the strikes.
Despite Iran frequently being cited by U.S. officials alongside Russia and China as a major cyber threat, Tehran’s past digital responses to direct attacks on its territory have often been more restrained than anticipated.
In June, following U.S. strikes on Iranian nuclear facilities, there were no major disruptive cyberattacks attributed to Tehran beyond a brief interruption of services in Tirana, Albania, according to media reports.
Analysts caution that while initial responses may appear muted, the risk of delayed or indirect retaliation remains high, particularly through proxy groups or loosely affiliated hacktivists operating in the region and beyond.
As tensions rise, cybersecurity experts warn that the digital domain may become an increasingly active front in an already volatile conflict.
