The First Cyberwar: 28 Days of Digital Darkness
Iran's internet dropped to 4% on Day 1 and never came back. Predatory Sparrow wiped Bank Sepah clean. The US agency supposed to defend against retaliation is running at 38% staffing. Welcome to the first cyberwar.

The Jerusalem Post called February 28 "the largest cyberattack in history." For once, the headline undersold the story.
Within hours of the first airstrikes, Iran's internet connectivity collapsed to approximately 4% of normal traffic. Not a gradual degradation. A cliff. The National Information Network (NIN), Iran's domestically controlled intranet designed to function independently of global infrastructure, was severed from the outside world. Bloomberg reported that hackers "skirted" the shutdown by routing through whitelisted IP addresses. Government and military systems that stayed online became the only entry points. The 4% that survived was institutional, not civilian.
NetBlocks confirmed the drop to 4% on February 28, falling further to approximately 1% by March 6. The cost: $35.7 million per day in lost economic activity. Twenty-eight days later, it hasn't recovered. A system of "white SIM cards" (sim-e sefid) provides approximately 16,000 regime loyalists with unrestricted internet access: a two-tier information architecture where the state sees everything and the population sees nothing.
This is not an internet disruption. This is an entire country of 88 million people operating in informational darkness for a month. Iran's civilian population cannot access global news, cannot communicate with diaspora family, cannot verify government claims about the war, cannot document what's happening to them. The 4% connectivity means the information environment is entirely controlled by IRIB state television (which was itself physically struck on March 3) and Tasnim News Agency, the only major outlet that maintained continuous service because it operates on IRGC-hardened infrastructure.
How was it done?
The cyber operation preceded the kinetic strikes by hours, a pattern now designated "Midnight Hammer" by defense analysts. Cyber attacks suppressed air defense networks, degraded command-and-control communications, and severed Iran's connection to the global internet before the first bomb fell. The sequencing was deliberate: blind the target, then hit it.
Anomali's threat assessment was blunt: cyber became Iran's "sole remaining instrument" of retaliation after conventional military options degraded. The interceptor crisis plays out in cyberspace too. Iran can't match the US in missiles, but it can punch well above its weight in networks.
The technical mechanisms combined multiple vectors. Iran's four major international fiber-optic connections (through Turkey, Iraq, the UAE submarine cable, and the Pakistan-Iran link) were all disrupted. Whether this was caused by physical damage, cyber intrusion, or an Iranian government decision to sever connections (as it did during the 2019 protests) is unclear. Likely all three. The result is the same: Iran operates as a digital island.
Starlink, which was supposed to be the backup for exactly this scenario, failed. GPS L1 barrage jamming, consistent with Krasukha-4 electronic warfare systems that Russia has deployed in Syria and Iran, disrupted Starlink terminal positioning. Iran imposed the death penalty for possession of Starlink equipment. SpaceX provided no fix. In Ukraine, SpaceX adapted rapidly to Russian jamming; in Iran, the company has been silent. The contrast is telling. Iran successfully defeated the system that Russia, with far greater resources, could not suppress in Ukraine.
What has Predatory Sparrow done?
Predatory Sparrow, the cyber group widely attributed to Israeli intelligence, escalated from its pre-war harassment campaign to full wartime operations. The group had previously hacked Iranian steel mills in 2022 and disrupted gas station payment systems in 2023. This time, the targets were financial.
Bank Sepah, Iran's oldest bank (founded in 1925, with $15.6 billion in assets), was hit with a destructive wipe. Customer data, transaction records, account balances: erased. The attack wasn't ransomware. There was no demand. It was pure destruction. Bank Sepah serves the Iranian military and defense procurement network. The wipe was strategic, not criminal.
Nobitex, Iran's largest cryptocurrency exchange, lost approximately $90 million in a separate operation. Iran's crypto economy, valued at $7.8 billion, with the IRGC controlling an estimated 50%+ of inflows, was a known vulnerability. The Central Bank of Iran held $507 million in USDT (Tether) as of late 2025. Cryptocurrency was Iran's primary sanctions evasion mechanism. Burning Nobitex didn't just cost $90 million. It degraded the financial infrastructure that funds missile production.
The BadeSaba mobile prayer app was hacked at 9:52 AM on February 28 to broadcast anti-regime messages to millions of users. The symbolism (hijacking a prayer app during Ramadan) was calculated to maximize psychological impact.
Who is attacking whom in the shadows?
The hacktivist surge has been the least covered and potentially most consequential dimension. IRGC-aligned groups have flooded social media with disinformation: a Basij-linked network of 289 accounts on X drew 18+ million views, and Iranian AI-generated content on TikTok exceeded 100 million views. EDMO documented 592 fact-checks of AI-generated or manipulated content in the war's first three weeks. X premium accounts spread 77% of the identified disinformation; only 2 of 34 flagged posts received community notes.
On the other side, hacktivist groups rallied to Iran's cause with speed that stunned analysts. Within 9 hours of the first strikes: 149 DDoS attacks against 110 organizations across 16 countries. Keymous+ and DieNet accounted for approximately 70% of attacks. Mr Hamza targeted the US Air Force. Team 313 targeted Bahrain. An Electronic Operations Room was established on February 28 to coordinate. Al-Qaeda's Cyber Jihad Movement announced its entry on March 4, launching coordinated DDoS campaigns alongside Iranian-aligned groups. The Cyber Jihad Movement's participation is historically extraordinary: the first confirmed Sunni-Shia cyber convergence, motivated by shared anti-American fury rather than theological alignment. Networks don't care about sectarian boundaries.
A Gallant deepfake, a fabricated video of former Israeli Defense Minister Yoav Gallant, was caught mid-broadcast before it could influence decision-making. The "liar's dividend" has arrived: the existence of deepfakes means real video evidence can now be dismissed as fabricated. Both sides benefit from this ambiguity. Both sides exploit it.
Nozomi Networks reported a 133% surge in Iranian-attributed cyberattacks in the first two weeks. Infy APT, a state-linked espionage group, resumed its command-and-control operations exactly one day before the internet blackout ended for institutional users, proving the infrastructure was pre-positioned. Shin Bet documented 200+ phishing attempts targeting senior Israeli officials.
Can the US defend itself?
CISA, the Cybersecurity and Infrastructure Security Agency, America's primary cyber defense body, is operating at 38% staffing. The DOGE restructuring placed a 28-year-old as undersecretary overseeing critical infrastructure protection. Experienced analysts were laid off or reassigned. This happened weeks before the largest state-sponsored cyber campaign in history hit American targets.
The sixteen undersea fiber-optic cables transiting the Red Sea and Persian Gulf carry 90% of Europe-Asia data traffic. Red Sea cables were already cut in September 2025, ostensibly by anchor damage, though Houthi involvement was suspected. If Iran or its proxies target the remaining cables, the disruption wouldn't just affect Iran's internet. It would affect everyone's.
The mine warfare in Hormuz threatens these cables physically. They cross the strait on the seabed. Every mine that detonates, every anchor that drags, every piece of debris that settles adds risk to the digital infrastructure that the global economy depends on.
We spend billions on interceptors and bunker-busters while the agency defending American networks from retaliation runs at 38% capacity. Iran's missiles kill dozens. A successful cyberattack on US critical infrastructure (power grids, water systems, financial networks) could affect millions. The asymmetry is not in Iran's favor militarily. In cyberspace, it might be.
FAQ
Is Iran's internet blackout the longest in history?
At 28 days and counting, it approaches the record. Myanmar's post-coup internet shutdown lasted months in some regions. Iran's own 2019 shutdown lasted 7 days. But this is the first wartime internet blackout of a country with 88 million people and a $7.8 billion digital economy. The scale and the wartime context make it unprecedented even if the duration is not the absolute longest.
Could Iran retaliate with a major cyberattack on US infrastructure?
Yes. Iran's APT groups (APT33, APT34, APT35) have previously targeted US utilities, banks, and government systems. The 2012 Shamoon attack destroyed 30,000 Saudi Aramco computers. Iran's capability has grown since then. CISA's depleted staffing makes the US more vulnerable than at any point since 9/11. The question is whether Iran views a major US cyberattack as escalatory (inviting kinetic retaliation) or as the one domain where it can fight without losing.
What happened to US offensive cyber operations?
Midnight Hammer, the cyber-kinetic integration that preceded the February 28 strikes, was the most sophisticated offensive cyber operation ever conducted, suppressing air defenses via network intrusion before missiles arrived. But offensive success doesn't guarantee defensive readiness. The US can attack better than it can defend, and CISA's staffing crisis means the defensive gap is widening while the offensive capability remains strong.
