Overview
On 28 February 2026, U.S. and Israeli forces initiated strikes against Iranian nuclear, missile and IRGC-linked facilities. Iran responded with missile and drone attacks targeting U.S. and allied bases across Qatar, Bahrain, the UAE, Kuwait and Jordan, alongside reported maritime disruptions near the Strait of Hormuz. Physical impacts have extended to commercial infrastructure, including reported damage to regional facilities and disruptions to shipping traffic, underscoring the widening operational footprint of the conflict.
As expected, the conflict has also expanded into cyberspace. U.S. officials have confirmed offensive cyber operations targeting IRGC capabilities, while Iranian officials have threatened large-scale retaliation against U.S. and Israeli interests. Early cyber activity has largely followed patterns observed in previous regional escalations, including distributed denial-of-service (DDoS) attacks, website defacements, wiper activity and coordinated information operations.
Security researchers have identified more than 60 threat groups participating in cyber activity linked to the conflict. While much of this activity appears to originate from hacktivist collectives making exaggerated or unverified claims, cybersecurity firms have also reported activity from several Iran-nexus threat groups coinciding with the start of the conflict. These actors possess more advanced capabilities, including ransomware operations, destructive wipers, hack-and-leak campaigns, exploitation of pre-positioned access and potential targeting of operational technology (OT) and industrial control systems.
Cyber Impacts
The United States is reportedly leveraging offensive cyber operations to disrupt IRGC capabilities and apply pressure on Iranian leadership. In response, Iranian officials and IRGC-linked entities have threatened large-scale cyber retaliation against U.S. and Israeli critical infrastructure.
Observed retaliatory activity to date has largely taken the form of disruptive but low-impact operations, including DDoS attacks, website defacements and unverified claims of infrastructure compromise. The U.S. Department of Homeland Security assesses that near-term cyber impacts are likely to remain limited to low-level disruptive activity targeting U.S. and allied networks.
Nevertheless, security firms including CrowdStrike, CyberKnow, Flashpoint, Sophos X-Ops and Anomali report measurable increases in activity across the threat landscape. Analysts caution that while early campaigns appear overstated or opportunistic, the presence of sophisticated Iranian advanced persistent threat (APT) groups introduces credible escalation risks. Actors such as MuddyWater have historically demonstrated capabilities including wiper malware deployment, ransomware operations, credential harvesting and exploitation of previously established network access.
Threats to Critical Infrastructure and Cross-Sector Impacts
For commercial space operators, the cyber dimension of this conflict introduces new operational risks. Iranian-aligned actors have demonstrated interest in satellite terminals, ground station networks and supporting telecommunications infrastructure, reinforcing that commercial space assets may be viable targets during regional cyber campaigns.
Hacktivist proxies and opportunistic actors further amplify exposure, particularly where pre-positioned access exists in cloud environments or OT systems supporting aerospace operations. Space ISAC monitoring has already identified 13 alleged cyber incidents targeting U.S. and Israeli organizations in the aerospace, defense and telecommunications sectors since the start of the conflict, highlighting the immediate cross-sector implications.
In addition, reporting suggests that Iranian threat actors are leveraging satellite communications services, including Starlink, to support command-and-control infrastructure and maintain connectivity amid regional internet disruptions. This development illustrates how commercial space services can become both targets and operational enablers in modern cyber conflict.
Threat Actors and Relevant Campaigns
Iran-nexus APT groups have a well-documented history of targeting critical infrastructure sectors including energy, government, telecommunications, water utilities and industrial environments. Several of these actors possess demonstrated capabilities relevant to the aerospace ecosystem.
Among them, APT33 (Peach Sandstorm) has previously targeted aerospace and defense organizations, deploying custom backdoors and destructive wiper malware to disrupt operations and collect intelligence. Other Iranian actors such as MuddyWater have conducted extensive espionage campaigns and demonstrated proficiency in exploiting enterprise networks and cloud infrastructure.
The presence of hacktivist operations alongside more capable threat actors also complicates analysis. While many attacks appear to have low impact, they may provide insight into reconnaissance activity, sector prioritization and potential credential harvesting. In some cases, such activity may also serve as operational cover for more sophisticated campaigns conducted by state-aligned groups.
Outlook
To date, the cyber dimension of the conflict remains largely disruptive and opportunistic. However, the participation of over 60 threat groups, the confirmed activity of several Iran-linked APT actors, and the targeting of aerospace, defense and telecommunications entities highlight the potential for escalation as the conflict evolves.
For commercial space organizations, the current environment underscores the importance of monitoring supply chain exposure, protecting satellite ground infrastructure and maintaining resilience across interconnected IT and OT systems. As geopolitical tensions increasingly intersect with cyber and space domains, commercial operators are likely to remain within the expanding threat surface of modern conflict.