The modern hybrid war mixes missiles and malware


The battlefield confrontation - labelled by Washington and Tel Aviv as operations Epic Fury and Roaring Lion - has also opened a second front in the digital world. Cybersecurity researchers have detected a marked increase in activity by hacktivists and by state-linked or sympathetic groups responding to the military escalation with cyber operations. What used to be isolated pulses is now perceived as a coordinated campaign on several fronts, from denial-of-service attacks to mobile impersonation campaigns and data leaks.

A recent Radware report documents that a handful of collectives are generating most of the disruptive traffic: names such as Keymous+ and DieNet accounted for most of the DDoS claims in the early days of the conflict. The full analysis is in Radware's technical report, which also details the chronology of the campaigns and the most used attack vectors.


The first major distributed attack, recorded around February 28, was attributed to Hier Nex (also known as Tunisian Maskers Cyber Force). As Orange Cyberdefense reported, this group combines DDoS disruption with data leaks to widen its political impact, a technique intended to amplify narratives and put pressure on specific targets; Orange's intelligence lab offers more context on its modus operandi.

The figures speak for themselves: hundreds of claimed DDoS attacks, dozens of organizations affected in more than a dozen countries, and a clear geographical concentration in the Middle East. Radware and other vendors agree that almost half of the targets were government entities, followed by financial institutions and telecommunications operators. This makes critical public infrastructure and services a priority target, with potential consequences that go beyond a simple temporary "blackout."

The geography of the claims shows an interesting pattern: Kuwait, Israel and Jordan absorbed a disproportionate share of the attack volume in the region, according to data analysed by Radware. At the same time, pro-Russian and other collectives have claimed operations that, while sometimes hard to verify immediately, add complexity to the picture because they mix ideological, geopolitical and, in some cases, criminal interests.

The escalation is not limited to DDoS. Researchers at Palo Alto Networks (Unit 42) have documented claims from politically aligned groups that targeted military networks and sensitive systems, while companies such as CloudSEK warned of SMS phishing campaigns distributing a malicious version of the Israeli civil alert app RedAlert to deploy data-stealing mobile malware - a strategy designed to exploit public anxiety in a crisis. CloudSEK's technical report on that campaign is available here: CloudSEK: false RedAlert campaign.

At the same time, intelligence firms such as Flashpoint have identified operations attributed to Iranian state entities aimed at energy infrastructure and regional data centres - with clear economic-impact objectives - while Check Point analysts have noted the reappearance of actors under previous aliases seeking to exploit the climate of tension to expand their activity in the region. For a deeper look at the evolution of Iranian offensive capability, the Check Point blog offers a detailed read: Check Point: Iranian cyber capabilities.

Nozomi Networks, which specializes in industrial environments, has tracked more sophisticated groups focusing their operations on sectors such as defence, aerospace and telecommunications, showing that the conflict can translate into threats against OT/ICS systems. Its report on OT and IoT trends describes these movements and offers recommendations for critical infrastructure operators: Nozomi Networks: trends OT / IoT.

At the economic level, Iranian cryptocurrency markets have remained operational, but under operating restrictions and precautionary measures. TRM Labs has closely followed how local exchanges have adjusted their withdrawal and trading policies to manage risk and limited connectivity: TRM Labs: Iran's Critical Market Response. Experts note that, during crises, alternative financial infrastructure undergoes a "stress test" that exposes fragile dependencies and weak points.

Cybersecurity companies such as Sophos and SentinelOne have observed an uptick in hacktivist and pro-state activity, although they differ on the immediate risk assessment: some see an increase in low-complexity, high-noise activity, while others warn that capabilities could become more destructive or be combined with criminal tactics such as ransomware. Sophos published an advisory on the situation and on how to monitor exposure: Sophos: cyber risk warning.

The authorities have also reacted. The UK National Cyber Security Centre (NCSC) has urged organizations to strengthen defences against DDoS, phishing and threats to industrial systems, and has published guidance on mitigating impact while regional tension persists: NCSC recommendations. In the United States, CISA maintains alerts on attacks against ICS environments and other critical infrastructure: CISA: ICS advisories.


What does this mean for companies and public administrations? In the short term, the priority is simple to state but complex to implement: strengthen continuous detection, reduce the attack surface exposed to the Internet, validate the segmentation between IT and OT, and harden identity and access controls. Organizations with industrial assets should pay particular attention to real-time visibility and response capacity, as Nozomi Networks recommends in its guides for critical operators: Nozomi's recommendations.
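One concrete way to act on the "validate the segmentation between IT and OT" item is to replay observed network flows against the zone model you believe is enforced and flag any cross-zone traffic that is not explicitly allowed. The script below is an added example written for this article; it is not code from Nozomi Networks or any vendor named here. The zone ranges, the allowlist of permitted cross-zone paths and the flow log lines are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout (assumption, not from the article):
# corporate IT, a DMZ that brokers IT/OT traffic, and the OT network.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Permitted cross-zone paths as (src_zone, dst_zone, dst_port, proto).
# Policy assumption: IT never talks to OT directly; only the DMZ does,
# and only on the ports it needs.
ALLOWED = {
    ("IT", "DMZ", 443, "tcp"),   # users reach the DMZ historian web UI
    ("DMZ", "OT", 502, "tcp"),   # DMZ data collector polls Modbus/TCP
    ("DMZ", "OT", 22, "tcp"),    # jump host SSH into OT
    ("OT", "DMZ", 443, "tcp"),   # OT pushes data to the DMZ historian
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the model is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flows(lines):
    """Parse the constructed 'src dst dport proto' log format."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split()
        flows.append(Flow(src, dst, int(port), proto.lower()))
    return flows


def find_violations(flows):
    """Return (flow, src_zone, dst_zone) for every cross-zone flow
    that has no matching allowlist entry. Intra-zone traffic is ignored."""
    violations = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s == d:
            continue
        if (s, d, f.dst_port, f.proto) not in ALLOWED:
            violations.append((f, s, d))
    return violations


# Constructed sample flow log (not real data). Lines 3, 4 and 5 are the
# kind of traffic a supposedly segmented network should never carry.
SAMPLE_LOG = """\
# src dst dport proto
10.10.5.23 10.20.0.10 443 tcp
10.20.0.10 192.168.100.7 502 tcp
10.10.5.23 192.168.100.7 502 tcp
10.10.7.4 192.168.100.12 3389 tcp
203.0.113.9 192.168.100.7 502 tcp
192.168.100.7 10.20.0.10 443 tcp
"""

if __name__ == "__main__":
    for f, s, d in find_violations(parse_flows(SAMPLE_LOG.splitlines())):
        print(f"VIOLATION {s}->{d}: {f.src} -> {f.dst}:{f.dst_port}/{f.proto}")
```

Run against the sample log, the check reports the two IT-to-OT flows (Modbus and RDP from workstations straight into the control network) and the Internet-sourced Modbus flow, while the brokered DMZ paths pass. In practice the flow lines would come from a firewall, NetFlow/IPFIX export or a passive OT monitoring sensor, and the allowlist should be derived from the approved conduit design rather than from observed traffic, otherwise the check merely confirms whatever is already happening.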

On the strategic level, analysts such as Cynthia Kaiser and private-sector intelligence teams stress that Iran and other states have learned to use a mix of actors: official groups, proxies and criminals with hybrid agendas. This diversity lets states deny responsibility or multiply impact without signing each action, a dynamic that complicates both attribution and deterrence. The views of specialists and former officials can be found in their professional publications and networks, for example in Kaiser's comment on LinkedIn: Cynthia Kaiser's post.

Finally, this episode is a reminder that digital security is now an inescapable extension of foreign policy and national security. The modern "hybrid war" blends missiles and malware, narratives and data leaks, and requires a response that combines technical intelligence, international cooperation and operational readiness across all critical sectors. For those who manage risk, the conclusion is clear: it is not just about reacting to an incident, but about anticipating it and designing layered resilience that absorbs both the noise and the real impact.
