Amid the intense focus on missiles, escalation dynamics, and geopolitical fallout during the June 13-24 war between Iran and Israel, the cyber dimension — especially as it concerned Iranian actions — received comparatively little attention. Yet beneath the headlines, a quieter but significant battle played out in cyberspace, highlighting how Iran has refined its use of digital tools to shape the battlespace, control domestic narratives, and project influence abroad. While largely ineffective in operational terms, Iran’s cyber response marked a new phase in its strategic evolution characterized by greater coordination, doctrinal coherence, and integration across domains. From hacking surveillance systems and deploying artificial intelligence (AI)-driven disinformation in tandem with missile strikes to enforcing real-time digital repression at home, Tehran demonstrated that it now sees cyber capabilities as core instruments of warmaking and statecraft. Certainly, this evolution ought not to be mistaken for improved technical prowess given that Iran’s cyber defenses remain critically weak. Still, the observed shift in digital tool usage patterns a month and a half ago matters because it offers an important insight into the regime’s intent to embed cyber operations within a broader “hybrid warfare” doctrine.
What Iran did during the 12-day war
The 12-day war between Iran and Israel exposed a complex and multi-dimensional Iranian cyber campaign that extended far beyond isolated hacking incidents. The confrontation saw Iran-linked cyber actors execute a broad range of operations designed to exert psychological pressure, collect tactical intelligence, enforce deterrence against third countries, and maintain domestic control. The digital arena was a critical front in Iran’s hybrid strategy during the conflict — that is, its effort to meld conventional and unconventional instruments of power more seamlessly with tools of subversion.
One of the most visible aspects of Iran’s cyber response was its rapid deployment of retaliatory disruptive operations, particularly following strikes by the United States on Iranian nuclear facilities. Hackers affiliated with the regime in Tehran launched distributed denial-of-service attacks targeting US digital platforms, including the temporary takedown of Donald Trump’s social media network, Truth Social. These technically unsophisticated attacks were not meant to paralyze systems in any sustained way but rather to signal responsiveness and demonstrate Tehran’s capability to strike symbolically in the digital domain.
Alongside disruptive tactics, Iran intensified its psychological operations through the use of AI to generate and disseminate disinformation. These efforts included the posting of fake news and synthetic media to pollute the online information environment with misleading or demoralizing content. Particularly noteworthy were Iranian attempts to impersonate Israeli citizens on social media by spreading defeatist messages in Hebrew in an effort to sap public morale. While the engagement and reach of these AI-generated campaigns appeared limited, they signaled a new willingness to integrate emerging technologies into Iran’s influence toolkit.
Another revealing feature of Iran’s cyber conduct during the war was its effort to gather tactical intelligence through cyber-enabled reconnaissance. Iranian operatives hijacked Israeli internet-connected closed-circuit television (CCTV) systems with the goal of exploiting them for real-time situational awareness, battle damage assessment, and adjustment of missile targets. This use of private civilian infrastructure for intelligence, surveillance, and reconnaissance (ISR) purposes reflected a more sophisticated approach to tactical cyber espionage. Iranian cyber units were able to extend their operational visibility deep into their adversary’s territory without deploying conventional ISR assets.
Tehran also used its cyber arsenal to exert strategic pressure on countries perceived to be supporting Iranian dissidents or aligning with its adversaries. This manifested in cyber intrusions into Albanian government systems and digital platforms, likely in response to Albania’s willingness to host elements of Mujahidin-e-Khalq (MEK), an exiled Iranian opposition group. While this action was not destructive, it conveyed the message that Iran could, and would, retaliate digitally against those who might seek to challenge the regime.
Finally, Tehran simultaneously intensified its digital repression at home, imposing internet blackouts under the pretext of network stability. This internal clampdown on information flows was not an isolated instance of censorship but part of a structured strategy to suppress dissent and maintain regime stability in a time of external crisis. By darkening the domestic information space during an active conflict, Tehran effectively blinded both internal and international observers, reinforcing the belief that domestic information control is an essential counterpart to external influence operations.
What Iran’s actions reveal about its evolving cyber strategy and foreign cyber partnerships
Iranian sources and cyber experts have offered revealing insights into how Tehran itself evaluates the war’s cyber dimension. While government officials project confidence in Iran’s resilience and future capabilities, this optimism stands in contrast to expert assessments from within Iran’s own cyber-industrial ecosystem. Behzad Akbari, the head of Iran’s Telecommunication Infrastructure Company, has publicly acknowledged the alarming scale of cyber threats: over 16,000 daily attacks from abroad and over 12,000 from inside the country, many of which stem from compromised domestic devices. Experts like Mohammad Asghari, a member of the Commission on Information Security at Iran’s ICT Guild Organization, have attributed these internal vulnerabilities to flawed filtering policies, widespread use of cracked software, and infrastructural mismanagement. Echoing these concerns, Afshin Sozani, head of Security Labs at the Communications Research Institute, warns that Iran’s cyberspace is currently dangerously insecure due to sanctions and the resulting lack of access to foreign technologies, along with regulatory confusion and institutional inertia. The divergence of views between officials and experts, in turn, reveals a country struggling with cognitive dissonance: seeking to claim success in integrating cyber tools while grappling with the persistent inability to defend against even routine intrusions.
Notwithstanding these deficiencies, Iran’s actions during the 12-day war reveal a cyber campaign that is not only multifaceted but strategically synchronized, at least in the offensive realm. The cyber operations deployed by Iran during the June confrontation with Israel reflect a significant and deliberate evolution in Tehran’s cyber strategy — one that is increasingly hybrid, politically adaptive, and strategically integrated across multiple domains. Rather than relying on isolated retaliatory hacks or symbolic defacements, Tehran showed the ability to execute cohesive, sustained, and multi-layered cyber campaigns that pursue both immediate tactical gains and long-term strategic influence.
At the core of this evolution is a shift in how Iran perceives the utility of cyber power. The emphasis has moved from infrastructure disruption to perception management, from episodic attacks to continuous operations, and from cyber as a supplement to cyber as strategy. This integrated model blends psychological manipulation, tactical intelligence gathering, strategic coercion, and internal information control into a seamless operational continuum.
Compared to past campaigns, this latest episode signaled a significant doctrinal transition but lacked evidence of substantial improvements in the underlying technical capabilities. Previous Iranian operations, such as the destructive Shamoon virus, which wiped Saudi Aramco data, or the espionage-focused Operation Newscaster, were often reactive and/or limited in scope. During the 12-day war, however, Iran launched a more tightly coordinated and multidimensional campaign that incorporated symbolic disinformation, tactical ISR, and domestic control in real time. Yet, as cybersecurity researchers have noted, the actual technical sophistication of these efforts was modest and their disruptive effects limited. Put differently, while the volume of attacks increased by over 700%, mainly targeting information systems of civilian bodies and private businesses like the Delek Group, they lacked the advanced capabilities or persistence seen in Israeli cyber operations such as the disabling of Iranian banks. Illustratively, over just two days, the pro-Israel group Predatory Sparrow crippled Bank Sepah, while a separate, unclaimed hack drained $90 million from Nobitex, Iran’s largest crypto exchange. These attacks underscored a stark asymmetry between Israel and Iran by demonstrating the former’s, and its affiliates’, ability to target core financial systems with precision and inflict tangible economic pain.
The “so what” of Iran’s doctrinal innovation, therefore, lies in its potential, not its current performance. Iranian digital infrastructure may be weak, but the architecture of a more agile and holistic cyber doctrine is now in place. With further refinement, it could evolve into a significant threat vector in future hybrid confrontations and potentially serve as a model for other emerging cyber actors to try to emulate — or Iranians themselves may seek to “export” this know-how to others. In this sense, Iran’s evolving playbook potentially holds strategic value beyond its borders, offering a template for states seeking low-cost, politically deniable tools to offset conventional military disadvantages.
To this end, a key development is Iran’s growing sophistication in cognitive and psychological operations. The deployment of AI-generated disinformation aimed at Israeli and Western audiences reflects both technical progress and strategic adaptation. No longer confined to low-level trolling or fake social media accounts, Iran now leverages scalable AI tools to conduct targeted psychological operations, indicating a shift from simple narrative injection to sustained perception warfare. Iranian cyber strategists appear to be internalizing lessons from actors like Russia with regard to the utility of flooding information ecosystems with synthetic content to create ambiguity, erode institutional trust, and complicate attribution.
Equally significant is the operational-tactical fusion of Iran’s cyber and kinetic domains. The exploitation of civilian surveillance systems for real-time intelligence gathering during military operations points to a new level of battlefield integration. Iran is demonstrating the ability to use digital tools not only for pre-conflict espionage but as embedded assets within active combat zones. This approach allows Iran to gather ISR without exposing physical assets like drones, making cyber a cost-effective and low-risk force multiplier in asymmetric warfare.
Internally, Iran’s simultaneous use of cyber repression through the imposition of internet blackouts reveals how deeply cyber strategy is now embedded in the regime’s domestic security architecture. This is not mere censorship; it is anticipatory digital suppression. By blinding information flows and criminalizing online dissent, Tehran sought to shield its population from adversarial narratives during times of war while simultaneously maintaining regime cohesion and responsiveness, even though this digital blackout came at a cost: it paralyzed domestic commerce, disrupted communications, and even interfered with the dissemination of critical alerts, including warnings about incoming Israeli strikes. The blackout also served to obstruct external observers from monitoring unrest and state vulnerabilities in real time, thereby complicating any potential foreign efforts to destabilize the regime by disrupting the feedback loop on which such strategies often rely. In this model, internal information sovereignty is not a complement to external operations; it is a prerequisite. Cyber control at home and cyber influence abroad are part of the same strategic fabric.
This maturation also sheds light on Iran’s strategic partnerships, particularly with states like Russia. The recent signing of a technological cooperation agreement between Tehran and Moscow underscores the alignment of their respective cyber doctrines. Both states use cyber tools to suppress domestic dissent, disrupt liberal democracies, and challenge Western power without triggering traditional military retaliation. Their partnership increasingly appears not merely tactical but doctrinal, sharing approaches to cognitive warfare, infrastructure exploitation, and cross-border digital coercion.
Why Iran’s evolving cyber strategy matters
The evolution of Iran’s cyber strategy is important not because it demonstrates increased technical capability but because it reflects a deeper doctrinal shift — one that is strategically integrated, operationally disciplined, and politically purposeful. Iran is not pioneering new tools but rather a new configuration of cyber-enabled capabilities whereby influence, repression, intelligence, and coercion converge. In other words, what is new is not the existence of Iranian cyberattacks, AI-generated disinformation, or digital surveillance, but the simultaneous, interlocking use of these tools executed in real time, across domains, and anchored in state-level strategic planning. That trend is likely to strengthen further as Tehran establishes a Supreme National Defense Council. Iran’s cyber transformation, in turn, has implications for how other states ought to interpret Iranian intentions, defend against its actions, and conceptualize cyber conflict more broadly.
The first key implication lies in the strategic convergence across domains. Iran is no longer employing cyber operations in isolation or as post hoc responses to discrete events. Instead, it has begun integrating digital campaigns with kinetic strikes, propaganda efforts, and internal repression in a synchronized fashion. This type of convergence mirrors hybrid warfare models developed by more advanced cyber powers, particularly Russia, and signals that Iran is now engaging in sustained digital confrontation rather than episodic cyber skirmishes. The policy consequence is clear: cyber defense planning should anticipate coordinated digital-kinetic campaigns not as separate domains but as a single continuum of conflict.
A second critical implication arises from Iran’s operational coherence and campaign timing. The sequencing of cyber intrusions, disinformation, and kinetic activity shows a new level of planning discipline and command coordination. The AI-generated disinformation deployed before and after missile strikes, and the apparent synchronization of internal internet blackouts with moments of heightened external escalation, point to the existence of a centralized strategy capable of tightly coordinating cross-domain actions. This coherence will increasingly make Iranian cyber operations more effective and harder to counter reactively. The key takeaway here is that effective security in the cyber domain may now require anticipatory threat intelligence and preemptive threat monitoring through increased interagency and public-private coordination across multiple sectors and platforms.
Third, and perhaps most significantly, Tehran’s cyber behavior reflects a growing doctrinal maturity. This is no longer a strategy of disruption or retaliation. It is a strategy of strategic shaping. Iran is using cyber operations to influence enemy decision-making, degrade public morale, manipulate perception, and deter international support for adversaries. These are politically calibrated operations designed to impose costs, project resolve, and control narratives. In this sense, Iran is now a practitioner of cyber-enabled political warfare. Its strategic logic increasingly resembles doctrines such as Russia’s New Generation Warfare or China’s Three Warfares whereby cyber is not ancillary but foundational to modern statecraft. For policymakers, this demands a recalibration of how Iran’s cyber threats are understood — not just as matters of technical risk but as instruments of strategic influence and regime survival.
Last but not least, this evolution could signal an emerging shift in the deterrence dynamics between Israel and Iran. Israel’s ability to integrate cyberattacks into a broader kinetic and psychological campaign during this past June’s Operation Rising Lion underscored a high degree of sophistication and coordination. These cyber activities not only disrupted Iranian command structures but also eroded public confidence and contributed to a climate of internal panic. In contrast, while Iran demonstrated doctrinal evolution, its cyber operations failed to meaningfully alter the course of the conflict. This asymmetry may have reinforced Israeli cyber deterrence, projecting a message of superior readiness and operational reach.
Whether this perception holds in Tehran is less certain. Iranian officials have publicly emphasized their capacity to absorb and respond to attacks, while, privately, experts acknowledged a failure to defend even critical infrastructure. This duality suggests that although Iran was outmatched in this round, it is unlikely to retreat from the cyber domain. Instead, Tehran may draw lessons from its shortcomings and use the current experience as justification to deepen investment, nurture and recruit digitally savvy youth, and push for indigenous innovation — long-term steps that could reduce the existing deterrence imbalance in future conflicts. But the current structure of Iran’s innovation ecosystem does not bode well for the realization of this vision. The state’s heavy-handed role in the economy, combined with endemic corruption, creates a stifling environment for private-sector entrepreneurship and innovation. The experience of Digikala, Iran’s leading e-commerce platform, illustrates this dynamic. Initially a symbol of Iranian startup success, the company’s founders were compelled to relinquish control to a state-backed venture capital arm affiliated with the Supreme Leader’s Office. This pattern of state absorption stifles independent actors, accelerates talent flight, and undermines the very innovations the regime seeks to cultivate. It is a systemic weakness the regime will need to address.
Conclusion
Iran’s conduct in cyberspace during the 12-day war marked a turning point in its cyber strategy, reflecting greater coordination, clearer strategic intent, and the integration of digital tools across military, political, and psychological domains. This evolution also underscored the limitations of sanctions in constraining the doctrinal development of cyber strategies amongst authoritarian regimes. While sanctions have undeniably hindered Iran’s access to foreign technologies and thus contributed to its current cyber deficiencies, they have not prevented Tehran from deepening its partnerships with states like China and Russia in the cyber domain. In fact, sanctions have to a large extent driven Iran closer to Beijing and Moscow, a trajectory that is likely to accelerate in the war’s aftermath. Reports now indicate that Tehran is actively seeking to transition from relying on the US-owned-and-operated global positioning system (GPS) to China’s BeiDou navigation system in order to improve its ability to counter future drone and missile attacks. Equally important, this shift highlights the emergence, or at least the potential, of an authoritarian consensus or coordination not only in digital governance but also in the conduct of cyber-enabled political warfare.
However, this evolution in strategic posture should not be conflated with a linear improvement in technical capability. Despite Tehran’s growing sophistication in using cyber operations as instruments of war and statecraft, both its cyber infrastructure and toolbox remain glaringly inadequate when measured against the standards of major cyber powers. This was on clear display during the conflict, with two data-wiping operations targeting Bank Sepah and Nobitex Exchange attributed to the Israel-linked hacking group Predatory Sparrow; the same group is thought to have been behind the 2022 Khouzestan steel plant cyber-kinetic strike and the crippling disruption of Iran’s fuel distribution network in 2023. Those incidents reveal a persistent vulnerability in Iran’s critical digital infrastructure and, perhaps more importantly, Tehran’s inability to detect and thwart cyberattacks. Despite Iran’s triumphalist rhetorical posture and strategic recalibration, parity with its most capable cyber adversaries is still a ways away.
Ultimately, while Iran’s cyber strategy has become more methodical and multidimensional, the regime’s persistent failure to secure its own networks and critical infrastructure from repeated high-profile intrusions remains its Achilles’ heel. In the rapidly intensifying regional and global contest for cyber power, Tehran has shown that it can participate in the game but not yet necessarily win it.
Nima Khorrami is an analyst at NSSG Global, a research associate at the Arctic Institute in Washington, DC, and a former associate researcher at the OSCE Academy in Bishkek.
The Middle East Institute (MEI) is an independent, non-partisan, non-for-profit, educational organization. It does not engage in advocacy and its scholars’ opinions are their own. MEI welcomes financial donations, but retains sole editorial control over its work and its publications reflect only the authors’ views.