Early Saturday morning, a series of cyber-enabled operations unfolded alongside joint U.S.-Israeli strikes targeting locations in Iran, according to cybersecurity observers and analysts. The digital activity included the defacement of a number of news websites and the compromise of BadeSaba, a religious calendar application that has been downloaded more than 5 million times.
Users of the BadeSaba app were presented with messages telling them "It's time for reckoning" and urging members of the armed forces to give up weapons and "join the people." Attempts to reach BadeSaba's chief executive for comment were unsuccessful. A spokesperson for U.S. Cyber Command did not immediately respond to requests for comment.
Network monitoring data showed abrupt reductions in Iran's internet connectivity at two distinct times on the same day. "Internet connectivity in Iran dropped precipitously at 0706 GMT, and then again at 1147 GMT, with only minimal connectivity remaining," Doug Madory, director of internet analysis at Kentik, said in a post on X.
Security researchers described the hack of BadeSaba as tactically significant. Hamid Kashfi, a security researcher and founder of cybersecurity firm DarkCell, said the compromise was a smart move because the app is used by government supporters who tend to be more religious.
In addition to the app and media defacements, there were reports that cyber operations hit a range of Iranian government services and military targets with the stated aim of limiting a coordinated Iranian response. Those claims were reported by the Jerusalem Post; independent verification of those specific assertions was not available at the time this report was filed.
Cybersecurity experts warned that the immediate activity could presage further online actions. "As Iran considers its options, the likelihood increases that proxy groups and hacktivists may take action, including cyberattacks, against Israeli and U.S.-affiliated military, commercial, or civilian targets," said Rafe Pilling, director of threat intelligence at cybersecurity firm Sophos. Pilling added that such attacks could include "the amplification of old data breaches presented as new, unsophisticated attempts to compromise internet-exposed industrial systems, and potentially direct offensive cyber operations."
Observers at anti-ransomware and security firms reported rising activity in the region. Cynthia Kaiser, a former senior FBI cyber official and now senior vice president at Halcyon, said activity in the Middle East had increased. Kaiser noted that her firm had seen calls to action from known pro-Iranian cyber personas that have previously carried out hack-and-leak operations, ransomware attacks and distributed denial-of-service attacks, commonly known as DDoS, which flood internet services and render them inaccessible.
Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the current cyber activity could be a precursor to more forceful operations. "CrowdStrike is already seeing activity consistent with Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating DDoS attacks," he said.
Cybersecurity firm Anomali reported in an analysis shared with this outlet that state-backed Iranian hacking groups were carrying out "wiper" attacks, which erase data, against Israeli targets ahead of the strikes.
Though U.S. cyber officials often cite Iran alongside Russia and China as a threat to American networks, Tehran's past responses to attacks on its soil have sometimes been limited in their digital impact. For example, after U.S. strikes on Iranian nuclear targets in June, there was little evidence of broad disruptive cyberattacks beyond a short-lived interruption of services in Tirana, the capital of Albania, according to media reports at the time.
At present, cybersecurity firms and analysts continue to monitor for additional waves of activity, including hack-and-leak operations, ransomware, DDoS campaigns, and potential attempts to disrupt internet-exposed industrial systems. The evolving situation underscores how kinetic strikes and cyber operations can unfold in parallel and create complex risk dynamics for governments, critical infrastructure and commercial networks.