A wave of cyber operations struck Iranian digital infrastructure early Saturday, coinciding with joint US-Israeli military strikes across the country, according to cybersecurity researchers and threat analysts.
Among the targets was BadeSaba, a popular religious calendar app with more than 5 million downloads. The app was defaced with messages reading “It’s time for reckoning” and urging members of Iran’s armed forces to lay down their weapons and join civilians. Reuters was unable to reach the company’s chief executive for comment.
Multiple Iranian news websites were also hacked to display unauthorized messages, according to cybersecurity observers.
Internet connectivity across Iran dropped sharply at 0706 GMT and again at 1147 GMT, leaving only minimal access in parts of the country, Doug Madory, director of internet analysis at Kentik, said in a post on X.
Hamid Kashfi, founder of cybersecurity firm DarkCell, said targeting BadeSaba was strategically significant because it is widely used by religious and pro-government audiences.
The Jerusalem Post reported that cyber operations also targeted Iranian government services and military systems to disrupt any coordinated response. Reuters could not independently verify those claims.
Security experts warned that further escalation in cyberspace is likely.
“As Iran considers its options, the likelihood increases that proxy groups and hacktivists may take action, including cyberattacks, against Israeli and US-affiliated military, commercial or civilian targets,” said Rafe Pilling, director of threat intelligence at Sophos.
Such activity could include resurfacing old data breaches as new, attempts to compromise internet-exposed industrial systems and potentially direct offensive cyber operations, Pilling said.
Cynthia Kaiser, a former senior FBI cyber official and now a senior vice president at Halcyon, said her firm has observed increased activity in the region, including calls to action from known pro-Iranian cyber actors who previously carried out hack-and-leak campaigns, ransomware attacks and distributed denial-of-service operations.
Adam Meyers, senior vice president at CrowdStrike, said the company is already seeing activity consistent with Iranian-aligned threat actors conducting reconnaissance and launching DDoS attacks.
Cybersecurity firm Anomali said in analysis shared with Reuters that Iranian state-backed hacking groups were carrying out “wiper” attacks designed to erase data on Israeli targets ahead of the strikes.
Although US officials often cite Iran alongside Russia and China as a major cyber threat, Tehran’s past digital responses to military strikes have been relatively restrained. After US strikes on Iranian nuclear facilities in June, there was limited evidence of sustained disruptive cyberattacks beyond a brief service interruption in Tirana, Albania, according to media reports.
