
The 2026 Iran Conflict and the Dawn of Cyber-Enabled Kinetic Targeting

The debate about whether cyberspace would ever be used to directly support kinetic military operations used to be a theoretical one. The 2026 Iran conflict ended that debate.

When coordinated airstrikes against Iran began on 28 February 2026, they were preceded by cyber operations that, according to US Chairman of the Joint Chiefs General Dan Caine, “effectively disrupted communications and sensor networks” with the explicit goal of leaving Iranian forces “disrupted, disoriented and confused.” Within 60 hours, internet connectivity in Iran had fallen to between 1 and 4 percent of normal levels — a combination, according to NetBlocks and other monitors, of physical strikes on data centres and large-scale cyber disruption that Israeli sources described, with some rhetorical exuberance, as “the largest cyberattack in history.”

This framing is probably overstated. But what followed over the subsequent weeks was not.

Targeting from Hacked Cameras

The detail that has attracted the most sustained attention among intelligence analysts is the CCTV story — specifically, the documented pattern in which Iranian-linked cyber operations were used to access live camera feeds in locations of military significance, and that access was then leveraged to inform kinetic targeting.

Amazon’s threat intelligence team, which has documented these incidents, describes two specific cases it characterises as representative of a broader pattern. In one, access to CCTV infrastructure in Jerusalem was established in the weeks before Iranian missile strikes on the city, with Israeli authorities subsequently confirming that attackers had used compromised cameras to gather real-time intelligence and adjust targeting. In another, maritime systems were accessed before attacks in the Red Sea, with vessel AIS data used to map ship positions and routes in the days preceding strike attempts.

The attribution involves groups already well-known to Western threat intelligence teams — MuddyWater (the MOIS-linked group the FBI has described as part of the Iranian Ministry of Intelligence and Security) and Imperial Kitten (IRGC-affiliated, tracked by CrowdStrike and others under various designations). What is new is not who is responsible but what they were tasked with. These groups have historically been associated with espionage, data theft, and occasionally disruptive operations. The Iran conflict appears to have integrated them into a targeting chain that runs from cyber reconnaissance through to missile guidance.

This is the thing that changes what “critical infrastructure” means as a threat category.

The Limits of Perimeter Security When Your Assets Are the Intelligence Source

Security leaders in CNI sectors have spent the last several years being told — correctly — that their operational networks are targets for pre-positioning by state actors who want to be ready to disrupt or destroy when a geopolitical crisis warrants it. The Volt Typhoon playbook. The Sandworm precedent in Ukraine. The well-documented CISA warnings about living-off-the-land techniques used to maintain persistent, silent access inside Western water, energy, and transport networks.

What the Iran conflict adds to this picture is a distinct, and in some ways more immediately concerning, threat model: not pre-positioning for future disruption, but using civilian infrastructure as an active intelligence asset in a running conflict. The security cameras don’t need to be destroyed. The AIS systems don’t need to be switched off. They just need to be watched.

This has obvious implications. A CCTV system on a government building, a transport hub, a port facility, or a hospital is not typically thought of as a military intelligence asset. It is typically thought of as a health-and-safety system with a laggy interface and a password that hasn’t been changed since installation. That’s the problem. If MuddyWater can compromise those cameras and stream their output to support missile targeting in a conflict that nobody on the asset owner’s side anticipated, then the question is not what happens in the next major conflict — it’s what has already been accessed and is being held in reserve.

GPS and AIS: The Electronic Warfare Dimension

The Iran conflict also brought into sharp focus the scale of GPS and AIS disruption as warfare tools. Across the Gulf region, monitoring services documented disruption affecting more than 1,100 vessels — not as a side effect of combat, but as a deliberate tool to confuse maritime navigation and complicate any coordinated military or commercial response. Ships reported GPS spoofing that repositioned their displayed location to airports, inland cities, and navigational hazards that didn’t exist.

This is not a new technique. GPS spoofing has been observed in the eastern Mediterranean and the Black Sea in various forms since at least 2019. But the scale of the 2026 Gulf disruption, and the evident coordination with kinetic operations, marks a qualitative shift. For shipping operators, port operators, energy infrastructure owners with maritime exposure, and logistics operators in the region, the assumption that GPS provides reliable positional data in a conflict-adjacent geography needs to be reassessed. The infrastructure this disruption targets is the same infrastructure that underpins fuel distribution, emergency response logistics, and supply chains that reach well beyond any active combat zone.
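One way an operator can stop treating reported positions as trustworthy by default is a plausibility check on consecutive fixes. The sketch below is an added example, not part of the original article: the fix format, the 50-knot ceiling and the sample track are assumptions constructed for illustration.

```python
import math
from datetime import datetime

EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles
MAX_PLAUSIBLE_KNOTS = 50.0   # assumed ceiling for a merchant vessel; tune per fleet

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def flag_implausible_fixes(fixes, max_knots=MAX_PLAUSIBLE_KNOTS):
    """Flag fixes whose implied speed from the last trusted fix exceeds max_knots.

    fixes: list of (iso_timestamp, lat, lon) sorted by time.
    A flagged fix never becomes the reference, so a sustained spoof keeps
    being flagged until reports return to a reachable position.
    """
    flagged, trusted = [], None
    for ts, lat, lon in fixes:
        t = datetime.fromisoformat(ts)
        if trusted is None:
            trusted = (t, lat, lon)  # first fix is taken on trust (a limitation)
            continue
        hours = (t - trusted[0]).total_seconds() / 3600.0
        if hours <= 0:               # duplicate or out-of-order timestamp
            flagged.append((ts, lat, lon, float("inf")))
            continue
        knots = haversine_nm(trusted[1], trusted[2], lat, lon) / hours
        if knots > max_knots:
            flagged.append((ts, lat, lon, round(knots, 1)))
        else:
            trusted = (t, lat, lon)
    return flagged

# Constructed sample track: steady transit, one jump far inland, then a return.
SAMPLE_TRACK = [
    ("2026-03-01T10:00:00+00:00", 26.20, 53.00),
    ("2026-03-01T10:06:00+00:00", 26.21, 53.03),
    ("2026-03-01T10:12:00+00:00", 24.00, 54.00),  # constructed spoofed fix
    ("2026-03-01T10:18:00+00:00", 26.22, 53.06),
]

if __name__ == "__main__":
    for ts, lat, lon, knots in flag_implausible_fixes(SAMPLE_TRACK):
        print(f"{ts} ({lat}, {lon}) implied speed {knots} kn")
```

A speed check only catches abrupt jumps; a spoof that drifts the position slowly needs cross-checking against an independent source such as radar or inertial data.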

The Iranian Retaliation Picture

Iran’s cyber response to the conflict has not matched the sophistication of the combined Western/Israeli operations, which tracks with longstanding assessments of the asymmetric nature of the cyber contest. More than 60 hacktivist groups claimed actions within days of the initial strikes, ranging from DDoS campaigns against Israeli and US government websites to website defacements and targeted phishing campaigns. The most significant attributed disruption was to fuel distribution systems in Jordan — a third party whose neutrality in the conflict did not protect its infrastructure from the blast radius of the information operations underway.

The Iranian government’s established APT groups — MuddyWater, Charming Kitten, Tortoiseshell, and others — have maintained operational tempo against Western targets since the conflict began, with the NCSC and US CISA continuing to update advisories on active campaigns. The focus appears to have shifted toward intelligence collection on governmental and military decision-making, consistent with Iran’s need to understand Western positions on any ceasefire or escalation options.

What Security Leaders Need to Recalibrate

The Iran conflict should change how CISOs and CNI security teams frame their threat model in two specific ways.

First, the targeting doctrine: state actors are now demonstrably willing and able to use compromised civilian infrastructure as a kinetic intelligence asset. That means internet-connected cameras, AIS transponders, building management systems, and any other sensor network that might reveal the location, movement, or status of militarily or economically significant assets deserve re-evaluation. Not because your organisation is a military target — but because in a conflict scenario, civilian infrastructure becomes military intelligence by default.

Second, the retaliation spillover: Iran’s cyber response to the conflict disrupted Jordanian fuel distribution despite Jordan not being a party to the conflict. Organisations in sectors adjacent to active conflicts — transport, logistics, energy, financial services with regional exposure — should expect to be caught in retaliation campaigns targeting infrastructure their governments or clients depend on. Geopolitical neutrality is not a cyber defence.

The convergence of cyber and kinetic operations in 2026 is not unprecedented — Ukraine has provided the doctrine’s proof of concept since 2014. But the Iran conflict has demonstrated that this approach is now generalisable across multiple state actors, multiple conflict theatres, and multiple infrastructure types simultaneously. The era of cyber operations as a discrete, separable threat domain is over. The question for security leaders is whether their defensive architecture reflects that.


Adversary Wire covers Iranian threat actors including MuddyWater and UNC1549 in dedicated deep-dive profiles. The CISA advisory on Iranian-Affiliated Cyber Actors Exploiting PLCs Across US Critical Infrastructure (AA26-097A) covers overlapping OT targeting.