The Iran War: What You Need to Know
Last updated on 4 March 2026 at 2000 GMT.
Recorded Future's Insikt Group® is actively monitoring the rapidly evolving situation following coordinated US-Israeli strikes against Iran, the death of Supreme Leader Ali Khamenei and the widening regional war. This analysis serves as a continuously updated compilation on the geopolitical, cyber and influence operation aspects of the war, including key indicators to watch in the coming days, weeks and months.
The Insikt Group will provide updates as new findings emerge surrounding these incidents or as related cyber threat activity is detected. See these links for additional background on how Iran previously responded to the killing of Qasem Soleimani, a prior intelligence briefing from June 2025 on the Israel-Iran conflict, and how Iranian-aligned actors have run complex influence campaigns to exploit prior conflicts.
This report will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.
What Happened
On February 28, 2026, the United States and Israel launched coordinated air strikes against Iran in what is likely to be a prolonged military operation. The US designated the campaign "Operation Epic Fury"; Israel named its component "Operation Lion's Roar." Within hours, Supreme Leader Ali Khamenei and several senior members of Iran's strategic leadership were killed, a new temporary governing council was established, and retaliatory Iranian missile and drone strikes were underway across the Middle East. The cyber dimension of this conflict is active and escalating.
The Initial Strikes
US-Israeli forces conducted approximately 900 strikes during the first twelve hours of operations, targeting Iran's ballistic missile program, senior military leadership, and defense infrastructure. The IDF confirmed striking 500 Iranian targets. Key confirmed outcomes include:
- Supreme Leader Ali Khamenei killed, along with senior advisors including IRGC Chief Mohammad Pakpour, Armed Forces Chief of Staff Abdolrahim Mousavi, Defense Minister Aziz Nasirzadeh, and Defense Council Secretary Ali Shamkhani
- 40 senior IRGC commanders reportedly killed across the country
- Iranian naval assets targeted, including an Iranian Jamaran-class corvette destroyed at Chah Bahar pier — a signal of US-Israeli intent to mitigate the threat to the Strait of Hormuz
- Iran claimed that its Natanz nuclear facility was struck, and the IAEA confirmed satellite imagery suggesting that the entrances to Natanz had been damaged, as well as two buildings near the Isfahan nuclear site. However, the IAEA also said that it had not observed any damage to Iranian facilities containing nuclear material and that there was no radiological risk.
- On March 4, the IDF claimed to have destroyed a covert underground nuclear complex, called the Minzadehei compound, allegedly linked to weapons development.
Iran's Response
Iran's retaliation has been immediate and broad. Under "Operation Truthful Promise 4," the IRGC launched missile and drone strikes against US military installations and regional allies across at least nine countries — including Bahrain, Qatar, Kuwait, the UAE, Saudi Arabia, Jordan, Iraq, Israel, and Cyprus.
As of March 4:
- Six US service members have been killed and five seriously wounded, confirmed by US CENTCOM
- An Iranian ballistic missile killed at least nine Israelis west of Jerusalem
- Attacks on Abu Dhabi and Dubai killed three UAE residents and injured dozens; most incoming missiles were intercepted by UAE and partner air defenses.
- Iran-backed Iraqi Shi'ite militias (the Islamic Resistance in Iraq) have claimed dozens of separate attacks against US bases
- Iran broadcast VHF warnings that the Strait of Hormuz is closed to passage, prompting several major maritime companies to suspend transits, though the waterway is not formally closed.
Iran's Leadership Situation
On March 4, 2026, international news outlets reported that Mojtaba Khamenei, son of the late Ali Khamenei, will likely become the next Supreme Leader, but the political decision-making process and public announcement are likely complicated by the perceived threat of US and Israeli targeting.
However, the Iranian government had not issued any formal statement confirming Mojtaba Khamenei had been chosen as Supreme Leader; Ayatollah Ahmad Khatami, a member of the Assembly of Experts and its powerful Guardian Council, said that the election process was “close to a conclusion,” but cited the “war situation” for the delay.
Geopolitical Updates
This conflict represents a significant escalation from June 2025's Operation Rising Lion in three critical ways.
First, the Supreme Leader's death is a historic crisis for Iran's leadership. The regime is navigating a succession process during dual crises — an external war and a domestic legitimacy crisis simultaneously. After June 2025, Iran created a new Defense Council to centralize strategic military decision-making — but the Defense Council Secretary and many of its members were killed alongside Khamenei, creating a serious leadership continuity problem.
Second, Iran's retaliation has widened considerably in both breadth of targets and geographic reach. In June 2025, Iran's response to US strikes was narrowly directed at Al Udeid Air Base in Qatar. Now, Iran has drawn in US regional allies by targeting their energy infrastructure, civilian sites, and transportation hubs — and has issued a fatwa calling on Muslims to take revenge worldwide.
Third, all sides appear to be preparing for a prolonged conflict. A diplomatic solution or ceasefire appears unlikely in the near term. The US has deployed additional forces to the region, and Iran is using Khamenei's death to justify an expanded regional campaign.
Commercial Risks
According to vessel activity analysis by Marine Traffic, Strait of Hormuz transits have declined by 90% since last week. Relatedly, on March 4, Qatar declared force majeure on gas exports due to the conflict; according to Reuters, it will take at least one month to resume normal production. The shutdown includes Qatar Energy, which has ceased gas production for at least two weeks and is expected to stop gas liquefaction on March 5.
Physical Threat Risk: North America, Western Europe, and Australia
The scope of US-Israeli operations will very likely prompt a significant increase in Tehran's efforts to asymmetrically target Western countries through violent non-state actors, and heighten the risk of homegrown and domestic violent extremist activity.
Based on prior targeting by Iran-nexus groups, the most likely targets are high-profile US, Israeli, and Western foreign policy and military officials; Iranian dissidents residing abroad; targets associated with Israeli or Jewish communities; and private sector organizations affiliated with the US or Israeli military — particularly defense contractors, insurance companies, banks and financial institutions, and critical infrastructure service providers.
The kinetic conflict also appears poised to widen geographically. The conflict has already reached Europe with an intercepted drone over Cyprus and NATO intercepting a missile in Turkish airspace.
What to Watch
Three intelligence gaps will shape how this conflict develops.
- What does Iran's new leadership structure look like, and what strategic direction will it take?
- What military capabilities does Iran retain after sustained strikes? At least 17 Iranian naval vessels have been sunk and approximately half of Iran's ballistic missile sites have reportedly been taken out.
- And critically, does the regime maintain domestic control? The Internet blackout makes this difficult to assess in real time.
Cyber Threat Landscape
At the tactical and operational level, Khamenei's death does not directly impact the day-to-day operations of Iran's cyber groups. Strategically, however, cyber remains a key asymmetric capability for Iran, and its new leadership will need to decide which path to pursue. If new leadership follows the strategies of Khamenei's era, we are likely to see retaliatory and destructive cyber attacks in the near term.
Three Areas to Monitor
Intent to Recalibrate. After this round of hostilities, cyber operations will likely expand to include new regional targets, mirroring what we've seen on the kinetic front. Iranian cyber groups will likely be active across new targeted networks and operationalized for disruptive use.
Proliferation. In line with that recalibration, Iranian cyber groups will likely be tasked to acquire and deploy more disruptive capabilities.
Time. Iran is currently experiencing a digital blackout, and cyber operations are likely impacted as a result. There are already reports suggesting aerial bombardments have hit at least one facility used by a major group. If cyber centers remain intact, Iran will still require time to re-operationalize — and if more physical centers have been targeted, that timeline extends further. For historical context: after the Qasem Soleimani killing in January 2020, Iran took approximately two months before launching what became multi-year, highly targeted campaigns against Israeli government, private sector, and academic institutions.
Targeted Industries
Critical infrastructure, government, defense, and the defense industrial base will be at the top of the targeting list. US critical infrastructure is absolutely part of that target set — Iranian APT groups are known to be opportunistic, acquiring exploits and collaborating with ransomware groups to gain network access, and the threshold for retaliation following Khamenei's death will be very high. Pro-Iran hacktivist groups — including Handala Hack Team, Cyber Islamic Resistance, RipperSec, APT IRAN, and Cyber Fattah — have announced coordinated cyber operations against Israeli and regional targets. While large-scale independently verified intrusions had not been confirmed as of March 2, organizations should not mistake this for low risk.
Watch for each major group's distinct TTPs: Peach Sandstorm, APT34, MuddyWater, Cotton Sandstorm, and APT42 each have established patterns for initial access and lateral movement. Also watch for new hacktivist fronts emerging — this is typically a signal of where Iran is directing its efforts, as seen previously with Homeland Justice in Albania and Moses Staff targeting Israel.
What to Watch
When the digital blackout lifts, look for scanning, brute forcing, password spraying, and probing against your networks as early signals of Iranian cyber forces re-operationalizing. A temporal overlap between the blackout lifting and increased probing against previously untargeted networks would be a significant indicator. DDoS campaigns may also be an early signal. Ensure all public-facing technologies are patched — you can't control geopolitics, but you can control your exposure.
Additionally, watch for infrastructure repurposing: groups known for traditional espionage may suddenly shift to IO-driven domains, as seen after June 2025 when espionage infrastructure pivoted to hybrid theft-and-influence operations.
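As an added illustration (not Recorded Future or Insikt Group code), the sketch below shows one way to look for the early signals described above in failed-login records: it separates password spraying from brute forcing and marks whether each source was already seen before a chosen cutover time. The cutover standing in for the end of the blackout, the thresholds, the record layout and every sample event are assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed placeholder for "the moment the blackout lifted"; the page gives no such time.
T0 = datetime(2030, 1, 1, 12, 0, 0)

def _t(minutes, seconds=0):
    return T0 + timedelta(minutes=minutes, seconds=seconds)

# Constructed failed-login events: (timestamp, source IP, username).
# IPs are from the RFC 5737 documentation ranges.
SAMPLE = (
    [(_t(-90), "198.51.100.20", "admin")]                                    # seen before cutover
    + [(_t(5 + i), "203.0.113.10", f"user{i}") for i in range(6)]            # one try per account
    + [(_t(20, 10 * i), "198.51.100.20", "admin") for i in range(12)]        # hammering one account
    + [(_t(40), "192.0.2.30", "alice"), (_t(41), "192.0.2.30", "alice")]     # ordinary typo
)

def _label(rows, window, min_users, max_per_user, brute_min):
    """Slide a time window over one source's sorted failures and name the pattern."""
    start = 0
    for end in range(len(rows)):
        while rows[end][0] - rows[start][0] > window:
            start += 1
        counts = Counter(user for _, user in rows[start:end + 1])
        # Spray: many accounts, very few guesses each (stays under lockout limits).
        if len(counts) >= min_users and max(counts.values()) <= max_per_user:
            return "password_spray"
        # Brute force: many guesses against a single account.
        if max(counts.values()) >= brute_min:
            return "brute_force"
    return None

def detect(events, cutover, window=timedelta(minutes=30),
           min_users=5, max_per_user=2, brute_min=10):
    """Return {ip: {"pattern", "new_source"}} for suspicious sources active after cutover."""
    seen_before = {ip for ts, ip, _ in events if ts < cutover}
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        if ts >= cutover:
            by_ip[ip].append((ts, user))
    findings = {}
    for ip, rows in by_ip.items():
        pattern = _label(sorted(rows), window, min_users, max_per_user, brute_min)
        if pattern:
            # new_source=True is the "previously untargeted, now probed" overlap signal.
            findings[ip] = {"pattern": pattern, "new_source": ip not in seen_before}
    return findings

if __name__ == "__main__":
    for ip, finding in sorted(detect(SAMPLE, T0).items()):
        print(ip, finding)
```

Thresholds like these need tuning against an organization's own lockout policy and normal failure rate before the output is used for alerting.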
Influence Operations
Iran is fully implementing its influence operations capabilities. Initial indicators emerged within the first 12 hours of the conflict, and activity is expected to continue building — especially as the situation recalibrates post-kinetic strikes. Iran has had significant practice layering influence operations with kinetic and cyber activity since at least 2023, and over the last two and a half years has demonstrated iterative, sophisticated approaches.
Three Phases of Iran's IO Approach
Phase 1 — Strategic Narrative Shaping (Active Now). Iran is attempting to shape narratives down to the tactical battlefield level. Key early examples include Iran state media publishing unverified claims about civilian casualties from airstrikes on a school in southern Iran; false narratives claiming up to 50 US casualties, quickly refuted by US CENTCOM; and viral claims about ballistic missiles hitting the USS Abraham Lincoln strike group, also debunked. Iran is capitalizing on the fog of war to inflate perceived military capabilities and complicate damage assessment.
Phase 2 — Covert Network Surge (Initiating Now). Known influence operation networks are pivoting focus to the conflict. Expect coordinated inauthentic behavior on social media — sock puppet accounts impersonating journalists and activists — amplifying false narratives and attempting to delegitimize US-Israeli strikes. One AI-generated image related to the Lincoln claims reportedly reached over 5 million views within hours before being debunked.
Phase 3 — Psychological Deterrence (Weeks to Months). This will be a hybrid campaign targeting both international audiences to control deterrence perceptions, and Iran's domestic population to reinforce a narrative of regime survivability.
Active Threat Networks
Insikt Group is currently tracking at least three networks as fully engaged on this conflict.
Storm-2035 (ION-24) — one of the more prolific Iranian IO networks, previously active in 2024 targeting US elections and most recently focused on Venezuela during the US operation to capture Maduro. Within the last 48 hours, a deliberate content shift on their inauthentic accounts was observed directly tied to this conflict. The network appears focused on exaggerating Iranian military capabilities and complicating battlefield damage assessment, including unverified claims of shooting down a US MQ-9 Reaper drone and claims that Iranian attacks on US bases resulted in 200 military casualties.
Handala Hack Team — an Iran-affiliated hacktivist front. Activity is still early and under investigation; they have claimed to have compromised an Israeli oil and gas company, though indicators of compromise are not yet robust. Using hacktivist fronts to claim a successful attack where none occurred is a persistent psychological tactic employed by Iranian cyber-enabled influence operations.
ION-79 — affiliated with the IRGC Basij, previously tracked producing counter-protest narratives during Iran's nationwide protests. Inauthentic accounts are now actively producing content tied to the current conflict.
Additional networks are being tracked, and more are expected to pivot and fully engage as the conflict develops.
What to Watch
Monitor your organization's brand closely — other nation-state actors are actively exploiting the conflict. Insikt Group recently published an analysis on Operation Overload, a Russian influence operation impersonating legitimate entities in France and Germany to advance geopolitical interests under cover of Middle East conflict. Brand abuse and impersonation by threat actors have increased significantly over the past year.
Also watch for physically focused influence operations: Insikt Group has tracked networks over the past two years that actively attempt to recruit individuals to commit physical acts of violence, including offering financial incentives. Intent levels following Khamenei's death are likely unprecedented.
Strategic Risk Outlook
Based on the current situation, the Insikt Group has developed three scenarios (which are not mutually exclusive) to help companies understand possible event trajectories and resilience questions to consider.
Scenario One: Regional War and Energy Shock
What happens: Iran escalates retaliation across the Gulf, focusing on using missile strikes, drones, mining, and proxy militants to cripple shipping routes. The US and Israel move from targeted strikes to sustained operations.
What to Watch: Control of key shipping lanes, Iran’s ability to conduct asymmetric ops or proxy attacks
Risk to organizations: Energy prices spike and remain volatile. Shipping insurance surges. Airspace closures disrupt cargo and commercial travel. Gulf facilities near US installations face collateral risk. Supply chains experience recurring disruption as conflict becomes protracted.
Cyber risk: Hacktivist activity intensifies immediately (DDoS, website defacements, data leak claims), potentially followed by destructive state-linked cyber operations targeting energy, logistics, and telecom networks. Operational downtime risk increases.
Resilience Question: What is the operational and financial impact of a 30- or 60-day closure of the Strait of Hormuz across our critical dependencies?
Scenario Two: Regime Fracture and Militia Foothold
What happens: Khamenei’s death triggers a power struggle. Iran's leadership transition will shape the ideological and strategic direction of its retaliation. Internal unrest grows, compounded by militant spillover from the Afghanistan-Pakistan conflict. Militias and separatist minority groups compete for territory and influence.
What to Watch: Militia expansion, erosion of IRGC control, and cross-border militant activity
Risk to organizations: Not a full regional shutdown, but persistent instability: drone incidents, militia activity near US-linked facilities, and sporadic infrastructure disruption across Iraq and the Gulf. Elevated terrorism risk if ungoverned areas expand.
Cyber risk: Opportunistic cyber operations target Israeli, US, and Gulf organizations, particularly media, telecoms, and mid-sized enterprises. Increased extremist recruitment and influence operations likely.
Resilience Question: Are we prepared for high-impact, low-probability incidents such as terrorist violence or sudden infrastructure disruption affecting regional operations?
Scenario Three: Prolonged Stalemate
What happens: Limited de-escalation talks begin, but episodic strikes continue. The regime retains control after making concessions. The Strait of Hormuz remains open, though tensions remain elevated.
What to Watch: Targeted assassinations, rhetorical shifts from leadership
Risk to organizations: Persistent friction. Higher oil prices. Higher insurance costs. Periodic airspace and port closures. Slower regional investment. Operations continue, but with thinner margins and higher volatility.
Cyber risk: Iranian hacktivist campaigns continue, though limited by rolling Internet blackouts. Heightened risk of state-sponsored attacks against regional energy, logistics, and telecom to gain leverage.
Resilience Question: If volatility becomes the baseline, how must we adjust our risk posture to operate sustainably under persistent disruption?
How Recorded Future Can Help
Following standard operating procedure for high-priority global events, the Insikt Group® published same-day flash analysis on both the kinetic strikes and the emerging cyber threat landscape.
Upon log-in, customers were also pointed to resources within the platform via an updated Middle East Resource Center, which included pre-built queries and alerts to complement finished intelligence from the Insikt Group. These queries ranged from suggested threat actors to track (from the Handala Hack Team to RipperSec) to generative AI prompts for continually generating situation reports.
Recorded Future customers have immediate access to the resources your team needs right now:
- Resource Center
- Middle East Regional Conflict Intelligence Kit
- Islamic Republic of Iran Intelligence Kit
Customers' Threat Maps will automatically update based on the latest cyber attacks and targets to include any relevant threat actors to track, including hacktivist groups.
Recorded Future customers can easily configure queries as a real-time alert to receive immediate notification as the situation develops — including new hacktivist claims, threat actor activity, and Insikt Group assessment updates.
To provide extra support to our customers in the region, Recorded Future’s support team automatically enabled Geopolitical Intelligence access on 28 February. Other customers interested in a free Geopolitical Intelligence trial should contact their account team to gain access to the full suite of Insikt Group geopolitical notes, advanced queries, and associated alerts.
Stay Informed
The situation in Iran is moving fast. Recorded Future's Insikt Group is publishing continuous updates as the conflict evolves. To learn how Recorded Future can give your team the intelligence to stay ahead of this and future geopolitical crises, contact us to speak with one of our threat intelligence experts.