Neo Science Hub

Cyber Armies vs Infrastructure: Telecom, Internet and Everyday Apps Under Fire

by Rashmi NSH
1 month ago
in Science News

The anatomy of a near-total national internet blackout, selective base-station disruption, DNS and BGP weaponisation, and the broader campaign that brought banks, airports and prayer apps to their knees.

On the morning that kinetic strikes targeted IRGC leadership compounds, missile infrastructure and nuclear-adjacent facilities across Tehran, Isfahan and Qom, Iran’s digital nervous system underwent a simultaneous, coordinated failure with no clear precedent in recorded nation-state cyber operations. Independent network-measurement organisations, tracking BGP route announcements and live traffic volumes at Iran’s border routers, recorded national internet connectivity collapsing to approximately four percent of ordinary levels. That figure places the event in a category distinct from the government-ordered shutdowns Iran had itself imposed during the 2019 and 2022 protest cycles, which typically preserved twenty to forty percent of baseline traffic.

What follows is a technical examination of how that collapse was engineered, what infrastructure it targeted, and what the cascading effects across aviation, energy, banking and civilian applications reveal about the contemporary architecture of cyber-enabled conflict. The politics of who struck whom and why are outside NSH’s editorial scope; the engineering of how a modern industrial nation’s digital infrastructure can be brought to near-zero in hours is not.

Operation Roar of the Lion / Epic Fury: The Dual-Track Campaign

Public reporting, threat-intelligence briefings from vendors including Radware, CloudSEK, Outpost24 and Unit 42, and independent traffic analysis by NetBlocks and Cloudflare Radar collectively confirm the broad architecture of what Israeli sources referred to as Operation Roar of the Lion and US Defence Department communications described as Epic Fury. Kinetic and cyber components ran in close synchronisation, with the cyber campaign serving three distinct operational functions: degrading Iran’s ability to coordinate a rapid military response; disrupting the civilian infrastructure that IRGC logistics and command nodes relied upon; and generating broad systemic confusion that compressed the defensive decision cycle.

Three observable outcomes at the national infrastructure level were independently confirmed across multiple monitoring platforms: nationwide connectivity collapsed to between one and four percent of normal levels for a sustained multi-hour period; government portals, national media properties and major consumer applications became unreachable or functionally degraded; and critical operational systems in the energy, aviation and financial sectors suffered significant disruption. The sequence, depth and simultaneity of these failures are inconsistent with independent hacktivist activity and consistent with coordinated, pre-planned intrusions leveraging long-term access established well before the operational date.

Technical Anatomy of a National Blackout: How You Drop a Country to 4%

Iran’s internet connectivity to the global network flows through a narrow set of autonomous systems, historically dominated by the Telecommunication Infrastructure Company of Iran (TCI, AS12880), with secondary paths through a small number of licensed international gateway operators. This architecture — the product of deliberate policy choices intended to enable government-controlled shutdown capability — paradoxically created exactly the concentrated attack surface that offensive operations could exploit.

Border Gateway Protocol (BGP) manipulation constitutes the most upstream attack vector. BGP is the routing protocol through which autonomous systems announce the IP address prefixes they can reach, and it carries no built-in proof that an AS is entitled to originate a given prefix. Two failure modes follow. A withdrawal removes the announcement: if the origin AS or its transit providers stop announcing Iranian prefixes, those blocks simply vanish from the global routing table. A hijack replaces it: another AS announces the same prefix, or a more specific one that wins on longest-prefix match, and draws the traffic to itself or into a black hole. An actor with access to Iran’s core routing infrastructure, either through direct compromise of TCI’s edge routers or through control of an upstream transit provider, can execute either with a small number of configuration changes that propagate within minutes across the global routing table.

DNS infrastructure disruption provides a complementary attack surface one layer up the stack. Attacking the authoritative DNS servers for the .ir country-code top-level domain, together with those operated by major Iranian ministries, banks and consumer platforms, causes resolution failures that render nominally reachable IP addresses functionally inaccessible: mobile apps, browsers and API clients depend on DNS resolution for every new connection, and when resolvers fail or return negative responses, connectivity ceases even where the underlying network paths remain intact. The effect is not instantaneous. Recursive resolvers cache answers for the record’s TTL, so names looked up shortly before the attack keep working until the cache expires while names not already cached fail immediately, and a cached negative answer keeps a name dead for the zone’s negative TTL even after the authority is restored. An attacker who wants a clean, simultaneous failure therefore targets the resolvers the population actually uses as well as the authoritative servers, while a defender buys time with longer TTLs and resolvers configured to serve stale records when upstream is unreachable.
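The caching behaviour described above is easy to reason about with a small model. The following is an added example written for this article, not code or data from the article or from any organisation it names; the zone contents, TTLs, hostnames and outage timeline are constructed. It shows a stub resolver that caches positive and negative answers, an authoritative server that can be taken offline, and what changes when the resolver is allowed to serve stale records (the RFC 8767 behaviour).

```python
"""Model of a caching resolver facing an authoritative DNS outage.

Added illustration, not code from the article. Zone data, TTLs and the
outage timeline are constructed. Times are in seconds on an abstract clock.
"""

# Constructed authoritative zone: name -> (rdata, ttl).
ZONE = {
    "api.bank.example.ir": ("10.1.1.10", 300),
    "www.gov.example.ir": ("10.2.2.20", 3600),
}
NEGATIVE_TTL = 600  # SOA minimum used for negative caching (constructed)


class Authority:
    """Authoritative server that can be switched off to model an outage."""

    def __init__(self, zone):
        self.zone = dict(zone)
        self.up = True

    def query(self, name):
        """Return (status, rdata, ttl); raise TimeoutError while down."""
        if not self.up:
            raise TimeoutError("authoritative servers unreachable")
        if name in self.zone:
            rdata, ttl = self.zone[name]
            return ("OK", rdata, ttl)
        return ("NXDOMAIN", None, NEGATIVE_TTL)


class Resolver:
    """Recursive/stub resolver with a TTL-bounded cache."""

    def __init__(self, authority, serve_stale=False, stale_max=86400):
        self.auth = authority
        self.cache = {}  # name -> (status, rdata, expires_at)
        self.serve_stale = serve_stale
        self.stale_max = stale_max

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and entry[2] > now:
            return entry[0], entry[1]  # fresh cache hit, positive or negative
        try:
            status, rdata, ttl = self.auth.query(name)
        except TimeoutError:
            # Upstream failure: a serve-stale resolver keeps answering from
            # an expired entry for up to stale_max seconds past expiry.
            if self.serve_stale and entry and now - entry[2] <= self.stale_max:
                return entry[0], entry[1]
            return "SERVFAIL", None
        self.cache[name] = (status, rdata, now + ttl)
        return status, rdata


def outage_scenario(serve_stale):
    """Constructed timeline: warm the cache, lose the authority at t=10,
    restore it at t=500 with a previously missing name added."""
    auth = Authority(ZONE)
    r = Resolver(auth, serve_stale=serve_stale)
    out = {}
    out["warm"] = r.resolve("api.bank.example.ir", 0)            # cached until 300
    out["missing"] = r.resolve("pay.bank.example.ir", 0)         # NXDOMAIN cached until 600
    auth.up = False                                               # outage begins
    out["cached_during_outage"] = r.resolve("api.bank.example.ir", 100)
    out["uncached_during_outage"] = r.resolve("www.gov.example.ir", 100)
    out["after_ttl_expiry"] = r.resolve("api.bank.example.ir", 400)
    auth.up = True                                                # authority restored
    auth.zone["pay.bank.example.ir"] = ("10.1.1.11", 300)        # name now exists
    out["negative_cache_lingers"] = r.resolve("pay.bank.example.ir", 550)
    out["negative_cache_expired"] = r.resolve("pay.bank.example.ir", 650)
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("serve_stale =", mode)
        for step, result in outage_scenario(mode).items():
            print(f"  {step:24s} {result}")
```

Two things to notice in the output: a name cached just before the outage survives it only until its TTL runs out unless serve-stale is on, and a cached NXDOMAIN keeps a name unreachable for the negative TTL even after it has been fixed at the authority, which is one reason recovery lags restoration.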

Internet exchange point (IXP) and backbone link degradation completes the triad. Iran operates a limited number of IXPs through which domestic traffic between ISPs is exchanged without traversing international links. Saturating or disabling these through volumetric DDoS, physical attack on co-location facilities, or prior compromise of IXP management systems pins traffic at the last mile even when transit routes are nominally available.

Getting a nation’s internet to four percent of normal traffic requires simultaneous action at the routing layer, the naming layer and the physical interconnection layer. Each alone produces disruption; all three in coordination produce near-collapse.

TECHNICAL NOTE  A BGP withdrawal typically propagates across the global routing table in well under two minutes under normal conditions, as update messages traverse the internet’s transit hierarchy. Recovery is slower and less predictable: each prefix must be re-announced, every neighbour must re-run best-path selection, and route-flap damping on some transit routers can suppress a prefix that has changed state repeatedly, so full re-convergence can take minutes to hours depending on the number of affected prefixes and the topology involved. An attacker who understands this asymmetry can engineer a recovery timeline rather than simply cause an outage.
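What an outside observer sees during a withdrawal campaign is a route-collector feed in which the monitored prefixes disappear from one peer after another. The script below is an added example for this article, not code or data from NetBlocks, Cloudflare Radar or any other organisation named on the page; the update stream, peer names, prefixes and the use of AS12880 as the expected origin are constructed placeholders. It replays a sequence of announcements and withdrawals into a per-peer RIB, tracks the fraction of the monitored set that is still reachable with the expected origin, raises an alarm when that fraction crosses a threshold, and deliberately does not count a prefix that reappears with a foreign origin as recovered.

```python
"""Track reachability of a monitored prefix set across a stream of BGP updates.

Added illustration for this article, not measurement data or code from any
named organisation. The update stream, peers, prefixes and the origin AS
used in the sample are constructed placeholders.
"""
from collections import namedtuple

# One BGP UPDATE as a route collector records it from a peer:
# kind "A" announces `prefix` with `as_path`, kind "W" withdraws it.
Update = namedtuple("Update", "t peer prefix kind as_path")

ORIGIN_AS = 12880  # origin we expect at the end of every path (constructed choice)
MONITORED = {"5.0.0.0/16", "5.1.0.0/16", "5.2.0.0/16", "5.3.0.0/16"}  # constructed

SAMPLE_UPDATES = [
    # t=0..1: both collector peers see all four prefixes from the expected origin
    Update(0, "peer1", "5.0.0.0/16", "A", (3356, 12880)),
    Update(0, "peer1", "5.1.0.0/16", "A", (3356, 12880)),
    Update(0, "peer1", "5.2.0.0/16", "A", (3356, 12880)),
    Update(0, "peer1", "5.3.0.0/16", "A", (3356, 12880)),
    Update(1, "peer2", "5.0.0.0/16", "A", (1299, 12880)),
    Update(1, "peer2", "5.1.0.0/16", "A", (1299, 12880)),
    Update(1, "peer2", "5.2.0.0/16", "A", (1299, 12880)),
    Update(1, "peer2", "5.3.0.0/16", "A", (1299, 12880)),
    # t=100: one transit path goes away; still fully reachable via peer2
    Update(100, "peer1", "5.0.0.0/16", "W", ()),
    Update(100, "peer1", "5.1.0.0/16", "W", ()),
    Update(100, "peer1", "5.2.0.0/16", "W", ()),
    Update(100, "peer1", "5.3.0.0/16", "W", ()),
    # t=130..133: the last path is withdrawn prefix by prefix
    Update(130, "peer2", "5.0.0.0/16", "W", ()),
    Update(131, "peer2", "5.1.0.0/16", "W", ()),
    Update(132, "peer2", "5.2.0.0/16", "W", ()),
    Update(133, "peer2", "5.3.0.0/16", "W", ()),
    # t=200: a prefix reappears with a foreign origin; that is a hijack, not recovery
    Update(200, "peer1", "5.0.0.0/16", "A", (3356, 64500)),
    # t=300: genuine re-announcement by the expected origin
    Update(300, "peer2", "5.0.0.0/16", "A", (1299, 12880)),
]


def apply_update(rib, upd):
    """Apply one update to a per-peer RIB shaped {prefix: {peer: as_path}}."""
    paths = rib.setdefault(upd.prefix, {})
    if upd.kind == "A":
        paths[upd.peer] = tuple(upd.as_path)
    elif upd.kind == "W":
        paths.pop(upd.peer, None)
    else:
        raise ValueError(f"unknown update kind {upd.kind!r}")


def reachable_fraction(rib, monitored=MONITORED, origin_as=ORIGIN_AS):
    """Share of monitored prefixes that at least one peer still sees with the
    expected origin AS at the end of the path."""
    ok = 0
    for prefix in monitored:
        paths = rib.get(prefix, {}).values()
        if any(path and path[-1] == origin_as for path in paths):
            ok += 1
    return ok / len(monitored)


def timeline(updates, monitored=MONITORED, origin_as=ORIGIN_AS, threshold=0.25):
    """Replay updates in time order. Returns (samples, alarms): samples is
    (t, fraction) after every update; alarms lists the points at which the
    fraction first dropped below `threshold` after having been above it."""
    rib, samples, alarms, below = {}, [], [], False
    for upd in sorted(updates, key=lambda u: u.t):
        apply_update(rib, upd)
        frac = reachable_fraction(rib, monitored, origin_as)
        samples.append((upd.t, frac))
        if frac < threshold and not below:
            alarms.append((upd.t, frac))
            below = True
        elif frac >= threshold:
            below = False
    return samples, alarms


if __name__ == "__main__":
    samples, alarms = timeline(SAMPLE_UPDATES)
    for t, frac in samples:
        print(f"t={t:4d}  reachable={frac:.2f}")
    print("alarms:", alarms)
```

Against a real feed the same logic would run over parsed MRT or BMP updates from several collectors, and the origin check is what separates "the prefixes came back" from "someone else is now announcing them".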

Selective Base-Station Disruption: The Pasteur Street Cell Cluster

One technically precise and operationally significant component of the cyber-kinetic campaign — as documented in Financial Times reporting and corroborated by signals intelligence analysis — was the selective degradation of approximately a dozen mobile base stations in the vicinity of Pasteur Street, timed to coincide with the strike on Khamenei’s compound.

This was not a broad-area jamming operation, which would have been detectable in advance and would have affected all users indiscriminately. It was a targeted misconfiguration or access-denial operation conducted through the base-station management plane: the O&M (operations and maintenance) interface through which network engineers remotely configure radio parameters, capacity allocation, handover thresholds and service availability flags. By setting specific cells to a ‘busy’ or barred state, or by blocking selected call attempts in the core network using compromised access to the subscriber database and switching elements (the HLR and MSC in a 2G/3G core, the HSS and IMS core for VoLTE), it is possible to cause handsets in a defined geographic area to experience call failure while data services continue and adjacent cells remain fully operational. The two approaches leave different traces: cell-level barring affects every subscriber camped on that cell, whereas core-level blocking follows the targeted subscribers wherever they move and leaves bystanders on the same cell untouched.

The operational effect, that Khamenei’s protection detail could not receive warning calls because their phones appeared to connect but returned busy signals, is consistent with MSC-level call blocking for a defined set of Mobile Station International Subscriber Directory Numbers (MSISDNs) rather than RF-layer jamming. This is more surgically precise, harder to attribute in real time, and requires the kind of persistent, privileged access to core network elements that is consistent with long-term, pre-positioned compromise of Iranian telecom infrastructure. For an operator, the detection opportunity lies in the core rather than the radio layer: audit trails on O&M sessions and subscriber-profile changes, and call-detail records in which busy outcomes cluster on a handful of subscribers rather than spreading across an entire cell.
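The distinction between subscriber-level blocking and cell-level congestion or barring is visible in call-detail records, and a telecom SOC can check for it. The script below is an added example for this article, not code or data from any operator or from the reporting the article cites; the CDR lines it analyses are constructed inline, with invented cell identifiers and MSISDNs. For each cell with an elevated busy rate it asks whether the busy outcomes are concentrated on a small group of subscribers who fail almost every time (the signature of selective blocking in the core) or spread across everyone on the cell (the signature of congestion or cell-wide barring).

```python
"""Classify cells with elevated call-busy rates from constructed CDR lines.

Added illustration for this article. CDR format, cell identifiers and
MSISDNs are constructed; real CDRs carry many more fields.
"""
import csv
import io
from collections import defaultdict


def _build_sample_cdr():
    """Construct CDR lines `ts,cell_id,msisdn,result` (all values invented)."""
    rows, t = [], 0

    def add(cell, msisdn, results):
        nonlocal t
        for r in results:
            rows.append(f"{t},{cell},{msisdn},{r}")
            t += 1

    for m in ("989120000001", "989120000002", "989120000003"):  # targeted subscribers
        add("4401", m, ["BUSY"] * 4)
    for i in range(5):  # bystanders on the same cell, normal outcomes
        add("4401", f"98912000010{i}", ["ANSWERED", "ANSWERED", "NO_ANSWER", "ANSWERED"])
    for i in range(8):  # congested cell: busy spread over everybody
        add("4402", f"98912000020{i}", ["BUSY", "ANSWERED", "BUSY"])
    for i in range(6):  # healthy cell
        add("4403", f"98912000030{i}", ["ANSWERED", "ANSWERED", "NO_ANSWER"])
    return "ts,cell_id,msisdn,result\n" + "\n".join(rows) + "\n"


SAMPLE_CDR = _build_sample_cdr()


def parse_cdr(text):
    """Parse CSV CDR text into (ts, cell_id, msisdn, result) tuples."""
    return [(int(r["ts"]), r["cell_id"], r["msisdn"], r["result"])
            for r in csv.DictReader(io.StringIO(text))]


def analyse(rows, busy_rate_alert=0.3, targeted_rate=0.9, concentration=0.8):
    """Return {cell_id: (label, busy_rate, always_busy_msisdns)} where label is
    'normal', 'cell-wide' or 'subscriber-targeted'."""
    by_cell = defaultdict(list)
    for _ts, cell, msisdn, result in rows:
        by_cell[cell].append((msisdn, result))

    findings = {}
    for cell, calls in by_cell.items():
        busy = sum(1 for _, r in calls if r == "BUSY")
        rate = busy / len(calls)
        if rate < busy_rate_alert:
            findings[cell] = ("normal", rate, [])
            continue
        # Per-subscriber busy counts within this cell
        per_sub = defaultdict(lambda: [0, 0])  # msisdn -> [busy, total]
        for m, r in calls:
            per_sub[m][1] += 1
            if r == "BUSY":
                per_sub[m][0] += 1
        always_busy = sorted(m for m, (b, n) in per_sub.items() if b / n >= targeted_rate)
        share = sum(per_sub[m][0] for m in always_busy) / busy
        # Targeted: a minority of subscribers accounts for nearly all busy outcomes
        if always_busy and share >= concentration and len(always_busy) < len(per_sub) / 2:
            findings[cell] = ("subscriber-targeted", rate, always_busy)
        else:
            findings[cell] = ("cell-wide", rate, always_busy)
    return findings


if __name__ == "__main__":
    for cell, (label, rate, subs) in sorted(analyse(parse_cdr(SAMPLE_CDR)).items()):
        print(f"cell {cell}: {label:20s} busy_rate={rate:.2f} subscribers={subs}")
```

A real deployment would baseline the busy rate per cell and hour rather than use a fixed threshold, and would join the flagged MSISDNs against the O&M audit log to see whether their subscriber profiles were modified shortly beforehand.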

Hitting More Than Websites: Aviation, Power and Banking Systems

The February 2026 blackout did not occur in isolation. Threat-intelligence reporting documents a sequence of ‘precursor’ operations in the preceding weeks that targeted physical industrial control systems, positioning the blackout as one phase of a sustained campaign against critical national infrastructure rather than a single-event cyber operation.

In January 2026, attacks attributed to the same operational cluster reportedly struck port-management and cargo-handling systems at Bandar Abbas and Chabahar, Iran’s two primary maritime gateways, halting container operations and degrading logistics throughput. Substation control systems serving areas of Tehran, Isfahan and Shiraz experienced disruptions consistent with SCADA-level intrusions, a pattern previously associated with the Predatory Sparrow group (Gonjeshke Darande), which has claimed destructive attacks on Iranian steel plants, fuel-distribution systems and banks. Aviation-adjacent systems, including airport IT infrastructure and ATC-supporting ground networks, suffered slowdowns that complicated both civil and military flight coordination during the operational period.

The banking sector attack merits particular technical attention. Radware and CloudSEK reporting documents that campaigns associated with pro-Israel actors had previously achieved destructive access to systems at Sepah Bank, Iran’s state-owned defence-linked financial institution, destroying data and taking ATM networks and card-payment infrastructure offline. This class of attack — data destruction rather than data exfiltration — is characteristic of wiper-malware deployment, a technique that was refined in the Shamoon attacks against Saudi Aramco in 2012 and has since become a standard tool in destructive cyber campaigns. The targeting of a bank’s payment-processing backend simultaneously disrupts retail fuel distribution, government salary payments and the civilian economy broadly — effects that propagate far beyond the compromised servers.

Everyday Apps as Weapons: Prayer Apps, E-Government and Psychological Operations

Parallel to infrastructure-level attacks, a subtler and technically distinct class of operation targeted the civilian application layer. Reporting from Iran International and CloudSEK documents the hijacking or degradation of widely used consumer applications during the operational period, serving both informational disruption and psychological operations objectives.

National ‘super-apps’ — platforms that aggregate bill payment, government services, mobile-data top-ups, transport booking and social functions into a single application — represent an attractive target because they are simultaneously critical civilian infrastructure and high-bandwidth channels to the entire urban population. Disrupting or defacing these applications during a crisis compounds civilian confusion, degrades the government’s ability to communicate with the public through official channels, and creates an environment in which alternative information — including adversary messaging — can fill the vacuum.

The reported compromise of a widely used Islamic prayer-time and religious-calendar application to push adversary messaging during the operation is analytically significant beyond its immediate effect. It demonstrates the willingness to weaponise applications that carry strong cultural and religious significance, maximising psychological impact precisely because the intrusion is so unexpected and violates a space considered private and sacred. From a technical standpoint, compromise at the notification layer, through Firebase Cloud Messaging or the Apple Push Notification Service, lets an attacker deliver messages to every registered device at once without touching any individual handset. Nothing at Google or Apple needs to be broken for this: what is needed is the app operator’s own sending credential (an FCM service-account key or an APNs authentication key) or control of the backend server that calls those services. Those credentials therefore deserve the same protection as a code-signing key, and an app that carries sensitive content should verify notifications end to end rather than trust whatever arrives through the push channel.
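One way to make a stolen sending credential insufficient on its own is to have the app verify a signature on the notification body that was produced by a key the push-sending backend never holds. The code below is an added example for this article, not the design of the compromised application or of any vendor; the key, payloads and timestamps are constructed. It uses HMAC-SHA256 only because that is in the Python standard library; in production the signing service would use an asymmetric scheme such as Ed25519 so that the app ships only a public key, and the freshness window would be tuned to the app’s delivery latency.

```python
"""Signed push-notification envelopes verified by the client app.

Added illustration for this article. The key, payloads and clock values are
constructed. HMAC stands in for an asymmetric signature (see lead-in).
"""
import hashlib
import hmac
import json

# Constructed key held by a signing service that is separate from the
# backend that talks to FCM/APNs. Not a real secret.
SIGNING_KEY = b"constructed-signing-key-not-a-real-secret"


def canonical(payload):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_notification(payload, issued_at, key=SIGNING_KEY):
    """Signing-service side: bind the content to an issue time and MAC it."""
    body = dict(payload, iat=int(issued_at))
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_notification(envelope, now, key=SIGNING_KEY, max_age=300, max_skew=60):
    """App side: accept only a well-formed, correctly signed, fresh envelope.
    Returns (accepted, reason)."""
    body, sig = envelope.get("body"), envelope.get("sig")
    if not isinstance(body, dict) or not isinstance(sig, str):
        return False, "malformed"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    iat = body.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + max_skew):
        return False, "stale or future-dated"
    return True, "ok"


def scenario():
    """Constructed cases: a legitimate push, the same push replayed two hours
    later, a body rewritten by someone holding the FCM/APNs credential but
    not the signing key, and an unsigned message."""
    legit = sign_notification({"title": "Prayer times", "text": "05:12"}, issued_at=1_000_000)
    forged = {"body": dict(legit["body"], text="adversary message"), "sig": legit["sig"]}
    return {
        "legit": verify_notification(legit, now=1_000_030),
        "replayed": verify_notification(legit, now=1_000_000 + 7200),
        "forged": verify_notification(forged, now=1_000_030),
        "unsigned": verify_notification({"body": {"title": "x"}}, now=1_000_030),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:9s} {result}")
```

The check does not stop an attacker from sending noise through the channel, but it stops the app from rendering attacker-chosen content as if it came from the operator, which is the effect the reporting describes.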

Retaliation and the Hacktivist Swarm: Mapping the Cyber Battleground

The Iranian and pro-Iran hacktivist response to Israeli and US operations constituted a separate but concurrent dimension of the cyber conflict, documented extensively by Outpost24, Unit 42 (Palo Alto Networks) and other threat-intelligence vendors. Understanding this ecosystem is essential for organisations — including Indian enterprises and infrastructure operators — assessing their own exposure.

Pro-Iran hacktivist groups including Cyber Av3ngers, Handala Hack and Cyber Islamic Resistance conducted coordinated distributed denial-of-service campaigns against Israeli government, financial, media and transport properties, supplemented by hack-and-leak operations and defacement of public-facing web infrastructure. Several groups attempted intrusions into Israeli and allied water utilities, energy facilities and industrial control systems, exploiting internet-exposed Programmable Logic Controllers (PLCs) and unpatched VPN appliances: the same class of weakness, PLCs reachable from the internet and protected only by default credentials, that Cyber Av3ngers exploited against US water utilities in late 2023.

This hacktivist ecosystem exhibits a hybrid character that complicates attribution and response: ideologically motivated volunteers blend with state-sponsored contractor talent and opportunistic criminal actors who share tools, infrastructure and targeting intelligence. The result is a persistent background pressure of low-to-medium sophistication attacks that forces defenders to maintain broad-spectrum monitoring across all their perimeter surfaces simultaneously, creating capacity constraints that sophisticated state actors can exploit.

Engineering Lessons for Telecom, Cloud and Infrastructure Architects

Iran’s experience in February 2026 is an operational case study whose technical lessons apply with equal force to any nation whose critical infrastructure exhibits analogous architectural characteristics. The following priorities are not theoretical; they are derived directly from the failure modes observed.

Network path diversity is the foundational defence against BGP-level attack. Iran’s dependence on a small number of state-controlled transit autonomous systems created a topology in which a handful of router configurations determined national connectivity. Organisations that maintained independent satellite connectivity — low-earth-orbit broadband or traditional VSAT links to non-Iranian upstream providers — reportedly maintained partial operational capability through the blackout. For Indian critical infrastructure operators, multi-homed connectivity across physically diverse carriers with independent international gateway relationships is an architectural requirement, not a cost optimisation decision.

DNS and BGP must be treated as security perimeters of equivalent importance to application-layer defences. Most enterprise and government security programmes invest heavily in web application firewalls, endpoint detection, and network intrusion detection at the application and transport layers while leaving routing and naming infrastructure under-monitored and under-hardened. Deploying RPKI (Resource Public Key Infrastructure) for BGP route origin validation and DNSSEC for authoritative DNS signing are baseline controls that raise the cost of the manipulation observed in Iran. Their limits should be understood precisely. Route origin validation prevents a third party from hijacking a prefix it is not authorised to originate, but it cannot stop the legitimate operator, or an intruder on that operator’s own routers, from withdrawing the prefix; and DNSSEC protects the integrity of answers, not the availability of the servers that give them. Against the withdrawal-and-outage pattern described above, the relevant controls are path diversity, monitoring from vantage points outside the affected network, and tightly controlled, audited access to the routers and name servers themselves.
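The boundary of what route origin validation can and cannot do is worth making concrete. The following is an added example for this article, not the output or code of any RPKI validator or router vendor; the ROAs, prefixes and AS numbers are constructed. It classifies announcements as valid, invalid or not-found in the sense of RFC 6811 and applies the common policy of dropping invalids while keeping not-found routes. A withdrawal never appears in this function at all: it is not an announcement, so there is nothing for ROV to judge, which is the caveat stated above.

```python
"""RFC 6811 route-origin validation against a small constructed ROA set.

Added illustration for this article, not a real validator. ROAs, prefixes
and AS numbers are constructed.
"""
import ipaddress

# Constructed ROAs as (prefix, maxLength, authorised origin AS).
ROAS = [
    ("5.0.0.0/14", 16, 12880),
    ("5.4.0.0/16", 16, 64496),
]


def rov(prefix, origin_asn, roas=ROAS):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'.

    A ROA 'covers' the prefix when the prefix lies inside the ROA prefix.
    Covered by at least one ROA but matched by none (wrong origin, or more
    specific than maxLength) is 'invalid'; covered by none is 'not-found'.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        if net.version != roa.version or not net.subnet_of(roa):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def filter_announcements(announcements, roas=ROAS, drop_not_found=False):
    """Apply a typical ROV policy to (prefix, as_path) announcements.
    Returns (kept, rejected), each a list of (prefix, as_path, state)."""
    kept, rejected = [], []
    for prefix, path in announcements:
        state = rov(prefix, path[-1], roas)
        if state == "invalid" or (drop_not_found and state == "not-found"):
            rejected.append((prefix, path, state))
        else:
            kept.append((prefix, path, state))
    return kept, rejected


SAMPLE_ANNOUNCEMENTS = [  # constructed
    ("5.1.0.0/16", (3356, 12880)),        # expected origin: valid
    ("5.1.0.0/16", (3356, 64500)),        # foreign origin: a hijack, invalid
    ("5.1.0.0/24", (1299, 12880)),        # right origin, longer than maxLength: invalid
    ("198.51.100.0/24", (1299, 12880)),   # no ROA covers it: not-found
]


if __name__ == "__main__":
    kept, rejected = filter_announcements(SAMPLE_ANNOUNCEMENTS)
    for prefix, path, state in kept + rejected:
        print(f"{prefix:18s} origin AS{path[-1]:<6d} {state}")
```

The more-specific case is the one operators most often get wrong: a ROA with maxLength equal to the prefix length means that even the legitimate origin cannot announce a /24 carved out of its /16, so an attacker cannot win longest-match with one either, but it also means the operator must issue new ROAs before any deliberate deaggregation.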

IT-OT segmentation is a non-negotiable architectural requirement for any industrial facility. The attacks on Iranian ports, substations and SCADA systems exploited the persistent failure of industrial operators to implement meaningful network segmentation between information technology networks — connected to the internet and corporate infrastructure — and operational technology networks — controlling physical processes. Designing ‘blast walls’ between these domains, implementing unidirectional data diodes for monitoring traffic, and deploying industrial-protocol anomaly detection are now baseline requirements for any facility whose disruption would have national consequence.

Hacktivist swarms must be modelled as a persistent threat tier, not background noise. Security operations centres that dimension their DDoS mitigation, log-triage capacity and incident-response workflows against elite APT activity alone will find themselves overwhelmed when concurrent hacktivist activity creates thousands of low-priority alerts that conceal sophisticated intrusions. Automation in threat classification, DDoS scrubbing and first-response playbook execution is essential to preserve human analyst capacity for genuine strategic threats.

–Sudhakar Garlanka

Tags: featured, science news, US Iran war
Copyrights © 2025 Neo Science Hub