The coordinated strikes and escalating tensions across the broader Middle East are setting the stage for a renewed phase of Iranian cyber operations, including espionage and possible attacks on U.S. critical infrastructure, they say.

CrowdStrike has “not observed large-scale state-sponsored cyber campaigns” but is seeing “a surge in claimed activity from Iran-aligned and sympathetic hacktivist groups, including assertions of disruptive actions such as [denial-of-service] operations, defacements and alleged interference across targets in the Middle East, the United States and parts of Asia,” said Adam Meyers, the firm’s head of counter adversary operations. 

Denial-of-service attacks seek to overwhelm a website with artificial traffic and knock it offline.

At this point, much of the publicized hacks are claim-driven, but critical infrastructure and financial sector firms “should remain vigilant for follow-on activity that moves beyond nuisance-level disruption into more coordinated or destructive operations,” he said.

“We expect Iran to target the U.S., Israel, and Gulf Cooperation Council (GCC) countries with disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure,” said John Hultquist, the chief analyst at Google’s Threat Intelligence Group.

That said, Iran “has historically had mixed results with disruptive cyberattacks, and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact,” he added. “Though they can have serious impacts on individual enterprises, it’s important to take their claims with a grain of salt.” 

Industry research has previously documented these theatrics.

U.S. officials said Monday the Iran operation was in its initial phases, with additional forces expected to be deployed to the Middle East amid escalating attacks that risk inflating into a full-scale regional conflict. 

Worldwide critical economic infrastructure is now a primary target for Iranian-tied hackers, according to Flashpoint findings emailed to Nextgov/FCW. Pro-Iranian hacktivist groups claimed to have breached a major Jordanian grain silo company’s control systems, including alleged manipulation of temperature controls and weighing systems, Flashpoint said. It’s not clear if those claims are legitimate.

Every U.S. multinational firm is at risk of being targeted, said Christopher Burgess, a former CIA official focused on cybersecurity, intelligence and technology. “You have to prepare by talking to your personnel in Abu Dhabi. You have to talk to your personnel in Kuwait. Your generic safety briefings no longer hold any water.”

“In the United States … we tend to see an event and we go, ‘That can’t happen to us,’ and then we move on,” he added. “But here’s the question I’d ask every company: If your personnel or your offices abroad lose water, power or communications for two weeks, what’s your plan? What’s your plan in the U.S. if that happens?”

The war is expected to test U.S. cyber defenses, which have been significantly impacted in the last year amid broad workforce cuts across the federal government. A further diminished workforce in the Department of Homeland Security, which has not been fully funded for some two weeks, is also amplifying concerns.

The Cybersecurity and Infrastructure Security Agency, the cyberdefense bureau housed in DHS, is operating with a reduced capacity. Some furloughed CISA workers are on standby orders, where they are directed to monitor work communications and prepare to potentially be called in, according to a current agency employee who spoke on the condition of anonymity due to fear of retribution.

“Some in the private sector are surprised that there’s a furlough right now going on at CISA,” said the employee, noting that it’s uncertain when the agency will receive full funding again. “It feels like there’s not a lot of push on either side [of the political aisle] to really come to a budget resolution immediately.”

Some Republicans have used the ensuing conflict to push Democrats to reach a DHS funding deal. 

“Because of Democrats’ refusal to fund DHS, the Cybersecurity and Infrastructure Security Agency (CISA) is operating at ~38% staffing,” Tennessee Rep. Matt Van Epps said in an X post that linked earlier reporting from Nextgov/FCW and Defense One. “This is putting our nation’s critical infrastructure at risk, especially considering Tehran’s history of retaliatory cyber attacks.”

DHS Secretary Kristi Noem is expected to testify tomorrow before the Senate Judiciary Committee and may face questions about staffing at the cyber agency.

“I am in direct coordination with our federal intelligence and law enforcement partners as we continue to closely monitor and thwart any potential threats to the homeland,” Noem said in a statement to Nextgov/FCW.

“Iranian regime-backed cyber actors continue to pose a serious threat to the United States and our allies, from probing our water utilities to running influence operations that undermine our democracy,” House Homeland Security Committee chairman Rep. Andrew Garbarino, R-N.Y., said in a statement. “CISA and its skilled personnel need to remain fully operational — and paid — to ensure our nation is ready to deter and respond to cyber threats against critical infrastructure across the public and private sectors.”

The war’s timing came from an intelligence tip about “a meeting of top Iranian officials [that] would take place on Saturday morning at a leadership compound in the heart of Tehran,” the New York Times reported Sunday. “Most critically, the C.I.A. learned that the supreme leader would be at the site.” U.S. and Israeli forces had been preparing for months to launch a new series of strikes inside Iran. But the tip spurred them “to adjust the timing” in the hopes of accomplishing one of Netanyahu’s longtime goals: killing Ayatollah Ali Khamenei. 

Israeli officials said they had confirmed Khamenei’s death just hours after the initial attack. Trump confirmed it shortly afterward. The following morning, Iranian officials confirmed it as well. Top Iranian officials Defence Minister Amir Nasirzadeh and Revolutionary Guards commander Mohammed Pakpour were killed Saturday, too.

The U.S. troops were killed during the initial Iranian response, with another four wounded in those strikes targeting U.S. and allied forces across the region, Central Command officials said in an initial statement and a follow-up Monday morning. No further details were provided.

Trump reax: “Sadly, there will likely be more [U.S. deaths] before it ends. That’s the way it is—likely to be more,” the president said in a video posted to social media Sunday evening. “But America will avenge their deaths, and deliver the most punishing blow to the terrorists who have waged war against, basically, civilization. They have waged war against civilization itself. Our resolve, and likewise that of Israel, has never been stronger.”

Regional blowback: At least 10 people in Israel have perished along with five others across the Gulf region as a result of retaliatory attacks from Iranian forces throughout the weekend, according to al-Jazeera. Protesters raged against the U.S. in Pakistan, where at least 23 were killed after demonstrators breached the outer wall of the American Consulate in Karachi; that death toll included 11 in Skardu, and two others in Islamabad, according to Reuters. A British airbase in Cyprus was hit by a drone overnight as well; later, the civilian airport at Paphos was evacuated after an object was spotted on radars. In Bahrain, a tanker reportedly linked to refueling U.S. naval vessels was also hit in port Monday morning, triggering a crew evacuation. 

Kuwaiti air defense systems mistakenly shot down three U.S. F-15 fighter jets Monday morning, officials from both countries announced afterward. “All six aircrew ejected safely, have been safely recovered, and are in stable condition,” the U.S. military said in a statement.

More after the jump…

Welcome to this Monday edition of The D Brief, a newsletter focused on developments affecting the future of U.S. national security, brought to you by Ben Watson with Bradley Peniston. It’s more important than ever to stay informed, so we’d like to take a moment to thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 1867, Congress passed the First Reconstruction Act, imposing military government on most of the rebel states and conditioning their readmission to the Union on ratifying the 14th Amendment.

Oil and gas production across the Middle East has slowed, with facilities in Qatar, Saudi Arabia, Iraq, and Israel temporarily shut down amid Iranian ballistic missile and drone attacks since Saturday. “Brent crude was last up 9% at $78.9 a barrel, set for its biggest daily jump since 2020's COVID-19-related turbulence and just surpassing its surge after Russia launched its full-scale invasion of Ukraine in 2022,” Reuters reported Monday morning. The war also “ground shipping to a near halt in the Strait of Hormuz, through which a fifth of global oil supply flows,” the wire service reported separately, noting Iran is “the third largest producer in the Organization of the Petroleum Exporting Countries,” and provides “about 4.5% of global oil supplies.” 

Suddenly chatty: After weeks of avoiding an opportunity to make his case to the American public—and to Congress, which the Constitution charges with authorizing war—Trump spoke by phone with several media outlets about the new war over the weekend. But he gave a variety of justifications and warnings about why and what might come next. 

• He told Axios the military strikes are intended to stop Iran’s nuclear program and to keep it from building missiles. 
• He told the Washington Post the attacks this weekend are aimed at regime change and giving freedom to the Iranian people. 
• He told the New York Times he hoped Iranian troops would turn over their weapons to the people. 
• He told The Atlantic he plans to talk to Iran’s new leaders but that the previous, now-deceased leadership “waited too long” and “played too cute.”  

Trump’s war forecast: “We figured it will be four weeks or so,” he told the Daily Mail. “It's always been about a four-week process so—as strong as it is, it's a big country, it'll take four weeks, or less,” he predicted Sunday. He gave the Times a similar window (“four to five weeks”).

Rewind: Trump campaigned as an anti-war candidate. That’s not how he has governed. “No president in the modern era has ordered more military strikes against as many different countries as Trump,” Zachary Basu of Axios pointed out Monday. “He's attacked seven nations, three of which—Iran, Nigeria and Venezuela—had never been targeted by U.S. military strikes. He authorized more individual air strikes in 2025 than President Biden did in four years.”

Latest poll: Just 27% of Americans approved of the strikes on Iran, while 43% disapproved and 29% were not sure, Reuters reported Sunday. And more than half of those surveyed (56%) said they think Trump “is too willing to use military force to advance U.S. interests.”

Notable: In launching the war, Trump claimed in a video address Saturday, “Our objective is to defend the American people by eliminating imminent threats from the Iranian regime.”

But Iran was, in fact, not preparing to preemptively attack the U.S., White House officials told Congressional staff members Sunday, citing U.S. intelligence, the Associated Press reports. State Secretary Marco Rubio is expected to brief Congressional leadership on the Iran war sometime today. 

Pentagon chief Pete Hegseth did not dispute that assessment in a press conference Monday. But he claimed Iran had amassed too many missiles for Trump to continue negotiations over Tehran’s nuclear and missile programs. “The former regime had every chance to make a peaceful and sensible deal,” Hegseth said Monday. “Tehran was not negotiating. They were stalling, buying time to reload their missile stockpiles and restart their nuclear ambitions…Our bases, our people, our allies—Iran had a conventional gun to our head as they tried to lie their way to a nuclear bomb.” Defense One’s Meghann Myers has more from that press conference, in which Hegseth did not mention the U.S. casualties.

Next: Hegseth is set to join Rubio and Joint Chiefs Chairman Gen. Dan Caine in a briefing before all lawmakers Tuesday on Capitol Hill. 

Notable: The White House did not send any administration officials to Sunday talk shows to help make their case for war with Iran. But Trump confidant and longtime Iran hawk Sen. Lindsey Graham told NBC News, “Our goal is to make sure Iran cannot become again the largest state sponsor of terrorism.” When asked if Trump has a plan to guarantee that happens, Graham replied, “No. It's not his job.” 

Outside advice: “Killing the supreme leader was one thing. Ousting the regime will be another,” six reporters for The Atlantic warned, writing Saturday. 

Historian reax: “The president is supposed to get Congress’s buy-in to go to war in part because that requirement forces an executive to convince the American people that a contemplated military action is worth their tax dollars and their lives,” Heather Cox Richardson of Boston College wrote Saturday. “Trump’s attack on Iran scorns the will of the people and their constitutional right to decide whether they want to pay for a war with their money and their lives.” 

According to a Pentagon fact sheet, B-2 bombers, stealth fighter jets, recon aircraft, and other weapons were used to strike more than 1,000 targets in the first day of the U.S. war on Iran. On Sunday, U.S. Central Command released a list of U.S. weapons and platforms used in the first 24 hours of Operation Epic Fury, which began at 1:15 a.m. Eastern time on Feb. 28. Initial targets included aerospace forces and joint headquarters facilities of the Islamic Revolutionary Guard, Iranian navy ships and submarines, anti-ship and ballistic missile sites, command and control centers, military communications capabilities, and air defense systems, Defense One’s Thomas Novelly reports. 

The operation also marked the combat debut of the Pentagon’s new LUCAS one-way attack drones—which, as Defense One’s Patrick Tucker reported, are near-clones of Iran’s Shahed-136. 

U.S. combat jets used in the war’s first day included F-16, F/A-18, F-16, F-22, and F-35 fighter jets; and the A-10 Warthog. Electronic warfare, warning, and reconnaissance aircraft included the EA-18G, P-8 maritime patrol aircraft, unspecified RC-135s, and MQ-9 Reapers. Mobility aircraft included tankers and C-17 and C-130 airlifters. 

Munitions and defenses used against Iranian attacks included Patriot Interceptors, THAAD anti-ballistic missile systems, and M-142 high mobility artillery rockets.

Iranian drones and missiles began hitting facilities in Bahrain roughly two hours after the first U.S. and Israeli strikes on Tehran on Saturday morning, Hlad reports. Many targeted the headquarters of U.S. Naval Forces Central Command at Naval Support Activity Bahrain, while others hit residential buildings, and the Crowne Plaza—one of a handful of hotels popular with visiting U.S. officials and a frequent choice for military and embassy events.

When the drones came, “they sounded like lawnmowers or mopeds, and so loud it was like they were right outside,” an American connected to the U.S. military base in Bahrain said. “It sounded relentless.” 

When the Navy base in Bahrain was attacked, it was nearly empty because an exercise drill the night before put it on “mission critical” status, the American said. However, the authorized departure of dependents was not called until an hour after the first strikes on Iran, so no families had left. Missile warnings started roughly 45 minutes later, and then the explosions began. Continue reading, here.

A fake memo also surfaced shortly after the attacks began, claiming that multiple apps were “compromised” and could be revealing servicemembers’ locations, Nextgov’s David Dimolfetta reports. The fake message claimed that Uber, Snapchat, and Talabat —a Middle East grocery service— were compromised and could reveal the location of service members. Some versions circulated also appear to say that locations of service members within the continental U.S. were also compromised. 

CYBERCOM reax: “The command did not issue messages to U.S. service members to turn off location services on their electronic devices and did not issue messages that applications had been compromised,” an official said. Read more, here. 

Related reading: 

• “Thousands of Iranian government supporters mourning Khamenei chant 'Death to America',” AP reported in video Sunday; 
• “Hundreds of Iranians cross border into Turkey, witness says,” Reuters reported Monday; 
• “Amazon's cloud unit reports fire after objects hit UAE data center,” the wire service reported Sunday; 
• In commentary, read “Why the US attack on Iran is unlikely to produce regime change in Tehran,” via veteran diplomat Donald Heflin, a leader at Tufts University's Fletcher School, speaking to The Conversation on Saturday; 
• “Polymarket Iran Bets Hit $529 Million as New Wallets Win Big,” Bloomberg reported Saturday, flagging six new accounts that made more than a million apiece betting for the first time this weekend, which could indicate possible insider trading; 
• “Polymarket defends its decision to allow betting on war as ‘invaluable’,” The Verge reported Saturday. 

Around the Defense Department

Anthropic to be ejected from Pentagon service. In what had seemed like it might be the big news of the weekend, President Trump on Friday directed all federal agencies—including the Defense Department—to “immediately cease all use” of frontier AI firm Anthropic’s technology, though he also said there would be a six-month "phase out period."

Hegseth subsequently said he would designate Anthropic a “supply chain risk,” a step the company said had never before been imposed on a U.S. firm. He did not explain why a supply-chain risk would be permitted to operate in the Pentagon’s classified networks for up to six more months.

Why? Earlier on Thursday, Pentagon spokesperson Sean Parnell said that DOD wanted unfettered use of Anthropic's tools “for all lawful purposes”—and said that the notion that DOD wants fully autonomous weapons or mass surveillance is a false narrative “peddled by leftists in the media.” 

But Anthropic’s CEO said those are the only two limits he insists on. In “a narrow set of cases, we believe AI can undermine, rather than defend, democratic values. Some uses are also simply outside the bounds of what today’s technology can safely and reliably do,” Dario Amodei said in a Thursday statement.

Notable: Emil Michael “had been hammering out an alternative to Anthropic with its rival, OpenAI,” the New York Times reported Sunday. But after sealing that agreement, the Wall Street Journal reported Friday, “Altman claims his deal with the Pentagon includes the same prohibitions that Anthropic had wanted.”

Anthropic is not done, and officials vowed to sue the Defense Department over labeling it a “supply-chain risk,” the Times reports. 

In his first press conference since the last time the U.S. struck Iran, in June, Hegseth said the U.S. chose to strike conventional Iranian military assets because they were part of Tehran’s plan to build nuclear weapons. 

“Iran was building powerful missiles and drones to create a conventional shield for their nuclear blackmail ambitions,” he said. “Our bases, our people, our allies—Iran had a conventional gun to our head as they tried to lie their way to a nuclear bomb.”

The administration’s claims that Iran had restarted its nuclear program, had enough material to build a bomb, and that it is developing long-range ballistic missiles with the ability to strike the United States are “false or unproven,” the New York Times reported last week. Last year, the Defense Intelligence Agency assessed that Iran has no such missiles, and that it would take a decade to amass 60 of them.

As has been Hegseth’s custom, but a stark departure from his predecessors, the secretary used the press conference to deliver a political speech that praised President Trump for his leadership and castigated former president Biden. 

But Hegseth spared operational details, including a way ahead. He also made no mention of the casualties the U.S. has taken thus far, including four confirmed deaths as of Monday morning.

At the press conference, streamed from the Pentagon’s briefing room, Joint Chiefs Chairman Gen. Dan Caine confirmed that the overnight downing of three F-15E fighters was not the result of enemy fire, though he would not elaborate. 

An hour before the press conference began, U.S. Central Command officials confirmed the jets were accidentally shot down by Kuwaiti forces.

In his remarks detailing the planning and execution of the operation, Caine started off by offering condolences to the family and friends of the fallen.

“As the secretary said, they are heroes and represent the best our nation has to offer,” Caine said as he read his prepared remarks, apparently having assumed that he would be echoing a sentiment that Hegseth never offered. 

Instead, the secretary gloated over the operation’s success and called on Iranians to “take advantage” of the country’s power vacuum.

“Turns out the regime who chanted 'death to America' and 'death to Israel' was gifted death from America and death from Israel,” Hegseth said. “This is not a so-called regime-change war, but regime sure did change." 

Later, in a direct appeal to U.S. troops, Hegseth encouraged them to ignore “the noise” and “stay focused.” 

In his prepared remarks, Caine acknowledged the U.S. personnel abroad still in harm’s way, including at a U.S. Navy base in Bahrain that took fire over the weekend, later prompting an evacuation of its personnel still in the city.

“I am proud of all of you as you take the fight to the enemy,” he said.

The way forward

After the June strikes, Hegseth and other administration officials repeatedly said Iran’s nuclear capabilities were “obliterated.” On Monday, Hegseth said that Iran’s refusal to negotiate a deal that would end its nuclear ambitions required further strikes. 

“The former regime had every chance to make a peaceful and sensible deal,” he said. “Tehran was not negotiating. They were stalling, buying time to reload their missile stockpiles and restart their nuclear ambitions.”

He did not mention the 2015 nuclear deal that Trump scuttled during his first term in office.

Trump has offered several possible timelines for the operation, including telling the Daily Mail on Sunday that it could take “four weeks or less.”

When a reporter asked Hegseth about the timeline, the secretary called it a “typical NBC, sort of gotcha-type question.”

“So you can play games about four weeks, five weeks—he has all the latitude, and I'm glad he does, because there's no better communicator than our president at expressing those things,” he said.

After calling the U.S. goals “realistic” and “not utopian” in his prepared remarks, Hegseth responded to a reporter’s question about the administration’s objectives with a short list of capabilities the administration doesn’t want Iran to have, including long-range ballistic missiles and attack drones.

“So that's a discrete reason of what is being addressed here, to ensure that they can’t use that conventional umbrella to continue a pursuit of nuclear ambitions,” he said.

And asked whether there were any U.S. troops in Iran at the moment, Hegseth scoffed.

“No, but we're not going to go into the exercise of what we will not do,” he said, calling it a “fallacy” that past administrations would preemptively draw lines in the sand about how far they would go.

“Why in the world would we tell you, the enemy, anybody, what we will or will not do in pursuit of an objective?” he said. “We fight to win. We fight to achieve objectives the president of the United States has laid out, and we will do so unapologetically.”

Caine said that more tactical aviation assets are heading into the Middle East, adding to the largest U.S. buildup in the region since the Global War on Terror.

“We’re just about where we want to be in terms of total combat capacity,” he added.

Iranian drones and missiles began hitting facilities in Bahrain roughly two hours after the first U.S. and Israeli strikes on Tehran on Saturday morning. Many targeted the headquarters of U.S. Naval Forces Central Command at Naval Support Activity Bahrain, while others hit residential buildings, and the Crowne Plaza—one of a handful of hotels popular with visiting U.S. officials and a frequent choice for military and embassy events.

Strikes on Bahrain, as well as Kuwait, United Arab Emirates, Qatar and Saudi Arabia—all hosts to U.S. military personnel and facilities—continued on Sunday and Monday.

When the Navy base in Bahrain was attacked, it was nearly empty because an exercise drill the night before put it on “mission critical” status, the American said. However, the authorized departure of dependents was not called until an hour after the first strikes on Iran, so no families had left. Missile warnings started roughly 45 minutes later, and then the explosions began. 

Now, Bahrain airspace is closed and all flights out of the civilian airport are suspended. And while the military had told troops and civilian employees that live in the Juffair district that they could get reimbursed to stay elsewhere, the U.S. embassy on Monday warned American citizens to avoid hotels in Manama, as they may be targeted. 

“Terrorist groups continue plotting possible attacks in Bahrain. Terrorists may attack with little or no warning,” reads a March 2 embassy update.

The American lives close to the base, but outside the Juffair district, which was completely evacuated Saturday. They told Defense One they are now staying in a different area because if they had stayed, they would have a “nervous breakdown with constant barrage of sirens, missile impacts, Patriot interceptors, drones, and jet engines.” 

Still, everyone in Bahrain is getting a steady stream of missile warnings, “but the drones usually accompany them in waves. All of us are braced all the time anyway.” 

“The command did not issue messages to U.S. service members to turn off location services on their electronic devices and did not issue messages that applications had been compromised,” the official wrote. “Due to operational security concerns, U.S. Cyber Command does not comment nor discuss cyber intelligence, plans, operations, capabilities or effects.”

The fake message claimed that Uber, Snapchat, and Talabat —a Middle East grocery service— were compromised and could reveal the location of service members. Some versions circulated also appear to say that locations of service members within the continental U.S. were also compromised. 

Uber late Sunday said there were no indications of compromise. A Snapchat spokesperson echoed that sentiment. Talabat did not return a request for comment by publishing time. 

The message began circulating in military service member chats, social media groups on Sunday evening, one day after the United States and Israel began attacking Iran. It was also shared in non-public Defense Department channels.

Some servicemembers familiar with standard military communications and dissemination protocols were skeptical of the message, another official told Defense One. But its wide dissemination made it difficult to initially ascertain its veracity. 

The message was just part of a wave of false information that flooded social media platforms after the bombing began. The episode highlights the speed at which inauthentic information can gain traction during active conflict, especially when it reaches those serving in the military. 

Iran has been known to generate and amplify misinformation and disinformation to sow confusion and chaos. It’s not clear at this time whether this particular memo is tied to Iran. 

Thomas Novelly contributed to this report.