Before the U.S. and Israeli military campaign against Iran launched in late February 2026, American and allied cyber forces had already begun a systematic dismantling of Iran’s electronic defenses. In what military analysts described as Operation Epic Fury, cyber operations began weeks before the first kinetic strikes, with attackers deliberately taking down radar systems, severing command-and-control networks, and collapsing communications infrastructure to “disrupt, disorient and confuse the enemy,” according to security analysts at CSIS. This cyber-first approach wasn’t incidental to the bombing campaign—it was foundational to it, designed to create a window of vulnerability in Iran’s air defense systems before any conventional attacks began.
The operation represents a modern turning point in how the U.S. coordinates cyber warfare with traditional military action. Rather than treating cyber operations as a separate domain, planners embedded them into the kinetic campaign timeline itself, using compromised traffic cameras, infiltrated mobile phone networks, and deeply embedded threat actors to gather real-time intelligence on Iranian military movements while simultaneously dismantling the infrastructure those forces relied on to respond. This article explains how these cyber operations unfolded, what systems were targeted, and what this integrated approach reveals about the future of U.S. military strategy.
Table of Contents
- How Did the U.S. Conduct Cyber Operations Before Kinetic Strikes?
- Disabling Iran’s Defense Infrastructure Through Cyber Means
- Intelligence Collection and Real-Time Monitoring
- The Role of Pre-positioned Threat Actors
- Coordinating Cyber and Kinetic Operations
- Iranian Cyber Retaliation Response
- The Future of Integrated Cyber-Kinetic Warfare
- Conclusion
How Did the U.S. Conduct Cyber Operations Before Kinetic Strikes?
The cyber campaign wasn’t a sudden escalation launched without warning—it had roots in months of prior infiltration and access development. According to security researchers tracking state-backed activity, a threat actor known as MuddyWater was identified on multiple U.S. networks in the weeks leading up to the bombing campaign, suggesting that iranian intelligence services may have been attempting their own reconnaissance or preparation. However, U.S. and Israeli cyber operators had positioned themselves inside Iran’s critical infrastructure far earlier, with deep access to communications systems, air defense networks, and command-and-control facilities. When the actual cyber offensive began, the timing and sequence mattered as much as the targets themselves.
The operation started by disabling radars—the sensory organs of Iran’s air defense system—making it impossible for human operators to track incoming aircraft or issue coordinated responses. Simultaneously, cyber teams severed the connections between military command centers and their field units, leaving Iranian commanders blind and unable to communicate orders to the forces defending against the impending strikes. According to analysis from Lawfare and CSIS, this created what military planners call “electromagnetic dominance”—a condition where one side can see and communicate while the other cannot. The timing was precise. Cyber disruptions didn’t occur days in advance, where defenders might have time to recognize the problem and implement workarounds. Instead, they were coordinated to begin in the hours immediately before kinetic strikes, maximizing the window where Iran’s defenses were simultaneously disabled and under physical attack. This simultaneity was essential; had there been hours of delay, Iranian technical personnel might have restored systems or shifted to backup communications networks.
Disabling Iran’s Defense Infrastructure Through Cyber Means
Iran’s air defense infrastructure is layered and redundant by design—no single radar station or communications node controls the entire system. This redundancy is specifically built to survive cyber attacks or losses of individual facilities. However, when cyber operations are coordinated with kinetic strikes, that redundancy becomes a liability: operators can’t fall back to secondary systems if those systems are also being disabled simultaneously through cyber means. The U.S. approach didn’t rely on destroying one critical node; instead, it targeted the network connections and protocols that allowed the system to function as a coherent whole.
The specific infrastructure targeted included what Lawfare researchers identified as “the electromagnetic environment over Iran”—meaning not just the military communications networks, but also civilian infrastructure that the military depends on. This included traffic control systems, electrical grid components that power radar installations, and telephone networks used for backup communications. By attacking this broader ecosystem rather than just military-labeled systems, cyber operators ensured that even if Iranian military personnel found workarounds for compromised military networks, they wouldn’t be able to improvise solutions using civilian infrastructure as backups. However, if Iran had maintained truly offline backup systems—radar stations with independent power generation, radio communications networks that don’t rely on internet infrastructure—some portions might have survived the cyber onslaught. This is likely why Iranian military planners have invested heavily in decentralized communications and older, less-networked defense systems. The trade-off is that these legacy systems are slower to operate and coordinate, making them vulnerable to the kind of sudden, overwhelming kinetic assault that followed the cyber operations.
Intelligence Collection and Real-Time Monitoring
Alongside the cyber offensive against Iranian defenses, U.S. intelligence services were conducting what amounts to cyber-enabled surveillance at scale. According to reports from ORF Online, traffic cameras throughout Tehran—nearly all of them, by some accounts—were being monitored in real time during the operation. These weren’t specialized military cameras; they were civilian infrastructure that had been compromised by cyber teams, providing a detailed picture of civilian and military movements across the capital. This real-time intelligence served multiple purposes. First, it allowed U.S.
and Israeli planners to confirm where Iranian air defense units had been positioned, how they were moving in response to initial strikes, and where senior military officers were located. Second, it provided tactical feedback: as cyber attacks began and defenses started failing, camera feeds confirmed what was actually happening on the ground, allowing operations commanders to adjust the timing and targeting of kinetic strikes. This closed-loop intelligence system—where cyber operations provide feedback that shapes the next wave of kinetic operations—was unprecedented in scale. Additionally, compromised mobile phone networks provided access to communications that were still attempting to function despite the wider network disruptions. Iranian military personnel trying to coordinate responses were using personal phones on civilian networks, not realizing those calls were being intercepted. The combination of camera surveillance, communications intercepts, and information from the cyber attacks themselves gave U.S. commanders an almost real-time understanding of Iranian military readiness and response capabilities.
The Role of Pre-positioned Threat Actors
The presence of MuddyWater on U.S. networks in the weeks before the bombing campaign suggests a broader pattern: both sides were pre-positioning cyber operators and malware in preparation for anticipated conflict. While this Iranian activity was likely defensive—attempting to gather intelligence about U.S. intentions and capabilities—it also indicates that cyber warfare had already begun in a lower-intensity form weeks or months before the kinetic strikes. Pre-positioning is essential for cyber warfare effectiveness. You cannot simply launch a major cyber attack against a nation’s critical infrastructure without months or years of advance setup. Attackers need to map out the network, identify entry points, plant persistence mechanisms (malware that maintains access even if one compromise is discovered), and establish backup access routes.
The U.S. cyber campaign against Iran benefited from exactly this kind of advance preparation, with operators having spent considerable time inside Iranian military networks, documenting their structure and identifying which systems were most critical to protect. The comparison to kinetic warfare is instructive: you wouldn’t plan a bombing campaign without first sending in reconnaissance assets and gathering intelligence on target locations. Cyber operations follow the same logic. The presence of activity from Iranian threat actors like MuddyWater suggests that both sides recognized the likelihood of conflict and were attempting to position themselves for advantage. However, U.S. cyber capabilities appear to have been significantly more mature and better integrated with kinetic planning than Iranian capabilities, resulting in the coordinated campaign we observed.
Coordinating Cyber and Kinetic Operations
The integration of cyber and kinetic operations represents a fundamental shift in how the U.S. military thinks about warfare. Historically, these domains were separate: cyber operations might occur in peacetime to gather intelligence or disrupt adversary capabilities, while kinetic operations followed their own logic and timeline. In the Iranian campaign, they were fully merged. The cyber attacks weren’t a preliminary skirmish; they were the first salvo of the main campaign, with timing and sequencing coordinated minute-by-minute with the arrival of the first aircraft. This coordination required unprecedented information sharing between cyber and kinetic commanders.
Real-time battlefield intelligence from compromised cameras and communications networks had to flow back to the cyber teams, allowing them to adjust which systems to target next based on how Iranian defenders were responding. Simultaneously, kinetic commanders needed real-time feedback on what cyber operations had actually accomplished—which radars were truly down, where Iranian forces were moving—to adjust flight paths and targeting. This level of integration requires both technical infrastructure and significant changes to how military chains of command operate. A limitation of this approach became evident in the Iranian retaliation that followed. Because the operation was so coordinated and visible (Iran could see that its systems were being attacked), it provided clear warning of the impending kinetic strikes. Some analysts have questioned whether a more gradual, less obvious cyber campaign might have achieved similar disabling of defenses while maintaining operational surprise. The choice to conduct an overwhelming, coordinated cyber-kinetic assault achieved military objectives but at the cost of eliminating the possibility of a purely cyber-based disruption that might have prevented kinetic escalation altogether.
Iranian Cyber Retaliation Response
The cyber warfare didn’t end with the kinetic strikes. According to the Canadian Centre for Cyber Security, Iran responded with its own cyber offensive against U.S. and allied networks in the weeks following the bombing campaign. These retaliatory operations targeted U.S.
government networks, infrastructure providers, and allied nations, with Iranian threat actors attempting to gain access to critical systems and exfiltrate sensitive information. What made Iranian cyber retaliation notable was its timing: even as Iran’s military was dealing with conventional strikes, its cyber forces—which operate through organizations like the Islamic Revolutionary Guard Corps and entities like MuddyWater—were simultaneously launching offensive operations against the nations that had attacked it. The DHS and intelligence agencies issued warnings that Iran’s cyber forces would specifically target U.S. networks related to nuclear sites, power generation, and transportation infrastructure. This suggests that Iranian planners had pre-positioned their own cyber capabilities in advance, anticipating conflict and preparing retaliatory options.
The Future of Integrated Cyber-Kinetic Warfare
The Operation Epic Fury campaign established a template that will likely shape future U.S. military operations. Unit 42 at Palo Alto Networks documented the escalation of Iranian cyber capabilities and threat patterns throughout 2026, noting that both the U.S. and Iran are investing heavily in more sophisticated cyber weapons and better integration with conventional military planning. This suggests that future conflicts—whether with Iran, China, Russia, or other state actors—will feature increasingly coordinated cyber-kinetic operations.
The question now facing military planners and cybersecurity professionals is how to defend against this kind of integrated attack. Traditional cyber defense assumes that an organization has time to detect, respond, and recover from cyber incidents. But when cyber attacks are synchronized with physical, kinetic strikes, defenders don’t have that luxury. Protecting critical infrastructure against this threat requires new approaches: truly offline backup systems, decentralized decision-making structures that don’t rely on communications networks, and intelligence capabilities that can detect preparation for large-scale coordinated attacks before they’re launched. The operation against Iran demonstrated both the power of integrated cyber-kinetic warfare and the vulnerabilities it exploits.
Conclusion
The U.S. cyber operations against Iran before the bombing campaign started were not separate from the kinetic campaign—they were its essential prerequisite. By disabling radars, severing communications, and monitoring Iranian military movements through compromised civilian infrastructure, cyber teams created conditions where air defense systems became largely ineffective, giving conventional forces overwhelming advantage.
The operation demonstrated that modern warfare at the state level now requires seamless integration between cyber and kinetic domains, with each enabling the other in real time. For anyone seeking to understand modern military conflict, the Iranian campaign offers a clear lesson: cyber warfare is no longer a specialized tool used in peacetime or as a supporting element of conventional operations. It has become the opening move, the sensory apparatus, and the coordination mechanism for integrated military campaigns. As adversaries—including Iran, China, and Russia—continue to develop their own integrated cyber-kinetic capabilities, understanding how these operations work is essential for policymakers, security professionals, and informed citizens alike.
