
Iran’s cyber front and ripple effects in Lebanon


From infrastructure targeting to proxy attacks, cyber warfare redefined how the Iran conflict was fought.

By The Beiruter | April 12, 2026
Reading time: 4 min

As a fragile ceasefire takes hold in the Israel–Iran war, the conflict has made clear that cyber operations ran in parallel with conventional warfare.

“Cyber is not replacing warfighting here; it is amplifying it,” said Tiffany Saade, a Lebanese AI security and cyber policy expert, in an interview with The Beiruter.

From the opening phase of the war, cyber activity moved in tandem with kinetic operations, targeting digital platforms, government systems, and commercial networks. This pattern reflects longstanding assessments of Iranian cyber doctrine. A 2023 analysis by the Center for Strategic and International Studies (CSIS) finds that Iran’s cyber strategy prioritizes disruption, espionage, and signaling rather than decisive battlefield effects. Saade echoes this assessment, describing cyber operations in the conflict as “primarily disruptive and symbolic, with pockets of strategic utility.” While not altering the core military balance, they expanded the scope of the conflict and the range of systems it could disrupt.

 

Coordination over innovation

This conflict was defined less by new technology than by how existing tools were used. Drawing on threat intelligence from Google and Mandiant, a U.S.-based cybersecurity firm that tracks state-linked hacking groups, Saade points to a recognizable Iranian playbook: phishing, credential theft, social engineering, and exploitation of trusted networks.

What was new, she argues, was the level of coordination. Saade identifies four defining shifts in how Iranian cyber operations were conducted during the war.

First is tempo. Wartime conditions produced a surge in activity, she said, a pattern consistent with Microsoft’s 2024 findings that Iranian cyber groups adopt an “all hands on deck” posture during periods of escalation.

Second is the expanded role of proxies and claim-making ecosystems. Hacktivist groups and Iran-aligned personas amplified operations, often exaggerating impact while broadening the range of targets.

Third is the growing focus on critical infrastructure and operational technology. During the conflict, cybersecurity advisories highlighted attempts to access systems linked to water and energy networks, building on earlier incidents involving Iranian-linked actors targeting industrial control devices such as programmable logic controllers.

Fourth is geographic and sectoral expansion. Iranian cyber activity extended beyond immediate adversaries to include partners, logistics networks, telecom providers, and cloud infrastructure, reflecting a wider targeting aperture.

“The real distinction is less new malware than broader wartime orchestration,” Saade said.

 

Infrastructure as a pressure point

The increasing focus on infrastructure represented one of the most consequential dimensions of the conflict.

Cyber operations targeting energy, water, and telecommunications systems carried risks that extended beyond digital disruption. “These systems are vulnerable in practice, but their vulnerability varies enormously,” Saade said.

Saade notes that many weaknesses stem from basic security gaps, including outdated systems, poor credential management, and weak separation between IT networks and the systems that run physical infrastructure. A 2026 analysis by the International Institute for Strategic Studies (IISS) makes a similar point, finding that cyber-physical risk often stems less from sophisticated hacking and more from poorly secured systems.

In practice, most of the cyber activity seen during the war fell into the lower-impact category: websites going offline, temporary service disruptions, or accounts being compromised. A truly high-impact attack would have looked very different, involving sustained disruption such as shutting down parts of the power grid, interrupting fuel distribution, interfering with water treatment systems, or knocking out telecom networks for an extended period.

These kinds of operations are harder to carry out. But the war showed that even relatively limited intrusions into sensitive sectors could still create panic, disrupt daily life, and carry significant economic consequences.

 

Proxies and the problem of escalation

Beyond infrastructure, Saade explains, the war’s cyber dynamics were increasingly shaped by proxy actors.

Iran’s use of hacktivist groups and affiliated personas allowed it to exert pressure while maintaining plausible deniability. During the war, multiple cyber incidents were claimed by such groups, often with limited verification, contributing to a crowded and ambiguous threat environment.

“The proxy ecosystem makes cyber conflict significantly harder to control, attribute cleanly, and deter reliably,” Saade said.

This ambiguity complicates response. Governments must assess whether an attack reflects state intent, independent activity, or disinformation. The risk is twofold: underreaction due to uncertainty, or overreaction based on misattribution.

As Saade explains, this layered ecosystem of state actors, proxies, and loosely affiliated groups created a more unstable escalation environment, where signals were harder to interpret and responses harder to calibrate. The result was a persistent background of low-level disruption, inflated claims, and overlapping actors that strained defensive resources and blurred escalation thresholds.


Lebanon and the question of cyber sovereignty

For Lebanon, the cyber risks are immediate. The war underscored how vulnerabilities extend beyond physical infrastructure into the digital systems that underpin economic and social stability. Lebanon’s fragmented energy sector, reliance on private generators, and uneven telecommunications infrastructure create a complex risk environment in which even limited cyber disruption could have cascading effects.

Saade frames the issue as one of sovereignty. “A nation’s sovereignty is no longer defined only by the integrity of its physical borders,” she said. “For Lebanon, true sovereignty also requires cyber sovereignty.”

This includes securing networks, protecting infrastructure, and safeguarding data. In a context of constrained state capacity, the margin for disruption is narrow.

As Saade put it, protecting the nation today requires securing not only land, air, and sea, but also “the digital systems that underpin government, security, the economy, and public trust.”
