Iran's Internet Collapsed to 4% of Normal. Here's the Technical Breakdown.
Quick summary
On February 28, 2026, Israel and the US conducted the largest coordinated cyberattack on a nation's internet in history. Iran's traffic dropped to 4% of normal. Here's how it was done, what infrastructure was targeted, and what developers need to understand about nation-state cyberattacks.
On February 28, 2026, something unprecedented happened on the internet. Iran's total internet traffic collapsed to approximately 4% of its normal levels — not because of a power failure, not because of a natural disaster, but because of a coordinated nation-state cyberattack launched alongside a military operation.
The operation had two names: Israel called it Operation Roar of the Lion, and the US DoD referred to its component as Epic Fury. Together, they represent the most extensive documented cyberattack ever carried out against a nation's digital infrastructure in coordination with kinetic military strikes.
This piece breaks down what happened technically, why it worked, and what developers and infrastructure teams should understand about how modern nation-state cyber operations actually function.
What Happened on February 28
The cyberattack was timed to coincide with military strikes targeting Iranian Revolutionary Guard Corps (IRGC) leadership. The digital component had a specific operational purpose: prevent IRGC communications infrastructure from coordinating drone and missile retaliation in the hours immediately following the strikes.
The result was a digital blackout that lasted more than 48 hours at peak severity:
- Government websites went dark
- State media went offline
- Security and surveillance systems lost connectivity
- Citizens reported near-total loss of internet access
The 4% figure comes from network traffic monitoring companies tracking BGP routes and internet exchange data from Iran's border routers. For context: during Iran's own deliberate shutdowns (which the government has imposed during protests), traffic typically drops to 20-40%. Getting to 4% required something far more sophisticated than simply pressuring ISPs to pull routes.
How You Take Down a Nation's Internet
Most people assume shutting down a country's internet means cutting a cable or flipping a switch. Modern nation-state attacks are far more surgical.
Layer 1: BGP Route Manipulation
Iran's internet connects to the global internet through a small number of Autonomous Systems (AS) — primarily controlled by state telecom operator TCI (Telecommunication Company of Iran). By targeting the routing infrastructure at these border ASes, traffic can be black-holed without physically cutting anything. Attackers with deep access can withdraw route advertisements, making Iran's IP ranges unreachable from the outside while also disrupting internal routing.
Layer 2: DNS Infrastructure Attacks
Iran operates its own national DNS resolvers and has a partially filtered DNS system (the National Information Network, or NIN). Disrupting authoritative DNS servers for .ir domains and major government services causes cascading failures — browsers can't resolve addresses, APIs break, authentication systems fail.
Layer 3: SCADA/ICS Targeting
Earlier attacks in January 2026 (which preceded February's operation) hit port management systems at Bandar Abbas and Chabahar, and targeted power substations. These aren't IT systems — they're operational technology (OT) running SCADA software, often on Windows XP or legacy industrial control platforms that haven't been patched in years. Disrupting these created real-world physical consequences: port operations halted, container management stopped, and oil exports were delayed, causing tens of millions in daily losses.
Layer 4: IRGC-Specific Communications
The military targeting component focused specifically on communications infrastructure used by IRGC units for coordinating drone and missile launches. This included encrypted military comms relays and the physical infrastructure supporting them.
Why This Worked When Iran's Own Shutdowns Don't Go This Far
Iran's government regularly shuts down the internet during protests — they've done it in 2019, 2021, and 2022. But those shutdowns never got below roughly 20% because the government still needs the internet to function. Banks, government services, military logistics — all depend on connectivity.
A nation-state attacker doesn't have that constraint. They can target the infrastructure the Iranian government itself relies on. That's the asymmetry that enabled the 4% figure.
What Was Restored First (And Why That Matters)
Recovery from this kind of attack isn't uniform. The sequence of what comes back online first reveals what was prioritized:
- Military and government secure communications (highest priority, restored via backup channels)
- Banking and financial infrastructure (economic stability)
- State media (information control)
- General civilian internet (lowest priority)
For developers building critical systems, this recovery sequence is a useful model: what would your own incident response look like if you had to triage which services came back first?
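A sketch of that triage, as an added example that is not part of the original article: it orders service restoration by priority tier while forcing every dependency to come back before the service that needs it. The service names, tiers and dependency edges are hypothetical.

```python
import heapq

# Hypothetical inventory: name -> (priority tier, dependencies).
# Lower tier = restore sooner.
SERVICES = {
    "payments-api": (1, ["auth", "internal-dns"]),
    "auth": (2, ["internal-dns", "secrets-store"]),
    "status-page": (2, []),
    "internal-dns": (4, []),
    "secrets-store": (3, ["internal-dns"]),
    "marketing-site": (5, ["status-page"]),
}


def restore_order(services):
    """Return a restoration order: dependencies first, then by effective tier."""
    # A dependency inherits the most urgent tier of anything that needs it.
    effective = {name: tier for name, (tier, _) in services.items()}
    changed = True
    while changed:
        changed = False
        for name, (_, deps) in services.items():
            for dep in deps:
                if dep not in services:
                    raise KeyError(f"{name} depends on unknown service {dep}")
                if effective[dep] > effective[name]:
                    effective[dep] = effective[name]
                    changed = True
    # Kahn's algorithm with a heap so the most urgent ready service goes next.
    pending = {name: set(deps) for name, (_, deps) in services.items()}
    ready = [(effective[n], n) for n, deps in pending.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for other, deps in pending.items():
            if name in deps:
                deps.remove(name)
                if not deps:
                    heapq.heappush(ready, (effective[other], other))
    if len(order) != len(services):
        raise ValueError("dependency cycle: no valid restoration order")
    return order
```

In this sample inventory the tier-4 `internal-dns` service is restored first, because the tier-1 `payments-api` cannot come back without it.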
The January Precursor Attacks
The February blackout didn't happen in isolation. A pattern of escalating attacks had been building for weeks:
- January 20: Port authority systems at Bandar Abbas and Chabahar were disrupted. Container management systems went offline. Oil export operations halted.
- January 22: Power substations in Tehran, Isfahan, and Shiraz were hit. Rolling blackouts followed across major Iranian cities.
- Late January: IRGC internal communications were increasingly degraded, a pattern consistent with preparation for the larger February operation.
This escalation pattern — probing critical infrastructure over weeks before a major coordinated strike — is consistent with documented offensive cyber doctrine.
What Developers and Infrastructure Teams Should Take From This
1. Your dependencies have dependencies
The Iranian port systems went offline not because someone hacked the port directly, but because the underlying network infrastructure failed. If your application depends on third-party APIs, cloud regions, or services with operations in geopolitically sensitive areas, you now have documented evidence that those dependencies can vanish without warning.
2. SCADA/ICS security is not optional anymore
The January attacks specifically targeted operational technology — the systems running physical infrastructure. These systems are frequently internet-connected, running decades-old software, and have almost no security tooling. If you work in energy, utilities, manufacturing, or logistics, your OT attack surface is actively being studied by nation-state actors.
3. Redundant connectivity paths matter
Iranian businesses that maintained Starlink connections (technically illegal in Iran but widely used via the black market) had internet access throughout the blackout. The lesson for infrastructure architects: single-path connectivity is a single point of failure, regardless of how reliable that path seems in normal conditions.
4. BGP is fundamentally fragile
The entire global internet routing system runs on BGP, a protocol designed in the 1980s for a trusted network. There is no authentication requirement to withdraw another network's routes. This has been a known problem for decades. The Iran blackout is another reminder that any organization with significant internet exposure should monitor their own BGP health and have contingency plans for routing disruptions.
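One way to monitor the BGP health of your own prefixes, as an added example that is not part of the original article: it replays announce and withdraw events seen by several vantage-point peers and reports when the share of peers that still hold a route to a monitored prefix crosses a threshold. The event tuples, peer names and documentation prefixes are constructed sample data; a real deployment would read the same fields from a route-collector feed.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample feed: (unix_time, peer, "A" announce / "W" withdraw, prefix).
# Prefixes are documentation ranges; peer names are hypothetical collectors.
SAMPLE_EVENTS = [
    (100, "peer-a", "A", "192.0.2.0/24"),
    (100, "peer-b", "A", "192.0.2.0/24"),
    (100, "peer-c", "A", "192.0.2.0/24"),
    (100, "peer-d", "A", "192.0.2.0/24"),
    (100, "peer-a", "A", "198.51.100.0/24"),
    (100, "peer-b", "A", "198.51.100.0/24"),
    (160, "peer-a", "W", "192.0.2.0/24"),
    (165, "peer-b", "W", "192.0.2.0/24"),
    (170, "peer-c", "W", "192.0.2.0/24"),
    (400, "peer-a", "A", "192.0.2.0/24"),
    (405, "peer-b", "A", "192.0.2.0/24"),
]


def visibility_alerts(events, monitored, peers, threshold=0.5):
    """Replay events in time order and report threshold crossings.

    Returns (time, prefix, visibility, state) tuples, where visibility is the
    share of peers that currently hold a route to the prefix.
    """
    watch = {ip_network(p) for p in monitored}
    seen_by = defaultdict(set)   # prefix -> peers currently holding a route
    state = {}                   # prefix -> "UP" / "DOWN"; absent until first healthy
    alerts = []
    for ts, peer, kind, prefix in sorted(events):
        net = ip_network(prefix)
        if net not in watch or peer not in peers:
            continue
        if kind == "A":
            seen_by[net].add(peer)
        else:
            seen_by[net].discard(peer)
        vis = len(seen_by[net]) / len(peers)
        if vis >= threshold:
            if state.get(net) == "DOWN":
                alerts.append((ts, str(net), vis, "RECOVERED"))
            state[net] = "UP"
        elif state.get(net) == "UP":
            # Only alert after a healthy baseline, so start-up does not page anyone.
            state[net] = "DOWN"
            alerts.append((ts, str(net), vis, "DEGRADED"))
    return alerts
```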
The Broader Pattern: Cyber-Kinetic Coordination
What makes February 28 historically significant isn't just the scale — it's the coordination. Cyberattacks running in precise synchrony with military strikes, timed to degrade communications in the hours when the target most needs them, represent a doctrinal shift in how nation-states conduct conflict.
This is the template that future conflicts will follow. Understanding it isn't just geopolitical interest — it's infrastructure literacy for anyone building systems that need to keep running.
Related: What the USA-Israel Strikes on Iran Mean for Technology and Cyberwar in 2026
Written by
Abhishek Gautam
Full Stack Developer & Software Engineer based in Delhi, India. Building web applications and SaaS products with React, Next.js, Node.js, and TypeScript. 8+ projects deployed across 7+ countries.