How US Cyber Command Struck Iran Before the First Bomb: The Cyber Ops Behind Operation Epic Fury
Quick summary
US Cyber Command was the "first mover" in Operation Epic Fury — hacking Iranian air defenses, hijacking a prayer app with 5M users, and seizing state news websites before a single kinetic weapon was fired. Here's the full technical breakdown.
The first weapon fired against Iran in Operation Epic Fury wasn't a bomb or a missile. It was a packet.
US Cyber Command and US Space Command were officially designated "first movers" in the operation — cyber and space effects began before a single kinetic weapon was released. A top general confirmed: operations "effectively disrupted communications and sensor networks across the area of responsibility, leaving the adversary without the ability to see, coordinate, or respond effectively."
That sentence is worth reading twice. Iran's radar networks and air defense systems were blinded by software before American warplanes entered Iranian airspace. This is how it happened.
CYBERCOM's Doctrine: Blind First, Strike Second
The term "first mover" is operationally significant. In US military doctrine, cyber effects have historically been treated as a supporting operation — something done alongside kinetic strikes. Operation Epic Fury represents a documented shift: cyber was the opening move, not a parallel one.
The targets were what defense analysts call "digital aim-points": vulnerable nodes connected to the command infrastructure of radar systems and integrated air defense networks — routers, servers, peripheral devices that sit on the edge of classified military networks but are reachable through exposed interfaces.
By degrading these nodes before the strike packages arrived, Iranian surface-to-air missile systems at Fordow, Natanz, and Isfahan couldn't receive targeting data or coordinate a response. The Cyber Command mission wasn't to destroy hardware — it was to sever the information flow that makes air defense work.
The Prayer App Hack
The incident most relevant to developers: a mobile prayer app called BadeSaba Calendar, with more than 5 million downloads on Google Play, was compromised.
The attackers — US Cyber Command or affiliated intelligence units, per multiple reports — gained access to the app's push notification infrastructure and used it to send messages to Iranian military personnel urging defection.
Let that sink in as an application security scenario:
- Attack surface: FCM (Firebase Cloud Messaging) credentials, app signing keys, or developer console access
- Impact: 5 million devices received a psyop payload via a trusted channel
- Detection difficulty: Push notifications from a legitimate app don't trigger antivirus or firewall alerts
This is psychological warfare delivered through your app's notification system. For any developer with a significant install base: your push notification credentials, your app developer console, your signing keys — these are now established weapons-grade targets in a geopolitical conflict playbook.
IRNA and State News Websites Seized
Iran's state news agency IRNA and several other government-controlled news websites were simultaneously hijacked to display pro-strike messaging. The timing was coordinated with the physical strikes — replacing Iranian state propaganda with counter-messaging at the exact moment Iranians were searching for information about what was happening.
This is a cyber information warfare technique: seize the information channel your adversary relies on at the exact moment of crisis, when traffic to that channel spikes.
Natanz: Cyber and Kinetic Fusion
The strikes on Iran's nuclear facilities at Natanz, Fordow, and Isfahan combined cyber and kinetic effects in a way that has no clean historical precedent.
Stuxnet (2007-2010) was covert, deployed years in advance via USB, and designed specifically to avoid attribution. The 2026 operations were overt, timed to the minute with kinetic strikes, and openly acknowledged.
At Natanz specifically, a cyberattack on military systems connected to nuclear air defense networks was used to prevent Iran from launching surface-to-air missiles against incoming aircraft. Cyber wasn't the main event — it was the enabler that made the kinetic strike survivable for the attacking aircraft.
CSIS's post-attack assessment notes the cyber component was integrated into the first 12 days of strikes as a continuous operation, not a one-time event. Cyber Command was actively maintaining access and disrupting Iranian recovery efforts throughout the opening phase of the conflict.
Iran's Retaliation: The Electronic Operations Room
Within hours of the initial strikes, Iran established what it called the "Electronic Operations Room" — a coordination body for state-aligned hacktivist groups. By March 2, roughly 60 individual groups, including pro-Russian factions, were operating under this umbrella.
Key actors:
- DieNet: Claimed DDoS attacks on Bahrain Airport, Sharjah Airport, and regional banks
- Handala Hack (linked to Iran's MOIS): Data exfiltration combined with targeted cyber ops against Israeli political and defense targets
- Iran-linked groups claimed breaches of industrial control systems (ICS) in Israel, targeting manufacturing and energy distribution
The operational irony: Iran's own internet connectivity dropped to 1% during this same period. One former NSA operative described it to Fortune as being "in the hands of a 19-year-old hacker in a Telegram room" — the near-total blackout degraded Iran's ability to coordinate sophisticated state-level cyber operations, pushing activity toward loosely affiliated, harder-to-predict actors.
CISA at 38% Staffing
Here's the part that should alarm every US-based developer: CISA is operating at approximately 38% staffing during the highest-threat cyber period the US has faced in years.
The US government's primary civilian cyber defense agency — the entity responsible for coordinating incident response when Iranian actors hit US critical infrastructure — is running at less than half capacity. If you're building systems that serve US critical infrastructure, or if your company is in a sector Iran has historically targeted (energy, water, financial services), you cannot assume CISA will have the capacity to respond quickly.
Private-sector security vendors are filling this gap: CrowdStrike, Palo Alto Unit42, Cloudflare, and Recorded Future are publishing the most actionable real-time threat intelligence. Subscribe to their feeds. Don't wait for a government advisory.
What Developers Should Do Right Now
If you build mobile apps:
- Audit who has access to your FCM/APNs push notification credentials
- Review your Google Play Console and App Store Connect access logs
- Rotate app signing credentials if you haven't in 6+ months
- Enable login alerts on all developer accounts
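One way to turn the "audit who can send" step into a running check, as an added example that is not from the original post: a small detector over a backend push-send audit log that flags the pattern the BadeSaba incident describes, an unexpected principal broadcasting an off-template message to every device. The log schema, principals, topics, template ids and campaign ids are constructed assumptions, not a real FCM or APNs log format.

```python
# Flag suspicious mass push-notification sends in a backend send-audit log.
# Rules: sender not on the allowlist; broadcast (topic send or bulk token batch)
# with no registered campaign; message matching no approved template. Log schema,
# principals, topics and campaign ids are constructed, not a real FCM/APNs format.
import json
from dataclasses import dataclass

KNOWN_SENDERS = {"push-worker@example-app.iam", "release-bot@example-app.iam"}
APPROVED_TEMPLATES = {"daily_prayer_reminder", "ramadan_schedule"}
REGISTERED_CAMPAIGNS = {"cmp-daily-reminder", "cmp-2026-eid-greeting"}
BULK_TOKEN_THRESHOLD = 10_000  # token batches this large count as a broadcast

@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str

def check_event(line_no: int, ev: dict) -> list[Finding]:
    """Apply the three rules to one decoded send event."""
    findings = []
    if ev.get("actor") not in KNOWN_SENDERS:
        findings.append(Finding(line_no, "unknown-sender", str(ev.get("actor"))))
    is_broadcast = (ev.get("target_type") == "topic"
                    or ev.get("token_count", 0) >= BULK_TOKEN_THRESHOLD)
    if is_broadcast and ev.get("campaign_id") not in REGISTERED_CAMPAIGNS:
        findings.append(Finding(line_no, "unregistered-broadcast", str(ev.get("target"))))
    if ev.get("template_id") not in APPROVED_TEMPLATES:
        findings.append(Finding(line_no, "off-template-message", str(ev.get("body"))[:60]))
    return findings

def scan_log(text: str) -> list[Finding]:
    """Scan newline-delimited JSON send events; return findings in log order."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            out.extend(check_event(n, json.loads(raw)))
    return out

# Constructed sample: two routine sends, then one from an unknown principal
# pushing an unapproved message to the global topic with no campaign id.
SAMPLE_LOG = """{"actor": "push-worker@example-app.iam", "target_type": "topic", "target": "daily-reminders", "campaign_id": "cmp-daily-reminder", "template_id": "daily_prayer_reminder", "body": "Time for Asr"}
{"actor": "release-bot@example-app.iam", "target_type": "tokens", "token_count": 250, "template_id": "ramadan_schedule", "body": "Updated schedule"}
{"actor": "console-user:unknown@example.invalid", "target_type": "topic", "target": "all-users", "template_id": null, "body": "Off-template text (constructed)"}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```

Wire the same checks into the send path itself (refuse, not just log, an unregistered broadcast) and the compromised-credential case degrades from a 5-million-device psyop to a single blocked request.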
If you run web infrastructure:
- Enable Cloudflare's Under Attack Mode as a precaution if you serve Middle East or Israeli users
- Review WAF rulesets — Iranian-linked groups are conducting mass reconnaissance
- Patch Unitronics PLCs and Siemens-adjacent ICS systems immediately (the attack vector described in CISA advisory AA23-335a is still active)
If you're in security:
- Hunt for dormant implants — pre-positioning before kinetic conflict is the established playbook (same as Sandworm in Ukraine)
- The 38% CISA staffing gap means private sector threat sharing is essential, not optional
The Bigger Picture
Operation Epic Fury is the clearest public documentation yet of cyber operations used as a real-time force multiplier in conventional war — not espionage, not pre-positioning for a future conflict, but active cyber effects timed to the second alongside kinetic strikes.
The implications extend well beyond the Middle East. Every nation-state military is studying this operation right now. The integration of Cyber Command as a first mover is a template. The prayer app hack is a technique. The IRNA seizure is a playbook.
The cybersecurity landscape in 2026 isn't theoretical anymore. It's operational.
Written by
Abhishek Gautam
Full Stack Developer & Software Engineer based in Delhi, India. Building web applications and SaaS products with React, Next.js, Node.js, and TypeScript. 8+ projects deployed across 7+ countries.