Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations

In the aftermath of Operation Epic Fury, the joint operation in which the United States and Israel launched a series of military operations against Iran on February 28, 2026, the Tenable Research Special Operations (RSO) team has been monitoring potential cyber counteroffensive operations conducted by Iran-linked threat actors. This post covers these operations and their potential impact on critical infrastructure providers and other opportunistic targets.

As a result of Operation Epic Fury, Iran-linked threat actors are expected to launch cyber counteroffensive operations against the United States, Israel, and other countries. These attacks are likely to be destructive and retaliatory in nature: over the past few years, Iranian-nexus threat groups have shifted from stealthy espionage activity to more aggressive forms of attack. Wiper malware and ransomware attacks have become increasingly prevalent, and these attackers have targeted critical infrastructure.

Iranian state-sponsored cyber operations are carried out by multiple groups, including advanced persistent threat (APT) actors and hacktivist fronts linked to both military and civilian agencies. These groups operate under or maintain ties to various organizations, including Mint Sandstorm (which spans APT35 and APT42). Recent reports have highlighted probing and staging activities linked to Iranian threat actors, including the revival of the ALTOUFAN TEAM persona tied to Cotton Sandstorm.

There have been reports on social media from Iran government-linked hackers warning of “massive cyber attacks in the coming hours.” While it is unclear if successful attacks have taken place, cybersecurity analysts should expect increased botnet and distributed denial-of-service (DDoS) activity. Tenable's RSO continues to monitor for new intelligence on counteroffensive attacks by Iran-linked threat actors and will publish updates as these developments are confirmed.

In the past, Iranian threat actors have exploited known vulnerabilities in internet-facing devices and applications. Tenable maintains a list of plugins associated with Iranian threat actors. Because these groups often rely on exploiting known vulnerabilities, organizations need to keep their systems and software up to date.

For those interested in staying informed about the latest cyber threats, joining Tenable's Research Special Operations (RSO) Team on Tenable Connect can provide valuable insights and contextualized exposure intelligence. Additionally, learning more about Tenable One, the Exposure Management Platform for the modern attack surface, can help organizations better manage risks to critical business assets.

In conclusion, the potential Iranian cyber counteroffensive operations following Operation Epic Fury highlight the ongoing threats posed by Iran-linked threat actors. It is essential for organizations to remain vigilant and take proactive measures to protect themselves against these types of attacks.