Networks & Digital Warfare

Here’s how cyber could have been used to target Iran in Operation Epic Fury

Cyber operations were almost certainly used against Iran in the early hours of Operation Epic Fury. Here's how it may have played out.

Flag of Iran on a computer binary codes falling from the top and fading away. (Getty images)

WASHINGTON — The opening of Operation Epic Fury, the joint US-Israel operation to topple Iran’s government, has been defined by surprise kinetic strikes and Iran’s retaliation against its neighbors. But underneath the visible attacks, there may have been invisible strikes brought about through cyber operations.

To be clear, there has been no official word from the US or Israel that cyber effects were brought to bear in the first 48 hours of the conflict, though there have been reports of cyber activities inside Iran having taken place. However, given the reality of modern-day warfare, as well as the long history of cyber war specifically around Iran, it seems implausible that cyber capabilities have not played a role so far.

Breaking Defense spoke to seven sources, ranging from former senior-level cyber officials to operators to military cyber lawyers, to understand how the early days of a cyber operation such as Epic Fury would likely unfold. All seven sources said they had no inside knowledge of the actual operations, but their insights are likely to match up to the kind of efforts US Cyber Command and US Central Command would be exploring. (CYBERCOM did not respond to a request for comment.)

One former Pentagon cyber official noted that following the operations in Venezuela to capture former president Nicolás Maduro, there is a greater appreciation for the role of cyber, with current officials seemingly more willing to talk about the use of cyber in planning and integration of kinetic operations.

But that doesn’t mean the use of cyber in such operations is new. Several former officials said cyber has been part of the planning and integration with operations going back 10-plus years, and one of CYBERCOM’s three stated missions is to conduct cyber operations for combatant commanders and the joint force.

“It’s taken some time for people not directly exposed to that in witnessing to that, to understand it,” a former senior cyber commander said. “Some of these recent operations have made people, whether they’re civilians that are in the legislative branch, or whether they’re civilians or senior people in the Department of Defense and the executive branch that weren’t exposed to it, to finally realize, yeah, we know what we’re doing, we know how to do this, and if we give the resources and the ability to get after the targets and not hold them back, our cyber warriors can make it happen.”

Ahead of any action, the sources said, the first move planners would have undertaken is a defensive posture to protect military communications systems and networks. Iran has reasonably capable cyber operators that have gotten significantly better over the last handful of years, the former senior cyber commander said.


Ahead of any strikes, cyber would also be used to provide some intelligence value, either conducting reconnaissance of targets to strike physically or providing insights into the thinking of certain members of the regime.

Those insights could include the location of high value individuals, what the current intentions of the regime are in terms of where they might move those people, how they might be defending them, or how they may be preparing to respond and shoot missiles at what targets, the former senior military cyber commander said.

All those insights can provide the ability to take action before the adversary can achieve what they’re trying or to posture people to be prepared to defend themselves.

There would also be work to see what the adversary’s networks look like, so if there’s an operation that requires an effect on those networks, they can be understood and deconflicted with other activities, another former cyber commander said.

When it came time for the kinetic strikes to start, cyber could prove complementary, targeting enemy defenses and communications to not only allow friendly forces to strike with less risk, but also make it harder for the enemy to execute their own operations. This could include targeting integrated air defense systems, early warning radar, command and control, and communications networks.

One former operator, however, noted that they thought it is unlikely cyber played a part in disrupting Iran’s early warning or air defense systems, noting that the US likely burned a lot of access the last time it undertook operations like that in 2019 in Iran and the generally degraded nature of the Iranian air defenses after last summer’s Operation Midnight Hammer.

Experts also pointed out that cyber could play a role in the information operations front. Those could include messaging the people of Iran prior to, or even during, this operation to determine how the populace could rise up while the Iranian regime is in disarray.

It could also manifest itself in messages to members of the Iranian regime and military apparatus, such as the Islamic Revolutionary Guard, telling them things along the lines of “’you can still save you and your family, here’s what you need to do. But if you continue to listen to what the regime is telling you, you don’t have much of a future,’” the former senior military cyber commander said.

In fact, in his address announcing the strikes President Donald Trump told members of the IRGC and others “you must lay down your weapons and have complete immunity. Or in the alternative, face certain death. So, lay down your arms. You will be treated fairly with total immunity, or you will face certain death.”

Given the multi-day nature of Epic Fury, it likely will require a greater use of messaging and information operations than one-off strikes such as those that took place in Iran last year and Venezuela in January, another former senior cyber commander said.

More than likely, cyber has played and will continue to play a supporting intelligence role, a former cyber operator said, collecting on adversary intent and plans while trying to determine battle damage assessment for the strike operations. It will also likely help determine if the initial wave of strikes killed any senior leaders, what senior leaders still alive are planning to do in response and where those targets are located for secondary strikes.