![](\"https:\/\/fortune.com\/img-assets\/wp-content\/uploads\/2026\/03\/GettyImages-2262208174-e1772398589118.jpg?w=2048\")
<\/p>\n<\/p>\n
As strikes hit Tehran on Saturday morning, millions of Iranians got a strange push notification on their phones. The BadeSaba Calendar prayer app, which has more than 5 million downloads, had been compromised, and the app issued alerts saying, \u201cHelp has arrived!\u201d and called for a \u201cPeople\u2019s Army\u201d to defend their \u201cIranian brothers,\u201d according to an assessment from cyber intel firm Flashpoint. On Sunday, the app sent with surrender instructions for rank-and-file members of the Islamic Revolutionary Guard and safe locations for protesters to gather.\u00a0<\/p>\n
Then regime loyalists quickly struck back. <\/p>\n
According to Flashpoint, what followed on Sunday was the \u201cmost aggressive\u201d use so far of what\u2019s known as Iran\u2019s \u201cGreat Epic\u201d cyber campaign, which is a loosely coordinated group of cyber operatives under a channel called the \u201cCyber Islamic Resistance.\u201d Under the group\u2019s umbrella, various cyber attackers have shut down gas stations in Jordan, and led attacks against U.S. and Israeli military providers to destroy data as well as conduct psychological operations mimicking the BadeSaba hack. <\/p>\n
The next 48 hours are likely to be a period of \u201cextreme volatility\u201d where hacktivists and proxies \u201ctake the lead in escalation to fill the vacuum left by Tehran\u2019s central command,\u201d Flashpoint noted in an update. These actors are allegedly using Telegram and Reddit as a coordination hub, posting screenshots of alleged attacks as proof, although it takes weeks and sometimes months to verify accuracy, said Kathryn Raines, a former NSA expert who is now a threat intel team lead at Flashpoint.\u00a0<\/p>\n
The BadeSaba hack demonstrates the template that Iranian proxy groups could now try to deploy in reverse against Western companies and others. Plus, with Iranian leadership effectively decimated by Saturday\u2019s strikes, the command structure that oversaw Tehran\u2019s cyber operations is essentially gone, said Raines.<\/p>\n
\u201cThe Iranian leadership vacuum is likely going to lead to more unpredictable, decentralized proxy attacks,\u201d she told Fortune<\/em>. <\/p>\n In practice, that means aligned hacktivists and proxy groups are making their own targeting decisions, without approval from central authorities. So if a highly aggressive group decides to hit a mid-sized logistics firm because to make a statement, the risk cascades beyond Tehran, Washington, D.C., or New York, said Raines.\u00a0<\/p>\n \u201cIt\u2019s in the hands of a 19-year-old hacker in a Telegram room with really no oversight or direction,\u201d she warned.\u00a0<\/p>\n Accordingly, U.S. business leaders need to be prepared for continued uncertainty, said Brian Carbaugh, co-founder and CEO of AI-based security firm Andesite and former director of the CIA\u2019s elite Special Activities Center (SAC). Iranians have consistently shown over the years that they are incredibly resilient as a government and resistance force. And given that the regime is bombarding its neighbors, people should expect Iran to continue unleashing their formidable offensive cyber capabilities in addition to other aspects of national power like their missiles and armed proxies around the world, he said.\u00a0\u00a0<\/p>\n \u201cAggressive and creative resistance is baked into the ethos of the Iranian security apparatus and across the Islamic Republic of Iran,\u201d said Carbaugh, who previously served as chief of staff to two CIA directors. \u201cFor business leaders and those protecting businesses and making decisions at a very high level, they need to be prepared for this to continue on for some time and for the conflict to take a number of different courses of direction and swerve around the road.\u201d<\/p>\n As U.S. and Israeli attacks degrade Iran\u2019s conventional military capabilities, cyber attacks appear more attractive, said Carbaugh. It\u2019s low-cost to deploy, difficult to attribute, and extremely capable of creating outsized psychological and operational disruption relative to the investment required. Iran has shown that it is capable of emulating and building on cyber attack methods first shown by Russia, for example.<\/p>\n \u201cThe Islamic Republic has always had great pride in cyber capabilities within the security services,\u201d said Carbaugh. That pride isn\u2019t likely to evaporate with the loss of senior leadership, and may intensify as other options narrow.\u00a0<\/p>\n According to Raines, most corporate security plans aren\u2019t ready for attacks like the BadeSaba hack, which pushed a notification to potentially millions of Muslims in Iran who use the app to track daily religious schedules at the moment the strikes were starting.\u00a0<\/p>\n \u201cCompanies aren\u2019t really prepared for what I\u2019ll call nihilistic psychological operations that are really meant to target the mental state and trust of their workforce,\u201d she explained, contrasting them with attacks designed to steal data and disable systems.<\/p>\n It could manifest in businesses like this: Staff in the Gulf region start getting what appear to be urgent messages, perhaps deepfake audio attributed to their regional leader or CEO, or communications purportedly from the company on evacuations. But with local news offline and scant internet service, people will have very little ability to fact check anything. <\/p>\n Few companies have plans in place for what employees\u2019 reality will be in the hours that follow, while risk modeling is often based on state behavior and assumed \u201cred lines\u201d that prevent total war, Raines noted.\u00a0<\/p>\n For boards and C-suites convening this upcoming week, key questions for security leaders will have to do with the maximum amount of time business functions can be offline before it hits revenue and reputation, she predicted.\u00a0<\/p>\n \u201cWe\u2019re less interested in the block rate, and more interested in recovery time,\u201d said Raines.<\/p>\n Carbaugh said if he were on a board call this week, he would want to know if the business was at an elevated level of risk based on what\u2019s happening in Iran. If the answer is yes, he would want to know what\u2019s being done to mitigate. If the answer is no, he would ask even more questions. <\/p>\n Leaders should find out what steps have been taken to ensure businesses aren\u2019t at risk, figure out how companies have engaged with partners and others to find out how they\u2019re detecting attacks, and how AI is currently being used in doing so, Carbaugh said.\u00a0<\/p>\n He reiterated that this isn\u2019t a crisis with a near-term resolution, and it translates into cyber risk that won\u2019t immediately dissipate.\u00a0<\/p>\n \u201cThis conflict could take many twists and turns and move in a lot of different directions,\u201d said Carbaugh. \u201cI don\u2019t think this is going to be one we\u2019re going to tidily wrap up and move on from in a few days. This will require constant vigilance and protection of our cyber networks, physical security, and all other assets.\u201d<\/p>\n<\/div>\n #Cyber #retaliation #Iran #problem #U.S #companies<\/p>\n","protected":false},"excerpt":{"rendered":" As strikes hit Tehran on Satur… <\/p>\n","protected":false},"author":1,"featured_media":26117,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[648,768,6466,9182,1131,7681,441,764],"_links":{"self":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts\/26116"}],"collection":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=26116"}],"version-history":[{"count":0,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts\/26116\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/media\/26117"}],"wp:attachment":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=26116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=26116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=26116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}