Before the first Tomahawk left its tube on February 28, the war against Iran had already started. The first movers in Operation Epic Fury weren't pilots. They were cyber operators.
Joint Chiefs Chairman General Dan Caine said it plainly: "Coordinated space and cyber operations effectively disrupted communications and sensor networks across the area of responsibility, leaving the adversary without the ability to see, coordinate or respond effectively."
Cyber Command and Space Command were described as "the first movers" — non-kinetic effects that blinded Iran before the kinetic effects destroyed it.
What "Blinding" Looks Like
On the night of February 28, Iran's internet connectivity dropped to between 1% and 4% of normal, according to NetBlocks. It stayed there for over 72 hours.
Israel launched what the Jerusalem Post described as the "largest cyberattack in history," concurrent with kinetic strikes. The operation severed IRGC security communications during the strike window, preventing drone and missile counterattack coordination. Iranian state media — IRNA, Tasnim — were hacked to broadcast anti-regime messages. The BadeSaba Calendar app, installed on over 5 million Iranian phones, was compromised to display messages urging armed forces to surrender.
Even Iranian satellite broadcasts were hijacked, airing regime-overthrow content to millions of households. That campaign had started quietly in January, weeks before the first missile.
This is what modern warfare looks like. The kinetic strike gets the headline. The cyber operation creates the conditions that make the headline possible.
Iran's Cyber Response
With conventional military options crippled, Iran pivoted to the one domain where it still has capacity: cyber.
On the same day as the kinetic strikes, Iran stood up an "Electronic Operations Room" — an umbrella coordination structure marshaling dozens of state-aligned hacktivist groups for synchronized cyber operations. Palo Alto's Unit 42 estimates over 60 individual groups are now active, including Iranian-aligned actors and pro-Russian groups operating in solidarity.
The groups are diverse and dangerous. DieNet is running large-scale DDoS campaigns against government portals, telecom providers, airports, and financial institutions across Bahrain, Qatar, UAE, Kuwait, Saudi Arabia, and the United States. The FAD Team (Fatimiyoun Cyber Team) claims SCADA/PLC access in Israel and is deploying wiper malware designed for permanent data destruction. The 313 Team is targeting Kuwait's armed forces and ministry of defense.
CyberAv3ngers — the IRGC's Cyber-Electronic Command unit — have a track record. In 2023, they compromised at least 75 Unitronics PLC devices, including 34 in the US wastewater sector. They got in using default passwords. In 2024, they deployed custom malware for remote control of water and fuel management systems in the US and Israel.
The cyber retaliation isn't theoretical. These groups have already demonstrated access to American water systems, industrial controls, and critical infrastructure. The question is whether they escalate from reconnaissance to destruction.
The Home Front Problem
Here's where the story turns from impressive to alarming.
CISA — the Cybersecurity and Infrastructure Security Agency, our primary civilian cyber defense agency — is operating at approximately 38% capacity. It has 888 staff out of an authorized 2,341. Over the past year, CISA has lost roughly one-third of its workforce.
The proposed FY2026 budget cuts CISA by another $500 million. The election security program — 14 positions, $39.6 million — is eliminated. The National Risk Management Center loses $70 million and 35 positions. The Joint Cyber Defense Collaborative loses $14 million. The incentive pay program covering nearly half of CISA employees has been terminated.
Meanwhile, the FBI's cyber budget was cut by $560 million with approximately 1,900 staff reductions.
The Pentagon's own cyber budget increased 4.1% to between $14.3 billion and $15.1 billion. The DoD can project cyber power — Epic Fury proved that. But the civilian agencies tasked with defending American infrastructure at home are being hollowed out at exactly the moment the threat is escalating.
The Typhoon in the Room
Iran isn't even the most sophisticated cyber threat we face. That distinction belongs to China.
Salt Typhoon — a Chinese MSS-affiliated operation — infiltrated at least 9 US telecom providers, including AT&T, Verizon, and T-Mobile. They breached the lawful intercept systems required under CALEA, accessing communications of senior US government officials. The FBI described it in February 2026 as "still very much ongoing." It's been called the largest telecommunications hack in US history.
Volt Typhoon — PLA-affiliated — has maintained persistent access to US critical infrastructure for over five years. Water systems, energy grids, transportation networks. An Air Force cyber leader warned it could enable China to wage "total war" against the United States.
And on the criminal side, North Korea's Lazarus Group stole $1.5 billion from Bybit in a single heist in February 2026 — the largest crypto exchange theft in history. Cumulative DPRK crypto theft now exceeds $6.75 billion.
These are not hypothetical threats. They are active, ongoing operations against American systems, happening right now, while we cut the agencies responsible for defending against them.
Offense vs. Defense
Operation Epic Fury was a masterclass in offensive cyber operations. Cyber Command blinded Iran's defenses. Israel destroyed its communications. Combined electronic warfare jammed navigation and coordination systems. The cyber operators created the conditions for kinetic success.
But offense and defense are not the same mission, and they don't draw from the same budget. The Pentagon's $15 billion cyber budget funds the sword. CISA's shrinking budget is supposed to fund the shield.
Right now, we're building a force that can blind any adversary's communications — while leaving our own water systems, power grids, and telecom networks defended by an agency at 38% capacity.
The UK's National Cyber Security Centre has already warned British organizations to "harden defenses amid Iran conflict risk." Google Threat Intelligence expects Iran to target US, Israel, and GCC nations with disruptive attacks on "targets of opportunity and critical infrastructure." CrowdStrike is observing reconnaissance and DDoS as potential precursors to "more aggressive operations."
The first movers in Operation Epic Fury proved that cyber is no longer a supporting function. It's the opening act of modern warfare. The question is whether we're ready for the second act — when the same capability is turned against us.
We proved we can blind an adversary. But offense without defense is a glass cannon — and right now, 60+ groups are trying to return the favor while a third of our cyber defense agency is gone.
Quick Answers
Why does this article say the first movers were not pilots?
Because the opening phase of Operation Epic Fury was shaped by cyber and electronic warfare actions that degraded communications and defenses before kinetic strikes began.
What is the strategic warning behind this piece?
The warning is that offensive cyber capability is growing faster than domestic cyber defense capacity, creating a dangerous gap if retaliation shifts toward American infrastructure and telecom systems.
Sources: Joint Chiefs Chairman Gen. Dan Caine (SpaceNews, Mar 2026), NetBlocks Internet Monitoring, Palo Alto Unit 42 Threat Brief (Mar 2026), Jerusalem Post, The Record, CISA.gov, TechCrunch (CISA Staffing), CyberScoop (Salt Typhoon), DefenseScoop, SecurityWeek, CloudSEK Situation Report, Check Point Research, Sophos Cyber Advisory, CrowdStrike, Nozomi Networks, UK NCSC Advisory