When Algorithms Strike First: Cyber Weapons, AI, and the Digital Kill Chain in the 2026 Trump-Israel War on Iran

As of March 15, 2026 | OSRS Intelligence Brief

I. CURRENT STATE OF THE KINETIC WAR

The conflict, now in its 15th day, was triggered on February 28, 2026, when the U.S. and Israel launched Operation Epic Fury, a surprise joint strike campaign against Iran's military command, nuclear infrastructure, and senior leadership. Israel and the United States launched surprise airstrikes on multiple sites and cities across Iran, killing Supreme Leader Ali Khamenei and numerous other Iranian officials.

The U.S. and Israel have launched thousands of bombs against Iran, killing at least 1,300 people. Tehran has continued to fire drones and missiles against Israel, while also targeting U.S. assets across the Middle East and energy and civilian sites in the Gulf region.

As of today, the U.S. and Israel continue attacks on Iran, with missiles striking multiple sites across the central Isfahan province. Iran has launched multiple barrages of missiles at Israel and claimed attacks on U.S. bases in Iraq and Kuwait.

Trump confirmed that the U.S. has begun hitting Iran's drone facilities and the facilities where Iranian missiles are made and delivered, while signaling that critical electricity production sites have been held in reserve as leverage.

A critical geoeconomic pressure point: Iran has managed to keep the Strait of Hormuz largely shut to commercial shipping, disrupting the flow of oil out of the region, sending oil prices soaring, and spreading economic uncertainty across the world.

II. THE CYBER DIMENSION: A PARALLEL WAR

Perhaps the most strategically significant revelation of this conflict is the openly acknowledged, integrated role of cyber operations, marking a watershed moment in the history of hybrid warfare.

A. The Opening Strike Was Cyber, Not Kinetic

The U.S. military's very first move in the Iran war was in cyberspace. Gen. Dan Caine, Chairman of the Joint Chiefs of Staff, confirmed that "coordinated space and cyber operations effectively disrupted communications and sensor networks across the area of responsibility, leaving the adversary without the ability to see, coordinate, or respond effectively."

From the first strike, cyber operations ran in parallel, designed to blind and isolate Iranian command before bombs landed. Israeli sources claimed it was "the largest cyberattack in history." Western intelligence confirmed that the damage to the IRGC's communications infrastructure was deliberate. The goal was to prevent counterattack coordination and disrupt drone and ballistic missile launch capabilities.

In parallel with the opening kinetic strikes, Iran's internet connectivity dropped to 4% of normal, the IRNA news agency was taken offline, and the IRGC-linked Tasnim agency was hacked and forced to display anti-Khamenei messages.

B. AI-Enabled Intelligence Fusion Killed Khamenei

The Israeli military had access to "nearly all" of the traffic cameras in Tehran, which the Financial Times reported were used in partnership with the CIA to target the airstrike that killed Supreme Leader Ali Khamenei.

Real-time intelligence from compromised traffic cameras and "deeply penetrated" mobile phone networks was used to confirm that Khamenei's meeting with senior officials was going ahead as planned. One particular camera pinpointed where bodyguards and drivers of senior Iranian officials preferred to park at his compound. A separate cyber operation disrupted the mobile phone system near the compound, preventing his protection detail from receiving warnings about the impending attack.

Israel synthesized that traffic footage and billions of data points to create a target bank. Cybersecurity reporter Omer Benjakob of Haaretz described it as "very cutting-edge data processing or big data fusion techniques that, from a layman or citizen perspective, you would call AI."

C. Psychological Cyber Operations

Israel hacked a popular Muslim prayer app in Iran to send messages to Iranian soldiers urging them to defect at the start of the war. The prayer app BadeSaba pushed notifications to users stating "help has arrived," while a message targeted at army personnel read: "For the freedom of our Iranian brothers and sisters, this is a call to all oppressive forces, lay down your weapons or join the forces of liberation."

Iranian state television satellite broadcasts were hacked, and regime-change content was aired to millions of Iranian households, assessed as a cyber precursor to psychological and electronic warfare.

Separately, researchers at the University of Toronto's Citizen Lab documented a coordinated Israeli-backed network called "PRISONBREAK" that leveraged dozens of social media accounts to push anti-government propaganda to Iranians. The campaign routinely used AI-generated imagery and video, mimicked real news outlets, and deployed deepfakes during periods of actual kinetic attacks, with the explicit goal of stoking unrest and encouraging the overthrow of the Iranian government.

D. Iran's Retaliatory Cyber Campaign

Iran's cyber retaliation has been asymmetric but steadily escalating. Iran "lacks symmetric conventional response options against the United States and Israel," which is why the regime "has historically relied on cyber operations." Dozens of pro-Iran hacktivist groups have launched several cyberattacks since February 28, mostly targeting critical infrastructure, claiming responsibility for attacks against Israeli payment systems, the shutdown of Kuwaiti government websites, and incidents affecting airport online services.

The most significant retaliatory strike came on March 11: A major cyberattack crippled the global networks of Stryker, one of the world's largest medical device companies, with the Iran-linked hacking group Handala claiming responsibility and warning it marks "the beginning of a new chapter in cyber warfare." Stryker confirmed it was "experiencing a global network disruption to its Microsoft environment as a result of a cyberattack." Stryker reported revenues of over $25 billion in 2025 and serves more than 150 million patients across 61 countries, making it a high-impact target of civilian-critical infrastructure.

Additional electronic warfare activity has emerged, with GPS and automatic identification systems disrupting more than 1,100 ships across the Gulf region, spanning Iranian, UAE, Qatari, and Omani waters, consistent with the broader pattern of cyber and electronic operations accompanying the conflict.

E. Third-Party Actors Entering the Cyber Battlefield

Pro-Russian political hackers, NoName057(16), teamed up with Iranian hacktivists on March 2 to target Israeli defense and municipal organizations, including defense contractor Elbit Systems. The same Russian hacktivists also claimed they broke into an Israeli water management system and other industrial control systems, though researchers could not independently verify the claim.

CrowdStrike has identified Hydro Kitten as making specific threats targeting the financial services sector, the first state-aligned actor explicitly targeting Western financial infrastructure in this conflict.

F. The "Four-Hour Cyber Window" Doctrine

One of the most analytically important findings to emerge from this conflict is what Lawfare has termed the "four-hour cyber window." About four hours into the attacks, the Iranian regime imposed a country-wide internet blackout, suggesting there may be a wartime dynamic that places a cap on the usefulness of offensive cyber operations. While cyber-enabled intelligence gathering was instrumental in the opening attack, Israeli sources confirmed that these feeds become less useful once a war kicks off, as falling bombs disrupt patterns of life and targets move to underground bunkers with preplanned countermeasures.

III. THE DISINFORMATION WAR: COGNITION AS A BATTLEFIELD

Alongside the kinetic and cyber campaigns, a third front has emerged that may prove to be the most consequential for long-term public trust, policy coherence, and strategic stability. This conflict has become the most AI-saturated information war in recorded history.

A. The Netanyahu Death Hoax: A Case Study in State-Directed Disinformation

The single most viral disinformation operation of the conflict centers on a sustained Iranian campaign to convince global audiences that Israeli Prime Minister Benjamin Netanyahu is dead or critically wounded.

Starting on March 8, Iranian state media and pro-Iran social media accounts claimed that Iran had killed an ever-growing list of Israeli government officials and their family members, including Prime Minister Benjamin Netanyahu and David Barnea, director of Israeli intelligence agency Mossad. None of these claims were true. Iran-affiliated outlet Tasnim News Agency baselessly claimed that Netanyahu was "eliminated." The claims appeared intended to tout Iran's military achievements and to project an image of political instability within Israel.

Tasnim's reporting assembled a series of circumstantial points, including the absence of recent video clips of Netanyahu, reports in Hebrew-language media about tightened security around his home, the postponement of a visit by Jared Kushner and U.S. special envoy Steve Witkoff, and a French readout of a call between President Macron and Netanyahu that did not specify the date of the conversation. The piece fits a familiar pattern in Iranian and pro-Iranian information warfare, with real fragments of public information stitched together into a dramatic narrative, then circulated as if they point to a hidden event.

The campaign rapidly mutated and metastasized across platforms. A pro-Iran X account posted: "Breaking News: Israeli media reports the killing of Benjamin Netanyahu in the aftermath of the Iranian attacks." The post received 2.2 million views and 11,000 likes in two days. In fact, there were no such reports in Israeli media.

When Netanyahu held a virtual press conference on March 12 to put the rumors to rest, the disinformation operation entered a second, more sophisticated phase. Many claimed the video of the press conference was AI-generated. Either Netanyahu was dead or recovering from injuries inflicted by

Iran's ballistic missiles, they claimed. Some argued the background of the video was clearly digitized, while others claimed the Prime Minister had six fingers in the video. Since Netanyahu is known to have no extra fingers, the sixth finger was cited as evidence that the press conference video was AI-generated. However, none of the users who claimed to have seen six fingers could post the video itself; they only had images. Throughout the original footage, the Israeli PM moved his hands as he spoke and had five fingers on each.

Snopes debunked the claims as false after Netanyahu spoke at a news conference that was broadcast live on X and by multiple media outlets. The rumors appeared to originate from Tasnim News Agency, an Iranian media outlet affiliated with the Islamic Revolutionary Guard Corps.

This episode illustrates a doctrine OSRS designates as "the liar's dividend": even a thoroughly debunked claim achieves its strategic objective if it consumes enough adversary attention, triggers institutional denials, and injects doubt into public perception during a critical decision-making window.

B. AI-Generated Deepfakes and Synthetic Satellite Imagery

The Netanyahu hoax is only one node in a far larger AI-driven disinformation ecosystem. Fake videos and images that experts have identified as AI-created racked up tens of millions of views on social media platforms in the nearly two weeks since the Iran war began. One fake video shows a fictional barrage of Iranian missiles supposedly striking Tel Aviv, Israel. A second fake video depicts panicked people fleeing a supposed Iranian attack on an airport in Tel Aviv.

The disinformation campaign has extended into satellite imagery, a domain previously considered more reliable. Iran's state-aligned Tehran Times posted on X a "before vs. after" image claiming to show "completely destroyed" U.S. radar equipment at a base in Qatar. In fact, it was an AI-manipulated version of a Google Earth image of a U.S. base in Bahrain. AFP detected a SynthID, an invisible watermark identifying images created using Google AI.

Political scientist Steven Feldstein warned of the emergence of the "shallowfake," a more subtle form of manipulation. "Rather than present something that would look completely false, they present shades of the truth, manipulate what's there," he said, meaning content creators provide details and nuance good enough to pass people's initial scrutiny while still fundamentally misrepresenting reality.

C. Platform Response and Its Limits

X announced it would suspend creators from its revenue-sharing program for 90 days if they post AI-generated war videos without disclosing they were artificially made, with subsequent violations resulting in permanent suspension. The new policy was described as "a reasonable countermeasure" by Alexios Mantzarlis, director of the Security, Trust, and Safety Initiative at Cornell Tech, though he noted the devil would be in implementation, as metadata on AI content can be removed and Community Notes are relatively rare.

Disinformation researchers remain skeptical. "The feeds I monitor are still flooded with AI-generated content about the war," Joe Bodnar of the Institute for Strategic Dialogue told AFP. "It doesn't seem like creators have been dissuaded from pushing misleading AI-generated images and videos about the conflict."

Researchers at the Atlantic Council's Digital Forensic Research Lab tabulated more than 300 responses by Grok, X's integrated AI bot, to a single fake AI-generated video of a bombed airport. The bot's responses contradicted each other, sometimes minute to minute, one stating "the video likely shows real damage" and another saying it was "likely not authentic." DFRLab director Emerson Brooking observed: "What we're seeing is AI mediating the experience of warfare."

IV. STRATEGIC ASSESSMENT

The 2026 Iran conflict has definitively established several doctrinal precedents with lasting implications for cybersecurity, national security, and hybrid conflict strategy.

Cyber as D-Day minus zero. For the first time publicly acknowledged, U.S. Cyber Command executed offensive cyber strikes as the opening move, not a supporting operation, of a major military campaign.

AI-ISR convergence. The Khamenei assassination demonstrates that AI-fused, multi-source intelligence drawing from traffic cameras, mobile networks, and pattern-of-life analysis is now operationally decisive at the strategic level.

The Iran Cyber Paradox. Iran imposed its own internet blackout as a defensive cyber measure, limiting its own outbound cyber capabilities to protect regime communications. This self-inflicted connectivity collapse has constrained state-sponsored groups while dispersed hacktivist proxies continue operating globally.

Healthcare and critical infrastructure as retaliation vectors. The Stryker attack signals that Iranian-aligned actors are deliberately targeting civilian critical infrastructure, including healthcare, energy, and financial systems, as escalation instruments outside the kinetic battlefield.

Cognition is now the battleground. The Netanyahu death hoax and the avalanche of AI-generated deepfakes confirm that modern hybrid warfare no longer targets only infrastructure or personnel. It targets perception, judgment, and public trust itself. Narratives can be massively distorted by AI-generated misinformation, synthetic media, and automated bot amplification. Deepfakes are now being used as weapons to mold perceptions, obscure facts, and produce epistemic ambiguity. The danger of the liar's dividend was demonstrated clearly during this conflict.

For intelligence practitioners, policymakers, and cybersecurity professionals, the ability to rapidly authenticate information and counter synthetic narratives has become as operationally critical as any kinetic or technical capability.

OGUN Security Research and Strategic Consulting LLC (OSRS) | www.ogunsecurity.com This brief is prepared for cybersecurity professionals, intelligence practitioners, policymakers, and academic researchers.