1,200 to 4,800 Attacks Per Month — The Iran-Israel War That the Peace Deal Didn't End
By The Squirrels·
No Ceasefire in Cyberspace
The ships are moving through Hormuz. The bombs have stopped. The MOU has been signed. The war, by every kinetic measure, is over.
But Israel's national cyber chief, Yossi Karadi, told a German publication this week that Iranian cyberattacks on Israel have surged from approximately 1,200 incidents per month before the war to 4,800 per month in 2026 — a 300% increase.
"Some groups are very skilled," Karadi said. "We can handle them, but we have to take them seriously."
Then the sentence that frames the entire story: "Unlike in the kinetic realm, there's no ceasefire in cyberspace."
The peace deal that The Squirrels documented two weeks ago — the 14-point MOU, the Strait reopening, the $25 billion in assets — does not contain a single clause addressing cyber operations. The war that everyone can see has ended. The war that nobody can see has not.
The Numbers: What Happened in Cyberspace Since February 28
When the US and Israel launched Operation Epic Fury on February 28, 2026, the cyber dimension exploded simultaneously with the kinetic one.
The opening salvo was digital as well as physical. US Chairman of the Joint Chiefs of Staff General Dan Caine stated that "coordinated space and cyber operations effectively disrupted communications and sensor networks" in Iran prior to the main airstrikes. Israeli operators compromised Iran's popular Saba Wind prayer app, pushing messages reading "Help has arrived" to millions of Iranian devices. State broadcaster IRNA was taken offline. IRGC-linked Tasnim agency was hacked and forced to display anti-Khamenei messages.
Iran's internet connectivity dropped to 1–4% of normal levels for over 60 hours, then remained at near-blackout levels for 47 days — the longest state-level internet shutdown in modern history. Some Israeli sources described the combined operation as "the largest cyberattack in history."
Iran's retaliation was asymmetric — and ongoing:
60+ hacktivist groups claimed cyber operations within four days of the strikes
Handala Hack — linked to Iran's Ministry of Intelligence (MOIS) — compromised Israeli energy firms, Jordanian fuel systems, and healthcare targets
8.3 million Israeli voter records were leaked on March 18
Israeli power grid maps were published online on March 23
The Stryker Corporation (US medical device manufacturer) suffered a destructive wiper attack on March 11 — a qualitative escalation, executed without malware by abusing legitimate mobile device management infrastructure
Cyber Av3ngers (tracked as CL-STA-1128) shifted from targeting Unitronics programmable logic controllers to Rockwell Automation industrial control systems — expanding the attack surface to operational technology used globally
What the Attacks Target
Karadi specified the categories under active targeting:
Critical infrastructure: Energy grids, water systems, transport networks. Karadi said that "so far — and hopefully it stays that way — we've managed to fend off attacks on critical infrastructure."
Central organisations: Government ministries, defence-adjacent entities, intelligence agencies.
Small and medium businesses: Law practices, accounting firms, smaller companies with weaker cyber defences. These are the organisations that "often ended up having their computer systems wiped," according to Karadi.
The public: Phishing campaigns, fake applications (including a malicious replica of the RedAlert emergency warning app), data exfiltration from civilian databases.
The strategy is clear: if you cannot penetrate hardened critical infrastructure, wipe softer targets. The psychological and economic impact of destroying hundreds of small-firm computer systems is significant — even if it doesn't make international headlines.
Why the Peace Deal Doesn't Cover This
The US-Iran MOU signed on June 14 addresses:
Cessation of military hostilities ✅
Strait of Hormuz reopening ✅
US naval blockade removal ✅
Sanctions suspension ✅
60-day nuclear talks ✅
Cyber operations ❌
The absence is not accidental. No international peace agreement in history has successfully included binding cyber ceasefire provisions. The Tallinn Manual — the most authoritative academic treatment of international law in cyberspace — acknowledges that existing laws of armed conflict apply to cyber operations in theory, but enforcement is functionally impossible.
Cyber operations exist in a grey zone: they are deniable (conducted through proxies), attributable only after forensic analysis (which can take months), and escalatory without being conventionally "military." A DDoS attack on a hospital network is an act of aggression, but no peace deal has ever defined the conditions under which it constitutes a violation of a ceasefire.
This means that the peace deal creates a split reality: the physical war has ended, but the digital war continues at 4x the pre-war rate — and there is no legal or diplomatic mechanism to stop it.
What This Means Beyond Israel
The Iran-Israel cyber conflict is not contained to two countries. The attack surface is global.
Operational technology at risk: The shift by Cyber Av3ngers from Unitronics PLCs to Rockwell Automation industrial control systems means that any facility worldwide using these systems is a potential target. Rockwell Automation products are used in water treatment, manufacturing, energy, and pharmaceutical production across dozens of countries — including India.
Gulf states under fire: Hacktivist groups have claimed compromises of Jordanian grain silo control systems (including temperature and weighing system manipulation), Bahraini organisations, and entities across the GCC.
US homeland targets: Iranian-affiliated groups confirmed compromise of Unitronics PLCs in US wastewater facilities before the war began. The Stryker Corporation wiper attack demonstrated willingness to target US corporate infrastructure destructively.
Supply chain exposure: Indian companies operating in the Gulf, Israeli-origin defence technology deployed in India, and globally distributed OT/ICS infrastructure create indirect exposure pathways for Indian critical infrastructure — even without direct targeting.
Frequently Asked Questions
How much have Iran cyberattacks on Israel increased?
From approximately 1,200 incidents per month before the war to 4,800 per month in 2026 — a 300% increase, according to Israeli national cyber chief Yossi Karadi.
Does the US-Iran peace deal address cyber operations?
No. The MOU contains no provisions related to cyber operations. As Karadi stated, "there's no ceasefire in cyberspace."
Who are the main Iranian cyber threat actors?
Key groups include Handala Hack (linked to Iran's MOIS), Cyber Av3ngers (targeting industrial control systems), and over 60 hacktivist collectives active since the war began.
Is India at risk?
Indirectly, yes. Iranian cyber groups have shifted to targeting Rockwell Automation industrial control systems, which are used globally — including in Indian manufacturing, energy, and water treatment facilities.
The Bottom Line
The kinetic war produced a peace deal. The cyber war produced a 300% increase in attacks — and zero provisions to stop them.
1,200 attacks per month was the baseline. 4,800 is the new normal. And as Karadi's statement makes explicit, this is not a temporary escalation that the peace deal will resolve. It is a permanent shift in the threat landscape — one that operates outside the framework of any ceasefire, any MOU, and any diplomatic mechanism currently in existence.
The Iran-Israel conflict did not end on June 14. It migrated to a domain where peace deals have never worked — and may never work.