Cyber attacks in the US strikes on Iran's nuclear facilities
- Matthew Parish

Wednesday 11 February 2026
Operation Midnight Hammer, the American strike package against Iranian nuclear sites on 21–22 June 2025, was presented to the public in the familiar language of airpower—stealth bombers, bunker-busting munitions, cruise missiles and the theatre choreography of decoys and suppression. Yet the most consequential detail may be the one that was least described: that the strike package was explicitly “supported” by US Cyber Command and that, according to subsequent reporting citing US officials, cyber capabilities were used to digitally disrupt elements of Iranian air and missile defence systems during the operation.
If that account is broadly accurate, it marks a pivot worth dwelling upon—not because cyber operations have suddenly arrived on the battlefield, but because their function appears to have matured from sabotage-in-the-shadows into an enabling arm of combined operations: cyber as the quiet hand that helps an aircraft survive long enough to do its loud work.
What the open sources let us say, and what they do not
The public Pentagon narrative was, in essence, that Iran’s fighters did not fly and her surface-to-air missile systems did not engage—the strike retained surprise. The operation’s structure is now well-documented: B-2 bombers delivering GBU-57 Massive Ordnance Penetrators against Fordow and Natanz and submarine-launched Tomahawks against surface infrastructure at Isfahan, with supporting aircraft and decoys.
What is not in the official public record is the mechanism by which Iranian air defences failed to respond. That absence matters—because there are several plausible, overlapping explanations, ranging from operational surprise and electronic warfare (jamming and deception) through to pre-emptive kinetic suppression, and finally to cyber effects against the networks that connect sensors to shooters. In practice, modern strike packages often use more than one of these at the same time.
The most specific open-source claim comes from reporting that US operators “digitally disrupted” Iranian air and missile defence systems by attacking an “aim point” on a network—described as a mapped node such as a router, server, or peripheral device—rather than attempting to penetrate deeply into hardened systems physically located at the nuclear sites themselves. The same reporting describes NSA-enabled intelligence support and an “upstream” approach that found an “Achilles heel”, while withholding technical particulars.
This is important: it implies the cyber action was not a Stuxnet-style industrial sabotage aimed at centrifuges, but a time-sensitive operational effect aimed at blinding, confusing, or slowing defensive decision-making long enough for a narrow window of penetration and weapons release.
The likely nature of the cyber effect: less ‘Stuxnet’, more ‘escort’
Stuxnet, the emblematic cyber operation against Iran’s nuclear programme in the late 2000s, sought physical damage through malicious manipulation of industrial control systems at Natanz—software reaching down into the logic that governs machines. Its strategic genius lay in being covert, deniable, and slow-burning—its operational weakness was that it required deep access and careful tailoring.
The 2025 operation, by contrast, appears—on the limited open reporting—to have used cyber offence in a way closer to what some practitioners describe as a ‘cyber escort’: a supporting action that reduces risk to the force by disrupting the adversary’s ability to detect and engage. Defence reporting at the time of the strike noted that officials publicly acknowledged Cyber Command’s participation while refusing to provide details, and it canvassed possibilities that align with escort logic—ensuring the strike package’s enabling systems and routes were protected and that adversary defensive networks were degraded at the right moment.
If we keep the analysis at a responsible level of generality, there are three broad categories of effect consistent with the “aim point” description in open reporting:
- Disruption of command-and-control connectivity—interrupting how radar tracks, identification data, and engagement orders move between sensors, decision nodes and launchers.
- Degradation of ‘air picture’ integrity—introducing confusion, delay or mistrust in what operators see, which is often operationally equivalent to blindness during a fast-moving penetration.
- Defensive inhibition—preventing, delaying or complicating the authorised firing sequence, which in modern systems can depend on network services, time synchronisation, remote authentication, or shared track data.
None of this requires the attacker to ‘take over’ the entire air defence system. It requires finding something mundane that must work for the whole arrangement to work—an interconnection, a dependency, a bottleneck. That is precisely the logic of the “Achilles heel” framing in the reporting.
Why the upstream approach matters strategically
The phrase “upstream” is doing a great deal of work. In cyber operations, it often implies that rather than assaulting the most protected target directly, the attacker compromises something adjacent—an enabling network, a supplier, a gateway, a maintenance path, a management layer, a less-guarded node that the high-value system cannot easily function without.
In conventional targeting language, this is not new. Air campaigns have long sought to collapse systems by striking their connective tissue—communications relays, fuel depots, command posts, bridges. Cyber, however, extends the concept into the invisible architecture of modern militaries: the software-defined ‘plumbing’ that ties together radars, launchers, aircraft, databases and operators.
The implication is sobering: the most defended facility may be operationally vulnerable not because its walls are weak, but because its dependencies are wide.
What this suggests about the future of cyber warfare in global conflict
The 2025 strike, seen through this cyber lens, points to five larger conclusions about where warfare is heading.
First, cyber is becoming less a separate theatre and more an embedded function of combined arms. When senior commanders list Cyber Command alongside Transportation Command and Space Command as part of the support structure, they are describing an integrated machine—cyber as routinely present as refuelling or satellite communications.
Secondly, cyber effects will increasingly be designed to be temporary, precise and operationally timed. Sabotage that takes months to unfold has strategic value, but operational commanders prize certainty in minutes. The future may belong to cyber capabilities that can be dialled up for a narrow window—then withdrawn or allowed to decay—because that reduces political blowback and limits unintended spillover.
Thirdly, air defence and long-range strike will drive cyber competition. Any state that relies upon integrated air defence will face the same dilemma: it must network its sensors and shooters to be effective—yet networking expands the attack surface. Conversely, any state planning deep strike will see cyber (and electronic warfare) as a way to buy survivability without escalating to wider destruction.
Fourthly, attribution and escalation will become more ambiguous even as cyber becomes more ‘normal’. A bomb crater is evidence. A radar screen that went strange at the wrong moment is suspicion. In crisis, that ambiguity can be stabilising—providing off-ramps and deniability—but it can also be destabilising, because leaders may assume the worst and retaliate across domains. The laws of armed conflict struggle with this territory precisely because cyber actions can range from nuisance to lethal enablement without obvious thresholds.
Fifthly, the gap between great powers and others may narrow in at least one respect. Only a handful of states can fly a stealth bomber from another continent and deliver specialised munitions. Far more can fund, train and deploy capable cyber units—and far more can purchase access in criminal markets. That does not mean cyber replaces conventional power. It means cyber offers weaker actors leverage—particularly against civilian infrastructure, logistics, and the political cohesion behind war efforts.
A final inference: the most dangerous cyber target is often the one nobody thinks of as ‘cyber’
When people speak of cyber warfare, they often imagine it as a contest over data—spies stealing secrets or criminals encrypting files. But the more strategically significant form of cyber conflict is about function: the ability to make complex systems fail at the moment they are needed most.
An integrated air defence system is, at heart, a machine for turning information into action. If the open reporting about 2025 is broadly right, the United States did not need to destroy that machine to defeat it—she only needed to interrupt its ability to cohere, briefly, at the decisive time.
That is what cyber’s future in warfare is likely to look like—not glamorous, not cinematic, and often not publicly describable. Quiet hands on invisible joints—so that, elsewhere, steel can pass through the sky unchallenged.
And for every military planner on earth, that raises the same question: in the next war, what will fail first—the armour on the target, or the assumptions inside the system?

