On February 28, 2026, the United States and Israel launched major military strikes against Iran, killing Iran’s Supreme Leader. Iran has responded with retaliatory missile and drone strikes across the Middle East. While the situation is still unfolding, Iran has the capability to respond through cyberattacks against critical infrastructure, including election offices and systems. According to Reuters, a wave of cyber-enabled operations took place alongside the joint U.S.-Israeli attack, including the hacking of multiple Iranian websites and government digital services. The conflict is ongoing and expected to continue.

Key takeaways

• The Threat: The U.S.-Iran conflict has elevated the risk of Iranian cyberattacks against U.S. targets. Iran has a documented history of using cyberattacks to retaliate.
• Immediate Action: Exercise caution, strengthen passwords, and enable MFA today. Be suspicious of unexpected emails, calls, and login requests. Update software quickly. Know who to call.
• Stay Alert: The threat level is likely to increase as this conflict continues to unfold. Remain vigilant, watch for suspicious activity, and monitor for ongoing updates.

Why this matters

An analysis by the Center for Strategic and International Studies (CSIS) documents Iran’s playbook for responding to U.S. military action, highlighting a spectrum of cyber operations that typically follow. They range from low-level website defacement and coordinated influence campaigns to more sophisticated attacks against critical infrastructure. The threat to election-adjacent infrastructure is not hypothetical. In 2024, the Justice Department indicted three Islamic Revolutionary Guard Corps (IRGC) employees for a hack-and-leak operation that targeted U.S. presidential campaign systems, stealing confidential material in a deliberate effort to erode confidence in the electoral process. As this conflict plays out, cyber tools are among Iran’s preferred methods because they allow the country to inflict damage while maintaining plausible deniability, causing disruption, sowing distrust, and undermining Western institutions without triggering the kinds of escalation that would compel a broader military response.

Election officials should know what to watch for:

• Phishing emails - Messages appearing to come from a trusted source or a colleague expressing urgency. Do not click. Call the sender directly using a number you already know.
• Fake login requests - Unexpected prompts asking you to approve a login you didn’t initiate. Decline them and notify IT immediately.
• Social engineering calls - Phone calls requesting your password or login credentials. No legitimate entity will ever ask you this by phone. 
• False or misleading information - False claims that systems have been hacked or manipulated, designed to sow discord. Do not share unverified reports and ensure the public knows where to find accurate information.
• Website or service outages - Iran has previously knocked government websites offline during conflict. A sudden outage may not be routine. Report it to IT immediately.

What to do now

These steps are recommended by CISA, the FBI, the NSA, and the Election Security Exchange to help election offices improve their security posture. 

• Change any default or weak passwords on all internet-connected devices.
• Turn on two-step login (MFA) for all accounts and use an authenticator app, not text messages.
• Ask your IT team to install all pending software updates immediately.
• Review your incident response plan and confirm staff know who to call if something goes wrong.
• Provide refresher training on how to spot and report suspicious emails and links.