When the first Tomahawk missiles were still in flight toward Iranian targets, a different kind of weapon had already struck. United States Cyber Command initiated offensive cyber operations against Iran's military command and control infrastructure hours before the first kinetic strike, creating confusion and degrading Iran's ability to coordinate its defenses during the most critical hours of Operation Epic Fury.
The Cyber Domain in Modern Warfare
Cyber operations have matured from a supporting capability to a primary instrument of warfare. In Epic Fury, USCYBERCOM operated as a full combatant command alongside CENTCOM, with its own target list, battle rhythm, and damage assessment process. The integration of cyber effects with kinetic strikes represented the most sophisticated combined operation in the history of cyber warfare.
The legal authorities for offensive cyber operations against Iran had been established through years of presidential directives and National Security Council deliberations. CYBERCOM had maintained "persistent engagement" with Iranian networks since at least 2018, developing access points and implants that could be activated when needed.
Pre-Strike Preparation
Years before Epic Fury, CYBERCOM's Iran mission team had mapped Iranian military networks, identified critical nodes, and developed tools tailored to specific Iranian systems. This preparatory work — known as "operational preparation of the environment" — meant that when the execute order came, cyber operators could activate pre-positioned capabilities rather than starting from scratch.
Key targets included:
- Khatam al-Anbiya Air Defense network: The integrated command and control system linking Iranian SAM batteries, radars, and sector command centers
- IRGC Aerospace Force communications: Secure networks used to coordinate ballistic missile launches
- Iranian military logistics systems: Supply chain and maintenance databases that manage munitions distribution
- Telecommunications infrastructure: Fiber optic nodes and switching centers used by military and government communications
Effects During the Opening Hours
The specific capabilities and effects of CYBERCOM's operations remain highly classified, but observable indicators and Pentagon statements suggest several categories of impact:
Air defense disruption: Iranian air defense operators reportedly experienced intermittent communications failures during the critical first hours of the strike campaign. Sector command centers had difficulty coordinating with individual SAM batteries, degrading the integrated nature of the defense network. While this did not disable individual SAM systems — which can operate autonomously — it prevented the coordinated response that makes an integrated air defense system more than the sum of its parts.
Missile launch delays: Some Iranian ballistic missile retaliatory launches appeared delayed by hours compared to what planners expected. Whether this was due to cyber effects on launch coordination systems, physical destruction of communication links, or Iranian operational decisions remained unclear, but the delay provided additional time for coalition missile defense systems to prepare.
Information operations: CYBERCOM reportedly conducted information operations targeting Iranian military morale, including messages to IRGC commanders suggesting that their communications were compromised and that continued resistance was futile. The psychological impact of knowing that an adversary has penetrated your secure networks can be as disruptive as the actual technical effects.
The Stuxnet Legacy
The US cyber campaign against Iran did not begin with Epic Fury. The Stuxnet operation, discovered in 2010, represented the first known use of a cyber weapon to cause physical destruction — spinning Iranian centrifuges to self-destructive speeds while reporting normal operations to operators. That operation, attributed to a joint US-Israeli effort, destroyed approximately 1,000 centrifuges and set Iran's nuclear program back by an estimated 1-2 years.
Stuxnet's discovery, however, gave Iran motivation to develop its own offensive cyber capabilities. By 2025, Iran had become one of the most active state cyber actors, with groups like APT33 and APT34 conducting espionage and disruptive operations against US and allied targets. Epic Fury's cyber dimension was thus not one-sided — Iranian cyber forces attempted retaliatory operations against US military networks, coalition partner systems, and Gulf state critical infrastructure.
Integration Challenges
Synchronizing cyber and kinetic operations proved technically and organizationally challenging. Cyber effects are inherently unpredictable — a network disruption might last minutes or hours, and operators cannot always control the timing precisely. CENTCOM planners had to build flexibility into strike timelines to account for the uncertainty of cyber effects.
Deconfliction was another challenge. Intelligence agencies wanted to maintain access to Iranian networks for collection purposes, while CYBERCOM wanted to use those same access points for offensive operations that would burn them. The tension between intelligence collection and offensive cyber operations required senior-level adjudication throughout the campaign.
Implications
Epic Fury established cyber operations as an integral component of major combat operations, not merely a supporting or enabling capability. The campaign demonstrated that cyber effects can meaningfully degrade an adversary's ability to coordinate military forces during the critical opening hours of a conflict. However, it also showed that cyber weapons are not silver bullets — they complement but do not replace kinetic strikes. Iranian military systems continued to function, albeit degraded, despite sustained cyber attack, underscoring the resilience of military networks designed to operate in degraded communications environments.