The Breach
The U.S. military is preparing an offensive cyber operation against an Iranian-backed proxy network within 72 hours, according to two officials familiar with the matter. The operation follows a breach in January of a U.S. defense contractor that supports U.S. Central Command logistics, the officials said. The contractor, based in Northern Virginia, discovered the intrusion on January 17 and notified U.S. Cyber Command the same day, one official said.
The contractor, which provides logistics and facilities support to U.S. Central Command under a $420 million contract awarded in 2023, noticed unusual outbound traffic from a file server at 2:47 a.m. local time on January 17, a senior official said. Incident responders isolated the server within four hours and determined the intrusion had begun around January 8, the official said.
Two officials said the intrusion bore signatures associated with Khatim al-Anbiya, the cyber warfare unit of Iran's Islamic Revolutionary Guard Corps. The attackers accessed unclassified email archives, travel itineraries, and personnel rosters for contractor teams working in Kuwait, Qatar, and Jordan, the officials said. No classified information is believed to have been exfiltrated, though one official said the assessment remained preliminary.
The compromised data included rosters for approximately 340 contractor personnel, travel manifests for 62 flights into Al Udeid Air Base in Qatar and Ali Al Salem Air Base in Kuwait between January 15 and February 15, and email distribution lists for base security teams, the officials said. The Defense Department notified affected personnel on February 5 and offered credit monitoring and identity protection services.
A senior official, speaking on condition of anonymity, said the breach was significant because it exposed the movement patterns of U.S. personnel and the schedule of contracted flights into Al Udeid and Ali Al Salem. The official said the Defense Department's Cyber Crime Center began a forensic review on January 20 and produced a classified report on February 10.
The Planned Response
The planned cyber operation, approved in principle by the president on February 24, will target command-and-control infrastructure used by the proxy group to coordinate rocket and drone attacks against U.S. facilities in Syria and Iraq, the officials said. The operation is expected to begin between March 2 and March 3 and will involve U.S. Cyber Command and U.S. Central Command assets, according to one official.
One official said the operation would rely on a combination of network intrusions, malware deployments, and electronic warfare to sever communications between proxy commanders in Tehran and field operatives in Syria and Iraq. The goal is to create confusion in the command chain and delay planned attacks during a period of heightened alert, the official said.
Two officials said the operation would focus on degrading the proxy network's ability to launch attacks for a period of two to three weeks, rather than destroying infrastructure permanently. The strikes will target servers in three cities in eastern Syria and two locations in western Iraq, the officials said. One official said the operation had been assigned the code name 'SILENT SENTINEL' and would be executed under authorities granted in a 2024 presidential finding on Iran.
A former Senate Intelligence Committee staffer said offensive cyber operations of this scale typically require a finding, concurrence from the attorney general, and notification to the Gang of Eight in Congress. The staffer said such notifications usually occur within 48 hours of execution, suggesting Capitol Hill leadership would be briefed no later than March 4.
The senior official said the operation would avoid targets inside Iran proper to limit escalation, though the administration reserved the right to strike Iranian military infrastructure if proxy attacks continued. The official said the British signals intelligence agency GCHQ and Israeli military intelligence had been consulted, though neither country would participate directly.
The senior official said U.S. Cyber Command's Joint Cyber Warfighting Architecture would provide the operation's backbone, with support from the National Security Agency's signals intelligence collection and the National Geospatial-Intelligence Agency's imagery analysis. The official said target packages were finalized February 25 and uploaded to the Joint Targeting System at 6:00 p.m. Eastern Time.
Diplomatic and Strategic Stakes
The pending operation comes amid a renewed wave of rocket and drone attacks against U.S. bases in Iraq and Syria, including a February 22 strike on Tower 22 in Jordan that wounded three U.S. service members, according to two defense contractors present at the briefing. The contractors said U.S. forces in Iraq and Syria had been at Force Protection Condition Bravo since February 20, with additional counter-drone systems deployed to Al Asad Air Base in Iraq and Mission Support Site Conoco in Syria.
Two officials said the commander of U.S. Central Command had recommended the cyber response during a February 23 video conference with the chairman of the Joint Chiefs of Staff and the defense secretary. The recommendation followed a separate February 21 CENTCOM assessment that concluded kinetic airstrikes risked broader escalation, the officials said.
Two officials familiar with the matter said the State Department had sent a classified cable to U.S. embassies in Baghdad, Amman, and Doha on February 26 instructing diplomats to prepare for possible retaliatory strikes and to coordinate messaging with host governments. The cable, signed by a senior State Department official, warned that Iran could respond with cyber attacks against U.S. financial institutions or critical infrastructure, the officials said.
The State Department cable instructed embassy public affairs officers to emphasize that the U.S. response would be proportionate and aimed at disrupting attacks on U.S. personnel, not at regime change in Tehran, the officials said. Diplomats were told to coordinate with British, French, and German counterparts in capitals across the Middle East and Europe.
A former Senate Intelligence Committee staffer said the operation carried risks of unintended escalation, particularly if the strikes disrupted civilian internet service or hit targets shared by other militant groups. The staffer said the committee had asked the administration for a post-strike damage assessment within 72 hours of execution.
What to watch in the next 48 to 72 hours: whether the president issues final execution authorization, whether U.S. bases in the region raise their force protection condition, and whether Iran or its proxies issue public statements warning of reprisal. Officials said the operation could be delayed if diplomatic channels produce a credible commitment from Tehran to rein in the proxy groups.
