
Why Iran Hasn't Hacked a Nuclear Reactor

Iranian Protesters

Cyber-Physical Attacks, Wartime Strategy, and Why Iran Isn't Waging Digital War

As the American-Israeli war against Iran enters its fifth week, we have witnessed the most technologically advanced war in human history. The Iranian government has shattered under the ugly end of the US and Israeli militaries and their ability to seamlessly coordinate strikes on any target, anywhere. The joint American-Israeli war machine is larger and better resourced, causing Iran to rely on non-traditional methods of warfare to compete. As an expert in asymmetric warfare, Iran should be desperate to employ any advantage it has, so why haven’t we seen a full-scale cyber war?

Why does Iran do Cyber?

Iran is caught in a rivalry with the well-resourced Saudi Arabia and the cadre of Western-aligned Arab Gulf States. A tightening Gulf Cooperation Council (GCC) leaves Iran with a more unified set of regional rivals armed by the United States, Israel, and Europe. Iran rightly fears an American and European-equipped Saudi Arabia, UAE, Kuwait, Bahrain, Oman, and Qatar that is comfortable collaborating with Israeli intelligence. Under sanctions as well, Iran finds itself in a crowded neighborhood, its only friend an over-extended, impotent Russia that has let its allied regimes in Syria and Venezuela be toppled with little resistance, while Cuba is drowning.

Map of Strait of Hormuz

Iran’s rivalry with the well-connected Saudi Arabia necessitates that it use asymmetric warfare to compete in the Gulf, which informs its funding of terrorist groups in Yemen and the Levant. The Iranian military is all about getting the most out of its dollars, so its obsession with drones, cybersecurity, and nuclear weapons should come as no surprise.

This piece offers explanations for why we have not seen cyber-physical attacks originating from Iran and challenges Iran’s reputation within the cybersecurity community as a state prone to impactful cyber-physical attacks.

Defining Cyber-Physical Attacks

“Cyber-physical attacks” describes any remote cyber attack that is designed to destructively impact a target akin to a raid or a strike, like destroying physical assets or disabling a key facility. We must also include destroying valuable data or disabling communications systems. From the beginning, these attacks are designed to have a physical, tangible effect on assets as their primary objective.

The early 2010s were defined by a string of high-profile cyberattacks across the Gulf that were considered destructive to real-world assets or valuable data. First was the Israeli “Stuxnet”[1] attack against the Iranian nuclear program, which caused physical damage to vital uranium refining centrifuges. In retaliation, the Iranian-designed “Shamoon”[2] virus devastated critical computer systems operated by state-owned Saudi Aramco and later the state-owned Qatari RasGas. “Shamoon” destroyed valuable data, cost affected states millions, and slowed their oil exports. Since then, we have seen few instances of these advanced cyberweapons being deployed by either side of the ledger.

Since this campaign began, the only noteworthy cyberattack from Iran has been against Stryker[3], an American medical device company. Temporarily bringing down a medical device company is probably not Iran's top wartime priority, thus it seems likely that this cyber operation was already in progress when the war began.

Explanation 1 - Iran is not interested in attacking the US homeland

As of April 4th, 2026, Iran still has the Strait of Hormuz closed[4], strangling the world’s economy as the oil-hungry nations of Asia and Oceania run down their reserves. Despite American and Israeli air dominance in the region, there are precious few US Navy surface vessels in the Persian Gulf. Iran remains in control of the world’s most valuable chokepoint, and will not give it up easily. The shattered Iranian leadership knows its only hope is for internal American pressure to stop this war once Americans feel real economic pain. The Iranians know that if anything resembling a terrorist attack happens on American soil, the US military will have a blank check to flatten Tehran, and Iran will lose its ability to negotiate.

Explanation 2 - We overestimate Iran’s violence in cyberspace

As of today, we have received no reliable reporting of serious Iranian cyber attacks against military targets, despite Iran’s reputation as a troublemaker in cyberspace. In “The Politics of Cybersecurity in the Middle East”[5], author James Shires theorizes that market incentives have encouraged both Gulf governments and private Western cybersecurity companies to play up Iran’s cyber threat in the region. In his estimation, Western cybersecurity providers overstate both Iran’s cyber-capabilities and its willingness to execute cyber-physical attacks. This is done to win lucrative contracts from Gulf States that are more interested in the high-tech aesthetics of cybersecurity than any actual economic or security benefit derived from a robust cybersecurity program. Gulf States lean into their rivalries with Iran to justify the expense of cybersecurity.

Explanation 3 - Cyber-Physical Attacks are Difficult

For Iran to execute a successful remote cyberattack against a piece of critical infrastructure, they would need dozens of pieces of intelligence. The attackers would need to find a way to infiltrate the network by exploiting a vulnerable piece of software or stealing a credential. They would then need to pivot to the industrial computers running the site and overcome decades of engineering to meaningfully impact the operation of the site using the on-site Industrial Control System (ICS).

The attackers have to hit multiple small moving targets to achieve impact. This is boutique, highly-skilled work that does not transfer from one installation to another. Devoting state resources to longshot cyber-physical attacks is a luxury that Iran likely cannot afford right now.

Explanation 4 - More Productive Cyberattacks Exist

There are more options than just cyber-physical attacks. Spending months to disable a single military installation in the Gulf does not meaningfully degrade American or Israeli ability to wage war on Iran. We should not be surprised that Iranian leadership is opting to allocate their offensive cyber capacity to other efforts like intelligence gathering.

Cyber-enabled intelligence gathering has the potential to provide incredibly valuable and actionable intelligence to a military effort. In the case of Iran, they are probably more interested in knowing where the next round of American and Israeli strikes is going to be concentrated, or when American surface vessels will attempt to get through the Strait, and all of that information can be found somewhere on American or Israeli networks. Cyber-enabled intelligence operations are also much quieter than disruptive ransomware or wiper attacks. Iranian intelligence services are very competent and have likely prepositioned “cyber listening posts” on key American and Israeli systems.

What does this mean?

This war has tested the alarmist notion that a full-scale war between nations with advanced offensive cybersecurity capability will bring widespread cyber-physical attacks on critical infrastructure. High-level Iranian leadership has a reputation for having the cooler head in conflict, even if its rhetoric sounds exceedingly violent to a Western audience. Iran has likely decided that applying economic pain is more effective than any attack on the US homeland. It is possible that most of the Iranian leadership assumes that a cyber attack on the US homeland would be an unnecessary step on the escalation ladder. Therefore, a major cyber attack in this conflict is not likely.

The Red Flag of Revenge

About the Author

Jake Mullins is a Cybersecurity student minoring in Arabic.

Jake is the author of the Breaking Things blog, which explores the intersection of Cybersecurity and International Relations with a focus on the Middle East. He has covered Middle Eastern and American technology policy, AI, quantum computing, cyber-enabled military strategy, and active hacking campaigns. Jake is currently employed as a Security Engineer in the financial sector.

This article originated from work done for this article.

Bibliography

  1. https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html
  2. https://www.cfr.org/cyber-operations/compromise-of-saudi-aramco-and-rasgas
  3. https://www.hipaajournal.com/stryker-cyberattack-iran/
  4. https://www.congress.gov/crs-product/R45281
  5. https://www.jamesshires.com/research