AI-Assisted Critical Infrastructure Targeting and RedAlert Mobile Espionage Campaign Linked to the Iran–Israel–US Conflict
The ongoing geopolitical escalation between the United States, Israel, and Iran following coordinated strikes conducted on 28 February 2026 has entered a new phase where kinetic warfare, cyber operations, and AI-enabled targeting are increasingly intertwined. Within hours of the escalation, more than 60 Iranian-aligned hacktivist groups activated coordinated cyber operations, primarily communicating through Telegram-based coordination channels referred to as an Electronic Operations Room.
Geopolitical Context and Conflict Background
The current cyber threat environment must be understood within the broader geopolitical escalation involving Iran, Israel, and the United States.
Although the direct military conflict escalated on 28 February 2026, cyber hostilities between these actors have been developing for more than a decade through state-sponsored operations targeting regional and global infrastructure. The recent escalation has resulted in:
- Activation of multiple Iranian-aligned cyber groups
- Increased cyber retaliation campaigns targeting Western infrastructure
- Expansion of hacktivist participation motivated by ideological or geopolitical alignment
- Greater use of automated AI tools to accelerate reconnaissance and attack preparation
The removal of centralized leadership structures following the death of Ayatollah Ali Khamenei has also created a decentralized cyber ecosystem where proxy actors and hacktivist groups operate independently.
These groups often lack deep technical expertise but compensate by using AI tools, open-source intelligence platforms, and publicly indexed internet infrastructure data.
The Cyber Frontline: Three Emerging Threat Patterns
Recent intelligence indicates three concerning developments:
- AI-assisted targeting of critical infrastructure linked to military operations and cyber retaliation.
- A sophisticated mobile espionage campaign exploiting Israel’s “Red Alert” emergency alert ecosystem.
- A shift toward hybrid digital warfare, where civilian systems, mobile devices, and critical infrastructure become strategic intelligence and disruption targets.
1. AI-Assisted ICS Reconnaissance Workflow
Recent reports indicate that AI systems are increasingly being used to accelerate military target identification and operational planning. AI platforms enable low-skilled actors to identify vulnerable Industrial Control Systems (ICS) and Operational Technology (OT) assets exposed on the internet. Threat actors are increasingly adopting a reconnaissance methodology that combines AI assistance with publicly indexed infrastructure search engines. The process typically involves several stages: asset discovery, passive intelligence collection, vulnerability assessment, credential exploitation, and process manipulation.
Security researchers have also observed AI-assisted backdoors and cyber intrusion campaigns targeting energy and maritime sectors in the Middle East, reinforcing concerns that AI-enabled cyber operations are becoming operationalized in regional conflicts.
At the geopolitical level, analysts warn that the ongoing conflict has already triggered retaliatory cyber activity targeting Gulf and Western infrastructure, including energy and industrial systems. The compromise of the Municipal Water Authority of Aliquippa in Pennsylvania provides a practical example of how exposed ICS devices can be exploited. In this incident, attackers gained access to a Unitronics PLC device exposed to the internet that was configured with a default password. Although the incident caused limited operational impact, it demonstrated how easily exposed industrial devices can be targeted. The same methodology can be automated using simple scripts capable of testing multiple devices simultaneously.
2. Mobile Espionage Campaign: RedAlert Android Malware
Parallel to the infrastructure threat landscape, threat actors are also conducting espionage operations targeting civilian populations through malicious mobile applications. One of the most striking developments emerging from the conflict is the “RedAlert” mobile espionage campaign, which weaponizes a trusted civilian emergency application. The RedAlert spyware campaign distributes a trojanized version of the Israeli Home Front Command emergency alert application.
The malware is delivered through SMS phishing (smishing) campaigns directing victims to download an APK file outside the official Google Play Store. Once installed, the malicious application displays legitimate alert notifications while executing hidden surveillance capabilities.
The attack exploits a moment of crisis when citizens urgently seek real-time information, demonstrating how human trust in emergency infrastructure can be weaponized.
Researchers warn that such attacks may also enable interception of SMS-based authentication mechanisms, potentially allowing adversaries to bypass two-factor authentication systems tied to financial or government accounts.
3. Hybrid Warfare: Targeting Civilian Digital Ecosystems
The RedAlert campaign highlights a broader evolution in cyber conflict: civilian digital infrastructure is increasingly becoming a battlefield. These operations combine several elements:
- Information warfare: Manipulating emergency communication channels can undermine public trust and spread confusion during crises.
- Intelligence collection: Compromised devices can provide real-time location data and communications intelligence.
- Psychological operations: Attackers exploit fear and urgency to increase infection rates.
- Infrastructure reconnaissance: Mobile devices provide a pathway into broader digital ecosystems, including corporate networks and critical services.
Security analysts note that such campaigns represent a fusion of cyber espionage and behavioral manipulation, where attackers exploit emotional responses rather than purely technical vulnerabilities.
Impact Assessment
The campaigns described in this advisory represent multiple strategic risks.
- First, AI-assisted reconnaissance significantly increases the number of actors capable of targeting industrial infrastructure.
- Second, exposed ICS devices remain widely accessible on the internet, creating a large attack surface.
- Third, wartime-themed social engineering campaigns such as RedAlert exploit civilian panic to distribute spyware.
- Finally, the integration of AI platforms into both defensive and offensive cyber operations highlights the increasing role of AI within geopolitical conflicts.
Recommended Defensive Measures
Security teams should treat the current threat landscape as a precursor to future AI-enabled cyber conflict. Organizations operating critical infrastructure should immediately implement the following security controls.
- Industrial management interfaces should never be directly accessible from the public internet. Access must be restricted through secure VPN gateways.
- All default credentials on industrial devices must be replaced with strong authentication mechanisms before deployment.
- Network segmentation should ensure that ICS networks remain isolated from enterprise and internet-facing systems.
- Organizations should block direct internet access to industrial protocol ports commonly associated with ICS devices.
- Security teams should continuously monitor network traffic for unauthorized access attempts targeting industrial control systems.
- Mobile device management policies should prohibit installation of applications from unknown sources.
- Users should be educated to download emergency applications only from official application stores.
- Network defenders should implement domain and IP blocking for infrastructure associated with the RedAlert malware campaign.
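The monitoring and port-blocking controls above can be checked against firewall export data. The following script is an added example for this advisory, not SISA's tooling or code from any of the referenced reports: it parses constructed firewall connection records, flags any connection to a well-known ICS protocol port that did not originate from an approved source (the ICS subnet or the VPN gateway pool, both assumed address ranges), and separately reports sources that touched several distinct ICS hosts, the pattern produced by scripted multi-device testing. The log format, sample lines, and allowed networks are constructed; the port list uses standard protocol assignments plus the Unitronics PCOM port named in CISA AA23-335A.

```python
"""Flag inbound connections to ICS protocol ports from outside the approved
management network, and sources that sweep several ICS hosts.

Log format, sample lines and allowed networks are constructed for this
example; adapt LOG_RE and ALLOWED_SOURCES to your own firewall export.
"""
import ipaddress
import re
from collections import defaultdict

# Well-known ICS/OT protocol ports. 20256 is the Unitronics PCOM port
# referenced in CISA AA23-335A; the others are standard assignments.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7comm (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
    20256: "Unitronics PCOM",
}

# Assumed approved sources: the ICS subnet itself and the VPN gateway pool.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),   # ICS/OT subnet (assumed)
    ipaddress.ip_network("10.99.0.0/24"),   # VPN gateway address pool (assumed)
]

# Constructed key=value firewall record format.
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)"
)

# Constructed sample: one legitimate VPN session, one external source
# sweeping three PLCs, one external source probing DNP3 and being denied.
SAMPLE_LOG = """\
2026-03-01T10:02:11Z src=10.99.0.14 dst=10.20.0.7 dport=502 proto=tcp action=accept
2026-03-01T10:02:13Z src=203.0.113.5 dst=10.20.0.7 dport=502 proto=tcp action=accept
2026-03-01T10:02:14Z src=203.0.113.5 dst=10.20.0.8 dport=20256 proto=tcp action=accept
2026-03-01T10:02:15Z src=203.0.113.5 dst=10.20.0.9 dport=102 proto=tcp action=accept
2026-03-01T10:02:20Z src=198.51.100.9 dst=10.20.0.7 dport=443 proto=tcp action=accept
2026-03-01T10:02:21Z src=198.51.100.9 dst=10.20.0.7 dport=20000 proto=tcp action=deny
"""


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(ip):
    """True if the source address lies inside an approved management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def analyze(log_text, sweep_threshold=3):
    """Return (alerts, sweeps).

    alerts: one dict per connection to an ICS port from a source outside
            ALLOWED_SOURCES. Denied attempts are included with blocked=True,
            because repeated blocked probes are still a signal worth triage.
    sweeps: {src: [hosts]} for sources that reached >= sweep_threshold
            distinct ICS hosts, i.e. scripted multi-device testing.
    """
    alerts = []
    targets_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ICS_PORTS:
            continue
        if is_allowed_source(rec["src"]):
            continue
        alerts.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "port": rec["dport"], "protocol": ICS_PORTS[rec["dport"]],
            "blocked": rec["action"] != "accept",
        })
        targets_by_src[rec["src"]].add(rec["dst"])
    sweeps = {src: sorted(hosts) for src, hosts in targets_by_src.items()
              if len(hosts) >= sweep_threshold}
    return alerts, sweeps


if __name__ == "__main__":
    found, sweepers = analyze(SAMPLE_LOG)
    for a in found:
        state = "BLOCKED" if a["blocked"] else "ACCEPTED"
        print(f"{a['ts']} {state} {a['src']} -> {a['dst']}:{a['port']} ({a['protocol']})")
    for src, hosts in sweepers.items():
        print(f"sweep: {src} reached {len(hosts)} ICS hosts: {', '.join(hosts)}")
```

Any accepted entry in the output means the port-blocking control in the list above is not in effect for that path; the sweep report is the multi-device pattern the advisory describes, seen from the defender's side. Feed the script a real export with the regex adjusted, and tune `sweep_threshold` to the size of the ICS subnet.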
Conclusion
The cyber threat environment associated with the Iran–Israel–US conflict demonstrates a critical transformation in modern cyber warfare. It has changed significantly because of the integration of Artificial Intelligence (AI) into cyber reconnaissance and operational planning.
AI has lowered the technical barriers required to conduct reconnaissance against industrial infrastructure, enabling a wider range of actors to participate in cyber operations. At the same time, social engineering campaigns targeting civilians illustrate how cyber operations are increasingly integrated into broader information warfare strategies. This convergence of AI-assisted reconnaissance, exposed industrial infrastructure, and wartime social engineering represents a high-impact threat to critical infrastructure, civilian communications, and national security.
Organizations must assume that exposed infrastructure will be discovered quickly and targeted opportunistically. Reducing internet exposure, enforcing authentication controls, and strengthening network monitoring remain the most effective defenses against these threats.
References:
- Palo Alto Unit 42 (Mar 2026) | 60+ Iranian hacktivist group activation
- CloudSEK | AI, the Iran-US Conflict, and the Threat to US Critical Infrastructure
- CloudSEK | RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command
- CISA AA23-335A | Exploitation of Unitronics PLCs Used in Water and Wastewater Systems
- CISA AA22-055A | MuddyWater joint advisory (FBI, NSA, NCSC-UK, CNMF)
- CISA AA24-038A | Volt Typhoon / VOLTZITE in US critical infrastructure
- CISA AA22-103A | PIPEDREAM / INCONTROLLER alert
- AttackIQ | Defending Against Iranian Cyber Threats in the Wake of Operation Epic Fury
- Industrial Cyber | US-Israeli campaign triggers Iranian counteroffensive targeting Gulf energy, critical infrastructure