The Strikes on Iran

Mar 1

This report is based on open-source reporting as events evolve rapidly across regions. We continue to monitor developments.

A note on sources: In a crisis of this scale, propaganda and disinformation circulate widely. We have relied on established international news organisations, specialist analytical outlets, and verified institutional sources, and encourage readers to do the same. Treat unverified claims with extreme caution until confirmed by multiple credible sources.

Key Findings

No clear endgame. The objectives of the US-Israeli operation are inconsistent, and no exit strategy has been articulated. Khamenei's death creates a power vacuum with unpredictable consequences.
Domestic politics are a factor. Both Netanyahu and Trump face criminal proceedings, declining polls, and upcoming elections. These conditions elevate appetite for dramatic escalatory action.
China's energy supply is being squeezed. Venezuela and Iran, together roughly 18% of China's seaborne crude imports, have both been disrupted within two months. The Strait of Hormuz is effectively closed, with traffic down about 75%, and oil prices up 12%.
Cyber is now Iran's primary retaliatory weapon. Conventional options are degraded. Iranian APT groups and state-directed hacktivists are already activated. European critical infrastructure is in the target set.
Iran's "terrorism for hire" network is a live threat. Organised crime groups across Europe, including Foxtrot, Rumba, Hell's Angels, and Mocro-Mafia-linked networks, have been operationally directed by Iranian intelligence. With the regime on "death ground," previous restraint may no longer apply.
The information environment is poisoned. Every party is pushing narratives. Unverified claims are circulating widely. Rely on multi-source, verified reporting.
This is a cross-domain crisis. Military, cyber, maritime, financial, influence, and terrorism dimensions are all active. Multi-domain intelligence is required to see the full picture.

Introduction

The US-Israeli military operation against Iran that began on Saturday, 28 February, represents the most significant escalation in the Middle East since the 2003 invasion of Iraq. Iran's Supreme Leader has been confirmed killed, Tehran has declared 40 days of mourning, and retaliatory strikes are hitting targets across the region, including Gulf states hosting US military assets and critical civilian infrastructure. Iranian strikes have hit airports in Dubai and Abu Dhabi, targeted US bases across at least six countries, and the IRGC has declared all US and Israeli assets in the region legitimate targets.

This is not a contained military exchange. It is a cascading, multi-domain crisis with uncertain objectives, an unclear endgame, and consequences extending far beyond the SWANA Region.

The absence of clear objectives is a significant threat.

The stated aims of the operation have shifted between speakers and statements. President Trump has called for regime change and urged Iranians to rise up and overthrow their government. Defence officials have described the operation as targeting Iran's nuclear, missile, and naval capabilities. Netanyahu has framed Iran as an existential adversary. There is no publicly articulated plan for what follows, no clear exit strategy, no framework for political transition, no outlined conditions for cessation.

The killing of Khamenei increases this uncertainty. Iran's succession process is opaque, and the power structures among the presidency, IRGC, Guardian Council, and Assembly of Experts are under significant stress. The IRGC has vowed continued and escalating retaliation. Whether a successor can consolidate control, or will be more or less confrontational, remains unknown. Decapitation strikes alone do not produce political outcomes, and the resulting power vacuum may increase instability.

For analysts, policymakers, and organisations assessing risk, this ambiguity acts as a threat multiplier. Unclear strategic objectives significantly widen the range of possible escalation pathways.

The domestic political context cannot be ignored.

Any thorough threat assessment must consider the domestic political pressures facing the leaders who initiated the operation.

Netanyahu faces elections no later than October 2026, with polls showing his coalition falling well short of a majority. He is simultaneously standing trial for bribery, fraud, and breach of trust. He is the first sitting Israeli prime minister to take the stand as a criminal defendant. Additionally, he faces an ICC arrest warrant for war crimes in Gaza. His coalition has been advancing legislation to repeal the criminal charges he faces, and Trump has personally pressured Israel's president to pardon him. Analysts have long noted that Netanyahu may see a return to war as an opportunity to shore up his domestic standing ahead of elections.

Trump faces his own constellation of political pressures, including severe allegations of sexual abuse of a minor rooted in the Epstein files. The Washington Post reported that the decision to attack came after sustained lobbying from both the Saudi crown prince and the Israeli government. US Senator Andy Kim and Senate Minority Leader Schumer have called for Congress to reconvene to vote on a war powers resolution, questioning the legal basis for the operation. Trump's administration was publicly critical of not receiving the 2025 Nobel Peace Prize. The Norwegian Nobel Committee itself is currently under scrutiny over the Epstein files, with the former committee chair charged with aggravated corruption. While it would be speculative to draw a direct causal line from the Nobel Prize to military action, the broader pattern of ego-driven decision-making by leaders facing personal legal jeopardy and domestic opposition is a relevant analytical factor.

The China energy dimension: Venezuela, Iran, and the Strait of Hormuz

Viewed alongside the US intervention in Venezuela earlier this year, the strikes on Iran take on an additional strategic dimension. Iran and Venezuela are two central sources of discounted crude oil flowing to China. Iranian oil accounted for approximately 13.4% of China's seaborne imports in 2025, and Venezuelan oil for roughly 4.5%, much of it relabelled through intermediary countries to evade sanctions. China's crude imports hit a record 11.6 million barrels per day in 2025.

The disruption to the Strait of Hormuz compounds this. Roughly 20% of global seaborne oil passes through the strait, and it is the primary export route for Gulf producers. The IRGC has broadcast warnings to shipping, and Iranian media have described the strait as effectively closed. Analysts report that traffic in the region dropped approximately 75% within hours. Oil prices jumped 12% within hours, and analysts warn that a sustained closure could push prices above $100 per barrel.

Whether this constitutes a deliberate strategy to squeeze Chinese energy supply is an open question. Some analysts argue that China's relationship with sanctioned oil is more opportunistic arbitrage than structural dependence. China sources crude from a highly diversified set of suppliers and has been stockpiling strategic reserves. Others note that the combined loss of Venezuelan and Iranian supplies would disproportionately affect the independent "teapot" refiners, which form a significant segment of China's refining capacity. What is not speculative is that the US has now, within two months, disrupted two of China's central sources of discounted crude and is applying pressure to the maritime chokepoint through which much of the rest flows. Whether by design or by consequence, this has significant implications for global energy security and great-power competition.

Cyber retaliation: not a hypothetical

Iran's conventional military options have been severely degraded, but its cyber capabilities remain largely intact. Some analyses indicate that the strikes have made cyber operations the regime's primary tool for asymmetric retaliation. Iranian-linked cyber units were activated and retooling before the kinetic operation began.

IRGC-affiliated APT groups APT33 (Elfin Team/Refined Kitten), APT35(Charming Kitten), APT34 (Helix Kitten/OilRig), MuddyWater, and a growing network of state-directed hacktivist proxies represent a sophisticated, battle-tested cyber threat. The pattern from previous escalations is well-documented: after Israel's operations against Iran last June, Palo Alto Networks' Unit 42 observed Iranian-backed groups expanding DDoS campaigns, hack-and-leak operations, and targeted intrusions, including leveraging generative AI for social engineering.

European organisations should be especially alert. Nozomi Networks research found a 133% surge in Iranian cyberattacks targeting the US, with APT33 infrastructure traced to operations across Germany, France, Italy, and other European nations.

NIS2-regulated entities sit squarely in the target set. US government agencies have issued specific advisories urging critical infrastructure operators to identify and disconnect vulnerable OT and ICS devices.

Asymmetric warfare beyond cyberspace: cells, proxies, and "terrorism for hire."

The threat of Iranian retaliation extends beyond state-based military exchanges and cyber operations. Over decades, Iran has built a global infrastructure for asymmetric warfare that blurs the lines between state intelligence, proxy militias, organised crime, and terrorism.

This infrastructure operates across Europe, including in the Nordic region. The US Treasury sanctioned Sweden's Foxtrot Network in March 2025 for its operational ties to Iran's Ministry of Intelligence. Foxtrot's leader was recruited by the MOIS after fleeing to Iran, and in exchange for safe haven, agreed to direct attacks on Israeli and Jewish targets across Europe. These attacks include bombings and shootings at Israeli embassies in Stockholm, Copenhagen, and Brussels. A rival Swedish gang, Rumba, carried out a separate attack on the Israeli embassy in Stockholm under Iranian direction, recruiting a 14-year-old to conduct the shooting.

This model, which might be termed "terrorism for hire," is a defining feature of Iran's external operations. As the UK Parliament's Intelligence and Security Committee revealed, Iran's security services have attempted at least 15 murders or kidnappings on UK soil between January 2022 and August 2023 alone. In Germany, the IRGC hired a Hells Angels boss to plan attacks on synagogues. In the Netherlands, Mocro-Mafia leader Ridouan Taghi was sentenced to life imprisonment in 2024 for a campaign of drug-related murders. Dutch authorities separately suspected him of receiving protection from Iran's intelligence services after his network helped assassinate Iranian dissidents on European soil.

The Atlantic Council has assessed that Iran may still activate remaining networks for assassinations, terror attacks, kidnappings, or sabotage globally. A former NATO supreme allied commander warned that Iran's leadership may now consider itself on "death ground," facing an existential threat that removes the restraint that previously kept its most extreme retaliatory tools in reserve.

The particular danger lies in the hybridisation of these tactics. A single retaliatory campaign may combine cyber intrusions against critical infrastructure, physical attacks by organised crime proxies or terrorist cells, influence operations amplifying fear and division, and financial flows through illicit networks. This represents the latest evolution of asymmetric warfare and poses a cross-domain threat that single-domain intelligence systems cannot adequately detect or map.

The financial crime dimension

Conflict of this scale generates significant demand for illicit finance. Sanctions evasion, trade-based money laundering, and covert financial flows, already present in the Iranian economy, will intensify. The networks facilitating these flows overlap with organised crime, cybercrime infrastructure, and terrorist financing networks described above.

Financial institutions subject to AMLA, the EU AML Single Rulebook, and DORA face a rapidly evolving compliance landscape. Static watchlist screening is already insufficient. Understanding how sanctioned networks adapt through proxy entities, layered ownership, cross-border intermediaries, and concurrent criminal activity requires network-level intelligence, not just transaction-level intelligence.

Influence operations and the information environment

Every party to this conflict is actively shaping the information environment. Iran's state media, US government communications, Israeli military spokespeople, Gulf state outlets, and Russian and Chinese information operations are all producing narratives designed to serve strategic objectives. Simultaneously, the emotional intensity of the crisis, civilian casualties, including reports of a strike on a girls' school killing children, will be exploited across allegiances and the ideological spectrum.

For social media platforms, content moderation challenges are immediate and significant. Coordinated inauthentic behaviour, propaganda amplification, and the exploitation of civilian suffering for influence will intensify. Regulatory obligations under the DSA and TCO remain in force and become more urgent during crises. Municipalities and governments must address the public safety risks of radicalisation accelerated by crisis narratives.

Norway's position

Norway's Foreign Minister has publicly questioned the legality of the strikes under international law. As a NATO member and EEA participant, Norway sits at a sensitive intersection. Norway is allied to the US through NATO, governed by European legal frameworks, and home to critical infrastructure that falls within Iranian cyber and asymmetric targeting patterns. The totalforsvar doctrine is now being tested in real time. Norwegian organisations subject to the Security Act and NIS2 should treat the current threat level as materially elevated.

Norway is also navigating its own reputational pressures. The Epstein files' revelations about former Nobel Committee chair Thorbjørn Jagland and other Norwegian figures, combined with the controversy over the 2025 Nobel Peace Prize, have placed Norwegian institutions under unusual international scrutiny at a moment when geopolitical positioning matters enormously.

What this means for your organisation

This crisis is unfolding across multiple domains simultaneously: kinetic military operations, cyber warfare, maritime disruption, financial system stress, energy market volatility, influence operations, organised crime, and terrorism risk. The motivations include strategic objectives, domestic political calculations, great-power competition, and personal political survival, often intertwined and difficult to separate.

Organisations best positioned to navigate this environment are those with intelligence that maps connections across domains, linking state actors to criminal proxies, cyber operations to financial flows, and influence campaigns to physical threats. Siloed intelligence feeds that capture only one aspect are insufficient for a crisis of this complexity.

This is what cross-domain network intelligence was built for.

Revontulet delivers cross-domain threat intelligence covering terrorism, organised crime, cybercrime, financial crime, and disinformation. If you require intelligence or threat briefings tailored to your organisation's exposure to the current crisis, please contact us.