The Harassment Infrastructure
When visitors to Yeshiva World News tried to access the Orthodox Jewish news site Wednesday morning, they found images of Iranian ayatollahs and Farsi text declaring "Now we are under their control. The Zionists are handcuffed." The defacement lasted until 2 p.m. ET, when the site returned with a brief restoration message. The same day, hackers hit Yeshivat Har Etzion's website with threatening messages embedded in course thumbnails and lecture pages. Both sites were back online within hours.
This wasn't a surprise. A February 28 threat assessment from the Department of Homeland Security's Office of Intelligence and Analysis had warned that Iran-aligned "hacktivists" would conduct exactly these kinds of low-level cyber attacks, website defacements and distributed denial-of-service operations targeting Jewish institutions and other U.S. entities.
The prediction came true on schedule. But the Wednesday attacks on two Jewish websites represent just the visible edge of something larger: Iran has built a distributed cyber-harassment system that operates across continents and sectors, projecting power while staying carefully below the threshold that would trigger serious retaliation.
How the System Works
Iran's approach combines volume with strategic restraint. Rather than launching sophisticated breaches that might provoke military responses, Iranian-linked groups flood targets with lower-level intrusions that are cheap to execute and difficult to definitively attribute. The sites get defaced, the messages spread fear, and technical teams restore functionality within hours. Then the cycle repeats.
The target list reveals the strategy's scope. Since the war began on February 28, pro-Iranian hackers have infiltrated cameras in Middle Eastern countries to improve Iran's missile targeting capabilities, according to U.S. intelligence assessments. They've hit data centers across the region, industrial facilities in Israel, a school in Saudi Arabia, and an airport in Kuwait. Polish authorities are currently investigating a cyberattack on a nuclear research facility with potential Iranian ties.
In the United States, the pattern extends beyond Jewish institutions. Iranian-linked hacking groups infiltrated President Donald Trump's campaign email system, targeted U.S. water plants, and attempted to breach networks used by the military and defense contractors. Each intrusion serves dual purposes: the defacements deliver psychological impact and propaganda messaging, while the technical access generates intelligence value.
The camera hacks demonstrate how these categories blur. What looks like low-level harassment, taking control of security cameras, becomes weapons-grade intelligence when those camera feeds map potential missile targets. Iran has invested heavily in offensive cyber capabilities while cultivating relationships with hacking groups that can operate with plausible deniability, creating a network that functions like distributed infrastructure rather than centralized command.
The Threshold Calculation
Why does this system persist? Because it exploits a gap in how nations calibrate responses to cyber operations.
A defaced website doesn't trigger the same response as a physical attack on infrastructure. Stolen emails don't provoke the same consequences as sabotaged weapons systems. Iranian operators have mapped the boundary between annoying and intolerable, then built an entire harassment architecture that lives just on the acceptable side of that line. The DHS can issue threat assessments. Targeted organizations can harden their defenses. But the attacks continue because the cost of launching them remains lower than the cost of stopping them, and the consequences for Iran remain manageable.
The Yeshivat Har Etzion attack illustrates the formula. Hackers replaced normal website content with messages reading "You start the war, but we will end it!" across course thumbnails, lecture pages, and the search bar. The technical team resolved the breach within several hours and restored full functionality. No permanent damage occurred. No one died. The incident will generate a security report, perhaps some upgraded defenses, and then fade from attention.
But for the readers and community members who rely on these sites, the experience isn't technical, it's visceral. Diaspora Jewish communities already navigating rising antisemitism and Middle East tensions wake up to find their trusted information sources transformed into propaganda platforms. The message isn't subtle: your digital spaces aren't safe, your community infrastructure is vulnerable, and this can happen again whenever we choose.
The Normalization Problem
The Jerusalem Post checked social media and Telegram channels associated with Iranian hackers after Wednesday's attacks but found no immediate claims of responsibility. That absence might seem odd, why conduct an operation without taking credit? But it fits the pattern. When attacks become routine, individual claims matter less than the cumulative effect.
Iran doesn't need to announce each defacement because the system itself sends the message. Jewish institutions know they're targets. Polish nuclear facilities know they're vulnerable. U.S. water plants know their networks have been probed. The harassment infrastructure succeeds not through any single spectacular breach, but through the steady accumulation of violations that gradually feel normal.
Both sites attacked Wednesday were restored quickly, demonstrating technical resilience. Yeshiva World News returned by mid-afternoon. Yeshivat Har Etzion's team resolved their breach within several hours. But speed of restoration doesn't prevent the next intrusion. The DHS warned about these exact attacks on February 28. The attacks happened anyway. The warnings will continue. So will the attacks.
What happens when constant digital intrusion becomes background noise? When federal threat assessments predict attacks that then occur exactly as forecasted, but the prediction itself doesn't prevent the outcome? The system Iran has built doesn't require technological sophistication or massive resources. It requires patience, distributed capability, and accurate calibration of what adversaries will tolerate.
The question isn't whether Iranian-linked groups will continue these operations. The February 28 DHS assessment already answered that. The question is whether the current response framework, issue warnings, restore sites, repeat, represents a strategy or just the acceptance of a new permanent condition.