Published: March 14, 2026 | Category: Threat Intelligence | Geopolitical Cyber | Reading Time: ~10 min
Overview
The military strikes of February 28, 2026 — Operation Epic Fury (US) and Operation Lion’s Roar (Israel) — did not stay kinetic for long. Within hours of the first bombs landing in Iran, a parallel cyber conflict ignited across the Middle East and beyond. What has since unfolded is one of the most concentrated bursts of geopolitically motivated cyber activity since the early days of the Russia-Ukraine conflict.
This post breaks down the verified incidents, key threat actors, sectors targeted, and the defensive posture organizations must adopt right now.
The Trigger: Operation Epic Fury
On February 28, 2026, coordinated US-Israeli strikes targeted Iranian military infrastructure, missile systems, and senior IRGC leadership. Supreme Leader Khamenei and several senior IRGC commanders were killed. Iran responded with retaliatory missile and drone strikes against US embassies and military installations across the region.
Before the bombs landed, a coordinated electronic warfare and DDoS campaign had already pushed Iran’s internet connectivity down to approximately 4% of normal capacity. IRNA went offline. Tasnim News — an IRGC-affiliated outlet — was compromised and displayed anti-Khamenei messaging. The cyber domain was activated as a force multiplier before the kinetic campaign had even begun.
Scale of Activity
The numbers tell the story clearly:
- 150+ hacktivist incidents were claimed between February 28 and March 1 alone — spanning DDoS, defacements, and data breach claims
- Israel was the most impacted region for the week of February 27–March 6, followed by Kuwait and Jordan; Bahrain, Qatar, and the UAE also ranked in the top ten
- Top impacted industries: National government, aerospace & defense, and technology
- UAE alone was intercepting between 90,000 and 200,000 cyberattacks per day as of February 18 — over 70% attributed to state-sponsored actors — and that was before the strikes
Key Sectors Hit
Financial Sector
Between February 27 and March 2, coordinated disruption attempts were logged against ten financial institutions across Saudi Arabia, Jordan, and Israel. UAE residents reported temporary outages on online and phone banking. Seven aviation and logistics entities, multiple government ministries, and telecom providers were also hit within this window.
Critical Infrastructure Claims
Perhaps the most alarming — though partially unverified — claims involve operational technology (OT) and industrial control systems (ICS):
- APT Iran claimed a month-long intrusion into Jordan’s grain storage systems, alleging manipulation of storage temperatures and underreporting of wheat weights
- Z-Pentest Alliance published screenshots of an Israeli water pump HMI, claiming real-time access to valve and alarm controls
- APT Iran also alleged infiltration of Jordan’s power plant control systems, claiming a 75% reduction in electricity output
These claims require verification, but the screenshots and technical detail shared publicly are consistent with at least reconnaissance-level access.
Cloud Infrastructure — A Historic First
On March 1, 2026, Iranian drone strikes physically impacted at least one AWS data center in the UAE Region (ME-CENTRAL-1), causing a fire and localized power loss. Secondary service impacts followed in the Bahrain Region (ME-SOUTH-1).
This is widely considered the first confirmed instance of a major US cloud provider’s infrastructure being physically damaged in a military engagement. The downstream civilian impact was immediate — millions in Dubai and Abu Dhabi were unable to access digital payments, food delivery, and banking. The physical-digital boundary for critical infrastructure no longer holds.
Threat Actor Profiles
Pro-Iranian Hacktivist Groups
DieNet Network led large-scale DDoS campaigns against government portals, telecoms, airports, and financial institutions across Bahrain, Qatar, UAE, Kuwait, Saudi Arabia, and the US — framed explicitly as retaliation for Operation Epic Fury.
Handala Hack claimed compromise of multiple oil and gas organizations across Israel, Jordan, and Saudi Arabia, along with a breach of an Israel-based research institute.
Keymous claimed exfiltration of 300,000+ records from Israel’s Ministry of Education internal portal.
313 Team was active across defacement and data leak operations from day one of the escalation.
State-Sponsored APT Activity
MuddyWater (IRGC-linked) had pre-positioned backdoors inside Israeli-adjacent defense and financial targets before the conflict escalated — a textbook pre-conflict access operation where intrusion groundwork is completed well ahead of the kinetic phase.
TA402 (Hamas-linked) targeted a Middle Eastern government entity with credential phishing using a compromised Iraqi Ministry of Foreign Affairs email account. Subject lines referenced a potential US ground operation in Iran — demonstrating how conflict narrative is weaponized as lure content.
Proofpoint also observed campaigns from suspected Chinese, Belarusian, and Pakistani state-aligned actors, all leveraging conflict-themed lures against Middle East government organizations. This conflict is being exploited by all players, not just the primary combatants.
Pro-Russian Alignment
On March 3, pro-Russian hacktivist clusters formally joined the pro-Iran coalition, splitting operational focus between European and Middle Eastern targets — mirroring the Killnet solidarity playbook seen during the 2022 Russia-Ukraine escalation.
Ransomware as a Geopolitical Weapon
INC Ransomware listed an Israeli entity on its leak site, claiming approximately 1 TB of exfiltrated data including blueprints and contracts — and explicitly framing the attack as politically motivated rather than financially motivated. The erosion of the financial/geopolitical boundary in ransomware is a trend that will intensify.
AI-Enhanced Attack Vectors
In March 2026, CloudSEK analysts identified a fake Israeli “Red Alert” missile warning app distributed via SMS. The malware-laced APK — designed to exploit civilians seeking air raid alerts — steals SMS messages, contacts, and precise GPS coordinates. The app’s visual fidelity and the realism of its distribution messages reflect AI-assisted development at scale.
This is a category of threat that will accelerate: conflict as the pretext, AI as the production engine, and mass civilian panic as the attack surface.
If the first week of the Middle East cyber conflict (Feb 28–March 6) was characterized by high-volume, low-precision hacktivist activity, week two marks a clear shift: targeted wiper deployment against a global enterprise, surging OT/ICS claims, new geopolitical alliances expanding the attack surface, and Israeli cyber operations that are rewriting the rules of intelligence-led kinetic warfare. The conflict has formally left the region.
March 7–9: New Supreme Leader, Wider Targets, OT Claims Surge
The March 7–9 window was defined by a new political reality in Tehran — a successor to Khamenei being established — and a corresponding escalation in OT targeting claims from multiple actor clusters.
Between March 1 and March 10, Flashpoint analysis indicates the conflict evolved from broad regional exchanges into systematic targeting of energy, data, and command-and-control infrastructure with global downstream impact. Key reported incidents included a strike on Saudi Aramco’s facility at Ras Tanura and continued disruption stemming from the AWS data center impact in the UAE.
The Israel–Lebanon front also intensified following Hezbollah missile launches and a broad Israeli response across Lebanon. Flashpoint also tracked growing exposure for NATO-aligned assets, including reported damage at RAF Akrotiri in Cyprus — signaling the conflict’s geographic spread into European military infrastructure.
March 10: FSociety Issues 42-Hour Deadline, NoName Hits Water and Telecom
On March 10, FSociety issued a 42-hour deadline threat against undisclosed targets, while NoName057(16) — the pro-Russian hacktivist group that formally joined the pro-Iran coalition on March 2 — escalated its operational tempo, claiming successful disruptions of water management and telecom infrastructure.
NoName057(16) had earlier claimed to have broken into an Israeli water management system and other industrial control systems. Researchers have been unable to independently verify these specific claims, but the targeting pattern is consistent with the group’s documented playbook from prior European campaigns.
March 11: Hider_Nex Sweeps Kuwait, New Alliances Form
March 11 saw a new actor — Hider_Nex — conduct a broad sweep of Kuwaiti targets, while new threat actor alliances were formally announced across pro-Iran Telegram channels, expanding the coalition’s operational capacity.
By this point, CrowdStrike confirmed that Iran-aligned hackers and self-described hacktivist groups had materially increased activity against entities in the Middle East, the US, and parts of Asia. Hydro Kitten — a group operating on behalf of the IRGC — specifically signaled plans to target the financial sector.
March 12: Handala Deploys Wiper Against Stryker — The Week’s Defining Incident
This is the headline incident of week two and the most significant enterprise-level impact since the AWS data center strike.
Stryker Corporation — a Michigan-based medical technology group whose equipment supports care for more than 150 million patients worldwide — disclosed a global network disruption affecting its Microsoft environment. Responsibility was claimed by Handala, the pro-Iran hacktivist collective linked to Iran’s Ministry of Intelligence and Security (MOIS). The group claimed access to more than 200,000 systems and extraction of up to 50 terabytes of data, framing the operation as retaliation for a deadly strike on a school in Minab, Iran. Handala issued a direct warning: “This is only the beginning of a new chapter in the cyber war.”
Stryker confirmed it found no evidence of ransomware or destructive malware, and the incident appears contained to internal systems. However, the disruption temporarily locked employees across the United States and Europe out of devices and logins.
SOCRadar’s timeline designates March 12 as the day Handala deployed wiper-style capabilities against Stryker — a significant tactical evolution for a group that began the conflict cycle running DDoS and defacement operations.
Also on March 12: Keymous conducted flood-style DDoS operations across six Arab countries simultaneously, while Romania was drawn into the conflict’s cyber perimeter for the first time.
March 13: Cyber Islamic Resistance Breaches Israeli Security Firm
On March 13, Cyber Islamic Resistance claimed a breach of an Israeli security firm — a particularly sensitive target given the nature of the data such firms hold. Simultaneously, 313 Team (Islamic Cyber Resistance in Iraq) escalated operations against UAE targets, while NoName057(16) maintained its focus on Cyprus, continuing to stretch the conflict’s geographic footprint into European infrastructure.
Israeli Offensive Cyber Operations: AI-Assisted Kinetic Targeting
While much of week two’s coverage centers on Iranian retaliatory cyber activity, the Israeli side of the ledger is equally significant — and arguably more technically advanced.
Israel hacked a popular Iranian prayer app to send push notifications to potentially millions of phones, urging the country’s military personnel to defect from the regime. Israeli military forces also had access to nearly all traffic cameras across Tehran. In partnership with the CIA, Israel used those cameras to target the airstrike that killed Ayatollah Ali Khamenei.
An Israeli cybersecurity reporter for Haaretz described what Israel deployed as “very cutting-edge data processing or big data fusion techniques that from a layman’s perspective you would call AI.” The intelligence fusion pipeline that produced the targeting data for Khamenei’s elimination is a watershed moment for AI’s role in kinetic operations.
The IDF also confirmed that Israeli strikes during the week specifically targeted the IRGC’s cyber and electronic headquarters and its Intelligence Directorate — a deliberate attempt to degrade Iran’s state-sponsored cyber command-and-control infrastructure from the kinetic domain.
Global Spillover: The Conflict Has Left the Region
Across Australia and New Zealand, officials are reading the same signals through a regional lens. Security advisories note a rise in activity from pro-Iran groups targeting Israeli infrastructure and warn that spillover into ANZ organizations is increasingly likely. The exposure does not come from politics but from connectivity — cloud providers, payment systems, and global supply chains link organizations directly into digital networks already under pressure in the US and Europe.
Europe faces the economic dimension of the same storm. Supervisors at the European Central Bank note that direct eurozone bank exposure to Iran and Israel remains small, but cyber operations targeting payment systems, logistics networks, or energy infrastructure could ripple through inflation, trade flows, and financial markets. Iranian state media and IRGC-linked rhetoric have already begun naming Western banks, technology firms, and data centre infrastructure as potential targets.
Emerging Concern: Iran’s Internet Kill Switch
The Iranian government’s effort to build a permanent internet kill switch — reportedly in its final stages with Huawei’s involvement according to a January 14, 2026, investigation by Iran International — signals what digital rights researchers and cybersecurity analysts warn may become a semi-permanent feature of the regional landscape, not a temporary wartime measure. This has profound implications for any organization relying on cross-border data flows involving Iran, and it should prompt a broader conversation about how information governance frameworks account for state-imposed connectivity restrictions.
Cyber Insurance: A Wake-Up Call
From a cyber insurance standpoint, organizations and insurers should anticipate far greater scrutiny of exclusion clauses, which commonly exclude losses arising from “war” or “hostile or warlike action” by a government or sovereign actor. With the heightened risk of state-linked cyberattacks, organizations should look closely at their policies to determine whether they have sufficient cyber cover — and where there is doubt, treat the gap as a live exposure.
Analyst Note
Week two confirms what week one suggested: this is not a hacktivist cycle that will burn itself out. The Stryker incident is the clearest proof point — a wiper-capable, MOIS-linked group hitting a globally critical medical technology company and framing it as direct retaliation for a specific kinetic strike. That is state-coordinated operational logic, not opportunistic hacktivism.
Three developments from week two demand board-level attention:
- Wiper deployment against global enterprise (Stryker) signals a shift from disruption to destruction as the Iranian retaliatory playbook
- AI-assisted kinetic targeting (Tehran camera network → Khamenei strike) marks the first publicly confirmed case of AI-fused intelligence directly enabling a high-value assassination
- IRGC cyber HQ destroyed kinetically — Israel has demonstrated it will use bombs, not just bytes, to degrade adversary cyber capability
The cyber campaign will outlast the kinetic phase. Organizations outside the region have no geographic buffer.
Defensive Guidance
Organizations with supply chain exposure, cloud dependencies, or operations linked to any of the implicated nations face measurable indirect risk. Key action items:
- Review Middle East supply chain exposure — identify third-party vendors, SaaS providers, and infrastructure with ME-region presence
- Increase monitoring cadence — elevate alerting thresholds for anomalous authentication, lateral movement, and data staging
- Enforce MFA universally — phishing via compromised government email accounts is active; credential theft is the primary initial access vector
- Test your IR plan — specifically for third-party infrastructure failure scenarios, as demonstrated by the AWS ME outage
- Treat OT/ICS claims seriously — even unverified claims indicate adversary reconnaissance; verify network segmentation and remote access controls
- Watch for AI-generated lures — conflict-themed phishing is surging; train SOC teams to flag and escalate region-specific social engineering
Analyst Note
The majority of observed activity falls into high-volume, low-confirmation disruption: DDoS, defacement, exaggerated breach claims, and AI-driven misinformation. However, three developments elevate the risk profile beyond a standard hacktivist cycle:
- Pre-positioned APT access (MuddyWater) confirms state actors completed intrusion groundwork before the kinetic phase began
- Physical destruction of cloud infrastructure crosses a threshold no prior conflict-adjacent cyber event has reached
- ICS/OT targeting claims, even if partially performative, indicate adversary interest and capability in operational disruption
TheCyberThrone will continue tracking this situation as it develops.