On February 28, 2026, the United States and Israel launched a joint military campaign against Iran, targeting military command, nuclear infrastructure, and senior leadership. Iran's Supreme Leader Khamenei was killed within hours. In the weeks since, strikes and counter-strikes have spread across nine countries. Multiple GCC states have sustained missile and drone attacks. The Strait of Hormuz has been restricted, driving oil prices past $100 a barrel. And running in parallel with every kinetic strike has been a cyber campaign that security researchers are describing as the most complex hybrid warfare threat environment in modern history. This is no longer a conflict you can watch from the sidelines. The digital blast radius is wider than the physical one.
Three AWS data centers in the UAE were hit by drone strikes, knocking out cloud infrastructure across the Middle East. Over 150 hacktivist incidents were recorded in the first 72 hours. Iran's internet connectivity collapsed to between one and four percent of normal levels as its communications infrastructure was targeted simultaneously with the opening military strikes. A US medical technology company had its global Microsoft environment disrupted mid-conflict. If your organization operates in the Gulf, processes data tied to entities in the affected region, or runs workloads on shared cloud platforms in the Middle East, the threat perimeter already includes you.
⚠ Practitioner Note
This article is written in real time. The threat environment described here is active and evolving. The assessments that follow are grounded in 14 years of advising organizations across the US, Europe, and the GCC through periods of elevated geopolitical risk.
Context
How We Got Here: The Cyber Dimension of an Armed Conflict
What distinguishes this conflict from previous regional escalations is the degree to which cyber operations and kinetic strikes are being executed simultaneously rather than sequentially. Reporting from multiple independent sources confirms that cyber operations were launched in parallel with the opening military strikes on February 28, designed to disrupt communications infrastructure at the moment physical strikes were landing. This was not improvised. It reflects a doctrine that multiple nation-states have been developing for years: use cyber operations to blind, isolate, and disorient an opponent in the same window that kinetic strikes are executed.
That doctrine now has a public, documented proof point. Its implications extend far beyond this conflict. Every government with advanced capabilities observed what worked here and is updating its own playbook accordingly.
On Claimed Versus Verified Attacks
All parties in this conflict have an interest in shaping how their cyber operations are perceived. Exaggerating impact is common practice on all sides. Hacktivist groups in particular frequently claim attacks that cannot be independently verified. Google Threat Intelligence has noted this specifically about Iranian-aligned groups, but it applies equally to pro-Israeli and pro-US hacktivist activity. The practitioner standard is to treat unverified claims skeptically while preparing for the realistic subset of attacks that are genuine.
150+: hacktivist incidents in the first 72 hours (CloudSEK)
1–4%: Iran's internet connectivity after the infrastructure cyberattack
3: AWS data centers in the UAE struck by drones, causing regional outages
Cyber Operations
What Has Actually Happened: Offensive Cyber on Both Sides
The cyber dimension of this conflict is not one-sided and security professionals should understand the full picture.
On the opening day of kinetic strikes, coordinated US/Israeli offensive cyber operations targeted Iran's national infrastructure simultaneously with the military campaign. Iran's internet connectivity collapsed to near-zero. Government websites went dark, state news agency IRNA was taken offline, and IRGC-linked media outlet Tasnim was reportedly hacked and used to display anti-government messaging. Iranian traffic camera infrastructure was accessed and used to generate intelligence for targeting decisions. Security sources described the combined operation as the largest cyberattack in history. These were not opportunistic intrusions. They were precision cyber operations executed in lockstep with military strikes, representing the most publicly documented example to date of cyber and kinetic warfare running as a unified campaign.
In response, Iran-aligned groups launched a sustained and widening counter-campaign targeting commercial and civilian infrastructure across multiple countries. A cyberattack attributed to Iran-aligned actors disrupted global operations at Stryker, a major US medical technology company, causing what the company described as a network-wide disruption to its Microsoft environment. Handala Hack claimed compromise of an Israeli energy exploration company and Jordan's fuel systems. Pro-Iranian and pro-Russian hacktivist groups jointly targeted Israeli defense contractor Elbit Systems, Israeli water management infrastructure, and Kuwaiti government websites. Over 150 distinct incidents were recorded in the first three days across government, financial, aviation, and critical infrastructure sectors.
Both sides are also running active intelligence operations using the same commercial platforms your organization uses every day. APT42, Iran's most sophisticated espionage group, ran the RedKitten campaign as recently as January 2026, targeting human rights NGOs with malware delivered through macro-laced documents and using GitHub, Google Drive, and Telegram for command-and-control. Western intelligence agencies have in turn been documented conducting long-running access operations against Iranian government and military networks, the infrastructure for which predates this conflict by years. The intelligence preparation of the battlefield runs in both directions.
Threat Actors
Iran-Linked Groups Actively Targeting Organizations
The Iranian cyber threat ecosystem comprises distinct tiers. Understanding which tier is relevant to your organization changes how you prioritize your response.
01. APT42 — IRGC Intelligence Organization
Iran's most sophisticated long-dwell espionage actor. Targets NGOs, media organizations, academic institutions, government entities, and political campaigns across the US, Europe, and the Middle East. The RedKitten campaign in January 2026 used macro-laced documents disguised as protest records, with malware operating through GitHub, Google Drive, and Telegram for command-and-control. If your organization works in policy, advocacy, media, or academic research with any connection to the region, treat APT42 as a present threat.
Espionage · Spear Phishing · Long-dwell intrusion
02. Handala Hack — MOIS-Linked Hacktivist Persona
The most active Iranian hacktivist persona in the current conflict. Linked to Iran's Ministry of Intelligence and Security. Handala combines data exfiltration with psychological operations, compromising targets and publishing stolen data to maximize reputational impact. Active claims in this conflict cycle include an Israeli energy exploration company, Jordan's fuel systems, and Israeli healthcare infrastructure. GCC energy and healthcare organizations are in their documented target set.
Hack-and-leak · Data exfiltration · Psychological operations
03. Electronic Operations Room
Formed on February 28, 2026, the same day military strikes began. Functions as a coordination layer for multiple Iranian cyber proxy groups, indicating that what may appear to be scattered hacktivist activity is being directed. Its simultaneous formation with the kinetic campaign signals an intent to sustain coordinated cyber operations for the duration of the conflict.
Command coordination · Multi-group orchestration
04. APT Iran + NoName057(16) — Aligned Proxies
APT Iran is a hacktivist collective linked to hack-and-leak operations against regional infrastructure. Pro-Russian group NoName057(16) joined Iranian actors on March 2, co-targeting Israeli defense contractors including Elbit Systems, water management systems, and municipal organizations. The operational coordination between Russian and Iranian hacktivist groups during an active kinetic conflict is a development that Western and GCC security agencies are monitoring closely.
DDoS · ICS/OT targeting · Cross-group coordination
AI in Warfare
The AI Targeting Precedent and What It Means for Your Infrastructure
This conflict has produced the most extensively documented public evidence to date of AI-assisted targeting in real-world kinetic military operations. According to reporting from Haaretz and NPR, advanced data fusion techniques, which the Haaretz correspondent quoted below characterizes as what a layperson would call AI, were used to process feeds from civilian surveillance infrastructure, specifically Tehran's traffic camera network, to enable precise targeting. The ethical and legal dimensions of that belong to a different conversation. The operational implication for security professionals is concrete: civilian infrastructure connected to IP networks is now a documented component of military intelligence pipelines. Traffic cameras, building sensors, and smart city systems are not hypothetical intelligence sources. They have been used as such in this conflict, and any IP-reachable sensor estate you operate should be assumed to be of interest to more than one party.
AI is also documented in the offensive cyber operations of this conflict. Generative AI tools have accelerated hacktivist propaganda production, enabled more personalized phishing at scale, and automated website defacement campaigns. The volume of incidents recorded in the first 72 hours would not have been operationally feasible without automation. The AI risk runs in multiple directions simultaneously.
"Israel used, or very likely used, very cutting-edge kind of data processing or big data fusion techniques that from a kind of layman or citizen perspective you would call AI."
— Omer Benjakob, cybersecurity correspondent, Haaretz, NPR interview March 2026
GCC Exposure
The Gulf: Physical and Digital Attack Surfaces Have Merged
Organizations operating in the Gulf are in a threat environment categorically different from 30 days ago. Multiple GCC states have sustained missile and drone attacks. Airports closed. Three AWS data centers in the UAE were hit by drone strikes, causing fire, structural damage, and cloud infrastructure outages across the region. The physical and digital attack surfaces are no longer separate risk domains here. A drone strike on a UAE data center is simultaneously a kinetic attack and a service disruption for every organization whose workloads were running in that facility.
The AWS incident deserves to be understood in full. These were not edge servers in a secondary location. AWS UAE hosts production workloads for banks, government entities, healthcare systems, and enterprises across the GCC. When those data centers went offline, organizations lost access to live systems with no warning and no graceful failover. For many, business continuity plans that had never been tested against physical infrastructure destruction failed in real time. The incident is the clearest proof yet that cloud availability in a conflict-adjacent region cannot be treated as a given, and that disaster recovery architecture needs to account for scenarios that go well beyond software failures or cyberattacks alone.
GCC organizations also face regulatory exposure that other regions do not. The UAE PDPL, Saudi PDPL, and Qatar PDPPL each carry breach notification obligations triggered by a personal data breach regardless of whether the cause was a cyberattack, physical destruction of infrastructure, or both simultaneously; check each law's breach definition, because loss or destruction of data, not only its exposure, can qualify. The AWS UAE incident was not a hypothetical stress test. It happened, and the organizations whose business continuity planning did not account for regional cloud unavailability discovered that gap the hard way.
⚠ GCC Cloud Architecture — Check This Now
Verify whether your disaster recovery configuration spans to a cloud region outside the GCC. If your primary and backup infrastructure both sit in UAE or Saudi regions, the AWS UAE incident is a proof of concept for how that architecture fails under current conflict conditions. Before you replicate outside the region, reconcile that with any data residency obligations on the data in scope, and confirm the failover has actually been exercised rather than only configured.
US Organizations
The CISA Gap: A Reduced Safety Net at the Wrong Moment
CISA is operating at reduced capacity. Its acting director was reassigned to a new division within DHS and the agency is running under a partial shutdown. Before the current conflict began, the House Appropriations Committee had already flagged that CISA's personnel were stretched thin and that a shutdown would directly impair its ability to protect critical infrastructure. US organizations in healthcare, energy, financial services, and water utilities that rely on CISA for threat intelligence sharing and real-time advisories during elevated threat periods need to account for the fact that the normal federal backstop is not fully operational. Private sector threat intelligence feeds and commercial SOC providers carry more of that weight right now than they typically would.
$100+: Brent crude per barrel following Strait of Hormuz restrictions. Energy sector organizations face compounded operational and cyber risk simultaneously.
Regulatory Implications
Does This Conflict Trigger Your Notification Obligations?
Most organizations have not asked this question yet. A cyberattack does not become non-reportable because it was carried out by a state actor during an armed conflict. Notification obligations are triggered by what happened to your data and systems, not by who caused it. Under HIPAA, a breach of unsecured protected health information requires notification regardless of who caused it. Under the SEC cyber disclosure rule, a material incident requires Form 8-K (Item 1.05) disclosure within four business days of determining materiality. Under GDPR, a personal data breach requires supervisory authority notification within 72 hours of becoming aware of it; the GCC data protection laws each set their own deadlines, which are not uniform, so the notification decision tree needs a timer per jurisdiction rather than a single 72-hour assumption.
Most incident response plans were not written with active armed conflict scenarios in mind. Attribution is uncertain. The scope of a cascading wiper attack through a vendor ecosystem may take days to establish. Legal counsel needs to be in the room for materiality determinations. If your IR plan has no protocol for geopolitical events, that is the gap to close before something happens rather than after.
What To Do Now
30-Day Response Priorities
Immediate (24 to 48 hours): Threat Intelligence and Attack Surface Review
Subscribe to Unit 42, Google Threat Intelligence, and CloudSEK feeds covering the active campaign. Pull every internet-facing asset, VPN gateway, exposed API, and cloud management console in your environment. Iran-linked actors have consistently focused on exposed edge infrastructure. Brief your SOC on the geopolitical context now so they are correlating threat intelligence against the right actor profiles.
Days 3 to 7: Patch Internet-Facing Systems and Enforce MFA
Iran-linked APTs have consistently targeted known vulnerabilities in VPN appliances, email gateways, and web-facing infrastructure. Prioritize CVEs from the last 90 days on internet-facing systems, but do not stop there: these actors have exploited years-old edge-appliance vulnerabilities with public exploit code long after patches shipped, so anything unpatched on your edge is in scope regardless of CVE age. Enforce MFA on all remote access and privileged accounts. Service accounts and API keys usually cannot complete an interactive MFA challenge, so for those the equivalent controls are short-lived credentials or enforced rotation, source restrictions (IP allow-lists or conditional access), and least-privilege scoping. APT42 spear phishing campaigns are credential-harvesting operations where one compromised executive account is sufficient.
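The MFA and service-credential step above is easy to declare and hard to verify. The following is an added example, not code from the article or from AWS, that audits an IAM credential report for the two gaps that matter here: console users without MFA (including root) and active access keys, which cannot use MFA, that have not been rotated within a policy window. The column names follow the real report format returned by `aws iam get-credential-report`; the rows are constructed sample data that keep only the columns this check reads, and the 90-day rotation window and the fixed "as of" date are assumptions.

```python
"""Audit an AWS IAM credential report for MFA and long-lived key gaps.

Added example, not code from the article. Column names follow the real
credential report (aws iam get-credential-report); the sample rows are
constructed, and only the columns this check reads are included.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumption: your rotation policy may use a different window.
KEY_MAX_AGE = timedelta(days=90)
# Assumption: fixed reference date so the sample result is reproducible.
AS_OF = datetime(2026, 3, 12, tzinfo=timezone.utc)

# Constructed sample (not real accounts). A real report has more columns;
# DictReader keys by header name, so extra columns are ignored.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false,N/A,false,N/A
cfo,arn:aws:iam::111122223333:user/cfo,true,false,false,N/A,false,N/A
secops-lead,arn:aws:iam::111122223333:user/secops-lead,true,true,false,N/A,false,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,false,false,true,2025-10-01T08:00:00+00:00,false,N/A
svc-ci,arn:aws:iam::111122223333:user/svc-ci,false,false,true,2026-02-20T08:00:00+00:00,true,2025-06-15T08:00:00+00:00
"""


def _age(stamp, now):
    """Age of an ISO-8601 timestamp from the report relative to `now`."""
    return now - datetime.fromisoformat(stamp)


def audit(report_csv, now):
    """Return (user, finding) tuples in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root has no password_enabled flag in the report; MFA is the check.
            if row["mfa_active"] != "true":
                findings.append((user, "ROOT_NO_MFA"))
            continue
        # Console-capable user with no MFA device: spear-phished creds suffice.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "CONSOLE_NO_MFA"))
        # Access keys are service credentials: MFA cannot apply, so rotation
        # age is the compensating control to check.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                if _age(row[f"access_key_{n}_last_rotated"], now) > KEY_MAX_AGE:
                    findings.append((user, f"STALE_KEY_{n}"))
    return findings


def audit_sample():
    return audit(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{finding:15} {user}")
```

To run this against a real account, fetch the report with `aws iam get-credential-report --query Content --output text | base64 -d` and pass the decoded text to `audit()` with `datetime.now(timezone.utc)`. The report does not carry group or policy membership, so "privileged" still has to be joined from `aws iam list-attached-user-policies` or your IdP; and for federated identities the same question belongs to the identity provider's conditional access policies, not IAM.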
Days 7 to 14: Vendor and Cloud Dependency Review
Map vendors with physical or digital infrastructure in the GCC. For each, confirm DR configuration spans outside the affected region, review contractual notification rights for outages caused by physical infrastructure attack, and assess whether SLA language covers force majeure in a conflict context. This is a TPRM issue as much as a security issue, and most vendor risk programs were not built with this scenario in scope.
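Both the GCC cloud architecture check earlier on this page and the vendor dependency step above reduce to the same question: for each workload, is the DR site in a different region, and is that region outside the GCC? The following is an added example, not code from the article or from any cloud provider's tooling, that answers it over a workload inventory. The `GCC_REGIONS` set is an assumption listing region identifiers this example treats as GCC-located; verify it against each provider's current region list and extend it as new regions launch. The inventory is constructed sample data in the shape of a simple JSON export you might build from your CMDB or from vendor questionnaire answers.

```python
"""Classify workloads by whether their DR site sits outside the GCC.

Added example, not code from the article or any vendor tool. GCC_REGIONS is
an assumption to verify against provider region lists; the inventory is
constructed sample data.
"""
import json
from collections import Counter

# Assumption: region identifiers believed to be GCC-located. Extend as new
# regions launch (for example a Saudi AWS region) and verify before relying on it.
GCC_REGIONS = {
    "me-central-1", "me-south-1",              # AWS: UAE, Bahrain
    "uaenorth", "uaecentral", "qatarcentral",  # Azure
    "me-central1", "me-central2",              # GCP: Doha, Dammam
}

# Constructed sample inventory (not real workloads). One record per workload,
# whether it is yours or a vendor's: primary region and DR region (None if none).
SAMPLE_INVENTORY = json.dumps([
    {"workload": "core-banking-api",  "primary": "me-central-1", "dr": "me-south-1"},
    {"workload": "claims-portal",     "primary": "uaenorth",     "dr": "uaecentral"},
    {"workload": "payroll",           "primary": "me-central-1", "dr": None},
    {"workload": "trading-analytics", "primary": "me-central-1", "dr": "eu-west-1"},
    {"workload": "intranet",          "primary": "me-central-1", "dr": "me-central-1"},
])


def in_gcc(region):
    return region is not None and region.lower() in GCC_REGIONS


def assess(workload):
    """Return a finding code for one workload record."""
    primary, dr = workload["primary"], workload.get("dr")
    if not dr:
        return "NO_DR"          # nothing to fail over to
    if dr.lower() == primary.lower():
        return "SAME_REGION"    # multi-AZ at best; one regional event takes both
    if in_gcc(primary) and in_gcc(dr):
        return "DR_INSIDE_GCC"  # geographically separate, same threat zone
    return "OK"                 # DR outside the GCC; residency still to be checked


def review(inventory_json):
    """Map workload name to finding code for a JSON inventory string."""
    return {w["workload"]: assess(w) for w in json.loads(inventory_json)}


def review_sample():
    return review(SAMPLE_INVENTORY)


if __name__ == "__main__":
    findings = review_sample()
    for name, code in sorted(findings.items(), key=lambda kv: kv[1]):
        print(f"{code:15} {name}")
    print(dict(Counter(findings.values())))
```

"OK" here means only geographic separation from the GCC threat zone. It says nothing about whether the failover has been exercised, whether the data in scope may lawfully be replicated outside its home jurisdiction, or whether a vendor's stated DR region is true; those remain items for the DR test and the contractual review.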
Days 14 to 21: Incident Response Plan Update
Review your IR plan for three specific gaps: a protocol for state-actor attribution uncertainty, a regulatory notification decision tree for conflict-zone incidents, and escalation paths that include legal counsel for materiality determinations. Run a tabletop with the scenario of a wiper attack propagating through your Microsoft environment; Stryker's network-wide disruption of its Microsoft environment is the live reference case for what that looks like from the inside.
Days 21 to 30: Board Briefing
Brief your board on the elevated threat environment. Frame it as an assessment of changed external conditions and the specific steps taken in response, not as a budget request. If an incident occurs and the board had not been informed of the elevated risk context, that becomes a governance failure in addition to a security failure.
✦ ✦ ✦
Closing Assessment
What This Conflict Has Already Established
Twelve days in, the debate about whether this conflict has cyber implications for your organization is over. AI-enabled data fusion was reportedly used to support a lethal kinetic strike, per Haaretz and NPR reporting with direct sourcing. Cloud infrastructure serving the GCC's banking, government, and healthcare sectors went offline after drone strikes on a data center. A US medical technology company had its global Microsoft environment disrupted mid-conflict. Over 150 cyber incidents were recorded in three days. And the agency responsible for protecting US critical infrastructure is running at reduced capacity during the peak of the threat window.
What this conflict has proven, conclusively, is that the boundary between a military target and a commercial one has collapsed. Geography is no longer sufficient insulation. Cloud region, vendor location, and network adjacency now determine exposure as much as physical proximity does. The organizations that weather this well will be the ones that treated these risks as operational problems requiring operational responses. The ones that treated it as a news story will find out the difference soon enough.
Mohamed Eltahir
AIGP · CISSP · CISA · Founder, AI Risk CISO
Mohamed Eltahir is a certified AI Governance and Cybersecurity Risk Executive with 14+ years of experience advising clients across the United States, Europe, and the Middle East. He has built enterprise TPRM programs for private equity firms managing hundreds of portfolio companies, compliance architectures for Big 4 advisory practices, and AI governance frameworks for regulated organizations navigating the EU AI Act, NIST AI RMF, and GCC data protection requirements. He holds the AIGP — placing him among fewer than 2% of security professionals globally qualified to lead AI governance programs. He is the founder of AI Risk CISO.