Operation Epic Fury CTI Update 5: March 13, 2026

Executive Summary

Since the launch of Operation Epic Fury in late February 2026, the cyber dimension of the Middle East conflict has evolved from highly visible disruption into a more complex and sustained threat landscape. Early activity was characterized by DDoS attacks, defacements, and public breach claims. Over time, reporting shows a clear shift toward more targeted and persistent operations, including reconnaissance, credential compromise, exploitation of exposed services, and attempts to establish longer-term access within organizations. 

Across the reporting cycle, cyber activity has increasingly blended disruption, espionage, influence operations, and opportunistic intrusion. While high-volume attacks continue to generate visibility, the more significant risk may lie in quieter, ongoing efforts to gain footholds in enterprise environments and critical systems. This progression suggests a move beyond short-term impact toward sustained pressure, intelligence gathering, and the potential for more coordinated or disruptive activity as the conflict continues to unfold. 

Due to the ongoing conflict in the region, CyberProof Threat Research Teams continue to monitor the situation.

CTI Update 5: March 13, 2026

Current activity reflects a continued mix of high-visibility disruption and more targeted intrusion, with hacktivist coordination and influence operations accelerating significantly. Iranian-aligned groups are actively using social media and messaging platforms to coordinate campaigns, publish threat messaging, claim responsibility, and mobilize participants, creating a constant stream of both verified and unverified activity.  

At the same time, groups such as Handala are amplifying pressure through data leaks, doxing, and claims of wiper-style attacks, combining technical activity with psychological and reputational impact. In parallel, multiple Iranian-associated threat clusters (including TA402, TA473, TA453 and others) are linked to phishing, credential harvesting, and broader influence operations, reinforcing the connection between disruption, intrusion, and messaging. 

Alongside this, hacktivist-led DDoS campaigns are expanding in both scale and geography, targeting government and infrastructure entities across the Gulf and Europe. Activity includes coordinated attacks against UAE government platforms and the extension of disruption into European targets, as well as sustained campaigns against public-sector and infrastructure entities supported by publicly shared proof-of-impact. DDoS and defacement activity continues at scale, while access-oriented intrusion activity persists in parallel, including exploitation of exposed services, credential harvesting, and post-compromise behaviour such as lateral movement and data access.

Visit the Cyber Threat Intelligence on Middle East Escalations Resource Hub for new developments.