Executive Summary
Since the launch of Operation Epic Fury in late February 2026, the cyber dimension of the Middle East conflict has evolved from highly visible disruption into a more complex and sustained threat landscape. Early activity was characterized by DDoS attacks, defacements, and public breach claims. Over time, reporting shows a clear shift toward more targeted and persistent operations, including reconnaissance, credential compromise, exploitation of exposed services, and attempts to establish longer-term access within organizations.
Across the reporting cycle, cyber activity has increasingly blended disruption, espionage, influence operations, and opportunistic intrusion. While high-volume attacks continue to generate visibility, the more significant risk may lie in quieter, ongoing efforts to gain footholds in enterprise environments and critical systems. This progression suggests a move beyond short-term impact toward sustained pressure, intelligence gathering, and the potential for more coordinated or disruptive activity as the conflict continues to unfold.
Due to the ongoing conflict in the region, CyberProof Threat Research Teams continue to monitor the situation.
CTI Report Summary: March 3, 2026
Cyber activity following Operation Epic Fury has begun with a combination of high-visibility disruption and underlying state-linked access operations. DDoS attacks, limited website defacements, and coordinated influence messaging are actively targeting government and public-facing infrastructure to create immediate operational and psychological impact.
In parallel, Iranian state-linked actors are pursuing credential compromise, reconnaissance, and persistence within enterprise environments, indicating that visible disruption is unfolding alongside quieter efforts to establish long-term access.
The broader risk environment is shaped by instability in regional infrastructure, with disruptions to shared cloud services, such as the UAE availability zone outage, demonstrating how kinetic events can directly impact digital operations.
Key Actors
- IRGC – directs offensive cyber operations and influence activity
- MOIS – conducts espionage and intelligence collection campaigns
- APT42 (Charming Kitten) – carries out social engineering, credential harvesting, and targeted intrusion
- MuddyWater (Seedworm) – executes spear-phishing, staged payload delivery, and persistent access operations
- Pro-Iranian hacktivist and proxy groups – conduct DDoS attacks, defacements, and public breach claims
Key Methods
- DDoS attacks and defacements targeting public-facing infrastructure
- Spear-phishing and credential theft as primary intrusion vectors
- Account compromise and influence operations via messaging and social platforms
- Persistence and low-visibility command-and-control to maintain long-term access
- Exposure to shared cloud and regional infrastructure dependencies