Iran-Linked Hybrid Threats to Middle East Digital and Maritime Infrastructure
Escalation in the Iran-US-Israel conflict is disrupting regional digital and communications infrastructure through both direct threats and indirect operational impacts. Iran-linked activity has reportedly expanded from military retaliation rhetoric to threats against major U.S. technology companies' facilities in the Middle East, including sites associated with Microsoft, Amazon, Google, Oracle, IBM, and Nvidia, while earlier attacks were said to have caused outages at AWS datacenters in the UAE and Bahrain. In parallel, maritime traffic near the Strait of Hormuz has experienced anomalies consistent with GNSS spoofing and other electronic warfare techniques, with vessels reporting false positions and receiving radio warnings that could be used to shape shipping behavior without a formal blockade.
The same regional instability is also affecting subsea connectivity projects. Meta's 2Africa cable build has been delayed after Alcatel Submarine Networks declared force majeure and said it could no longer safely operate in the Persian Gulf, leaving the Pearls segment incomplete despite most cable having already been laid. Together, the reporting indicates a broader pattern in which conflict around Iran is creating cyber-physical risk across cloud infrastructure, maritime navigation, and undersea communications, increasing the likelihood of service disruption, delayed repairs, higher operating costs, and reduced confidence in critical regional infrastructure.
How this story unfolded
24 events from the earliest known activity through the most recent confirmed update.
Iran reportedly strikes AWS datacenters in UAE and Bahrain
Iran had previously conducted aerial attacks against AWS datacenters in the UAE and Bahrain, reportedly causing significant cloud service disruptions across the Middle East. The exact date is not specified in the references.
IRGC reportedly identifies U.S. tech facilities as retaliation targets
Iran's Islamic Revolutionary Guard Corps reportedly identified facilities linked to Google, Amazon, Oracle, IBM, and Nvidia in the Middle East as potential physical attack targets. The threats were framed as retaliation following joint U.S.-Israel missile strikes on Iran and alleged attacks on Iranian banking infrastructure.
Recent strikes reportedly degrade parts of Iran's cyber infrastructure
Recent strikes on Iran reportedly degraded parts of its cyber infrastructure and command hierarchy, according to the PolySwarm analysis. The report frames this as a precursor to a possible shift toward electronic warfare activity.
Iranian electronic warfare disrupts navigation near Strait of Hormuz
Widespread maritime navigation anomalies consistent with GNSS spoofing and related electronic warfare were observed in the Persian Gulf, Gulf of Oman, and Strait of Hormuz. Ships reportedly showed GPS drift, false inland positions, and duplicate AIS locations, with Iranian involvement assessed as the most plausible explanation.
Alcatel Submarine Networks declares force majeure on Africa2 Gulf segment
Alcatel Submarine Networks declared force majeure on Meta's Africa2 undersea cable project because it could no longer safely operate in the Persian Gulf. The unfinished Pearls section, meant to connect Gulf states, Pakistan, and India to Africa and Europe, was delayed as a result.
Meta says core Africa2 cable is complete but Pearls section remains unfinished
Meta said the core of the Africa2 undersea cable is complete, but the Pearls segment in the Persian Gulf remains unfinished, with much of the cable laid but not yet connected to landing stations. The company also highlighted broader geopolitical risks to digital infrastructure in the region.
Hormuz traffic shifts to controlled transit as Gulf of Oman becomes holding zone
A month into the conflict, commercial shipping through the Strait of Hormuz had shifted from near-collapse to a tightly controlled, permission-based transit system shaped by political alignment, cargo type, and vessel ownership. Large vessel backlogs formed in the Gulf of Oman amid persistent GPS/AIS interference, dark vessel activity, and deceptive shipping practices, driving broader rerouting of maritime trade and energy flows.
Iran formalizes crypto-enabled Strait of Hormuz transit toll system
Iran began accepting cryptocurrency in mid-March 2026 for Strait of Hormuz transit tolls administered by the IRGC, alongside yuan payments via Kunlun Bank and CIPS. The arrangement was formally codified under the Strait of Hormuz Management Plan approved on March 30–31, 2026, with supporting infrastructure including a digital currency conversion window on Qeshm Island.
Dubai denies IRGC claim of Oracle data center attack
UAE authorities said an IRGC claim that Oracle's data center in Dubai had been attacked was false, describing the report as fake news. The denial came amid broader regional escalation and concern over strikes on economic and industrial targets.
Strait of Hormuz traffic shifts to dual-corridor transit system
Maritime traffic through the Strait of Hormuz evolved into a dual-corridor system, with one route controlled by the IRGC near Larak Island and a newer southern corridor running along the Omani coastline. Between April 2 and April 5, the southern route expanded from limited use to coordinated multi-vessel transits, while access remained selective and politically managed.
IRGC reportedly strikes container ship Qingdao Star near Kish Island
On 2026-04-07, the Marshall Islands-flagged container ship Qingdao Star was reportedly struck south of Kish Island. The IRGC claimed it had targeted an alleged Israeli-linked vessel, highlighting continued risk to commercial shipping despite the newly announced two-week ceasefire.
U.S. forces begin mine clearance operations in Arabian Gulf
By 2026-04-12, U.S. forces had begun mine clearance operations in the Arabian Gulf as Strait of Hormuz traffic remained restricted during the ceasefire. The activity, coupled with signals of possible enforcement or interdiction after failed negotiations, raised the risk of direct state confrontation.
Reported U.S. blockade targets traffic to and from Iranian ports
On 2026-04-13, maritime intelligence reporting described a reported U.S. Central Command blockade on all traffic entering and exiting Iranian ports while mine clearance operations continued. The measure coincided with constrained but ongoing Strait of Hormuz crossings, U-turns near the enforcement deadline, and a buildup of hundreds of cargo and tanker vessels in the Gulf.
OFAC sanctions target Iranian oil shipping and shadow fleet network
By 2026-04-16, U.S. pressure expanded beyond maritime interdiction with new OFAC sanctions aimed at an Iranian oil shipping network and associated shadow fleet infrastructure. The move complemented the reported blockade of Iranian ports and increased pressure on Iran-linked maritime logistics.
Reported attack on SANMAR HERALD triggers renewed Hormuz reversals
On 2026-04-18, maritime security conditions around the Strait of Hormuz sharply worsened as Iranian closure signaling was accompanied by vessel attacks, including reported direct gunfire against the India-flagged VLCC SANMAR HERALD. Windward said 35 outbound vessels reversed course over 36 hours, indicating kinetic risk was materially shaping commercial shipping decisions.
Reported U.S. interdiction expands to Gulf of Oman near Chabahar
On 2026-04-19, maritime intelligence reporting said U.S. enforcement expanded beyond the Strait of Hormuz into the Gulf of Oman, including the first confirmed interdiction outside the immediate transit zone. The action reportedly involved the OFAC-sanctioned, Iran-linked container vessel TOUSKA near Chabahar, signaling a broader interception footprint.
IRGC reportedly attacks three outbound container vessels and seizes one
On 2026-04-22, IRGC forces reportedly attacked three outbound container vessels near the Strait of Hormuz and seized at least one of them. Windward described the incident as a major escalation in Iranian maritime interdiction, bringing the reported total number of vessels struck or fired upon since February 28 to 34.
Iranian crude exports drop sharply as Kharg loadings slow
By 2026-04-23, Iranian oil exports were reportedly under increased pressure, with weekly crude departures from Kharg Island falling well below normal wartime levels. Maritime intelligence also noted a growing cluster of AIS-dark tankers near Chabahar, indicating eastward repositioning and accumulation outside the Gulf under U.S. enforcement pressure.
U.S. launches Project Freedom to guide neutral shipping in Hormuz
On 2026-05-04, the United States began Project Freedom, an operation to guide 'neutral and innocent' commercial vessels through the Strait of Hormuz while continuing interdiction of Iran-linked shipping. The move marked a new phase in maritime security enforcement as dark fleet activity and sanctions-evasion behavior persisted around Iranian ports and transit corridors.
Mass GPS jamming and dark vessel buildup hit Fujairah-Hormuz corridor
On 2026-05-05, maritime visibility around Fujairah, the Strait of Hormuz, and the Gulf of Oman sharply deteriorated after Project Freedom, with roughly 470 vessels reportedly affected by GPS jamming near Fujairah within 24 hours. SAR imagery the same day identified 167 commercial-size vessels near Hormuz, including 146 operating dark and largely stationary, indicating a major escalation in navigational disruption and concealment activity.
Iran-linked tankers shift toward Lombok and Sunda routes
By 2026-05-07, maritime intelligence indicated Iran-linked tankers were increasingly using Indonesia’s Lombok and Sunda Straits instead of more visible Gulf routes. The shift was described as an effort to reduce detection and sanctions scrutiny as U.S. enforcement and monitoring pressure intensified around Hormuz and Iranian ports.
Qatar LNG cargo resumes Hormuz transit with AL KHARAITIYAT
By 2026-05-11, AL KHARAITIYAT reportedly became the first Qatar LNG cargo to transit the Strait of Hormuz since the February closure, signaling a limited restart of Qatari LNG movements. The passage was described as occurring under a Pakistan-mediated U.S.-Iran ceasefire framework.
IRGC-linked media proposes taxing and controlling Hormuz undersea cables
On 2026-05-11, IRGC-affiliated outlets Tasnim and Fars reportedly outlined measures to license foreign submarine cable operators, impose fees, require compliance with Iranian law, and place cable maintenance under Iranian firms' control in the Strait of Hormuz. Fars also raised the prospect of disrupting the cables, signaling a new pressure point against regional digital infrastructure.
Iran reportedly seizes sanctioned tanker JIN LI
By 2026-05-14, Windward reported that Iran had seized the sanctioned tanker JIN LI amid continued ceasefire-era maritime enforcement in and around the Strait of Hormuz. The incident was presented alongside continued U.S. disabling of additional Iran-linked tankers, underscoring ongoing reciprocal interdiction despite the ceasefire.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
25 references tracked. Mallory keeps watching after this page renders.
Five Weeks Into Ceasefire, Hormuz Stays Constrained
windward.ai
Open sourceDark Shipping and IRGC Activity Intensify Around Hormuz
windward.ai
Open sourceIRGC-linked media outlines plan to tax and control undersea internet cables in the Hormuz Strait - Iran's mouthpiece calls for a cut of $10 trillion of transactions that pulse through the cables daily | Tom's Hardware
tomshardware.com
Open sourceWarTalk: Iran War with Jack Shanahan - by Jordan Schneider
chinatalk.media
Open sourceOne Month Into the Ceasefire, Dark Shipping Dominates Hormuz
windward.ai
Open sourceHormuz Visibility Collapses as Maritime Tensions Escalate
windward.ai
Open sourceProject Freedom Begins as Dark Fleet Activity Persists
windward.ai
Open sourceHormuz Ceasefire Week Two Maritime Intelligence Update
windward.ai
Open sourceApril 23, 2026: Iran War Maritime Intelligence Daily
windward.ai
Open sourceApril 20, 2026: Iran War Maritime Intelligence Daily
windward.ai
Open sourceApril 19, 2026: Iran War Maritime Intelligence Daily
windward.ai
Open sourceBeneath the Strait: Iran Could Threaten Gulf Data Centers, Undersea Cables • Stimson Center
stimson.org
Open sourceApril 16, 2026: Iran War Maritime Intelligence Daily
windward.ai
Open sourceApril 13, 2026: Iran War Maritime Intelligence Daily
windward.ai
Open sourceApril 12, 2026: Iran War Maritime Intelligence Daily
windward.ai
Open sourceApril 8, 2026: Iran War Maritime Intelligence Daily
windward.ai
Open sourceIranian Crypto Tolls in Strait of Hormuz | TRM Blog
trmlabs.com
Open sourceApril 6, 2026: Iran War Maritime Intelligence Daily
windward.ai
Open sourceIran War Disrupts Maritime Trade: Week Five Analysis
windward.ai
Open sourceDay 35 of war: Dubai calls IRGC claim of Oracle data center attack fake | Khaleej Times
khaleejtimes.com
Open sourceA Month Into the Iran War: Maritime Trade Rewrites Itself
windward.ai
Open sourceBeyond oil: Internet bandwidth, global commerce at risk with Hormuz strait closure | Khaleej Times
khaleejtimes.com
Open sourceIran conflict delays Meta’s 2Africa undersea cable project - cable layer declares force majeure, says it can no longer safely operate in the Persian Gulf | Tom's Hardware
tomshardware.com
Open sourceElectronic Warfare Disruptions Near the Strait of Hormuz
blog.polyswarm.io
Open sourceMajor US tech firms reportedly set to be targeted with retaliatory Iranian strikes | brief | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Middle East Conflict Drives Cyber and Infrastructure Risk Warnings
Escalating conflict involving **Iran** has renewed attention on the cyber dimension of regional warfare, with warnings that attacks can extend beyond conventional military targets to government networks, critical infrastructure, transportation, and financial systems. One analysis highlights Iran’s long-standing investment in asymmetric cyber operations through state actors, proxies, and aligned hacktivists, citing activity during the 2025 conflict that included reconnaissance, phishing, defacements, data theft, data dumps, and malware delivery against perceived adversaries. A separate briefing describes alleged kinetic strikes on data centers supporting an AWS region in the Middle East, causing outages that affected consumer applications, payment services, banks, and enterprise SaaS providers in the UAE and Bahrain, while exposing how data sovereignty requirements can block rapid workload migration during a crisis. By contrast, commentary on a U.S. executive order targeting cyber-enabled fraud and transnational criminal organizations addresses organized cybercrime policy rather than the Iran-related conflict and should be treated as a different topic.
Apr 16, 2026
Cyber and electronic-warfare activity escalates amid US–Israeli strikes on Iran
Regional conflict following **U.S.–Israeli strikes on Iran** has been accompanied by heightened cyber and electronic-warfare activity affecting both military operations and civilian infrastructure. U.S. officials publicly acknowledged that **U.S. Cyber Command**, alongside space capabilities, conducted “non-kinetic” operations to **disrupt Iranian communications and sensor networks** in support of *Operation Epic Fury*, describing effects intended to degrade Iran’s ability to coordinate and respond; reporting also noted follow-on hack-and-leak style activity against Iranian-facing online properties (e.g., news sites and an app) and warned of potential retaliatory cyber activity by Iranian-aligned actors. In parallel, maritime intelligence reporting described a sharp increase in **GPS/AIS disruption (jamming/spoofing)** impacting shipping around the Strait of Hormuz, with vessels appearing in false locations and maritime authorities warning of elevated risk to navigation and safety. Iran’s domestic crypto ecosystem also showed signs of stress consistent with conflict conditions and connectivity constraints: observers reported **internet outages**, exchanges moving into risk-containment modes (e.g., batching/suspending withdrawals), and temporary restrictions on the **USDT–toman** trading pair under central bank direction—collectively reducing liquidity and market activity rather than clearly indicating capital flight. Separate reporting on Pakistan’s TV broadcast hijacks and a DDoS incident affecting Russian government sites appear unrelated to the Iran conflict-driven activity described above.
Apr 29, 2026
Iran-Linked Cyber Activity Escalates Amid Middle East Conflict
Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected **IP cameras** across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligning to geopolitical events; activity was traced to infrastructure linked to Iran-nexus actors using commercial VPN exit nodes (e.g., *Mullvad*, *ProtonVPN*, *Surfshark*, *NordVPN*) and VPS infrastructure to mask origin, and the most targeted vendors were **Hikvision** and **Dahua**. Separately, Symantec reported **Seedworm** (*MuddyWater/Temp Zagros/Static Kitten*) activity on multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, airport, non-profit, and the Israeli operations of a U.S. software supplier to defense/aerospace; Symantec identified a previously unknown backdoor dubbed **Dindoor** (leveraging the *Deno* runtime) and a Python backdoor **Fakeset**, with malware signed using certificates issued to “**Amy Cherne**” (and in some cases “**Donald Gay**”), and noted attempted data exfiltration using **Rclone** to a *Wasabi* cloud storage bucket. Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags **pro-Iranian/pro-Islamist hacktivist** attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt. A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including *Unitronics* PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked **APT28** phishing/malware campaign in Ukraine and a China-nexus **UAT-9244** telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.
Mar 21, 2026