Iran-Linked Hybrid Threats to Middle East Digital and Maritime Infrastructure

Tags: critical-infrastructure-threat, state-sponsored-disruption, operational-disruption, telecommunications-sector-threat, cloud-service-vulnerability
Updated April 23, 2026 at 08:01 PM | 18 sources
Escalation in the Iran-US-Israel conflict is disrupting regional digital and communications infrastructure through both direct threats and indirect operational impacts. Iran-linked activity has reportedly expanded from military retaliation rhetoric to threats against major U.S. technology companies' facilities in the Middle East, including sites associated with Microsoft, Amazon, Google, Oracle, IBM, and Nvidia, while earlier attacks were said to have caused outages at AWS datacenters in the UAE and Bahrain. In parallel, maritime traffic near the Strait of Hormuz has experienced anomalies consistent with GNSS spoofing and other electronic warfare techniques, with vessels reporting false positions and receiving radio warnings that could be used to shape shipping behavior without a formal blockade.

The same regional instability is also affecting subsea connectivity projects. Meta's 2Africa cable build has been delayed after Alcatel Submarine Networks declared force majeure and said it could no longer safely operate in the Persian Gulf, leaving the Pearls segment incomplete despite most cable having already been laid. Together, the reporting indicates a broader pattern in which conflict around Iran is creating cyber-physical risk across cloud infrastructure, maritime navigation, and undersea communications, increasing the likelihood of service disruption, delayed repairs, higher operating costs, and reduced confidence in critical regional infrastructure.

Timeline

  1. Apr 23, 2026

    Iranian crude exports drop sharply as Kharg loadings slow

    By 2026-04-23, Iranian oil exports were reportedly under increased pressure, with weekly crude departures from Kharg Island falling well below normal wartime levels. Maritime intelligence also noted a growing cluster of AIS-dark tankers near Chabahar, indicating eastward repositioning and accumulation outside the Gulf under U.S. enforcement pressure.

  2. Apr 22, 2026

    IRGC reportedly attacks three outbound container vessels and seizes one

    On 2026-04-22, IRGC forces reportedly attacked three outbound container vessels near the Strait of Hormuz and seized at least one of them. Windward described the incident as a major escalation in Iranian maritime interdiction, bringing the reported total number of vessels struck or fired upon since February 28 to 34.

  3. Apr 19, 2026

    Reported U.S. interdiction expands to Gulf of Oman near Chabahar

    On 2026-04-19, maritime intelligence reporting said U.S. enforcement expanded beyond the Strait of Hormuz into the Gulf of Oman, including the first confirmed interdiction outside the immediate transit zone. The action reportedly involved the OFAC-sanctioned, Iran-linked container vessel TOUSKA near Chabahar, signaling a broader interception footprint.

  4. Apr 18, 2026

    Reported attack on SANMAR HERALD triggers renewed Hormuz reversals

    On 2026-04-18, maritime security conditions around the Strait of Hormuz sharply worsened as Iranian closure signaling was accompanied by vessel attacks, including reported direct gunfire against the India-flagged VLCC SANMAR HERALD. Windward said 35 outbound vessels reversed course over 36 hours, indicating kinetic risk was materially shaping commercial shipping decisions.

  5. Apr 16, 2026

    OFAC sanctions target Iranian oil shipping and shadow fleet network

    By 2026-04-16, U.S. pressure expanded beyond maritime interdiction with new OFAC sanctions aimed at an Iranian oil shipping network and associated shadow fleet infrastructure. The move complemented the reported blockade of Iranian ports and increased pressure on Iran-linked maritime logistics.

  6. Apr 13, 2026

    Reported U.S. blockade targets traffic to and from Iranian ports

    On 2026-04-13, maritime intelligence reporting described a reported U.S. Central Command blockade on all traffic entering and exiting Iranian ports while mine clearance operations continued. The measure coincided with constrained but ongoing Strait of Hormuz crossings, U-turns near the enforcement deadline, and a buildup of hundreds of cargo and tanker vessels in the Gulf.

  7. Apr 12, 2026

    U.S. forces begin mine clearance operations in Arabian Gulf

    By 2026-04-12, U.S. forces had begun mine clearance operations in the Arabian Gulf as Strait of Hormuz traffic remained restricted during the ceasefire. The activity, coupled with signals of possible enforcement or interdiction after failed negotiations, raised the risk of direct state confrontation.

  8. Apr 7, 2026

    IRGC reportedly strikes container ship Qingdao Star near Kish Island

    On 2026-04-07, the Marshall Islands-flagged container ship Qingdao Star was reportedly struck south of Kish Island. The IRGC claimed it had targeted an alleged Israeli-linked vessel, highlighting continued risk to commercial shipping despite the newly announced two-week ceasefire.

  9. Apr 5, 2026

    Strait of Hormuz traffic shifts to dual-corridor transit system

    Maritime traffic through the Strait of Hormuz evolved into a dual-corridor system, with one route controlled by the IRGC near Larak Island and a newer southern corridor running along the Omani coastline. Between April 2 and April 5, the southern route expanded from limited use to coordinated multi-vessel transits, while access remained selective and politically managed.

  10. Apr 3, 2026

    Dubai denies IRGC claim of Oracle data center attack

    UAE authorities said an IRGC claim that Oracle's data center in Dubai had been attacked was false, describing the report as fake news. The denial came amid broader regional escalation and concern over strikes on economic and industrial targets.

  11. Mar 31, 2026

    Iran formalizes crypto-enabled Strait of Hormuz transit toll system

    Iran began accepting cryptocurrency in mid-March 2026 for Strait of Hormuz transit tolls administered by the IRGC, alongside yuan payments via Kunlun Bank and CIPS. The arrangement was formally codified under the Strait of Hormuz Management Plan approved on March 30–31, 2026, with supporting infrastructure including a digital currency conversion window on Qeshm Island.

  12. Mar 31, 2026

    Hormuz traffic shifts to controlled transit as Gulf of Oman becomes holding zone

    A month into the conflict, commercial shipping through the Strait of Hormuz had shifted from near-collapse to a tightly controlled, permission-based transit system shaped by political alignment, cargo type, and vessel ownership. Large vessel backlogs formed in the Gulf of Oman amid persistent GPS/AIS interference, dark vessel activity, and deceptive shipping practices, driving broader rerouting of maritime trade and energy flows.

  13. Mar 13, 2026

    Meta says core 2Africa cable is complete but Pearls section remains unfinished

    Meta said the core of the 2Africa undersea cable is complete, but the Pearls segment in the Persian Gulf remains unfinished, with much of the cable laid but not yet connected to landing stations. The company also highlighted broader geopolitical risks to digital infrastructure in the region.

  14. Mar 13, 2026

    Alcatel Submarine Networks declares force majeure on 2Africa Gulf segment

    Alcatel Submarine Networks declared force majeure on Meta's 2Africa undersea cable project because it could no longer safely operate in the Persian Gulf. The unfinished Pearls section, meant to connect Gulf states, Pakistan, and India to Africa and Europe, was delayed as a result.

  15. Mar 13, 2026

    Iranian electronic warfare disrupts navigation near Strait of Hormuz

    Widespread maritime navigation anomalies consistent with GNSS spoofing and related electronic warfare were observed in the Persian Gulf, Gulf of Oman, and Strait of Hormuz. Ships reportedly showed GPS drift, false inland positions, and duplicate AIS locations, with Iranian involvement assessed as the most plausible explanation.

  16. Mar 13, 2026

    Recent strikes reportedly degrade parts of Iran's cyber infrastructure

    Recent strikes on Iran reportedly degraded parts of its cyber infrastructure and command hierarchy, according to the PolySwarm analysis. The report frames this as a precursor to a possible shift toward electronic warfare activity.

  17. Mar 12, 2026

    IRGC reportedly identifies U.S. tech facilities as retaliation targets

    Iran's Islamic Revolutionary Guard Corps reportedly identified facilities linked to Google, Amazon, Oracle, IBM, and Nvidia in the Middle East as potential physical attack targets. The threats were framed as retaliation following joint U.S.-Israel missile strikes on Iran and alleged attacks on Iranian banking infrastructure.

  18. Mar 12, 2026

    Iran reportedly strikes AWS datacenters in UAE and Bahrain

    Iran had previously conducted aerial attacks against AWS datacenters in the UAE and Bahrain, reportedly causing significant cloud service disruptions across the Middle East. The exact date is not specified in the references.

Related Stories

Middle East Conflict Drives Cyber and Infrastructure Risk Warnings

Escalating conflict involving **Iran** has renewed attention on the cyber dimension of regional warfare, with warnings that attacks can extend beyond conventional military targets to government networks, critical infrastructure, transportation, and financial systems. One analysis highlights Iran’s long-standing investment in asymmetric cyber operations through state actors, proxies, and aligned hacktivists, citing activity during the 2025 conflict that included reconnaissance, phishing, defacements, data theft, data dumps, and malware delivery against perceived adversaries. A separate briefing describes alleged kinetic strikes on data centers supporting an AWS region in the Middle East, causing outages that affected consumer applications, payment services, banks, and enterprise SaaS providers in the UAE and Bahrain, while exposing how data sovereignty requirements can block rapid workload migration during a crisis. By contrast, commentary on a U.S. executive order targeting cyber-enabled fraud and transnational criminal organizations addresses organized cybercrime policy rather than the Iran-related conflict and should be treated as a different topic.

2 weeks ago

Cyber and electronic-warfare activity escalates amid US–Israeli strikes on Iran

Regional conflict following **U.S.–Israeli strikes on Iran** has been accompanied by heightened cyber and electronic-warfare activity affecting both military operations and civilian infrastructure. U.S. officials publicly acknowledged that **U.S. Cyber Command**, alongside space capabilities, conducted “non-kinetic” operations to **disrupt Iranian communications and sensor networks** in support of *Operation Epic Fury*, describing effects intended to degrade Iran’s ability to coordinate and respond; reporting also noted follow-on hack-and-leak style activity against Iranian-facing online properties (e.g., news sites and an app) and warned of potential retaliatory cyber activity by Iranian-aligned actors. In parallel, maritime intelligence reporting described a sharp increase in **GPS/AIS disruption (jamming/spoofing)** impacting shipping around the Strait of Hormuz, with vessels appearing in false locations and maritime authorities warning of elevated risk to navigation and safety. Iran’s domestic crypto ecosystem also showed signs of stress consistent with conflict conditions and connectivity constraints: observers reported **internet outages**, exchanges moving into risk-containment modes (e.g., batching/suspending withdrawals), and temporary restrictions on the **USDT–toman** trading pair under central bank direction—collectively reducing liquidity and market activity rather than clearly indicating capital flight. Separate reporting on Pakistan’s TV broadcast hijacks and a DDoS incident affecting Russian government sites appears unrelated to the Iran conflict-driven activity described above.

3 days ago

Iran-Linked Cyber Activity Escalates Amid Middle East Conflict

Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected **IP cameras** across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligning to geopolitical events; activity was traced to infrastructure linked to Iran-nexus actors using commercial VPN exit nodes (e.g., *Mullvad*, *ProtonVPN*, *Surfshark*, *NordVPN*) and VPS infrastructure to mask origin, and the most targeted vendors were **Hikvision** and **Dahua**. Separately, Symantec reported **Seedworm** (*MuddyWater/Temp Zagros/Static Kitten*) activity on multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, airport, non-profit, and the Israeli operations of a U.S. software supplier to defense/aerospace; Symantec identified a previously unknown backdoor dubbed **Dindoor** (leveraging the *Deno* runtime) and a Python backdoor **Fakeset**, with malware signed using certificates issued to “**Amy Cherne**” (and in some cases “**Donald Gay**”), and noted attempted data exfiltration using **Rclone** to a *Wasabi* cloud storage bucket. Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags **pro-Iranian/pro-Islamist hacktivist** attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt. 
A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including *Unitronics* PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked **APT28** phishing/malware campaign in Ukraine and a China-nexus **UAT-9244** telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.

1 month ago
