Cybersecurity analysts and international officials are warning of a widening front in the Middle East crisis, where kinetic warfare, economic disruption and co-ordinated online campaigns meet.
Since Saturday, a series of joint US-Israeli military strikes against Iran has triggered repeated Iranian ballistic missile and drone attacks across the Gulf, forcing temporary airspace closures and heightening military alerts from Kuwait to the UAE.
The fallout has extended beyond military targets. Amazon’s cloud division reported a fire at a UAE data centre after “objects struck the facility”, raising concerns over the exposure of commercial digital infrastructure as hostilities intensify.
Amid this backdrop, a hacktivist faction known as the 313 Team has publicly declared it is targeting Israel, Jordan, the US, Saudi Arabia, the UAE and Kuwait in cyberspace in response to the death of Iranian supreme leader Ayatollah Ali Khamenei, posting threats on Telegram-linked channels.
CloudSEK, a risk-monitoring firm, reported that between February 27 and March 2, co-ordinated cyber disruption attempts were logged against 10 financial institutions. This includes major banks in Saudi Arabia, Jordan and Israel as well as seven aviation and logistics entities, government ministries, defence-related targets and telecoms providers.
In the UAE, some online and phone banking services were unavailable on Monday due to region-wide disruption of IT services, with the cause publicly remaining unknown.
For the reported cyber attempts, many of the claims centre on distributed denial-of-service (DDoS) attacks, website power cut and public service disruptions. Analysts said none have yet been independently verified as deep system breaches or sustained compromises of core infrastructure.
“What we are observing is a co-ordinated, narrative-driven disruption campaign rather than confirmed systemic compromise,” Shashank Shekhar, managing editor at CloudSEK, told The National.
“The clustering of financial institutions and aviation assets suggests an intent to maximise visibility and reputational pressure at a time of heightened geopolitical sensitivity. At this stage, the impact appears disruption-focused, targeting availability and public perception rather than core banking or operational technology systems.”
Mr Shekhar said hacktivist collectives have publicly claimed the offensive operations including groups such as DieNet, Team 313, Liwa Thar Allah, Fad Team, Cyb3rDrag0nzz, and Fynix, but that CloudSEK could not independently verify that any of the claimed cyberattacks are originating from the Iranian government or state forces.
Vibin Shaju, EMA VP at California-headquartered cybersecurity company Trellix, said the region is significantly better prepared for threats than in previous years, citing major investments across the GCC over the past three to five years in cybersecurity frameworks, regulatory compliance and defensive capabilities.
“There has been a huge amount of preparation,” he said, noting that critical infrastructure in the UAE and Saudi Arabia is typically operated with contingency planning and limited dependency on external cloud environments at its core.
“Most core critical systems are managed locally and designed to continue operating even during disruption,” Mr Shaju said, adding that while external-facing services may slow or temporarily fail, internal operational resilience has improved markedly across the region.
Financial industry sources said several banks, including Standard Chartered and major Japanese lenders, have advised staff to postpone travel to the region, slowing deal negotiations and prompting short-term work restrictions.
Broader economic signals reflect the strain. Major aviation hubs temporarily surrendered airspace, leaving thousands of passengers stranded, while energy shipments through the Strait of Hormuz slowed and travel and investment flows into the Gulf were curtailed.
Mr Shekhar said the convergence of kinetic conflict and cyber disruption reflects a broader trend in modern warfare. “Hacktivist groups often leverage geopolitical flashpoints to amplify messaging impact. High-visibility sectors such as banking and air transport are symbolic targets that generate immediate public attention, even when underlying infrastructure remains intact,” he said.
Cybersecurity experts caution that hacktivist groups may be leveraging the broader conflict to amplify reputational pressure, selecting high-visibility sectors such as air transport and banking to maximise impact.
Mr Shaju said the reported disruption to AWS infrastructure highlighted the region’s growing reliance on cloud providers, warning that while hyperscale platforms offer redundancy, concentration risk remains. “When applications rely heavily on a single cloud environment, slowness or service interruption can quickly ripple across banking apps, airline booking systems and consumer-facing services,” he said.
He described the AWS incident as primarily affecting application programming interfaces and service availability rather than core systems, but said it demonstrated how dependency on shared infrastructure can create a “single point of impact” during conflict. “Even if internal systems remain secure, access to the external world depends on internet and edge infrastructure,” he said.
The prevalence of hactivists and the prominence of cybersecurity concerns gives ample validity to recent surveys.
Worries about the safety of cyber infrastructure stemming from nefarious actors ranked in the top 10 of the World Economic Forum's 2026 Global Risks report.
The Iran conflict seems to spilling over into the digital world, solidifying what cybersecurity experts have long warned of, particularly regarding Iran and its use of hackers and hacktivist groups.
“The volume of Iranian state-linked cyber activity remains consistently high,” read Microsoft's 2025 digital defence report.
“Iran’s intelligence services continue to focus heavily on regional adversaries, conducting long-term espionage against critical infrastructure,” the report added, noting that Tehran's cyber actors most frequently targeted Israel, the US and the UAE to exploit potential vulnerabilities.
Just weeks before the US and Israeli strikes on Iran, cybersecurity firm Acronis warned that its experts had discovered a new malware campaign targeting supporters of protests throughout the country.
In August, FBI assistant director Brett Leatherman said a cyber attack from Iran affecting US technology systems, data and infrastructure would be likely to be considered an act of war.
With Operation Epic Fury under way in Iran, that might mean Tehran now has little to lose by intensifying cyberattacks.
Mr Shaju said short-term cyber disruptions are often designed for visibility and headlines. However, he cautioned that longer-term, more covert intrusions pose the greater strategic risk.
“What makes the news is the short-term disruption,” he said. “What organisations should worry about is the persistent, targeted attack that stays silent for months. That is where the real long-term impact lies.”
