Intrusion claims, financial cybercrime and infrastructure-related threats have risen since the Iran war began. Talib Jariwala/The National; Getty Images

Iranian cyber attacks move from disruptive to complex threats in Gulf


Salim A. Essaid

Cyber attacks linked to Iran have evolved from short-lived disruptive campaigns into broader and more complex threats across the Gulf.

At the beginning of the war, Iran-aligned hacking groups claimed responsibility for cyber attacks targeting government portals and high-profile websites as public disruption campaigns.

New intelligence shows the cyber battlefield has shifted significantly, moving towards a more complex ecosystem of intrusion claims, financial cybercrime and infrastructure-related threats.

In tandem with the findings, UAE cybersecurity chief Mohamed Al Kuwaiti said last week that attacks on the country's digital infrastructure had tripled from 200,000 to 600,000 since the start of the war.

He said these ranged from ransomware and data breaches to targeted data leaks, website defacement and wiper malware – a type of malicious software that renders a website unusable by overwriting, deleting or corrupting data.

Automation and AI, he added, are aiding the speed and scope of their attacks.

What happened?

The escalation follows US-Israeli strikes on Iran that triggered retaliatory military and cyber activity across the Gulf, extending the conflict into the digital domain.

Amazon's cloud division reported damage to its UAE and Bahrain data centres in March in multiple attacks. The warfare is taking place equally in the digital world, with cybercrime detection companies identifying targets in Israel, Jordan, the US, Saudi Arabia and the UAE.

In the early phase of the conflict, cyber attack attempts were dominated by clearly identifiable “resistance-branded” hacktivism groups co-ordinating via Telegram and openly claiming website disruptions across the region, said Emirates-based cybersecurity firm Cypherleak, in a briefing shared with The National.

However, through tracking Telegram posts for claimed attacks, recent intelligence shows attribution has become less clear, with a fragmented mix of hacktivists, cybercriminal networks and breach-reporting channels contributing to a noisier and more complex threat environment.

Mohamed Belarbi, the founder and chief executive of Cypherleak, said attacks rose sharply during the start of the war, by “around 175 per cent. This is natural as hacktivism activities mirror physical conflicts like the war”.

“The more important trend is the rise of blended cyber risk: probing, breach claims, financial exploitation, and infrastructure-linked cyber exposure,” he said, adding that these pose a much higher risk.

Who was attacked?

Targets at the start of the war were identified as largely public-facing, high-visibility services such as government portals, digital authorities and state media outlets.

Since then, targeting has broadened beyond symbolic websites to include financial institutions, aviation systems and law enforcement-linked platforms, often through unverified breach and intrusion claims.

In Qatar, groups claimed attacks on energy-sector websites and state-broadcasting infrastructure at the start of the war.

But Qatar has since seen a decline in direct hacktivism activity, with cyber-related content shifting towards general infrastructure and threat discussions rather than confirmed attacks.

The UAE shows the clearest evolution from hacktivism group disruptions to broader types of breaches, intrusion and ransomware-related attacks. This indicates a shift from more campaign-style hacktivism towards a more crowded cyberthreat environment, the report said.

Saudi Arabia, on the other hand, had fewer disruption claims at the start of the war, but featured more serious allegations of data breaches.

The kingdom has since seen the sharpest increase in cyber activity volume, from 55 cyber-relevant posts to about 872 by April 6, with a growing focus on intrusion attempts, vulnerability testing and ransomware-related threats.

Who's behind it?

The messaging accompanying the cyber activity frames Gulf states as targets, given their alignment with the US and western partners.

The Cypherleak briefing shared with The National identified several Iran-aligned groups active in the campaign, including 313 Team – which labels itself as part of the “Cyber Islamic Resistance in Iraq” – DieNet, Fatimion Cyber Team, Fad Team and ALTOUFAN TEAM, which frequently amplify one another’s claims across messaging channels.

“But they are not part of the state itself,” Mr Belarbi said. “They are independent actors seeking visibility and credibility by claiming attacks and publicising them online.”

While these groups were highly visible in the early phase, their prominence has diminished as the cyber environment has become more fragmented and less centred on a single ideological network.

The Cypherleak brief reported that the initial activity was consistent with distributed denial-of-service (DDoS) attacks: attempts to overwhelm public websites with traffic rather than deeper intrusions into government systems.

Many of the posts also used language suggesting time-limited attacks lasting about an hour, a tactic typical of hacktivism campaigns designed to generate online publicity.

Iran-aligned hacktivism groups have claimed responsibility for a wave of cyber attacks on government portals and high-profile public websites across the Gulf and Israel. Photo: Cypherleak

“From the claims we are seeing across Telegram channels, about 90 per cent of the activity is DDoS attacks and roughly 10 per cent involves intrusion claims,” Mr Belarbi said in early March.

However, data collected in April suggests that DDoS activity now represents only a small portion of cyber-related content, with greater emphasis on breach claims, persistent access narratives and financial exploitation, which are more difficult to verify.

Gulf resilience

Gulf cybersecurity has improved significantly, evolving from serving as a reactive IT function into a more robust shield defending national sovereignty and economic stability. Regional spending has already reached approximately $20 billion–$23 billion annually and is projected to grow to as much as $46 billion by 2030, according to a forecast by Mordor Intelligence.

This transformation has accelerated in recent years, with governments – particularly the UAE – embedding cyber resilience into national security strategies, critical infrastructure protection and digital economy planning.

Vibin Shaju, EMA vice president at California cyber security company Trellix, said the region is significantly better prepared for threats than in previous years, citing major investment across the Gulf over the past three to five years in cybersecurity frameworks, regulatory compliance and defensive capabilities.

The UAE has emerged as one of the most mature cyber resilience markets in the region, supported by strong regulatory frameworks, national cyber strategies and increasing adoption of advanced technologies such as AI-driven threat detection and zero-trust architecture, according to a 2025 Grand View Research report.

“Most core critical systems are managed locally and designed to continue operating even during disruption,” Mr Shaju said.

Updated: April 10, 2026, 8:07 AM