Heightened Cyber Threats Following US–Israel–Iran Military Actions [Flash Report]

This blog summarises our latest flash report covering the surge in cyber threat activity observed in the days following the US–Israel strikes on Iran. For the full incident tracking, actor analysis, and defensive guidance, get in touch with our team.

What happened on February 28, 2026?

On February 28, 2026, the United States and Israel launched coordinated military strikes against strategic targets in Iran, hitting military and nuclear-related infrastructure and reportedly resulting in the death of Supreme Leader Ali Khamenei. Iran responded by launching waves of ballistic missiles and drones toward Israel and US military positions across the region, with strikes reported in the UAE, Bahrain, Kuwait, Qatar, and Jordan. Multiple countries closed their airspace, with closures including Dubai International Airport, the world’s busiest international hub. The Strait of Hormuz, through which approximately 20% of the world’s oil passes, faced fresh disruption as major shipping groups suspended transit.

The geopolitical shockwaves were immediate. In parallel, a second front opened: cyberspace.

The cyber dimension: what we observed

Periods of direct military escalation in the Middle East consistently trigger surges in state-aligned and hacktivist cyber activity. This conflict was no exception, and the speed of response was notable. Within hours of the strikes, CybelAngel’s REACT team began tracking a significant uptick in claimed cyber operations across multiple threat actor channels, spanning several countries in the region.

Between February 28 and March 2, threat actors claimed activity affecting the UAE, Israel, the USA, Saudi Arabia, Bahrain, Kuwait, and Jordan. The activity broke into three categories. DDoS (Distributed Denial of Service) attacks were the most prevalent, targeting government services, civil defense entities, airports, telecoms, and financial institutions. Website defacement campaigns concentrated on UAE-based commercial domains, with dozens of businesses across retail, hospitality, real estate, and services having their sites replaced with politically motivated messaging. Alleged data leaks emerged primarily against Israeli targets, with actors claiming access to citizen databases, military personnel records, and defense-linked datasets — several timed to maximize visibility during the period of heightened geopolitical attention, a pattern consistent with reputation-driven operations rather than purely operational ones.

The UAE was the most heavily targeted geography, consistent with its role as a host of US military infrastructure and a country directly struck by Iranian missiles.

Who are the most affected sectors?

Four sectors stand out across the observed activity. Government and public safety entities bore the brunt of pressure-style campaigns, with civil defense authorities, municipalities, and government portals repeatedly named. Critical infrastructure, including airports and telecoms, featured prominently in threat actor claims. Financial services saw targeting across the region, with banking apps and stock exchanges named as DDoS targets. Commercial and SMB sectors in the UAE experienced a high volume of defacement activity, with retail sites, restaurants, and small businesses caught in the crossfire.

What this means for your organization

The current pattern is dominated by disruption rather than sophisticated intrusion. This is consistent with what security researchers typically observe during crisis periods: a surge in lower-barrier, high-visibility operations where messaging and symbolic impact outweigh technical sophistication. That said, this environment creates cover for more targeted operations. Amid the noise of high-volume DDoS and defacement activity, access brokers have been observed attempting to monetize alleged network footholds. Organizations should not assume that because most claims are low-sophistication, all activity is.

CybelAngel assesses that activity affecting the countries referenced in our full report will continue, with additional geographies potentially drawn in as the conflict evolves.

Access the full Flash Report

The full report includes time-stamped incident tracking across seven countries, actor profiles, sector-by-sector breakdowns, and specific defensive guidance for organizations operating in affected geographies. CybelAngel’s REACT team tracks geopolitically motivated cyber activity continuously, so you get the signal without the noise.

If you are a CybelAngel client, your REACT team is actively monitoring this situation. If you are not yet a client, talk to an analyst to request the full Flash Report.