Evolving cyber threat landscape amid Middle East tensions

03 March, 2026

Geopolitical tensions invariably influence cyberspace, leading to an evolution in the threat landscape. The current escalation in the Middle East, which began on February 28, 2026, is anticipated to follow this pattern across the UAE. Historically, threat actors have exploited such periods to amplify influence operations, conduct opportunistic intrusion attempts, and circulate disinformation narratives. 

Key highlights

  • The rise in physical hostilities including missile and drone attacks has coincided with a surge in cyber operations, predominantly originating from Iranian‑aligned actors.
  • Financial services, aviation, energy, telecom, and government-linked entities remain high-probability targets due to their regional visibility and systemic importance.
  • While only low‑to‑medium impact cyber incidents have been reported in the UAE and in neighbouring Gulf states including Kuwait, Saudi Arabia, and Bahrain, ongoing reconnaissance activity indicates a potential risk of broader spillover into critical infrastructure sectors.
  • No major breaches have been confirmed to date.

CPX Threat Intelligence Centre is actively monitoring the evolving geopolitical situation and its wider cyber implications across the region, noting an increase in hacktivist activity and targeted disruptions across allied Gulf states.

Threat assessment

CPX Threat Intelligence Centre (CPX-TIC) assesses that the current regional geopolitical environment has resulted in an elevated cyber threat posture for the UAE, consistent with historical patterns observed during periods of heightened tension involving Iran and its regional proxies. 

Historically, Iranian state‑aligned cyber units have escalated cyber activity in parallel with kinetic or political developments, leveraging a mix of state APT operations and proxy actors. Below are the key activities that are plausible during this ongoing conflict.

Observations and anticipated activities

  • Increased likelihood of hacktivist‑led DDoS campaigns targeting government and private-sector public‑facing services.
  • Elevated state‑aligned APT activity, focused on reconnaissance, credential harvesting, and cyber-espionage.
  • Continued use of website defacement as a low‑complexity psychological and influence tactic.
  • Rise in malware and ransomware campaigns, potentially operating under state tolerance or indirect coordination.
  • Use of proxy actors and front groups to maintain plausible deniability and obscure attribution.

Recent developments in cyber space

In the last 24 hours, CPX-TIC has observed a spike in cyber operations by pro-Iranian hacktivist personas and collectives, noting multiple claimed DDoS attacks on entities in the UAE, Israel, Saudi Arabia, Kuwait, and Bahrain, followed by alleged SCADA and PLC compromises of Israel-based entities.

Below is the timeline of the cyber escalation from 28-February to 02-March 2026:

  • February 28, 2026: Initial escalation with influence operations
  • March 1, 2026: Reported DDoS attempts; cybercriminals began taking advantage of the situation
  • March 2, 2026: DDoS and reconnaissance spikes, along with cloud infrastructure outages

 

Cyber Escalations

28-February-2026

Threat actor: Handala Hack Team
Origin: Iran
Motivation: Ideological, Anti-Israel/US
Recent activity: The group announced the imminent start of massive cyber-attacks with no restrictions against regional traitors, urging them to prepare for the destruction of their infrastructure.

The group also posted an accusation that the UAE had committed a serious betrayal, threatening to regress the Emirates to a pre-prosperity era of camel riding and advising Europeans to avoid travelling there for the next 12 hours.

The group claimed to have destroyed the infrastructure of gas stations across Jordan, preventing any vehicles from refuelling. This action was framed as retaliation for what the group described as the Jordanian rulers' "clear betrayal of the resistance," referring to Jordan's perceived alignment with Israel and the US amid the escalation.

Threat actor: Fatimion Cyber Team
Origin: Unknown
Motivation: Ideological, Anti-Israel/Zionist
Recent activity: The group claimed to have compromised the website of a UAE-based government NGO.

Threat actor: DieNet
Origin: Unknown
Motivation: Ideological, Anti-Western/Pro-Middle Eastern
Recent activity: DieNet published DDoS claims against UAE-based government entities (Government Enabled Services, Telecom).

Threat actor: Sylhet Gang-SG
Origin: Bangladesh
Motivation: Religious, Political
Recent activity: Sylhet Gang amplified the DieNet messaging related to UAE targets and issued a broader call for hacker teams from multiple countries to launch collective cyber operations against America and Israel.

By combining endorsement of UAE‑related claims with coalition messaging, Sylhet increased the perceived scale of activity and the likelihood of copycat participation directed at UAE government portals and adjacent public services.

Threat actor: Cyber Islamic Resistance
Origin: Unknown
Motivation: Religious, Political, Pro-Iran, Pro‑Palestinian
Recent activity: The group announced a general mobilization and the establishment of an “Electronic Operations Room”, calling for hackers and cyber‑warfare experts to participate via the group’s official account.

Subsequent posts stated that additional teams were joining the operations room, including Cyb3rDrag0nzz and RipperSec.

Cyber Escalations

01-March-2026

Threat actor: MAD GHOST/Arabian Ghosts
Origin: Unknown
Motivation: Pro-Palestinian, Anti‑Israel
Recent activity: Arabian Ghosts has not explicitly claimed any specific attacks but posted a call to action encouraging hackers to target Israel, the USA, Saudi Arabia, and the UAE.

The post uses the hashtag ‘#OpIsraelTeam’, suggesting a potential coordinated operation or campaign focused on cyberattacks against these nations. The post is a direct call for malicious cyber activity and indicates intent to disrupt or damage systems belonging to the listed countries. No specific technical details, malware, or vulnerabilities are mentioned in the post, only a broad call for attacks.

Threat actor: Sylhet Gang-SG
Origin: Bangladesh
Motivation: Religious, Political
Recent activity: Sylhet Gang amplified the DieNet messaging related to UAE targets.

Threat actor: APT Iran
Origin: Unknown
Motivation: Religious, Political, Pro-Iran, Anti-Israel
Recent activity: APT Iran posted a list of target countries including Israel, the US, Jordan, Saudi Arabia, and the United Arab Emirates (UAE).

Threat actor: 313 Team
Origin: Unknown
Motivation: Ideological, Anti-Israeli, Anti-Western, Pro-Palestinian
Recent activity: The group posted about taking revenge on the servers of entities in the US, Israel, Jordan, Saudi Arabia, the United Arab Emirates (UAE), and Kuwait.

Threat actor: DieNet
Origin: Unknown
Motivation: Ideological, Anti-Western/Pro-Middle Eastern
Recent activity: DieNet published DDoS claims against two critical infrastructure entities (airports) in the UAE.

Threat actor: Handala Hack Team
Origin: Iran
Motivation: Ideological, Anti-Israel/US
Recent activity: The group urgently warned all Middle Eastern countries to evacuate their military facilities immediately, proclaiming that history has never witnessed a hellish day like today.

Cyber Escalations

02-March-2026

Threat actor: BD Anonymous Team
Origin: Bangladesh
Motivation: Religious, Political, Pro-Palestinian
Recent activity: The group posted about officially launching the war and an operation dubbed ‘OperationElectronicHolucaust’ against Israel and its allies.

Threat actor: 313 Team
Origin: Unknown
Motivation: Ideological, Anti-Israeli, Anti-Western, Pro-Palestinian
Recent activity: The group posted about targeting the countries supporting the US and Israel.

Threat actor: APT Iran
Origin: Unknown
Motivation: Religious, Political, Pro-Iran, Anti-Israel
Recent activity: The group posted two videos showing access to the cameras of an undisclosed manufacturing unit, and access to an ICS system identified as a ‘UNITRONICS Vision 130’ PLC device.

The group also stated, ‘soon strange things will happen, just wait a little longer to see the cyber power of Iran’.

Threat actor: FAD Team
Origin: Iraq
Motivation: Religious, Political, Pro-Palestinian
Recent activity: The group claimed to have successfully gained access to a SCADA/PLC system belonging to ELMI, an Italian electrical equipment manufacturer. The compromised device is a remote‑control system used for managing wind turbines deployed at facilities in Israel and in countries that have normalised relations with Israel.

The group stated that the intrusion was carried out as an act of retaliation following US and Israeli actions.

Emerging cybercriminal activities amid regional uncertainty

Apart from the cyber escalation, cyber-criminal activity has been reported in the UAE. Cybercriminals, specifically scammers, have been actively exploiting the heightened regional uncertainty. Netizens in the UAE are receiving calls from scammers claiming to be from the Ministry of Interior (MOI), asking them to confirm receipt of the national alert and requesting that they share their Emirates ID (EID) number for verification purposes.

Official warning from MOI UAE

On March 1, 2026, the Ministry of Interior, UAE (MOI UAE) issued a warning to netizens against fraudulent calls that may originate from the number (70614213) or any other numbers, confirming that these fall under the practices of electronic fraud and impersonation.


AWS outages in the UAE: Impact from regional conflict

CPX Threat Intelligence Centre also observed that Amazon Web Services (AWS) experienced outages affecting data centers in the United Arab Emirates, primarily impacting at least one Availability Zone (mec1-az2) in the me-central-1 (UAE) region. This resulted in loss of power, connectivity issues, and widespread service degradation across critical cloud offerings, such as EC2, RDS, EBS, Lambda, EKS, and networking APIs.

The disruptions were caused by physical debris from a successful UAE interception of incoming projectiles amid the escalating Iran-U.S. and Israel conflict, which inadvertently damaged infrastructure supporting the AWS facilities.

AWS response and ongoing risks

AWS confirmed that restoration efforts were underway, with no confirmed data loss. However, AWS also warned customers that full restoration would take hours, underscoring the risks that physical attacks pose to cloud infrastructure in conflict zones.

Recommendations

The CPX-TIC recommends the following measures:

Defence against DDoS

  • Activate emergency WAF and CDN protections on public‑facing portals, including rate limiting, bot and JavaScript challenges, and login shielding, and ensure upstream traffic scrubbing is ready.
  • Implement caching and static failover pages for critical journeys such as login, search, and payments to preserve usability during pressure events.
  • Validate Anycast DNS, short TTLs, and resilient authoritative DNS, and deploy multi‑region synthetic probes to distinguish real service degradation from claim noise.
  • Prepare concise runbooks to enable rapid mode switching such as reduced functionality or gray‑page responses and align communication triggers to observable telemetry.

Defence against ransomware

  • Maintain immutable, offline backups with routine restore tests, and protect backup consoles behind multifactor authentication and separate administrative credentials.
  • Enforce multifactor authentication and conditional access on VPN, RDP, and administrative portals, disable legacy protocols, and restrict access by source IP or ASN where feasible.
  • Deploy endpoint detection and response across servers and workstations, keep internet‑facing services and high‑risk third‑party components patched, segment networks and apply least privilege, and monitor for anomalous lateral movement and mass file modification.

Defence against web defacement

  • Keep CMS platforms and plugins fully updated, restrict administrative panels by IP and multifactor authentication, and remove unused plugins and themes.
  • Implement file integrity monitoring and read‑only permissions for web roots where possible and maintain versioned backups for rapid restoration.
  • Use a secure CI/CD process with signed artifacts, scan builds for secrets and malware, and restrict direct edits in production.
  • Enforce a strict Content Security Policy and Subresource Integrity where applicable, and log and alert on unexpected file writes and administrative login anomalies.
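As an added illustration of the file integrity monitoring item above (example code, not CPX's or any vendor's own tooling): a baseline-and-diff check over a web root that reports files added, removed or modified since the last release. The web root, baseline path and sample files are constructed in a temporary directory.

```python
# Added example (not CPX's own tooling): baseline-and-diff file integrity check
# for a web root. The paths and files used by demo() are constructed in a temp
# directory; in practice point the functions at a real web root and a baseline
# file stored outside it (and outside the reach of the web server user).
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_baseline(root: Path, baseline_file: Path) -> None:
    """Record the tree as deployed by the release pipeline as the trusted state."""
    baseline_file.write_text(json.dumps(hash_tree(root), indent=2))


def check_against_baseline(root: Path, baseline_file: Path) -> dict:
    """Return files added, removed or modified since the baseline was taken.
    Any non-empty list is an alert: production web roots should change only
    through CI/CD, never through direct edits on the server."""
    baseline = json.loads(baseline_file.read_text())
    current = hash_tree(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if current[f] != baseline[f]),
    }


def demo() -> dict:
    """Constructed scenario: clean deploy, then a defaced page, an unexpected
    new file and a deleted stylesheet; returns what the check would alert on."""
    with tempfile.TemporaryDirectory() as tmp:
        root, baseline = Path(tmp) / "www", Path(tmp) / "baseline.json"
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "css" / "site.css").write_text("body{}")
        write_baseline(root, baseline)
        (root / "index.html").write_text("<h1>Defaced</h1>")  # content replaced
        (root / "backdoor.php").write_text("<?php ?>")  # unexpected write
        (root / "css" / "site.css").unlink()  # file removed
        return check_against_baseline(root, baseline)
```

Run the check from a scheduled job or a post-deploy hook, refreshing the baseline only as part of the release process so that any drift outside it surfaces as an alert.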

Defence with IOCs and TTPs

  • Proactively monitor and block the shared Indicators of Compromise (IOCs) across security controls.
  • Conduct targeted threat hunting for the associated Tactics, Techniques, and Procedures (TTPs).
  • Given the elevated regional threat environment, early detection of reconnaissance, access‑building, and disruption‑focused activity is critical to reducing risk and preventing potential impact.

Defence against cybercriminals

  • Organizations and netizens are advised to exercise heightened vigilance when handling unsolicited communications or financial requests related to the ongoing developments. Remember that government officials and entities never request personal or financial information via telephone calls or unknown links.

Defence against cloud infrastructure outages

  • Monitor AWS Service health updates: Continuously follow the official AWS Health Status dashboard for real‑time updates on outage resolution, service restoration progress, and any region‑specific advisories. This ensures timely awareness of recovery milestones and potential downstream impacts on dependent services.

Defence against hacktivist claims on access to ICS/SCADA devices

  • Validate ICS/SCADA asset inventory: Conduct an immediate review of your organization's ICS/SCADA asset inventory to identify any Unitronics Vision‑series or ELMI remote-control devices deployed within your environment. Ensure these devices are accurately logged, monitored, and risk‑scored.
  • Apply latest security patches: Verify that all identified ICS/SCADA devices, particularly Unitronics PLCs and ELMI‑manufactured control systems, are updated to the most recent firmware and security patches. Patch gaps in these devices can expose critical operational environments to compromise.
  • Strengthen monitoring and hardening: Ensure continuous monitoring for anomalous activity targeting PLCs, remote management interfaces, and industrial protocols. Where possible, enforce network segmentation, disable unused services, and tighten access control to reduce the attack surface.

 
