- Special to The Washington Times - Tuesday, March 17, 2026

MUMBAI — High-profile attacks on oil tankers in the Strait of Hormuz have epitomized Iran’s hit-and-run response to superior American and Israeli firepower, but analysts warn that Tehran’s asymmetric strategy isn’t limited to guns, bombs or the physical geography of the battlefield.

Tehran is firing back with unconventional tactics that range from cash for proxies and mass hack attacks to the weaponization of traffic cameras.  

Iranian-linked hacking groups such as Handala are routing attacks on Iran’s adversaries and neighbors through servers in third countries to disguise their origin, said Ayush Singh, a vulnerability intelligence researcher speaking from New Delhi. The tactic is not new, but the scale of the current conflict has brought it into sharp relief.



Check Point Research, an Israeli cybersecurity firm, confirmed that Handala had been routing operations through Starlink IP ranges since January 2026 — weeks before the first missile was fired at Tehran.

That routing architecture explains why Iran’s near-total internet blackout — imposed following American and Israeli strikes on its communications infrastructure — has not stopped the campaign. Groups like Handala operate through pre-positioned servers outside Iranian borders.

“Iranian citizens are cut from the internet,” Mr. Singh told The Washington Times. “These adversarial groups are not.”

“This has been their way of conducting operations for years,” Mr. Singh said. “Infrastructure run by hosting providers in Germany and France, including companies like Contabo and OVH, has frequently been used by advanced persistent threat groups to stage attacks, often through servers physically located in places like Singapore.” 

Virpratap Vikram Singh, writing this week for the International Institute for Strategic Studies, a London-based defense and security think tank, concluded that while Iran appears to be as overmatched in cyberspace as it is on the battlefield, the Islamic Republic has shown no sign of capitulation. With the command structure overseeing Iranian cyber operations either dead or offline, he wrote, proxy groups are anticipated to engage in more unpredictable and decentralized activities.

“Given the maturity of their cybersecurity, countries in the Gulf region are likely to be particularly vulnerable,” Mr. Singh wrote.

Mr. Singh of ARP Syndicate framed Iran’s cyber campaign in terms of economic warfare as much as military strategy. Iran is not trying to win the conflict digitally. It is trying to impose costs.

“When you are countering cheap weapons with expensive weapons, you are the one losing the war economically,” he said. “They are failing much more. But when they are succeeding, they are succeeding with very cheap weapons.”

That calculation is now showing up in hard numbers. Gulf oil producers have lost an estimated $15 billion in energy revenues since Iran disrupted Strait of Hormuz shipments, the Financial Times reported. Iran’s propeller-driven Shahed drones — some powered by motorcycle engines, built partly from styrofoam — are forcing adversaries to expend sophisticated air defense systems at a rate the attackers could never match dollar for dollar.

“As part of the kinetic attack, we see cyber attacks as well,” said Jonathan Zanger, chief technology officer of Check Point Software Technologies, in a cybersecurity briefing. “Over 60% of the attacks coming right now out of Iran are targeting Israel across critical infrastructure, government, education and health care.”

Mr. Zanger said Check Point secures critical infrastructure across both the United Arab Emirates and the United States, and that Iran’s campaign has driven a continuous spike in attacks where digital operations run alongside kinetic ones. Of the thousands of attacks Check Point tracks weekly, 99.7% are blocked — a figure that sounds reassuring until the volume is understood. At that magnitude, the difference between 99.7% and 99% is the difference between prevention and a major incident.

Iran’s targeting is not limited to Israel. Mr. Zanger said nation-state actors exploit every active conflict as a cyber battlefield.

“We saw it with Iran and Israel,” he said. “We saw it with Pakistan and India.”

Check Point data shows India experienced 30% more cyberattacks than the global average rate. When conflict between India and Pakistan flared in December, the company recorded a surge in attacks by Pakistani threat actors targeting India’s Ministry of Defense, Army, Navy and political infrastructure.

The U.S.-led war on Iran has exposed a convergence of threat streams that puts India in a particularly exposed position. Pakistan conducted its own offensive cyber campaign against Indian military satellites, government websites and critical infrastructure during the two countries’ conflict in May 2025, with Indian authorities recording more than 1.5 million attempted intrusions.

Iran’s proxy networks now operate primarily from outside the country — researchers have documented Iranian-affiliated groups running operations from Pakistan and across Southeast Asia. During the India-Pakistan fighting, an Iranian-linked group publicly declared support for Islamabad. For India, the two threat streams are now converging in the same conflict window.

The war’s reach is also severing the digital cables that were supposed to bind the region together. Alcatel Submarine Networks, the French state-owned company contracted to lay the 2Africa Pearls cable connecting the UAE, Qatar, Saudi Arabia, Bahrain, Kuwait and India, has issued force majeure notices and declared it can no longer safely operate in the Persian Gulf. The cable was scheduled to go live this year. It would have directly linked India to the Gulf corridor. That project is now suspended.

Iran has also hit Gulf infrastructure from the air and sea. Dubai International Airport shut down again Monday after an Iranian drone attack caused a fuel tank fire — the third strike on the airport since the conflict began.

The key UAE port of Fujairah, the country’s only export route outside the Strait of Hormuz, was struck by a drone, halting oil loadings.

Tankers carrying fuel oil were reported ablaze near Basra in Iraqi territorial waters, part of a campaign targeting energy infrastructure and maritime routes across the region.

The UAE’s civil aviation authority said more than 1.4 million passengers passed through its airports between March 1 and 12. Without the war, that figure would have been roughly three times higher.

Iran’s state-affiliated Tasnim news agency published a list of 29 locations in Bahrain, Israel, Qatar and the UAE housing offices, data centers and research facilities belonging to Amazon, Google, IBM, Microsoft, Nvidia, Oracle and Palantir.

The Islamic Revolutionary Guard Corps presented them as the enemy’s technology infrastructure. Many of those companies operate regional AI data center infrastructure in the UAE. Mr. Zanger noted that AI data centers represent a fundamentally different security challenge from traditional infrastructure — different architecture, different compute scale and attack surfaces that did not exist five years ago.

Before the attacks, the UAE’s AI data center market was projected to more than double in value, from $3.29 billion this year to an estimated $7.7 billion by 2031, driven in part by investment from OpenAI and Microsoft.

Economists say Qatar and Kuwait could see their gross domestic product shrink by about 14% if the Strait of Hormuz remains shut for two months, while Saudi Arabia and the UAE would likely suffer declines of 3 to 5%, Bloomberg reported.

The Guardian reported that analysts now say Iran’s destructive hacks, combined with missile and drone attacks on the physical cyber-linked infrastructure underpinning the modern economies of countries such as Saudi Arabia and the UAE, could set the region back years.

When commercial data centers carry military workloads, they become military targets. Iran has made clear it understands that.

The power of camera hacking as a battlefield tool is no longer theoretical. Israel conducted a long-term hack of Tehran’s traffic cameras to precisely time the strike that kicked off the war and took out the top layer of Iranian leadership. The same tactic appeared in the June 2025 war, when Iran struck Israel’s Weizmann Institute of Science with a ballistic missile — having reportedly taken control of a street camera facing the building just prior to the hit.

Israel’s own cybersecurity directorate confirmed the vulnerability runs both ways.

Since the war began, it has identified dozens of breaches of Israeli security cameras blamed on Iran and has moved to alert hundreds of camera owners across the country.

As recently as June 2025, Iranian intelligence operatives compromised servers carrying live CCTV streams from Jerusalem, surveilling the city for targets days before missile strikes. Gil Messing, head of cyber intelligence at Check Point, told AFP the hackers carrying out these operations “are part of Iran’s army” and “are largely supported by the state, notably by the Revolutionary Guards and the Ministry of Intelligence.”

Iran has now extended that doctrine to civilian water supply.

An Iranian drone struck a desalination facility in Bahrain. Researchers at King Abdullah University of Science and Technology warned that desalination infrastructure — which supplies most of the Gulf’s drinking water — is increasingly exposed during regional conflict.

The Middle East and North Africa account for more than 53% of global desalination capacity, according to the World Bank. The question of how governments protect water infrastructure during wartime has no answer yet.

Check Point’s threat intelligence unit says Iran has been running the same surveillance playbook across the Gulf since Feb. 28.

“Starting Feb. 28 we saw a huge spike in targeting of major IP camera brands in Israel, five Gulf countries and Cyprus,” said Sergey Shykevich, Check Point’s threat intelligence group manager, in the same briefing. “When we mapped the activity, the countries targeted in the cyber operations matched the countries being hit by missiles in those same days.”

Iran targeted surveillance cameras in Israel during the previous round of fighting last June. The difference now is scale. The targeting has expanded to the UAE, Saudi Arabia, Qatar, Bahrain, Kuwait and Cyprus.

“This is part of Iranian operational warfare doctrine,” Mr. Shykevich said. “They target cameras in areas where missile strikes are taking place.”

Qatar’s arrest of 10 Iranian nationals this month — seven accused of espionage against critical infrastructure, three suspected of being IRGC operatives trained to pilot drones — showed how the digital intelligence campaign connects to physical infiltration. Analysts told Al Jazeera the suspects were almost certainly gathering intelligence on installations. One noted: “You don’t send people to other countries physically to collect general information.”

Mr. Singh of ARP Syndicate offered a specific explanation for how Iran acquired the camera exploitation capability so quickly at scale. Nearly all surveillance cameras deployed globally are manufactured in China, he noted, and a single exploit purchased from a Chinese security researcher can give Iran the reconnaissance capability it needs across an entire target country.

“If you are giving the right exploits to Iran, they can easily have that level of recon capability by just buying one exploit from China,” Mr. Singh said. “That is the kind of partnership that China and Iran has.”

Cameras give attackers eyes on infrastructure sites, ports and transportation corridors in real time. Electronic warfare has added a third dimension. GPS signals and automatic ship identification systems have been disrupted across more than 1,100 vessels in Gulf waters spanning Iranian, UAE, Qatari and Omani territory.

The camera vulnerability is largely self-inflicted. Most systems sit exposed because organizations skip available security updates.

“There is no good awareness that you should update a camera the way you would update your computer,” Mr. Shykevich said. “That is what the Iranians were able to exploit.”

“Rapid digitalization in the Middle East has widened cyber vulnerabilities, exposing critical government and economic sectors to heightened risks,” said Bassant Hassib, a political science professor at the European Universities in Egypt in Cairo. State-linked cyber operations now run routinely alongside conventional military activity, she said.

Handala, which researchers say is affiliated with Iran’s Ministry of Intelligence, carried out the disruptive operations against Stryker. Stryker confirmed it was experiencing a global network disruption to its Microsoft environment as a result of a cyber attack. Check Point called it the first known instance of Iranian cyber actors hitting a major American enterprise not for espionage but to cause disruption. Stryker sits inside the global healthcare supply chain, and analysts say the damage ripples beyond the company itself.

Mr. Singh said the Stryker attack was not improvised. Large-scale intrusions require months of preparation before attackers begin executing what security professionals call the cyber kill chain.

“Extreme-impact attacks against companies like Stryker take at least two to three months on average before execution begins,” Mr. Singh said. “The planning likely began in late December or early January.”

The International Institute for Strategic Studies think tank warned that Iran’s ability to conduct cyber operations beyond its borders has become essential to the regime’s survival. An end to the digital campaign is unlikely regardless of how the kinetic war resolves.

Check Point, the Israeli firm tracking the campaign in real time, runs its largest engineering operation outside Israel in Bangalore, where 150 researchers work alongside Israeli colleagues on the same products now defending Gulf infrastructure.

Iran’s financial footprint inside the UAE adds another dimension to the threat. Erel Margalit, who brought 450 entrepreneurs from Israel, Europe, the United States and the UAE together in Dubai months before the war to discuss regional collaboration, said Jerusalem Venture Partners has been working with UAE banks to identify Iranian financial flows using artificial intelligence. Individually the transactions raise no flags, he said. Mapped by artificial intelligence, the patterns reveal funding for hostile regional activity.

“Iranian money has been responsible for many of the regional bad actions,” Mr. Margalit said. “It looks like benign transactions, but when you put AI on it and look at the patterns, it’s funding bad things happening in the region.”

UAE authorities have begun investigating and uncovering those flows, he said. “Today, with so much Iranian money in UAE banks, it’s something people need to pay attention to.”

When the physical and digital infrastructure of the emerging regional corridor comes under direct attack, Mr. Margalit said, the response is not retreat. It is acceleration.

Mr. Zanger said the broader threat goes well beyond the current conflict. Iran and other sophisticated actors are building what he called AI attack factories — automated systems that improve at speed and scale, targeting organizations that have not kept pace with basic cybersecurity posture.

“This mega cybersecurity incident based on AI has not happened yet,” Mr. Zanger said. “But my concern is that it is going to happen. And it has nothing to do with whether you adopt or use AI. Whether you use it or not, you are at risk.”

Copyright © 2026 The Washington Times, LLC.