A coordinated Israeli–U.S. kinetic and cyber campaign (Operation Roaring Lion / Epic Fury) on 28 February 2026 caused near‑total digital disruption across Iran while provoking missile and cyber retaliation that increased regional and global spillover risks. The escalation triggered widespread AI‑enabled phishing, VPN/backdoor exploitation, web shells, DDoS, and wiper activity attributed to IRGC/MOIS APTs, deputized hacktivists, and other actors, raising risks for energy, finance, supply chains, and critical infrastructure. #OperationRoaringLion #IRGC
Key points
- On 28 February 2026 Israel and the United States launched coordinated strikes (Operation Roaring Lion / Epic Fury) against Iranian leadership, military, and nuclear sites, accompanied by a large-scale Israeli cyber campaign that reduced Iranian internet connectivity to roughly 4%.
- Iran responded with ballistic missile and drone strikes across the region and retained an active cyber ecosystem (IRGC/MOIS‑aligned APTs and hacktivist proxies) capable of espionage, disruption, and influence operations.
- The UAE and GCC states reported waves of sophisticated, AI‑enhanced attacks (phishing, malware, ransomware) in the days before the strikes, many of which were detected and mitigated by national defenses.
- Hacktivist groups claimed over 150 incidents (DDoS, defacement, leak claims) between 28 February and 1 March 2026, showing coordinated narratives and overlapping target sets across government, finance, aviation, telecom and critical infrastructure.
- Key TTPs observed include spear‑phishing, VPN/backdoor exploitation, persistent web shells, PowerShell abuse, credential theft/dumping, token/AiTM attacks, DDoS, wipers, and exploitation of public‑facing systems or zero‑days.
- Second‑order spillover risks threaten India, EU states, Japan, South Korea, Turkey and global IT/cloud providers via supply‑chain compromise, increased freight/insurance disruptions, and attacks on contractors and service providers.
- Immediate recommendations include enterprise credential rotation and MFA, patching and web/CVE scanning, enhanced SIEM/IOC integration, segmented IT–OT controls, offline immutable backups, and coordinated sectoral playbooks for DDoS and incident escalation.
MITRE Techniques
- [T1566] Phishing – Use of spear‑phishing to gain initial access: ‘Use of spear-phishing, VPN and edge-device exploitation, web shells, custom malware (including wipers)’.
- [T1003] Credential Dumping – Offline credential harvesting and reuse following compromise: ‘credential dumping’.
- [T1498] Network Denial of Service – DDoS campaigns used by hacktivists and state‑aligned actors to disrupt availability: ‘Heavy reliance on DDoS as the primary tactic’.
- [T1505.003] Web Shell – Persistent access via web shells on compromised servers: ‘persistent web shells’.
- [T1059.001] Command and Scripting Interpreter: PowerShell – Abuse of PowerShell for execution and lateral movement: ‘PowerShell abuse’.
- [T1133] External Remote Services – Exploitation and backdooring of VPN and remote‑access appliances to gain access: ‘VPN backdoor exploitation’.
- [T1195] Supply Chain Compromise – Attempts to pivot through third‑party providers and digital supply chains: ‘supply-chain compromise’.
- [T1190] Exploit Public-Facing Application – Use of zero‑day and public‑facing application exploits to intrude into critical systems: ‘zero-day vulnerabilities’.
- [T1485] Data Destruction – Deployment of wiper malware to destroy data and disrupt operations: ‘wipers’.
- [T1557] Adversary-in-the-Middle – AiTM and token‑theft attacks to intercept credentials and session tokens: ‘AiTM and token-theft attacks’.
- [T1071] Application Layer Protocol – Use of Cobalt Strike and similar C2 tooling for command and control: ‘Cobalt Strike’.
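The techniques listed above are the ones a SOC would want its log triage to tag. As an added illustration (not code from the CloudSEK post, and not tied to any real telemetry from these incidents), the script below runs a handful of defensive checks over constructed sample events and labels each hit with the matching ATT&CK ID: regex rules for PowerShell abuse, web shell drops and LSASS access, plus two stateful checks for session‑token reuse across source IPs (T1557) and request floods against one host (T1498). The log format, field names, regexes and thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample events, one per line: "<ts> <host> <src_ip> <event_type> <details>".
# Invented for this example; not telemetry from the incidents described above.
SAMPLE_LOGS = [
    "2026-03-01T08:00:01Z ws01 10.0.0.5 process_start powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA",
    "2026-03-01T08:00:05Z web01 10.0.0.7 file_write C:\\inetpub\\wwwroot\\uploads\\cmd.aspx created by w3wp.exe",
    "2026-03-01T08:01:10Z dc01 10.0.0.9 process_access procdump64.exe -ma lsass.exe out.dmp",
    "2026-03-01T08:02:00Z sso01 203.0.113.10 session_use token=abc123 user=alice",
    "2026-03-01T08:02:30Z sso01 198.51.100.20 session_use token=abc123 user=alice",
    "2026-03-01T08:03:00Z ws02 10.0.0.11 process_start notepad.exe readme.txt",
] + [
    # 60 login requests to one edge host from five different sources (constructed flood)
    f"2026-03-01T08:04:{i:02d}Z edge01 192.0.2.{i % 5} http_request GET /login"
    for i in range(60)
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) (?P<etype>\S+) (?P<details>.*)$")

# Single-event rules: (technique ID, label, event types it applies to, regex over the details field).
# Patterns are illustrative assumptions, not a vetted rule set.
PATTERN_RULES = [
    ("T1059.001", "PowerShell with hidden window or encoded command", {"process_start"},
     re.compile(r"powershell(?:\.exe)?\b.*(?:-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden)", re.I)),
    ("T1505.003", "Script file written into a web root", {"file_write"},
     re.compile(r"(?:wwwroot|htdocs|/var/www)\S*\.(?:aspx?|php|jsp)\b", re.I)),
    ("T1003", "Process memory access targeting LSASS", {"process_access"},
     re.compile(r"\blsass\.exe\b", re.I)),
]


def parse(lines):
    """Split raw lines into field dictionaries; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_token_reuse(events):
    """T1557 indicator: the same session token presented from more than one source IP."""
    sources = defaultdict(set)
    for ev in events:
        if ev["etype"] == "session_use":
            m = re.search(r"token=(\S+)", ev["details"])
            if m:
                sources[m.group(1)].add(ev["src"])
    return {tok: ips for tok, ips in sources.items() if len(ips) > 1}


def detect_request_flood(events, min_requests=50, min_sources=3):
    """T1498 indicator: many requests to one host from several sources in the sample window.
    Thresholds are assumed values for the example; tune them to real baselines."""
    counts = defaultdict(int)
    srcs = defaultdict(set)
    for ev in events:
        if ev["etype"] == "http_request":
            counts[ev["host"]] += 1
            srcs[ev["host"]].add(ev["src"])
    return {h: (counts[h], len(srcs[h])) for h in counts
            if counts[h] >= min_requests and len(srcs[h]) >= min_sources}


def triage(lines):
    """Return {technique_id: [evidence strings]} for every rule that fires on the input lines."""
    events = parse(lines)
    hits = defaultdict(list)
    for ev in events:
        for tech, label, etypes, rx in PATTERN_RULES:
            if ev["etype"] in etypes and rx.search(ev["details"]):
                hits[tech].append(f"{label}: {ev['host']} {ev['details']}")
    for tok, ips in detect_token_reuse(events).items():
        hits["T1557"].append(f"token {tok} used from {len(ips)} source IPs: {sorted(ips)}")
    for host, (n, s) in detect_request_flood(events).items():
        hits["T1498"].append(f"{host} received {n} requests from {s} sources")
    return dict(hits)


if __name__ == "__main__":
    for tech, evidence in sorted(triage(SAMPLE_LOGS).items()):
        print(tech)
        for item in evidence:
            print("  ", item)
```

Run as-is and it reports five technique IDs against the constructed sample; feed `triage()` your own normalized lines to reuse the checks. The two stateful detectors are the ones worth keeping when adapting this: a single encoded PowerShell line is noisy on its own, whereas a token replayed from a second network or a request volume well above baseline from many sources is the kind of correlation the recommendations above (SIEM/IOC integration, DDoS playbooks) are meant to surface.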
Indicators of Compromise
- [Threat Actor Names] named adversaries and groups cited as active actors – APT33, APT35, OilRig/MuddyWater, IRGC/MOIS, Predatory Sparrow, DieNet Network, SylhetGang (and many more hacktivist brands).
- [Domains / Media Targets] media and government sites targeted or disrupted – IRNA, Tasnim (government/media outages and defacements reported).
- [Tools / Malware] tooling and malware families used or observed – Cobalt Strike, wipers (destructive malware), web shells; and mention of custom malware and ICS‑focused tooling.
- [Application / Platform] compromised or abused apps and platforms – a widely used Iranian prayer‑times app was hacked and used to push political/military notifications; data‑leak claims such as a ‘21 GB’ theft claim against a Saudi private entity.
Read more: https://www.cloudsek.com/blog/middle-east-escalation-israel-iran-us-cyber-war-2026