Iran-Linked Hybrid Threats to Middle East Digital and Maritime Infrastructure
Escalation in the Iran-US-Israel conflict is disrupting regional digital and communications infrastructure through both direct threats and indirect operational impacts. Iran-linked activity has reportedly expanded from military retaliation rhetoric to threats against major U.S. technology companies' facilities in the Middle East, including sites associated with Microsoft, Amazon, Google, Oracle, IBM, and Nvidia, while earlier attacks were said to have caused outages at AWS datacenters in the UAE and Bahrain. In parallel, maritime traffic near the Strait of Hormuz has experienced anomalies consistent with GNSS spoofing and other electronic warfare techniques, with vessels reporting false positions and receiving radio warnings that could be used to shape shipping behavior without a formal blockade.
The same regional instability is also affecting subsea connectivity projects. Meta's 2Africa cable build has been delayed after Alcatel Submarine Networks declared force majeure and said it could no longer safely operate in the Persian Gulf, leaving the Pearls segment incomplete despite most cable having already been laid. Together, the reporting indicates a broader pattern in which conflict around Iran is creating cyber-physical risk across cloud infrastructure, maritime navigation, and undersea communications, increasing the likelihood of service disruption, delayed repairs, higher operating costs, and reduced confidence in critical regional infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
30 events from the most recent confirmed update back to the earliest known activity.
U.S. tech firms and Gulf states pursue overland fiber bypass routes
By 2026-05-19, U.S. technology companies and Gulf states were reported to be pursuing overland fiber routes to reduce dependence on undersea cable paths through the Strait of Hormuz. The effort was described as a response to Iranian pressure on cable repair and deployment, though the alternative projects face geopolitical and coordination obstacles.
Iran confirms forthcoming PGSA Hormuz transit permit regime
On 2026-05-16, Iran confirmed it would soon disclose full details of a new Strait of Hormuz transit regime run by the newly established Persian Gulf Strait Authority. The mechanism requires vessels to submit ownership, insurance, crew, cargo, and routing information for permits, while Israel-linked vessels are banned and U.S.-linked or other 'hostile country' vessels face severe restrictions.
Iran reportedly seizes sanctioned tanker JIN LI
By 2026-05-14, Windward reported that Iran had seized the sanctioned tanker JIN LI amid continued ceasefire-era maritime enforcement in and around the Strait of Hormuz. The incident was presented alongside continued U.S. disabling of additional Iran-linked tankers, underscoring ongoing reciprocal interdiction despite the ceasefire.
IRGC-linked media proposes taxing and controlling Hormuz undersea cables
On 2026-05-11, IRGC-affiliated outlets Tasnim and Fars reportedly outlined measures to license foreign submarine cable operators, impose fees, require compliance with Iranian law, and place cable maintenance under Iranian firms' control in the Strait of Hormuz. Fars also raised the prospect of disrupting the cables, signaling a new pressure point against regional digital infrastructure.
Qatar LNG cargo resumes Hormuz transit with AL KHARAITIYAT
By 2026-05-11, AL KHARAITIYAT reportedly became the first Qatar LNG cargo to transit the Strait of Hormuz since the February closure, signaling a limited restart of Qatari LNG movements. The passage was described as occurring under a Pakistan-mediated U.S.-Iran ceasefire framework.
Iran-linked tankers shift toward Lombok and Sunda routes
By 2026-05-07, maritime intelligence indicated Iran-linked tankers were increasingly using Indonesia’s Lombok and Sunda Straits instead of more visible Gulf routes. The shift was described as an effort to reduce detection and sanctions scrutiny as U.S. enforcement and monitoring pressure intensified around Hormuz and Iranian ports.
Mass GPS jamming and dark vessel buildup hit Fujairah-Hormuz corridor
On 2026-05-05, maritime visibility around Fujairah, the Strait of Hormuz, and the Gulf of Oman sharply deteriorated after Project Freedom, with roughly 470 vessels reportedly affected by GPS jamming near Fujairah within 24 hours. SAR imagery the same day identified 167 commercial-size vessels near Hormuz, including 146 operating dark and largely stationary, indicating a major escalation in navigational disruption and concealment activity.
U.S. launches Project Freedom to guide neutral shipping in Hormuz
On 2026-05-04, the United States began Project Freedom, an operation to guide 'neutral and innocent' commercial vessels through the Strait of Hormuz while continuing interdiction of Iran-linked shipping. The move marked a new phase in maritime security enforcement as dark fleet activity and sanctions-evasion behavior persisted around Iranian ports and transit corridors.
Iranian crude exports drop sharply as Kharg loadings slow
By 2026-04-23, Iranian oil exports were reportedly under increased pressure, with weekly crude departures from Kharg Island falling well below normal wartime levels. Maritime intelligence also noted a growing cluster of AIS-dark tankers near Chabahar, indicating eastward repositioning and accumulation outside the Gulf under U.S. enforcement pressure.
IRGC reportedly attacks three outbound container vessels and seizes one
On 2026-04-22, IRGC forces reportedly attacked three outbound container vessels near the Strait of Hormuz and seized at least one of them. Windward described the incident as a major escalation in Iranian maritime interdiction, bringing the reported total number of vessels struck or fired upon since February 28 to 34.
Reported U.S. interdiction expands to Gulf of Oman near Chabahar
On 2026-04-19, maritime intelligence reporting said U.S. enforcement expanded beyond the Strait of Hormuz into the Gulf of Oman, including the first confirmed interdiction outside the immediate transit zone. The action reportedly involved the OFAC-sanctioned, Iran-linked container vessel TOUSKA near Chabahar, signaling a broader interception footprint.
Reported attack on SANMAR HERALD triggers renewed Hormuz reversals
On 2026-04-18, maritime security conditions around the Strait of Hormuz sharply worsened as Iranian closure signaling was accompanied by vessel attacks, including reported direct gunfire against the India-flagged VLCC SANMAR HERALD. Windward said 35 outbound vessels reversed course over 36 hours, indicating kinetic risk was materially shaping commercial shipping decisions.
OFAC sanctions target Iranian oil shipping and shadow fleet network
By 2026-04-16, U.S. pressure expanded beyond maritime interdiction with new OFAC sanctions aimed at an Iranian oil shipping network and associated shadow fleet infrastructure. The move complemented the reported blockade of Iranian ports and increased pressure on Iran-linked maritime logistics.
Reported U.S. blockade targets traffic to and from Iranian ports
On 2026-04-13, maritime intelligence reporting described a reported U.S. Central Command blockade on all traffic entering and exiting Iranian ports while mine clearance operations continued. The measure coincided with constrained but ongoing Strait of Hormuz crossings, U-turns near the enforcement deadline, and a buildup of hundreds of cargo and tanker vessels in the Gulf.
U.S. forces begin mine clearance operations in Arabian Gulf
By 2026-04-12, U.S. forces had begun mine clearance operations in the Arabian Gulf as Strait of Hormuz traffic remained restricted during the ceasefire. The activity, coupled with signals of possible enforcement or interdiction after failed negotiations, raised the risk of direct state confrontation.
IRGC reportedly strikes container ship Qingdao Star near Kish Island
On 2026-04-07, the Marshall Islands-flagged container ship Qingdao Star was reportedly struck south of Kish Island. The IRGC claimed it had targeted an alleged Israeli-linked vessel, highlighting continued risk to commercial shipping despite the newly announced two-week ceasefire.
Strait of Hormuz traffic shifts to dual-corridor transit system
Maritime traffic through the Strait of Hormuz evolved into a dual-corridor system, with one route controlled by the IRGC near Larak Island and a newer southern corridor running along the Omani coastline. Between April 2 and April 5, the southern route expanded from limited use to coordinated multi-vessel transits, while access remained selective and politically managed.
Missile and drone strikes hit Kuwaiti desalination and oil facilities
On 2026-04-03, Kuwait reported missile and drone strikes on a power and desalination plant and targeting of the Al-Ahmadi oil refinery. Kuwaiti authorities blamed Iran, while the IRGC denied responsibility and accused Israel.
Dubai denies IRGC claim of Oracle data center attack
UAE authorities said an IRGC claim that Oracle's data center in Dubai had been attacked was false, describing the report as fake news. The denial came amid broader regional escalation and concern over strikes on economic and industrial targets.
Iran formalizes crypto-enabled Strait of Hormuz transit toll system
Iran began accepting cryptocurrency in mid-March 2026 for Strait of Hormuz transit tolls administered by the IRGC, alongside yuan payments via Kunlun Bank and CIPS. The arrangement was formally codified under the Strait of Hormuz Management Plan approved on March 30–31, 2026, with supporting infrastructure including a digital currency conversion window on Qeshm Island.
Hormuz traffic shifts to controlled transit as Gulf of Oman becomes holding zone
A month into the conflict, commercial shipping through the Strait of Hormuz had shifted from near-collapse to a tightly controlled, permission-based transit system shaped by political alignment, cargo type, and vessel ownership. Large vessel backlogs formed in the Gulf of Oman amid persistent GPS/AIS interference, dark vessel activity, and deceptive shipping practices, driving broader rerouting of maritime trade and energy flows.
AWS waives March ME-CENTRAL-1 charges after reported strike disruption
By 2026-03-26, AWS said it would waive all March 2026 usage-related charges for the ME-CENTRAL-1 region following severe disruption tied to reported Iranian drone strikes. The company also planned to remove March regional usage from Cost and Usage Reports and Cost Explorer, creating a notable post-incident billing and auditability impact.
Iran warns Gulf energy sites to evacuate after South Pars strike
On 2026-03-19, Reuters reported that Iran warned Gulf states to evacuate gas and energy installations after attacks on Iran’s South Pars and Asaluyeh energy sites. The warning expanded perceived conflict risk from damage inside Iran to possible disruption across the wider Gulf energy system.
Meta says core Africa2 cable is complete but Pearls section remains unfinished
Meta said the core of the Africa2 undersea cable is complete, but the Pearls segment in the Persian Gulf remains unfinished, with much of the cable laid but not yet connected to landing stations. The company also highlighted broader geopolitical risks to digital infrastructure in the region.
Alcatel Submarine Networks declares force majeure on Africa2 Gulf segment
Alcatel Submarine Networks declared force majeure on Meta's Africa2 undersea cable project because it could no longer safely operate in the Persian Gulf. The unfinished Pearls section, meant to connect Gulf states, Pakistan, and India to Africa and Europe, was delayed as a result.
Iranian electronic warfare disrupts navigation near Strait of Hormuz
Widespread maritime navigation anomalies consistent with GNSS spoofing and related electronic warfare were observed in the Persian Gulf, Gulf of Oman, and Strait of Hormuz. Ships reportedly showed GPS drift, false inland positions, and duplicate AIS locations, with Iranian involvement assessed as the most plausible explanation.
Recent strikes reportedly degrade parts of Iran's cyber infrastructure
Recent strikes on Iran reportedly degraded parts of its cyber infrastructure and command hierarchy, according to the PolySwarm analysis. The report frames this as a precursor to a possible shift toward electronic warfare activity.
IRGC reportedly identifies U.S. tech facilities as retaliation targets
Iran's Islamic Revolutionary Guard Corps reportedly identified facilities linked to Google, Amazon, Oracle, IBM, and Nvidia in the Middle East as potential physical attack targets. The threats were framed as retaliation following joint U.S.-Israel missile strikes on Iran and alleged attacks on Iranian banking infrastructure.
Iran reportedly strikes AWS datacenters in UAE and Bahrain
Iran had previously conducted aerial attacks against AWS datacenters in the UAE and Bahrain, reportedly causing significant cloud service disruptions across the Middle East. The exact date is not specified in the references.
Mass GPS jamming reportedly disrupts 1,100 ships in the Middle East Gulf
By 2026-03-01, maritime intelligence reporting said GPS jamming had disrupted roughly 1,100 ships in the Middle East Gulf. The incident marked an early large-scale navigation interference event preceding the later Strait of Hormuz spoofing and jamming disruptions already documented in the timeline.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
35 references tracked. Mallory keeps watching after this page renders.
Iran demands Big Tech pay fees for undersea Internet cables in Strait of Hormuz - Ars Technica
arstechnica.com
Open sourceIran's Hormuz Transit Toll Mechanism & What It Means at Sea
windward.ai
Open sourceFive Weeks Into Ceasefire, Hormuz Stays Constrained
windward.ai
Open sourceDark Shipping and IRGC Activity Intensify Around Hormuz
windward.ai
Open sourceMajor US tech firms reportedly set to be targeted with retaliatory Iranian strikes | brief | SC Media
scworld.com
Open sourceGPS spoofing is scrambling ships in the Strait of Hormuz | Scientific American
scientificamerican.com
Open sourceGPS jamming and its use in the Iran war, explained | CNN
cnn.com
Open sourceGPS Jamming Disrupts 1,100 Ships in the Middle East Gulf
windward.ai
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Middle East Conflict Drives Cyber and Infrastructure Risk Warnings
Escalating conflict involving **Iran** has renewed attention on the cyber dimension of regional warfare, with warnings that attacks can extend beyond conventional military targets to government networks, critical infrastructure, transportation, and financial systems. One analysis highlights Iran’s long-standing investment in asymmetric cyber operations through state actors, proxies, and aligned hacktivists, citing activity during the 2025 conflict that included reconnaissance, phishing, defacements, data theft, data dumps, and malware delivery against perceived adversaries. A separate briefing describes alleged kinetic strikes on data centers supporting an AWS region in the Middle East, causing outages that affected consumer applications, payment services, banks, and enterprise SaaS providers in the UAE and Bahrain, while exposing how data sovereignty requirements can block rapid workload migration during a crisis. By contrast, commentary on a U.S. executive order targeting cyber-enabled fraud and transnational criminal organizations addresses organized cybercrime policy rather than the Iran-related conflict and should be treated as a different topic.
Apr 16, 2026
Cyber and electronic-warfare activity escalates amid US–Israeli strikes on Iran
Regional conflict following **U.S.–Israeli strikes on Iran** has been accompanied by heightened cyber and electronic-warfare activity affecting both military operations and civilian infrastructure. U.S. officials publicly acknowledged that **U.S. Cyber Command**, alongside space capabilities, conducted “non-kinetic” operations to **disrupt Iranian communications and sensor networks** in support of *Operation Epic Fury*, describing effects intended to degrade Iran’s ability to coordinate and respond; reporting also noted follow-on hack-and-leak style activity against Iranian-facing online properties (e.g., news sites and an app) and warned of potential retaliatory cyber activity by Iranian-aligned actors. In parallel, maritime intelligence reporting described a sharp increase in **GPS/AIS disruption (jamming/spoofing)** impacting shipping around the Strait of Hormuz, with vessels appearing in false locations and maritime authorities warning of elevated risk to navigation and safety. Iran’s domestic crypto ecosystem also showed signs of stress consistent with conflict conditions and connectivity constraints: observers reported **internet outages**, exchanges moving into risk-containment modes (e.g., batching/suspending withdrawals), and temporary restrictions on the **USDT–toman** trading pair under central bank direction—collectively reducing liquidity and market activity rather than clearly indicating capital flight. Separate reporting on Pakistan’s TV broadcast hijacks and a DDoS incident affecting Russian government sites appear unrelated to the Iran conflict-driven activity described above.
Apr 29, 2026
Iran-Linked Cyber Activity Escalates Amid Middle East Conflict
Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected **IP cameras** across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligning to geopolitical events; activity was traced to infrastructure linked to Iran-nexus actors using commercial VPN exit nodes (e.g., *Mullvad*, *ProtonVPN*, *Surfshark*, *NordVPN*) and VPS infrastructure to mask origin, and the most targeted vendors were **Hikvision** and **Dahua**. Separately, Symantec reported **Seedworm** (*MuddyWater/Temp Zagros/Static Kitten*) activity on multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, airport, non-profit, and the Israeli operations of a U.S. software supplier to defense/aerospace; Symantec identified a previously unknown backdoor dubbed **Dindoor** (leveraging the *Deno* runtime) and a Python backdoor **Fakeset**, with malware signed using certificates issued to “**Amy Cherne**” (and in some cases “**Donald Gay**”), and noted attempted data exfiltration using **Rclone** to a *Wasabi* cloud storage bucket. Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags **pro-Iranian/pro-Islamist hacktivist** attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt. A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including *Unitronics* PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked **APT28** phishing/malware campaign in Ukraine and a China-nexus **UAT-9244** telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.
Mar 21, 2026