You didn't pick a side. It doesn't matter.
On February 28, 2026, the US and Israel launched coordinated strikes on Iranian nuclear sites. Within 24 hours, Iran had responded — not just with missiles, but with drones aimed at data centers in the UAE and Bahrain. Two AWS facilities in the UAE were directly struck. A third in Bahrain was damaged. Abu Dhabi Commercial Bank, Emirates NBD, First Abu Dhabi Bank, the payments platforms Hubpay and Alaan, and the ride-hailing giant Careem all went down.
None of those businesses chose to be part of a conflict between Washington and Tehran. They just happened to run on infrastructure that did. That's the new reality for any business operating in the Gulf.
As someone running a web security agency in the region, I've watched this situation develop with a particular kind of dread — not because it's surprising, but because most businesses I talk to still think of cybersecurity as someone else's problem. That assumption has become genuinely dangerous.
What's actually happening right now
Iran has long been considered a capable nation-state actor in cyberspace. Since the strikes began, over 60 active pro-Iranian hacktivist groups mobilized within hours, according to Palo Alto Networks' Unit 42. Google's chief of cyber threat intelligence, John Hultquist, was direct about who's in scope: "We expect Iran to target the US, Israel, and Gulf Cooperation Council countries with disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure."
Targets of opportunity. That phrase matters. It means Iran and its proxies are not just hunting for military networks. They are looking for whatever is open, whatever is unpatched, whatever is easiest to hit to make a point. The weaker your cybersecurity, the more attractive you become.
The UK's National Cyber Security Centre put out an advisory warning that organisations with operations or supply chains in the Middle East face "almost certainly a heightened risk of indirect cyber threat." The FBI and CISA issued similar warnings in the US. The Canadian Centre for Cyber Security published a full threat bulletin. These agencies don't do that lightly.
You don't have to be a target to be hit
This is the part that gets missed in most conversations about geopolitical cyberattacks: you don't need to be on anyone's list to end up in the blast radius.
The AWS drone strikes are the clearest example. Iran's IRGC targeted the data centers because of their perceived role in supporting US military operations. Every business running on AWS in the UAE and Bahrain became collateral — not because of anything they did, but because of what their cloud provider was doing on a completely separate layer of the same infrastructure.
This is the supply chain problem made physical. You outsource your IT to US-based platforms. Those platforms become strategic targets. Your operations go dark. AWS itself told affected customers to "back up their data or consider migrating workloads to other regions." Cold comfort if your payments platform is down and your customers can't transact.
The same logic applies to cyberattacks. Back in 2022, the Iran-aligned group Agrius deployed a destructive wiper called Fantasy through a supply-chain attack that abused a single Israeli software developer — hitting targets across multiple countries that had no direct connection to the conflict at all. In the current escalation, cybersecurity researchers at Check Point have documented Iranian threat actors with "a noticeable focus on supply-chain footholds — IT and service providers — to reach downstream victims."
If you use a US-based SaaS platform, a US-hosted CRM, cloud storage on AWS or Azure, or any vendor with Middle East infrastructure — you are part of a supply chain that is actively being mapped and probed right now.
What Iran's playbook actually looks like
Understanding the threat helps you prepare for it. Iran-linked actors don't typically run one kind of attack. Their approach is layered and coordinated:
- DDoS attacks — flooding a network or website with traffic until it collapses. Disruptive, fast to launch, and used to cause panic and erode trust with customers.
- Website defacements — replacing your site's content with political messaging. Embarrassing, reputationally damaging, and a signal that your systems were penetrated.
- Hack-and-leak operations — exfiltrating data and threatening to publish it. Compliance nightmare, customer trust collapse, potential regulatory consequences.
- Wiper malware — designed not to steal data but to destroy it. No ransom demand, no negotiation. Just destruction. The pro-Iranian group Handala used a data-wiping attack on US medical device company Stryker in March 2026, shutting down their systems globally.
- Ransomware — encrypting your systems and demanding payment. The BaqiyatLock group has been offering free affiliate access to anyone willing to target organisations connected to the conflict.
Critically, these aren't always sophisticated attacks. A former FBI and CIA officer now at SentinelOne put it plainly: "The attacks are not that sophisticated. But if a business has failed to keep up with its cybersecurity, it could pay a steep price." Iran doesn't need to outmaneuver your security team. It just needs to find the door you forgot to lock.
There's also an insurance problem nobody is talking about
Moody's and Fitch have both issued warnings about cyber risk in the context of the current conflict — but one detail buried in those reports deserves more attention.
Standard commercial insurance policies frequently exclude acts of war. If your business is hit in an attack that can be attributed to Iranian state actors or their proxies — an attribution regulators and intelligence agencies are already making — your insurer may argue the incident falls under a war exclusion clause and decline the claim entirely. The cost lands on your balance sheet, not theirs.
This isn't hypothetical. It's already being discussed at the ratings agency level. If you haven't reviewed your cyber insurance policy for war exclusions, now is the time.
What this means for GCC businesses specifically
The Gulf has spent the last decade positioning itself as a global hub — for finance, logistics, AI investment, data infrastructure. That ambition is exactly what makes the region strategically interesting to adversaries, and exactly what makes the current moment so consequential.
AWS's data centers were targeted partly because they had become load-bearing infrastructure for both commercial and military operations in the region. The more the Gulf grows as a digital hub, the more its infrastructure becomes worth disrupting.
And yet most SMEs across the GCC still treat cybersecurity as a box to check rather than a posture to maintain. No regular penetration testing. Unpatched systems. Shared passwords. No incident response plan. In normal times, this is a slow-burning risk. Right now, it's an open invitation.
Don't wait to be tested by hackers
There's a version of this where your business finds out it has a vulnerability because you hired someone to look for it. And there's a version where you find out because a hacktivist group posts your data online at 2am with a message about the war.
The difference is who does the testing first.
The immediate steps every GCC business should take, regardless of size (we wrote a practical step-by-step guide if you want the full walkthrough):
- Patch everything. Unpatched systems are Iran's preferred entry point. Check your software versions, your server configurations, your CMS, your plugins. All of them.
- Audit your third-party dependencies. List every US-based SaaS tool, cloud provider, and vendor you use. Understand what data they hold and what happens to your operations if they go offline. The AWS outage showed exactly how fast this can cascade.
- Review your cloud architecture. If everything runs in a single region, you have no resilience. Multi-region redundancy isn't optional infrastructure anymore — it's crisis planning.
- Check your insurance. Read your cyber policy for war exclusion clauses. If it's there, speak to your broker about specialist war risk coverage before you need it.
- Have an incident response plan. Not a document that lives in a folder. An actual tested plan — who gets called, what gets shut down, how you communicate to customers, what your backup systems are.
- Get a penetration test done. Not a compliance checkbox, a real adversarial test of your systems. Know what attackers would find before they find it themselves.
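The dependency audit and single-region check from the list above can be run over a plain inventory of what each service depends on. This is an added example, not part of the original article: the service names, vendor names and field names are constructed for illustration, and the region codes are AWS's identifiers for the UAE (me-central-1), Bahrain (me-south-1) and Ireland (eu-west-1).

```python
# Constructed inventory. "replicas" are independent deployments that can each
# serve traffic alone; "hard_deps" are vendors the service cannot run without.
INVENTORY = [
    {"service": "payments-api",
     "replicas": [("aws", "me-central-1")],
     "hard_deps": [("crm-saas", "us")]},
    {"service": "customer-portal",
     "replicas": [("aws", "me-central-1"), ("aws", "eu-west-1")],
     "hard_deps": []},
    {"service": "reporting",
     "replicas": [("aws", "me-south-1"), ("aws", "me-central-1")],
     "hard_deps": [("crm-saas", "us")]},
]

def survives(entry, lost):
    """True if the service keeps running when every placement in `lost` is offline."""
    if any(dep in lost for dep in entry["hard_deps"]):
        return False
    return any(replica not in lost for replica in entry["replicas"])

def blast_radius(inventory, lost):
    """Services that go down if all placements in `lost` fail together."""
    lost = set(lost)
    return sorted(e["service"] for e in inventory if not survives(e, lost))

def single_points_of_failure(inventory):
    """Map each placement to the services its loss alone would take down."""
    placements = {p for e in inventory for p in e["replicas"] + e["hard_deps"]}
    result = {}
    for placement in sorted(placements):
        down = blast_radius(inventory, [placement])
        if down:
            result[placement] = down
    return result

if __name__ == "__main__":
    for placement, services in single_points_of_failure(INVENTORY).items():
        print(placement, "->", services)
    # Correlated scenario: both Gulf AWS regions offline at the same time.
    gulf = [("aws", "me-central-1"), ("aws", "me-south-1")]
    print("both Gulf regions lost ->", blast_radius(INVENTORY, gulf))
```

In this inventory "reporting" passes the single-failure check because it runs in two regions, but it still goes down in the correlated scenario because both regions sit in the same theatre.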
"The attacks are not that sophisticated. But if a business has failed to keep up with its cybersecurity, it could pay a steep price. Patch your systems. Ensure your firewalls and security solutions are up to date. Remove your stale accounts. All the cyber hygiene that you should be doing — it's more critical now than ever."
That's Shaun Williams, formerly of the FBI and CIA, speaking last week. He's not describing the threat to governments. He's describing the threat to businesses exactly like yours.
This isn't alarmism. It's timing.
Geopolitical conflicts produce spikes in cyber activity. This one already has — a 700% increase in cyberattacks targeting Israel in the first weeks of the escalation, according to Radware. The GCC is explicitly named as a target zone by Google's own threat intelligence team. The physical infrastructure that GCC businesses run on has already been hit with drones.
The question isn't whether your business could be affected. It already operates inside the blast radius. The question is whether you've done anything to reduce your exposure before someone decides to find out what's there.
We do this work — penetration testing, security audits, incident response planning — for businesses across the region. If you want to understand where you actually stand, get in touch. The conversation is free. Finding out through a breach isn't.