In early February, prior to the start of the 2026 conflict in the Middle East, the United Arab Emirates saw anywhere from 90,000 to 200,000 breach attempts every day.
A few weeks after Israel and the US opened military operations against Iran, cyberattacks surged, with the current daily average ranging between 600,000 and 800,000 breach attempts, Mohammed Al Kuwaiti, chairman of the UAE Cyber Security Council, told various publications.
In addition, the mix of cyberattacks has changed from denial-of-service boasts on Telegram by hacktivists to more serious claims of intrusions and compromise, according to CypherLeak, a cybersecurity services firm with offices in the UAE and Morocco. Several Gulf nations saw a big jump in their “cyber-relevant activity” — a proxy for attacker and defender activity. The UAE saw 15 times the normal volume of cyber-relevant activity, Saudi Arabia saw 25 times, and Qatar's volume more than quadrupled.
The cyberthreat baseline has clearly shifted upward, says CypherLeak CEO Mohamed Amine Belarbi.
“The conflict has created a real mobilization effect — hacktivists, opportunistic cybercriminals, and Iran-aligned actors now have a political trigger and a target list,” Belarbi says. “So we are seeing more attacks, but we are also seeing more of the attacks that were previously below the radar.”
The conflict in the Middle East has continued to expand the utility of cyber operations. Both Iran and Israel — and presumably, the US — have used compromised IP cameras to gain intelligence on their enemies and judge the impact of bombing and missile strikes. Cyberattacks on critical infrastructure and industrial systems continue to raise the stakes, even though defenders have hardened many systems, leading to fewer consequences from infrastructure attacks.
Whether the increase in attacks will outlast the current military conflict is a question mark, says Austin Warnick, director of the national-security intelligence team at threat-intelligence provider Flashpoint.
“It remains to be seen whether the frequency baseline of cyberattacks has been permanently raised.
“Typically, a surge in cyberattacks follows a major Middle Eastern geopolitical event — those attack surges tend to become less frequent as geopolitical tensions cool,” he says. “However, given the current climate, even if the conflict ends completely, it is possible that the baseline of attacks could be raised compared to the pre-conflict baseline as a ‘new normal.’”
Less Infrastructure, More Diplomacy?
In its own analysis of UAE cyber-readiness, CypherLeak found little evidence of successful destructive cyberattacks against UAE critical infrastructure. Yet, the company did find that attackers are more focused on critical business sectors, such as finance, telecoms, aviation, law enforcement, and energy-adjacent infrastructure, says CypherLeak’s Belarbi.
“A genuinely damaging attack on UAE infrastructure would not look like a website defacement,” he says. “It would look like disruption of identity and access systems, payment processing, port logistics, aviation operations, telecom routing, or cloud-dependent government services. Even without physical damage, that type of attack could create cascading delays and undermine public confidence.”
Several Middle Eastern nations — most notably, the UAE and Saudi Arabia — are much better at detecting and blocking threats, significantly improving their cyber visibility, which is likely driving up the number of detected attacks and reducing the impact of those attacks, says CypherLeak’s Belarbi.
The cyberattacks may also more closely resemble a pressure campaign to convince the UAE and other Gulf states to support a more favorable outcome for Iran in negotiations to end the war, says Alexis Rapin, a cyber threat analyst at cybersecurity firm ESET. The most visible attacks by Iran have been drone strikes and missile attacks against the infrastructure of other Gulf states, but cyber operations could succeed where other attacks have fallen short, he says.
“By creating all sorts of difficulties for Gulf states, Tehran ultimately hopes that they will pressure their American allies into agreeing to a deal more reflective of Iran’s desires,” Rapin says. “It’s possible that what we’re seeing now is cyber being leveraged as well by Tehran to supplement and reinforce this broader coercive diplomacy.”
AI Advantage to the Attacker
While defenders are increasingly using AI to help triage detections, humans are still required for much of the threat detection and remediation pipeline, according to ESET. While attackers have jumped on AI, often the result is “poorly crafted and executed attacks,” says Adam Burgher, senior threat intelligence analyst with ESET.
AI certainly lowers the cost of cyber operations, allowing lower-skilled actors to become a more serious threat, says CypherLeak’s Belarbi.
“Right now, I would say AI gives attackers a scaling advantage, but not necessarily a sophistication advantage,” he says. “It makes mediocre attackers faster. It does not automatically make them elite operators. The real risk for Gulf states is volume: more convincing phishing, more automated probing, more fake breach claims, and more pressure on security teams.”
The most significant threat is one that has been around for a while. Iran is well-known for its use of wiper malware to cause operational disruption, and that is perhaps the most critical attack to defend against. Threat actors in the Gulf region are aggressive about finding and exploiting vulnerabilities, says ESET’s Burgher.
“Threat actors are readily willing to exploit exposed vulnerabilities — [such as] an unpatched application running on a Web server — and do so in a large number of compromises,” he says. “Maintaining solid patch-management policies, procedures, and guidelines is critically important for defending against [these] threat actors.”
