CLOUD WAR — MARCH 2026 / IRAN–ISRAEL HYBRID CONFLICT ANALYSIS
The March 2026 cyber-kinetic conflict marks the first large-scale convergence of physical military strikes and coordinated state-sponsored cyber operations against public cloud hyperscale infrastructure. Drone strikes on AWS facilities in the UAE and Bahrain triggered cascading failures across cloud regions, a record-breaking 5.2 Tbps DDoS campaign, a multi-actor supply-chain worm (Shai-hulud 2.0), and deep enterprise intrusions via the Dindoor/CHAR/RustyWater malware ecosystem. This report synthesizes the full kill chain, threat actor attribution, enriched IOCs, and strategic implications backed by current threat intelligence.
On Feb 28, 2026 22:00 UTC, US and Israeli forces launched a coordinated cyber-kinetic offensive against Iranian nuclear, C2, and air-defense infrastructure. Operation Epic Fury (US) ran parallel to Operation Roaring Lion (Israel).
Iran's response marked a fundamental doctrine shift from shadow-war espionage to Cloud-First destructive operations. The Electronic Operations Room was established Feb 28 — coordinating MOIS APTs, IRGC proxies, and Russian-aligned hacktivists from outside Iranian borders.
Joint US-Israeli cyber-kinetic strikes on Iranian nuclear, C2, and air-defense infrastructure. BGP manipulation collapses Iran's internet to 4% capacity within 60 minutes. BadeSaba prayer app (30M+ users) backend compromised — IRGC personnel receive defection-urging push notifications. IRIB state TV satellite feeds overridden for 10+ minutes via DVB-S signal injection with anti-regime content. GNSS jamming across the Persian Gulf disrupts Shahed-136 loitering munition navigation. B-2 Spirit and F-35I strikes execute under radar-silent corridors created by compromised Iranian SCADA-controlled air defense systems.
Two small aerial objects penetrate UAE airspace. First detonation near power distribution supplying AWS me-central-1 AZ mec1-az2. Second impact hits cooling infrastructure of the adjacent complex. AWS AZ mec1-az3 sustains nearby impact blast damage. Fire suppression agents deploy across multiple zones simultaneously — water floods PDUs under raised flooring, arc faults trigger emergency shutdowns, storage arrays lose controller connectivity, and network switches go dark.
Separate drone strike targets data center infrastructure in Bahrain. One AWS Availability Zone in me-south-1 sustains proximity damage. Foundational services (S3, DynamoDB) begin degraded operation. The Elastic IP 'EIP Trap' emerges: API calls to disassociate and reassociate EIPs fail because the regional control plane is degraded, so customers cannot fail over away from impaired zones. The caveat for architects: an EIP is a regional resource and moving it is a control-plane operation, so any failover design that depends on the impaired region's API (EIP reassociation, RunInstances, scaling) inherits that region's outage; DNS-based failover to capacity already running in another region does not.
Millions of Kubernetes clusters, autoscaling groups, and serverless runtimes simultaneously attempt recovery. The EC2 API saturates under simultaneous RunInstances calls. Lambda execution environments time out, generating cold-start storms. AWS begins throttling (HTTP 429); applications that treat a throttle response as a fresh failure retry immediately, and the retry traffic amplifies the spiral. CloudFormation and IAM APIs return 500 errors. Pilot-light DR plans fail: they required the impaired region's control plane to launch the standby capacity.
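To make the amplification concrete, here is an added simulation (illustrative code written for this page, not code from the report or from AWS) of a throttled control plane with a fixed per-tick capacity serving thousands of recovering clients. Naive clients retry a 429 on the very next tick; backoff clients wait a random interval capped at min(64, 2^attempt) ticks, which is capped exponential backoff with full jitter. The capacity, client count and tick window are assumptions, not measurements.

```python
"""Retry-storm simulation.  Added example for this page: a toy API with a
fixed per-tick capacity serves N clients that all need one successful call.
Naive clients retry a throttle immediately; backoff clients wait a jittered,
capped exponential delay.  All numbers are constructed, not measured."""
import random

CAPACITY_PER_TICK = 100      # assumed control-plane capacity (requests per tick)


def simulate(num_clients, ticks, backoff, base=1, cap=64, seed=1):
    """Return (total_attempts, clients_served) after `ticks` time steps.

    backoff=False: every throttled client retries on the next tick.
    backoff=True : throttled client waits uniform(0, min(cap, base * 2**attempt)).
    """
    rng = random.Random(seed)
    next_try = {c: 0 for c in range(num_clients)}   # tick at which a client retries
    attempts = {c: 0 for c in range(num_clients)}
    served = set()
    total = 0
    for t in range(ticks):
        ready = [c for c in next_try if c not in served and next_try[c] <= t]
        rng.shuffle(ready)
        total += len(ready)
        for c in ready:
            attempts[c] += 1
        for c in ready[:CAPACITY_PER_TICK]:          # these calls succeed
            served.add(c)
        for c in ready[CAPACITY_PER_TICK:]:          # these receive HTTP 429
            if backoff:
                delay = rng.uniform(0, min(cap, base * 2 ** attempts[c]))
                next_try[c] = t + 1 + int(delay)
            else:
                next_try[c] = t + 1
    return total, len(served)


def compare(num_clients=5000, ticks=50):
    """Run both client populations against the same capacity and window."""
    return {"naive": simulate(num_clients, ticks, backoff=False),
            "backoff": simulate(num_clients, ticks, backoff=True)}


if __name__ == "__main__":
    for name, (attempts, served) in compare().items():
        print(f"{name:8s} attempts={attempts:7d} served={served}")
```

Running compare() shows the naive population issuing well over a hundred thousand requests to complete 5,000 launches, while the backoff population issues a fraction of that; the trade-off is that jittered clients are spread out and not all of them are served inside the same window. With boto3 the equivalent setting is Config(retries={"mode": "adaptive", "max_attempts": 10}) from botocore.config, whose adaptive mode also applies client-side rate limiting when throttle responses are seen.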
Electronic Operations Room (Handala + 313 Team + Russian Legion) launches record-volume attack combining IoT botnets, hijacked consumer routers, and cloud-hosted amplifiers. AI-assisted DDoS tooling sustains the volume. DNS infrastructure, financial clearing systems, and cloud edge gateways are targeted. Cache-poisoning attacks against regional recursive resolvers succeed. CloudFront and Route 53 routing degrades globally due to control-plane lag.
MuddyWater/Seedworm activates pre-positioned Dindoor (Deno-based) backdoors in VPN gateways and firewall appliances across Gulf enterprise networks. Simultaneously, Shai-hulud 2.0 — a self-replicating npm/CI worm — activates in software supply chains, targeting AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault credentials. CI/CD pipelines with malicious pull_request_target workflows begin leaking secrets. Credential harvesting of cloud API tokens begins under cover of the AWS chaos.
Mobile banking platforms across the Gulf collapse. Emirates NBD customers experience login failures and delayed transactions. Careem, Alaan, Hubpay, and Sarwa report 24–48h outages. Bank Hapoalim and Bank Leumi (Israel) suffer 67 combined hours of disruption. DFM/ADX markets open limit-down (–5%). Brent crude surges above $81/bbl on Gulf supply disruption fears. Total Gulf economic impact estimated at $400M+.
APT33 deploys Shamoon 4.0 (MBR wiper with Rust companion modules) and SHAPESHIFT (Stonedrill evolution) against Israeli, Saudi, and Jordanian critical infrastructure. SPLITDROP dropper arrives via phishing lures mimicking Cisco Webex invitations (meetingapp.site). Targets include Israeli National Grain Silos, Saudi Aramco-linked suppliers, and Jordanian utility SCADA systems. APT34's SideTwist and DNS-tunneling implants simultaneously activate in Gulf financial sector networks, having maintained months-long silent pre-positioning.
Handala Hack Team announces exfiltration of 1.3TB from Sharjah National Oil Corporation (SNOC) on their Telegram channel, simultaneously claiming breaches of Israel Opportunity Energy and Aramco-linked suppliers. Exfiltrated data includes confidential bank records, oil contracts, exploration project data, and internal communications. Data is staged on Wasabi S3-compatible storage via Rclone using stolen API credentials.
AWS recommends migrating workloads to EU/US regions. SaaS platforms reroute GPU inference to Europe and Asia. Organizations unable to failover due to UAE data-residency requirements (NESA/TDRA) explore Azure UAE North as cross-cloud secondary. BGP stabilization gradually restores regional routing. UAE Central Bank confirms 146.6% liquidity coverage — no systemic financial collapse.
UAE Central Bank confirms all financial systems operational. Emirates NBD waives GCC ATM fees through March 31. Separate Amazon global retail outage (faulty code deployment, unrelated to strikes) briefly re-alarms public. No confirmed customer data breaches from AWS physical damage. UAE Sovereign Financial Cloud fast-track initiative formally announced.
Bypass via forged SAML response allows unauthenticated admin access. Exploited by MuddyWater to create persistent 'FortiSetup' super_admin accounts across Gulf enterprise VPN gateways.
Companion bypass used in combination with CVE-2025-59718 for full device compromise and persistent backdoor implantation. Used as a chained exploit for complete FortiGate takeover.
Unpatched firmware exploited by MuddyWater for lightweight Dindoor implant deployment. Persistent access established 3–6 months before March 1 as long-term pre-positioning.
The default ms-DS-MachineAccountQuota (10) lets any authenticated domain user create computer accounts, which supplies the attacker-controlled machine account needed for Resource-Based Constrained Delegation (RBCD) lateral movement. Exploited during the AWS API chaos window while security monitoring was degraded. Check: set ms-DS-MachineAccountQuota to 0 (or restrict SeMachineAccountPrivilege to an administrative group) and alert on Event ID 4741 (computer account created) where the creating subject is not an administrator.
A malicious pull_request_target workflow leaks every repository secret via ${{ toJSON(secrets) }}. Unlike pull_request, the pull_request_target trigger runs in the context of the base repository with its write-scoped token and secrets even for pull requests from forks, so a workflow that also checks out the PR head executes untrusted code with those credentials. Part of Handala's npm supply chain worm targeting AWS/GCP/Azure credentials stored in CI environments.
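As an added illustration of the CI leak described in the timeline and in this entry (written for this page, not taken from the report or from any named project), the following scanner flags the ingredients of the pattern in a workflow file: a pull_request_target trigger, a checkout of the untrusted PR head, a dependency install that will run the PR's lifecycle scripts, and a toJSON(secrets) dump. Both workflow texts are constructed examples; the checks are line-based so they run without a YAML parser, which also means they are heuristics rather than a full expression parser.

```python
"""Heuristic scanner for the pull_request_target secret-leak pattern.  Added
example for this page; the two workflows below are constructed, not real."""
import re

VULNERABLE_WORKFLOW = """\
name: PR build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
      - run: echo '${{ toJSON(secrets) }}' > /tmp/s.json
"""

SAFE_WORKFLOW = """\
name: PR build
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts && npm test
"""

TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:")
UNTRUSTED_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRET_DUMP_RE = re.compile(r"toJSON\(\s*secrets\s*\)", re.IGNORECASE)
PKG_INSTALL_RE = re.compile(r"\b(npm\s+(ci|install|i)|yarn(\s+install)?|pnpm\s+install)\b")


def scan_workflow(text: str):
    """Return [(line_no, message), ...] for each risky construct found."""
    lines = text.splitlines()
    # Only the privileged trigger hands secrets and a write token to fork PRs.
    privileged = any(TRIGGER_RE.match(line) for line in lines)
    findings = []
    for n, line in enumerate(lines, 1):
        if privileged and UNTRUSTED_REF_RE.search(line):
            findings.append((n, "pull_request_target checks out the PR head: "
                                "untrusted code runs with the base repo's token and secrets"))
        if privileged and PKG_INSTALL_RE.search(line) and "--ignore-scripts" not in line:
            findings.append((n, "dependency install runs preinstall/postinstall "
                                "scripts supplied by the PR"))
        if SECRET_DUMP_RE.search(line):
            findings.append((n, "toJSON(secrets) serialises every repository secret"))
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, scan_workflow(wf) or "no findings")
```

The safe variant uses pull_request (a fork's run gets a read-only token and no secrets) and installs with --ignore-scripts. The scanner is deliberately simple and misses, for example, the `on: [pull_request_target]` list form. Where pull_request_target is genuinely needed, the conventional fix is to keep the privileged workflow from checking out or executing PR content and to hand artifacts from an unprivileged pull_request job to it via workflow_run.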
APT34 uses an Ethereum smart contract (0x2B77671cfEE...) as a seizure-resistant C2 resolver. Standard domain/IP blocklists are ineffective because the resolver lives on-chain. Blocking known blockchain RPC endpoints at the network level helps only partially: an implant can read the contract through any Ethereum node, so detection should also key on eth_call requests addressed to the contract and on egress to RPC endpoints from hosts with no business need for them.
MuddyWater / MOIS · First observed Feb 2026 · Cert: "Amy Cherne"
Dindoor ships as a Deno (JavaScript/TypeScript runtime) standalone compiled executable. Because the payload and the runtime are bundled into one binary, no wscript.exe or cscript.exe process is spawned and no script file is written, so detections keyed on Windows Script Host do not fire; EDR telemetry is evaded only to the extent the rules depend on those script-host artifacts. Pre-positioned 3–6 months before activation.
Handala Hack · Supply chain worm · AWS/GCP/Azure secret theft
A self-replicating worm distributed via poisoned npm packages whose preinstall scripts target cloud secrets in CI/CD pipelines; an npm lifecycle script runs automatically on install unless --ignore-scripts is set. Designed for mass credential harvesting during the chaos window.
MuddyWater / Operation Olalampo · Telegram bot: @stager_51_bot
CHAR uses a Telegram bot as its Command & Control channel, enabling operators to issue shell commands via chat messages. Built in Rust; Group-IB researchers cite its emoji-laden debug strings as an indicator of AI-assisted development.
AWS me-central-1 · AZ mec1-az2 & mec1-az3 impaired · EIP Trap
When two AZs lost power simultaneously, millions of recovery systems created a self-amplifying throttle cascade. Pilot-light DR plans failed because they required the impaired region's Control Plane APIs to function.
APT33 / Peach Sandstorm · Rust companion + Stonedrill evolution
APT33's fourth-generation wiper introduces Rust-based companion modules and SHAPESHIFT (evolved Stonedrill) with in-memory injection and advanced anti-EDR emulation bypass.
Handala Hack · SHA256: 83651b058...78b72 · Mass civilian infection
A trojanized Israeli rocket-warning app achieving mass civilian infection. Handala typically claims to "hack phones"; forensically, the observed technique is Telegram session hijacking via theft of the tdata directory rather than direct device compromise. Note that tdata is Telegram Desktop's local session store, so what is hijacked is the victim's desktop Telegram session, not the handset itself.
APT34 / OilRig · Contract: 0x2B77671cfEE4907776a95abbb9681eee598c102E · Immutable C2
APT34 uses an Ethereum smart contract as a dead-drop C2 resolver. The contract's storage holds the current C2 IP or domain; the operators can update it with a transaction, but no registrar, hosting provider, or takedown request can remove it, so domain seizure and standard takedown mechanisms do not apply. Implants perform a JSON-RPC eth_call against any Ethereum node to read the live C2 address, which makes the node endpoint interchangeable and the contract address the durable indicator.
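Added example (written for this page; not APT34's tooling and not from any named vendor report) of the mechanics and the matching detection. A Solidity view function that returns a string hands the caller ABI-encoded bytes, which the implant decodes to recover the C2 address, and the request it sends is an ordinary eth_call JSON-RPC body that a forward proxy can inspect regardless of which node it is sent to. The contract address below is the one this report attributes to APT34; the function selector, the node URL, the C2 value and the proxy log lines are constructed placeholders.

```python
"""EtherHiding dead-drop mechanics and detection.  Added example for this page:
the contract address comes from the report, everything else is a placeholder."""
import json

# Contract address attributed to APT34 in this report, normalised to lowercase.
WATCHLIST = {"0x2b77671cfee4907776a95abbb9681eee598c102e"}


def abi_encode_string(value: str) -> str:
    """Encode one `string` return value the way a Solidity view function does:
    a 32-byte offset word (0x20), a 32-byte length word, then the UTF-8 bytes
    right-padded to a 32-byte boundary.  This is what the contract hands back."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + padded.hex())


def abi_decode_string(result_hex: str) -> str:
    """What the implant does with the eth_call result to recover the C2 address."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8")


def eth_call_payload(contract: str, selector_hex: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body the implant POSTs to *any* Ethereum node.  The node is
    interchangeable; the `to` address is the durable indicator."""
    return {"jsonrpc": "2.0", "id": rpc_id, "method": "eth_call",
            "params": [{"to": contract, "data": selector_hex}, "latest"]}


def flag_eth_calls(log_lines):
    """Scan proxy log lines shaped '<ts> <src> <method> <url> <body>' and return
    (src, url, contract) for eth_call requests aimed at a watchlisted contract."""
    hits = []
    for line in log_lines:
        try:
            _ts, src, _method, url, body = line.split(" ", 4)
            req = json.loads(body)
        except ValueError:                 # malformed line or non-JSON body
            continue
        if not isinstance(req, dict) or req.get("method") != "eth_call":
            continue
        params = req.get("params") or [{}]
        to = str(params[0].get("to", "")).lower() if isinstance(params[0], dict) else ""
        if to in WATCHLIST:
            hits.append((src, url, to))
    return hits


# Constructed proxy log lines: documentation IPs, a placeholder node URL and a
# placeholder 4-byte selector (the real function name is not in the report).
SAMPLE_LOG = [
    "2026-03-02T04:11:09Z 10.20.5.17 POST https://rpc.example-node.invalid/ "
    + json.dumps(eth_call_payload("0x2B77671cfEE4907776a95abbb9681eee598c102E", "0xdeadbeef")),
    "2026-03-02T04:11:12Z 10.20.5.42 POST https://rpc.example-node.invalid/ "
    '{"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}',
    "2026-03-02T04:11:15Z 10.20.5.17 GET https://www.example.com/ -",
]

if __name__ == "__main__":
    encoded = abi_encode_string("203.0.113.10:443")   # what the contract would return
    print("implant resolves C2 to:", abi_decode_string(encoded))
    print("watchlist hits:", flag_eth_calls(SAMPLE_LOG))
```

The detection keys on the contract address inside the request body rather than on the RPC hostname, because the operator can point implants at any public or private node. Pair it with an egress allowlist so that only hosts with a business need can reach RPC endpoints at all.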
UAE stock exchanges hit circuit-breaker on market open
Oil surged on Gulf supply disruption fears and shipping disruption
Careem, Alaan, Hubpay, Sarwa — all offline simultaneously
Bank Hapoalim & Bank Leumi combined disruption hours
Estimated DBS Bank (SEA) transaction losses from 19hr outage alone
UAE Central Bank confirmed adequate reserves — no systemic collapse
HSBC, Barclays, Lloyds hit on Feb 21 — 8.2M DBS customers stranded
me-central-1 AZ mec1-az2/az3 + me-south-1 AZ — weeks of repair
Emirates NBD waived all GCC ATM fees through end of March
| Model | RTO | Cost | March 2026 Verdict |
|---|---|---|---|
| Backup & Restore | 8–24h | $ | AVOID — hardware repair takes weeks |
| Pilot Light | 60 min | $$ | RISKY — API throttling blocks provisioning |
| Warm Standby | < 10 min | $$$ | CURRENT BEST PRACTICE |
| Active-Active | < 1 min | $$$$ | Mission-critical only |
Banking outages, market circuit-breakers, fintech failures. AWS recommends workload migration to EU/US. EIP Trap prevents standard failover.
BGP routes restored. GPU inference rerouted Europe/Asia. UAE Central Bank issues 146.6% liquidity confirmation. AWS me-south-1 partial recovery.
UAE Central Bank confirms all financial systems operational. Emirates NBD waives GCC ATM fees through March 31. Sovereign Financial Cloud initiative announced.
First confirmed kinetic attack on hyperscale public cloud. AWS data centers are now demonstrated targets in nation-state conflict, setting a global precedent.
Dindoor implants placed 3–6 months before activation. The conflict was the trigger, not the deployment. Iranian APTs demonstrated NSA/FSB-tier operational patience.
APT34's EtherHiding: Ethereum smart contracts as uncensorable C2 resolvers. Standard domain seizure and IP blocking are now insufficient.
CHAR shows indicators of LLM-assisted development (emoji debug strings). Its SANDWORM_MODE targets AI assistant configurations (MCP servers) directly.
Electronic Operations Room demonstrated cross-MOIS/IRGC/Russian coordination at unprecedented scale — 6 distinct actors with synchronized timing.
Shai-hulud 2.0 proves npm ecosystem is a valid warfare vector. CI/CD pipelines are now contested infrastructure in nation-state conflict.
Unitronics PLCs — default PIN 1111 still primary entry point. CyberAv3ngers / FAD Team actively scanning.
78.7K devices in US, 27.9K in Israel directly internet-exposed. No authentication by protocol design.
ICS protocol exposed on internet — targeted in Gulf energy sector reconnaissance by APT34.
| Actor | Attribution Confidence | Primary Evidence | Disputed Claims |
|---|---|---|---|
| MuddyWater | HIGH | Dindoor cert CN 'Amy Cherne', CHAR Telegram C2 forensics, C2 overlap with Olalampo IOCs | None — multiple vendors confirm |
| APT33 | HIGH | Tickler PE overlap, SPLITDROP hash, azurewebsites.net C2 pattern, SharePoint.exe sideloading | Shamoon 4.0 timeline vs historical |
| Handala | MEDIUM | SNOC leak site, RedAlert.apk hash, senvarservice-DC.exe decompilation | Phone hack claims — forensically only Telegram session theft |
| APT34 | MEDIUM | EtherHiding contract address, DNS tunneling patterns, SideTwist artifacts | Exact financial sector targets unconfirmed |
| Russian Legion | LOW | Self-claimed via Telegram channel, partial botnet infrastructure overlap | Iron Dome access — forensically unverified |