Iran uses hackers ahead of missile attacks

The massive strikes on the Middle East may not have been a spontaneous escalation, but a pre-prepared operation based on digital intelligence. A new report shows that the cyberattacks began long before the missile launches and may have directly pointed to future targets.

This refers to the conflict that erupted on February 28, 2026. Then the United States and Israel conducted Operation Epic Fury, striking Iran’s nuclear and military infrastructure. In response, Iran launched a large-scale campaign using ballistic missiles and drones, simultaneously attacking seven countries, including Saudi Arabia, the UAE, Kuwait, and Israel.

Alongside the military operations, a cyber war was also waged in parallel. According to the report, the APT35 group, also known as Charming Kitten, had been systematically studying and hacking the infrastructure of the region’s countries for several years before the conflict. Moreover, the list of targets almost completely coincided with those countries that were later targeted by missile strikes.

Cloudsek experts describe the pattern quite directly. Before the attack on Jordan, the attackers gained access to civil aviation data. Before the strikes on Dubai, they accessed internal systems and infrastructure. Saudi government documents were also compromised before the first missile strikes on Riyadh.

This sequence suggests that the cyberattacks were used as preparation for hostilities. At the same time, the authors of the report are careful in their wording and allow for an alternative explanation: both cyberattacks and military strikes could be based on the same strategic priorities of Iran.

It is also noted that APT35 is associated with the intelligence unit of the Islamic Revolutionary Guard Corps. The data leak on which the analysis is based also indicates that this group is linked to other well-known projects, including Moses-Staff and Al-Qassam Cyber Fighters. Previously, they were considered separate entities, but now there are signs of joint funding and coordination.

Cyberattacks were not limited to intelligence. Even during the conflict, destructive operations were recorded, including attacks on logistics, energy, and industrial systems. For example, the Shamoon malware destroyed about 15,000 workstations in the Saudi energy sector before the missile strikes began.

Experts also noted the model of modern conflict, where digital operations go hand in hand with military operations. First, covert reconnaissance, then cyberattacks to weaken the infrastructure, followed by physical strikes and a new wave of attacks on the weakened systems. The authors believe that this combination could become the new normal for conflicts between states. In such a scenario, cyberattacks cease to be a separate tool and become a full-fledged part of military strategy.