Cyber Espionage as the Foundation for Missile Strikes: The Iranian APT35 Case
Executive summary: The Iranian hacking group APT35 conducted long-term digital reconnaissance on Middle Eastern infrastructure, preceding missile attacks in February 2026. This demonstrates the integration of cyber operations into military strategy for target preparation.
Stages of Digital Target Preparation
In the lead-up to February 28, 2026—when Iran responded to the U.S.-Israeli operation "Epic Fury" with massive missile and drone strikes across seven regional countries, including Saudi Arabia, UAE, Kuwait, and Israel—hackers from APT35 systematically infiltrated critical systems. Access to Jordan’s civil aviation data, Dubai’s internal networks, and Saudi government documents enabled intelligence gathering on potential targets. These actions weakened defenses and refined coordinates for subsequent physical strikes.
This tactic stems from Iran’s limited resources for traditional espionage. Digital methods proved cheaper and more effective, allowing infrastructure monitoring without risking human agents. Consequences emerged in compromised energy and logistics sectors: the Shamoon malware wiped out 15,000 workstations in Saudi Arabia, disrupting supply chains and defense coordination.
APT35’s Ties to Iranian State Apparatus
APT35 is linked to an intelligence unit within Iran’s Islamic Revolutionary Guard Corps (IRGC). Leak analysis revealed coordination with other groups previously considered independent, such as Moses-Staff and Al-Qassam Cyber Fighters. Shared funding sources point to Tehran’s centralized approach to cyber warfare.
- Reconnaissance: Long-term monitoring of infrastructure (aviation, energy, government).
- Disruption: Attacks on logistics and industrial systems prior to kinetic strikes.
- Integration: Synchronization with missile launches for maximum impact.
- Expansion: Strikes across seven nations exploiting pre-identified vulnerabilities.
This model evolved from earlier incidents where cyberattacks served as distractions, now becoming a full phase of combat operations.
Implications for Regional Security
The fusion of cyber and kinetic attacks reshapes conflict dynamics in the Middle East. Regional nations now face the imperative to protect digital infrastructure as rigorously as military assets. Saudi Arabia and the UAE have since enhanced network segmentation and traffic monitoring, yet complete isolation of critical systems remains a challenge.
The industrial impact is clear: energy and logistics have become primary targets, driving global increases in cybersecurity investment. Experts estimate such operations can reduce strike preparation time from months to weeks, heightening unpredictability.
Key Takeaways
- APT35’s cyber espionage preceded missile attacks, refining targeting across seven nations.
- Shamoon destroyed 15,000 workstations in Saudi energy firms, weakening defensive readiness.
- Links to the IRGC and allied groups indicate state-level coordination.
- The "digital-first + missiles" model is emerging as the standard in hybrid warfare.
- Regional defenses are strengthening, but civilian infrastructure remains vulnerable.
— Editorial Team
No comments yet.