Back to Home

APT35: cyber reconnaissance before Iran's missile strikes

Iranian group APT35 integrated cyber reconnaissance into 2026 missile strikes on seven Middle Eastern countries. Attacks on energy and logistics preceded physical strikes, demonstrating evolution of hybrid conflicts. This increases the need to protect critical infrastructure.

How Iran Prepared Missile Strikes Through APT35 Cyberattacks
Advertisement 728x90

Cyber Espionage as the Foundation for Missile Strikes: The Iranian APT35 Case

Executive summary: The Iranian hacking group APT35 conducted long-term digital reconnaissance on Middle Eastern infrastructure, preceding missile attacks in February 2026. This demonstrates the integration of cyber operations into military strategy for target preparation.

Stages of Digital Target Preparation

In the lead-up to February 28, 2026—when Iran responded to the U.S.-Israeli operation "Epic Fury" with massive missile and drone strikes across seven regional countries, including Saudi Arabia, UAE, Kuwait, and Israel—hackers from APT35 systematically infiltrated critical systems. Access to Jordan’s civil aviation data, Dubai’s internal networks, and Saudi government documents enabled intelligence gathering on potential targets. These actions weakened defenses and refined coordinates for subsequent physical strikes.

This tactic stems from Iran’s limited resources for traditional espionage. Digital methods proved cheaper and more effective, allowing infrastructure monitoring without risking human agents. Consequences emerged in compromised energy and logistics sectors: the Shamoon malware wiped out 15,000 workstations in Saudi Arabia, disrupting supply chains and defense coordination.

Google AdInline article slot

APT35’s Ties to Iranian State Apparatus

APT35 is linked to an intelligence unit within Iran’s Islamic Revolutionary Guard Corps (IRGC). Leak analysis revealed coordination with other groups previously considered independent, such as Moses-Staff and Al-Qassam Cyber Fighters. Shared funding sources point to Tehran’s centralized approach to cyber warfare.

  • Reconnaissance: Long-term monitoring of infrastructure (aviation, energy, government).
  • Disruption: Attacks on logistics and industrial systems prior to kinetic strikes.
  • Integration: Synchronization with missile launches for maximum impact.
  • Expansion: Strikes across seven nations exploiting pre-identified vulnerabilities.

This model evolved from earlier incidents where cyberattacks served as distractions, now becoming a full phase of combat operations.

Implications for Regional Security

The fusion of cyber and kinetic attacks reshapes conflict dynamics in the Middle East. Regional nations now face the imperative to protect digital infrastructure as rigorously as military assets. Saudi Arabia and the UAE have since enhanced network segmentation and traffic monitoring, yet complete isolation of critical systems remains a challenge.

Google AdInline article slot

The industrial impact is clear: energy and logistics have become primary targets, driving global increases in cybersecurity investment. Experts estimate such operations can reduce strike preparation time from months to weeks, heightening unpredictability.

Key Takeaways

  • APT35’s cyber espionage preceded missile attacks, refining targeting across seven nations.
  • Shamoon destroyed 15,000 workstations in Saudi energy firms, weakening defensive readiness.
  • Links to the IRGC and allied groups indicate state-level coordination.
  • The "digital-first + missiles" model is emerging as the standard in hybrid warfare.
  • Regional defenses are strengthening, but civilian infrastructure remains vulnerable.

— Editorial Team

Advertisement 728x90

Read Next