Escalating Cyber Attack Techniques Targeting Organizations During the 2026 Middle East Conflict
Take action: Treat the cyberattacks around the Middle East conflict as a real emergency: patch all your systems, above all internet-facing systems such as VPNs and firewalls. Enforce multi-factor authentication everywhere, verify that your backups are offline and working, and do not trust any unexpected messages on Telegram, WhatsApp, SMS, or email. If you operate any industrial or OT devices, make sure they are isolated from the internet and reachable from trusted networks only, remove all default credentials, and segment them from the rest of your network immediately.
The ongoing military conflict in the Middle East that erupted on February 28, 2026, has triggered what multiple cybersecurity firms describe as one of the most intense surges in offensive cyber operations ever observed.
This advisory applies regardless of whether you work in a government, military, or commercial organization and regardless of its size. Organizations of all sectors and sizes are at elevated risk regardless of geographic location, as the conflict's cyber dimension has rapidly expanded beyond the Middle East to affect entities in North America, Europe, and Asia.
Between February 28 and March 2 alone, 149 hacktivist-driven attacks targeted 110 organizations across 16 countries, carried out by at least 12 different threat groups. The techniques being deployed span the full spectrum of offensive cyber capability, from basic volumetric denial-of-service flooding to sophisticated, multi-stage intrusions designed to destroy data and cripple industrial control systems.
Initial Access Techniques
The most prevalent method of initial compromise involves the exploitation of vulnerabilities in remote-access infrastructure. Threat actors have historically targeted VPN gateways and firewalls from Pulse Secure, Fortinet, Palo Alto Networks, F5, and Citrix. Organizations should prioritize patching of all VPN products.
- Exploited flaws include CVE-2019-11510 and CVE-2019-11539 (Pulse Secure), CVE-2019-19781 and CVE-2023-3519 (Citrix NetScaler), CVE-2022-1388 (F5 BIG-IP), and CVE-2024-3400 (Palo Alto PAN-OS), with actors using tools such as Shodan to scan for vulnerable devices at scale.
- More recent campaigns have exploited CVE-2024-30088 for privilege escalation and have targeted industrial time-management software using CVE-2023-38950, CVE-2023-38951, and CVE-2023-38952.
A second major initial access vector is credential theft through spear-phishing. Campaigns increasingly use AI-enhanced social engineering, with phishing emails delivered via compromised internal mailboxes to hundreds of recipients simultaneously, as well as malicious documents distributed through legitimate file-sharing services.
A particularly dangerous mobile attack vector involves a weaponized replica of the Israeli Home Front Command RedAlert application, distributed via SMS phishing and designed to deliver surveillance and data-theft malware once sideloaded.
Additionally, IP cameras from Hikvision and Dahua have been systematically scanned and compromised for reconnaissance purposes, exploiting authentication-bypass flaws such as CVE-2021-33044 and CVE-2021-33045 and the Hikvision vulnerability CVE-2017-7921 (CVSS score 9.8).
Post-Compromise and Destructive Techniques
Once inside a network, threat actors employ a consistent playbook that defenders can prepare for: groups rely heavily on living-off-the-land techniques using built-in Windows tools such as PowerShell and WMI, combined with abuse of legitimate remote monitoring and management (RMM) tools, to evade detection while moving laterally.
Persistence is maintained through ASPX web shells deployed on compromised web servers, custom .NET backdoors, and scheduled tasks.
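The playbook above maps directly onto process-creation telemetry. The following detector is an added example, not code from the original advisory: it runs a handful of rules over constructed Windows process-creation records (parent image, image, command line) and flags a web server spawning a shell (web-shell behaviour), a WMI provider host spawning a shell, encoded PowerShell, scheduled-task creation, and RMM binaries on hosts where they are not sanctioned. The RMM executable set and the `approved_rmm_hosts` allowlist are assumptions to be replaced with your own inventory; the sample events are invented.

```python
"""Flag living-off-the-land, web-shell and RMM-abuse patterns in process-creation events.

Added example; the sample events below are constructed, not real telemetry.
"""
import ntpath
import re

# Assumption: extend this set with the RMM agents your organization actually sees.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "nginx.exe"}
# -e / -en / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")

# Constructed sample events (Windows paths, so ntpath is used for basenames).
SAMPLE_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws07", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c net user svc_bak P@ss /add"},
    {"host": "fs02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Updater" /tr C:\\Users\\Public\\u.exe /sc onlogon'},
    {"host": "fs02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"},
    {"host": "ws11", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE report.docx"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event, approved_rmm_hosts=frozenset()):
    """Return the list of rule names an event triggers (empty if benign)."""
    parent, image, cmd = _base(event["parent"]), _base(event["image"]), event["cmdline"]
    hits = []
    if parent in WEB_SERVERS and image in SHELLS:
        hits.append("web-shell-child")          # web server spawning a shell
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("wmi-spawned-shell")        # remote WMI execution
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd):
        hits.append("encoded-powershell")       # obfuscated PowerShell payload
    if image == "schtasks.exe" and "/create" in cmd.lower():
        hits.append("scheduled-task-create")    # common persistence mechanism
    if image in RMM_BINARIES and event["host"] not in approved_rmm_hosts:
        hits.append("unapproved-rmm")           # RMM tool outside the allowlist
    return hits


def detect(events, approved_rmm_hosts=frozenset()):
    """Run classify() over a stream of events; yields (host, rule, cmdline) triples."""
    findings = []
    for ev in events:
        for rule in classify(ev, approved_rmm_hosts):
            findings.append((ev["host"], rule, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for host, rule, cmdline in detect(SAMPLE_EVENTS):
        print(f"{host:6} {rule:24} {cmdline}")
```

The rules are deliberately coarse: an encoded PowerShell command or a scheduled-task creation is not malicious by itself, but during a period like this one each hit deserves a look, and a web server process launching `cmd.exe` should be treated as a likely web shell until proven otherwise.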
One group specializes in exploiting edge infrastructure such as VPN appliances and Citrix gateways to establish persistent footholds, operating at the intersection of espionage and cybercrime by offering affiliates an 80% share of ransom proceeds for attacks (Picus Security).
The most dangerous phase of these operations is the deployment of wiper malware, which is designed to permanently destroy data and render systems unrecoverable. One ransomware-as-a-service variant called Sicarii contains a critical encryption flaw that discards its own keys after encrypting files, making recovery permanently impossible regardless of whether a ransom is paid. Multiple wiper families have been documented, including some that are geographically targeted to execute only on systems running specific regional time zones and language settings.
Denial-of-Service and Psychological Operations
Volumetric DDoS attacks remain the primary tool for achieving immediate disruption and media amplification, with two groups alone, Keymous+ and DieNet, driving nearly 70% of all attack activity in the first 72 hours of the conflict. These attacks have targeted government portals, financial institutions, airports, and defense-related websites across the Middle East, North America, and Europe. Some groups have combined DDoS attacks against targeted networks with simultaneous intrusions into SCADA and industrial control systems, exploiting minimally secured internet-facing VNC connections.
Pro-Russian hacktivist groups such as NoName057(16) use a crowdsourced DDoS tool called DDoSia, distributed via Telegram, to mobilize thousands of volunteers for coordinated attacks.
Beyond technical disruption, large-scale social engineering campaigns are underway, including mass threatening text messages and phone calls designed to extract personal information or create psychological pressure. Cybercriminals are also capitalizing on the conflict with voice phishing scams impersonating government ministries and prompting victims to share identity numbers for supposed verification purposes.
Recommended Defensive Actions
Organizations should treat the current period as one of heightened risk and implement protective measures:
- All internet-facing remote access systems, including VPN appliances, firewalls, and RDP gateways, should be patched against all known exploited vulnerabilities and audited for unauthorized accounts.
- BeyondTrust recommends organizations treat the next 14 days as the highest-risk window for opportunistic attacks, investing monitoring effort accordingly, while using the 30-to-90-day horizon to implement structural controls such as phishing-resistant MFA, network segmentation, OT device isolation, and behavioral detection for ransomware and wiper precursors.
- All remote-access logins should require multi-factor authentication, and MFA should be enforced on all privileged accounts.
- Organizations should verify that backups are stored offline, immutable, and tested for restoration under simulated wiper or ransomware scenarios.
- Unexpected contact attempts via Telegram, WhatsApp, or other messaging apps should be treated as suspicious and not responded to until they have been verified independently through a known channel.
- Network communication to Telegram servers should be monitored, as multiple threat groups use Telegram as a command-and-control and exfiltration channel.
- Internet-exposed OT and ICS devices should be inventoried and segmented, with all default credentials removed.
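As an added example for the Telegram-monitoring recommendation above (not code from the original advisory), the script below parses constructed egress proxy log lines and flags connections to Telegram domains, raising severity when the source is a server subnet or the User-Agent indicates a scripted client rather than a browser, and totalling bytes sent per source as a crude exfiltration signal. The log format, the `10.20.0.0/16` server range, and the sample lines are assumptions; adapt the parser to your proxy's actual format.

```python
"""Flag egress to Telegram infrastructure in proxy logs.

Added example; log format and sample lines are constructed.
"""
import ipaddress
import shlex
from collections import defaultdict

# Telegram's public service domains (suffix-matched on a label boundary).
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")
# User-Agent fragments typical of scripted/CLI clients rather than browsers.
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "Wget/", "Go-http-client", "WindowsPowerShell")

# Constructed log lines: <ts> <src_ip> <dest_host> <dest_port> "<user_agent>" <bytes_out>
SAMPLE_LOG = [
    '2026-03-01T10:22:03Z 10.20.5.14 api.telegram.org 443 "python-requests/2.31" 184320',
    '2026-03-01T10:23:11Z 10.50.3.22 web.telegram.org 443 "Mozilla/5.0 (Windows NT 10.0; Win64) Chrome/122" 2048',
    '2026-03-01T10:24:40Z 10.50.3.22 www.example.com 443 "Mozilla/5.0 (Windows NT 10.0; Win64) Chrome/122" 512',
    '2026-03-01T10:31:09Z 10.20.5.14 api.telegram.org 443 "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1" 921600',
    '2026-03-01T10:35:58Z 10.50.7.9 telegram.org.evil-example.test 443 "Mozilla/5.0" 100',
]


def is_telegram_host(host):
    """True only for the domain itself or a subdomain, never for look-alike suffixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)


def parse_line(line):
    """Split one log line; shlex keeps the quoted User-Agent as a single field."""
    ts, src, host, port, ua, out_bytes = shlex.split(line)
    return {"ts": ts, "src": src, "host": host, "port": int(port),
            "ua": ua, "bytes_out": int(out_bytes)}


def analyze(lines, server_nets=("10.20.0.0/16",)):
    """Return (findings, bytes_out_per_source) for Telegram-bound connections."""
    nets = [ipaddress.ip_network(n) for n in server_nets]  # assumption: server ranges
    findings, bytes_by_src = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not is_telegram_host(rec["host"]):
            continue
        src_ip = ipaddress.ip_address(rec["src"])
        from_server = any(src_ip in n for n in nets)
        scripted = any(m in rec["ua"] for m in SCRIPTED_UA_MARKERS)
        # Servers and scripted clients have little business talking to Telegram.
        severity = "high" if (from_server or scripted) else "medium"
        findings.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                         "severity": severity, "bytes_out": rec["bytes_out"]})
        bytes_by_src[rec["src"]] += rec["bytes_out"]
    return findings, dict(bytes_by_src)


if __name__ == "__main__":
    found, totals = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:6} {f['src']:12} -> {f['host']} ({f['bytes_out']} bytes out)")
    print("bytes out per source:", totals)
```

A medium hit from a workstation with a browser User-Agent is usually a person using Telegram and is a policy question; a high hit from a server, or any client sending hundreds of kilobytes to `api.telegram.org`, is the bot-API C2 and exfiltration pattern the advisory warns about and should be triaged as a possible compromise.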