Firewalls and Fault Lines: Cyber War in the Middle East

by | Aug 6, 2025

Middle East

Following the Iran-Israel War, a conflict blending relentless Israel Defense Force (IDF) airstrikes with Iranian missile and drone barrages, some Middle Eastern battlefields have quieted, making it easy to forget that a less visible but equally perilous cyber war continues to rage beneath the surface. Iranian State-sponsored hackers have unleashed a 700% surge in attacks since June 13, 2025, targeting Israeli power grids, hospitals, and civilian apps, while suspected Israeli cyberattacks have targeted Iran’s military and civilian infrastructure.

There is nothing surprising in the ferocity of this cyber war, as Jerusalem and Tehran have been locked in constant digital conflict for over fifteen years, reflecting a global trend of cyber confrontation amplified in the Middle East. Nor is the confrontation limited to Israel and Iran. The region’s other primary State actors, notably Saudi Arabia and the United Arab Emirates, now operate mature cyber programs that have been deploying offensive cyber tools to disable infrastructure, collect intelligence at scale, conduct influence operations and retaliate in ways that remain plausibly deniable.

As cyber operations become a recognized component of statecraft globally, the Middle East stands out as a region where cyberspace has become a preferred arena for signaling, retaliation, deterrence and, as the Iran-Israel War demonstrates, complementing military operations.

In peacetime, the cyber realm operates largely below the thresholds of force and armed conflict and outside wartime rules of military engagement. Escalation tends to be asymmetric, and retaliation, if it occurs at all, is often delayed, deniable, or misattributed. As a result, incentives favor offense and the exploitation of vulnerabilities without fear of proportional and attributable retaliation. In this environment, ambiguity is not merely tolerated but weaponized.

Unlike other domains, cyber capabilities in the Middle East have not been developed in parallel with legal norms or institutional oversight. Instead, they have grown in a vacuum of enforceable international frameworks, often shaped by covert action, proxy warfare, and internal repression. International legal discourse continues to lag operational reality, as thresholds for what constitutes the use of force or an armed attack in cyberspace remain undefined in most regional and international legal instruments. Asymmetries of military capability among regional actors have intensified reliance on cyber operations as a form of strategic equalization, which is especially true of Iran. The result is a persistent state of low-intensity conflict in which attacks seldom provoke overt military responses but routinely undermine civilian security and political stability.

Cyber Genesis in the Middle East: Stuxnet

The introduction of cyber warfare into the Middle East’s strategic calculus can be traced with unusual clarity to a single operation: Stuxnet. Discovered in 2010, Stuxnet was a sophisticated worm designed to sabotage Iran’s nuclear enrichment infrastructure by targeting the now destroyed centrifuges at the Natanz facility. It represented the first known instance of malware engineered to cause physical damage, which, by some estimates, set back Iran’s nuclear program by at least a year.

More significant than its immediate tactical success, however, was Stuxnet’s strategic precedent. It demonstrated that cyber capabilities could deliver tangible results previously reserved for military action without crossing traditional thresholds for armed conflict. Although it was later attributed jointly to the United States and Israel, Stuxnet was not publicly claimed by any State actor and its deniability created the kind of ambiguity that would later define cyber operations across the Middle East. It introduced cyber sabotage as a viable, repeatable, and deniable tool of statecraft, opening Pandora’s box of digital escalation in the region.

Although Stuxnet violated Iranian sovereignty and the UN Charter’s Article 2(4) prohibition on the use of force, its physical damage to the Natanz centrifuges and eventual attribution to the U.S. and Israel made it one of the few cyber operations with a relatively clear legal profile under peacetime international law. Yet Iran’s decision not to pursue legal remedies, combined with the absence of defined thresholds for cyber sabotage allowed the operation to escape formal censure, ultimately emboldening other States to exploit cyberspace as a domain for covert aggression.

Tehran’s Rise in Cyberspace

In the wake of Stuxnet, Tehran recalibrated its strategic calculus and began accelerating investment in cyber infrastructure, shifting from a mainly passive target into one of the region’s two most assertive digital actors. Within a decade, Iran had cultivated the capacity to disrupt regional infrastructure, infiltrate sensitive government and corporate systems, and coordinate transnational influence operations, while continuing to strengthen domestic surveillance to monitor dissent. What began as a unipolar domain dominated by Washington and Jerusalem quickly evolved into a contested and multi-directional battlespace shaped in no small part by Tehran’s rapid ascent.

Unlike traditional powers focused on espionage or deterrence, Iran’s doctrine favors disruption, a strategy that has been characterized as calculated harassment intended not to cripple but to coerce and provoke. Iranian cyber operations quickly moved from retaliatory disruption to continuous engagement, targeting not only States but private industry, diaspora communities, and critical infrastructure. Prior to June 13, 2025, Iranian State-sponsored groups like APT33, APT34 (OilRig), and MuddyWater were already waging sustained campaigns against Gulf energy, aerospace and defense firms and government agencies, combining espionage with disruption and often deploying massive botnets to launch distributed denial of service (DDoS) attacks, while groups like CyberAv3ngers have been attacking water and gas systems globally.

Meanwhile, the Islamic Revolutionary Guard Corps-linked Pioneer Kitten group has orchestrated ransomware campaigns targeting critical infrastructure in Saudi Arabia, the United Arab Emirates (UAE), Israel, and the United States, exploiting vulnerabilities to enable extortion and espionage while evading international accountability. When not directly linked to an armed conflict, such operations are typically evaluated under peacetime international law, raising questions of sovereignty and non-intervention. Iran’s ransomware attacks on UAE or U.S. infrastructure, for example, are unrelated to the war and fall outside the scope of international humanitarian law (IHL) as they lack a direct nexus to the conflict, highlighting the challenge of applying legal frameworks to cyber operations that target third parties or private entities during wartime.

Cyber operations have also contributed to redefining Tehran’s regional power projection. Rather than seek parity of force, it aims for a ubiquitous digital presence. Cheaper than inaccurate missiles, quieter than volatile proxy militias yet politically resonant, Tehran has made cyber operations a tool of choice in its asymmetric posture. This is particularly evident in Israel’s case. In the six months following the outbreak of the Gaza war in October 2023, around 60% of Iranian cyber operations were directed against Israel, intensifying across virtually all fronts, from espionage to infrastructure attacks, accompanied by operations carried out by Tehran-backed proxies in Lebanon, Iraq, and Syria.

It is telling that while Israel’s National Cyber Directorate issued 367 alerts in 2023, by 2024 the number had risen to 736, including 518 high-priority “red alerts,” and there is no doubt that in 2025 the number will rise steeply. With much of Iran’s defense infrastructure destroyed and several of its senior military officials killed by the Israeli air campaign, Tehran’s strategic options have narrowed considerably. This operational degradation reduces the feasibility of a significant conventional response in the near term, making asymmetric avenues, especially cyber tools, markedly more attractive, with retaliation less constrained by material damage and more plausible in operational terms. With the surge in cyberattacks against Israel following 13 June 2025, there are signs that Tehran is already actively exploring this path, with a likely focus on compromising Israeli State and defense networks.

To what extent Tehran may go remains to be seen. Even prior to the war, Iran’s ransomware and influence campaigns frequently blurred the boundary between espionage and unlawful intervention, exploiting legal gray zones and the absence of binding prohibitions on cyber disruption under international law.

International law clearly prohibits cyber operations causing physical damage or significant disruption, as Stuxnet did, while espionage that merely accesses data without causing harm faces no prohibition. Many of Iran’s calculated disruption tactics, such as ransomware attacks on Saudi or U.S. organizations like the 2025 Pay2Key.I2P campaigns, relatively easily mitigated DDoS attacks, or influence operations shaping public opinion without direct coercion, exploit a gray zone where prohibitions are unclear. Limited consequences, like U.S. sanctions in 2024, highlight the challenge of enforcing accountability for these sovereignty-breaching cyber operations under peacetime international law.

These gaps are reflected in the Tallinn Manual 2.0 on International Law Applicable to Cyber Warfare, the most detailed academic effort to apply international law to cyberspace. The Manual, however, stops short of clearly defining when cyber intrusions amount to a prohibited use of force and offers neither enforcement pathways nor universally accepted thresholds; its application remains non-binding, leaving States to interpret the cyber use of force without clear precedent. In the absence of collective political will to establish clearer normative frameworks or enforceable legal agreements, and unless the regime itself is overthrown, Iran’s strategy of calculated disruption is likely to persist. And unless diplomatic negotiations yield binding commitments to regulate its cyber operations, Tehran will continue to exploit the legal vacuum to sustain its increasingly aggressive posture in cyberspace.

The Legal Landscape of Middle East Cyber Conflicts: Classifying the Armed Conflict

To understand cyber warfare in the Middle East’s volatile landscape, classify regional conflicts, and assess the legality of State cyber operations, a critical distinction should be made between IHL and peacetime international law. IHL governs cyber operations conducted during armed conflicts, requiring compliance with the principles of distinction, proportionality, and military necessity. In contrast, peacetime international law, rooted in the principles of sovereignty and non-intervention as well as Article 2(4) of the UN Charter, applies to cyber activities that occur outside the context of armed conflict. Given the sustained State-to-State hostilities, the Iran-Israel War constituted an international armed conflict (IAC) as defined by Common Article 2 of the 1949 Geneva Conventions, which means that IHL applied to all cyber activities that had a direct nexus to the hostilities between Iran and Israel.

Meanwhile, given the status of Hamas and Hezbollah as organized armed groups, the Israel–Hamas and Israel–Hezbollah conflicts are arguably classified as non-international armed conflicts (NIACs). As such, cyber operations linked to these hostilities are governed by the rules of IHL applicable to NIACs.

By contrast, Iran’s repeated ransomware campaigns targeting civilian infrastructure, like the attacks on Bahrain’s Electricity and Water Authority or the disruption of public services in Tirana last month, endangered civilian systems in peacetime and breached norms of sovereignty and non-intervention, but they occurred outside the context of an armed conflict. Such attacks have resulted in limited consequences, mainly confined to diplomatic protests. Incidents like these highlight the challenge of enforcing peacetime international law, as attribution difficulties and the lack of swift, binding mechanisms under the UN Charter hinder accountability for cyber operations below the use of force threshold.

The Tallinn Manual 2.0 concludes that sovereignty is violated when cyber operations cause loss of functionality to systems on foreign territory, and it notes that such operations may breach sovereignty in peacetime; yet under both paradigms the lack of binding thresholds complicates accountability. Riyadh’s and Abu Dhabi’s defensive posture against Iranian cyberattacks does not consistently meet IAC thresholds, but the incidents may qualify as NIACs or peacetime incidents, depending on intensity and State involvement.

Israel’s Digital Iron Dome

Israel’s cyber doctrine mirrors its conventional defense posture, which is proactive, layered, and unapologetically offensive. Since the early 2000s, Israel has invested heavily in cyber capabilities, treating the domain not as a discrete technical issue but as a strategic pillar of national security. The IDF cyber Unit 8200, widely considered one of the most advanced signals intelligence and cyber warfare units in the world, plays a central role, functioning simultaneously as a signals intelligence agency, cyber operations force, and talent incubator.

Unlike most countries, which maintain strict firewalls between intelligence and commerce, Israel has nurtured a cyber ecosystem that blends both: alumni of Unit 8200 have gone on to found some of the world’s most advanced cybersecurity firms, contributing to what can be described as a military-tech symbiosis. Indeed, Jerusalem remains one of the few capitals globally that treats cyber conflict as a public deterrent rather than an inconvenient secret, with Unit 8200 holding an almost mystical status among the country’s military and tech circles and serving as a source of national pride.

Although during the war Jerusalem was largely silent about its cyber operations, there is no doubt that it engaged in large scale cyber campaigns aimed at degrading Iranian military capabilities. Prior to the conflict, cyber operations attributed to Israel have reportedly targeted Hezbollah logistics networks, Syrian air defense systems, Hamas command and control infrastructure in Gaza, and foreign cyber units engaged in surveillance or influence operations. Following the Abraham Accords, cyber cooperation with the United Arab Emirates and Bahrain has deepened, supported by shared concerns over Iranian activity and regional digital threats. Joint cyber drills and intelligence sharing have become more frequent, quietly creating a regional cyber bloc.

Meanwhile, Israel’s stance on the legality of cyber operations reflects a strategy of legal and doctrinal ambiguity designed to preserve operational flexibility. Jerusalem affirms that international humanitarian law applies to cyber operations during armed conflict, including the obligations of distinction, proportionality, and military necessity. However, Israel interprets the law-of-armed-conflict term “attack” narrowly, applying it only to operations expected to cause physical damage, injury, or death, not to loss of functionality or data deletion.

Israel’s retaliatory cyber operations occupy a similarly ambiguous legal space under jus ad bellum. Even when they do not cross the conventional “use of force” threshold articulated in Article 2(4) of the UN Charter, their cumulative effects may, under the “pinprick” or “accumulation of events” theory, which posits that repeated minor cyberattacks aggregate to significant harm, rise to the level of a violation of a State’s sovereignty.

This very uncertainty raises unresolved questions about the necessity, proportionality, and legal accountability of a response. For example, when is a retaliatory cyber operation necessary if the attacks are individually minor? How can a State ensure a response is proportional to the individual but cumulative effect of the attacks? Who is ultimately held accountable for the aggregate harm caused by a distributed series of attacks? Although the “pinprick” theory is highly contested, it highlights the significant gap between traditional international law and the realities of modern cyber conflict.

Israel acknowledges that cyber operations could, in principle, rise to the level of use of force or even an armed attack, yet it refrains from defining a precise threshold or providing public criteria, supporting the application of existing international law to cyberspace while rejecting the need for a new legal regime. Jerusalem regards the principle of due diligence as a non-binding norm, noting that while it is a valuable component of responsible State behavior it has not yet crystallized into a binding rule of customary international law due to insufficient State practice and opinio juris. This cautious posture reflects a broader Israeli effort to affirm general legal principles without contributing to norm development that could constrain its own cyber doctrine. While such legal ambiguity affords a strategic advantage it also contributes to the erosion of clarity in an already unsettled international normative landscape.

Saudi Arabia and the United Arab Emirates

Although they began putting resources into cyber infrastructure relatively late, Saudi Arabia and its Gulf neighbor are increasingly turning to cyber tools as instruments of national security. Their reasons are pressing. The years since the Shamoon attack, one of the most destructive corporate breaches to date, which wiped more than 30,000 computers and briefly paralyzed Saudi Aramco’s operations, have seen both States face a growing surge in cyberattacks, galvanizing their long-term cyber ambitions. Hacktivism-related DDoS attacks surged over 70% in 2024, while ransomware incidents steadily rose, with advanced persistent threat actors primarily targeting government agencies, manufacturing firms, and the energy industry; since 13 June 2025, both States have braced for cyber fallout from the Iran-Israel War.

Unlike Israel and Iran, whose cyber capabilities have developed largely in-house, Saudi Arabia and the United Arab Emirates have relied extensively on external partnerships to transform from quasi-passive victims into key participants in the regional cyber conflict landscape, primarily with Western firms, foreign contractors and, at times, former intelligence operatives. Perhaps the most visible example of this has been both countries’ use of surveillance software developed by firms like NSO Group, an Israeli cyber-intelligence firm widely known for creating Pegasus, a tool capable of remotely accessing smartphones, while the UAE cyber unit DarkMatter employed ex-National Security Agency (NSA) hackers for offensive operations targeting, among others, foreign officials and journalists.

Extraterritorial use of spyware like Pegasus by States arguably violates Article 17 of the International Covenant on Civil and Political Rights (ICCPR) by enabling unauthorized surveillance, but there is currently no specific, comprehensive, and internationally binding legal mechanism designed to regulate the development, sale, and transfer of commercial cyber arms, nor are there clear enforcement mechanisms tailored to address State-enabled cyber repression. Part of the problem is that the rapid evolution of cyber capabilities renders traditional arms control models, which rely on precise definitions and verifiable limitations, largely unworkable. While the ICCPR is a binding treaty, its general human rights provisions are not complemented by dedicated international instruments to control the proliferation and misuse of these dual-use technologies, an absence that makes it challenging to hold States and commercial entities effectively accountable for extraterritorial surveillance and repression.

Although the Wassenaar Arrangement implements export controls on certain “dual-use” cyber technologies like intrusion software, these controls are limited in scope, face definitional ambiguities, and are complicated by differing national interpretations and enforcement capacities. Even the UN Cybercrime Treaty, which will be binding from 2026, raises significant concerns among human rights advocates regarding its broad scope and its potential for misuse by repressive governments to legitimize intrusive surveillance and criminalize online speech.

Although the past few years saw a number of cyber laws being implemented in both Saudi Arabia and the United Arab Emirates, neither State has articulated a formal legal doctrine on cyber operations under international law. Both endorse voluntary norms in global forums but have refrained from endorsing binding interpretations of sovereignty, due diligence, or use of force in cyberspace. While cybersecurity frameworks like Saudi Arabia’s Essential Cybersecurity Controls exist, in practice they are built primarily around national security, capacity-building, and digital modernization, with little emphasis on multilateral accountability. As core capabilities remain opaque and largely unaccountable, Gulf States continue to frame cybersecurity as a modernization project, using national cyber authorities, public-private partnerships, and international forums to signal legitimacy.

These ambitions were further underscored during President Trump’s Gulf tour in May, which aimed to reset U.S. Middle East policy and spotlighted the aspirations of Saudi Arabia and the United Arab Emirates to ascend as artificial intelligence (AI) powerhouses, backed by hundreds of thousands of Nvidia and AMD GPUs. While these projects are designed to drive innovation, the growing prominence of AI systems as prime targets for State-sponsored cyberattacks significantly heightens the associated security risks. It remains to be seen whether their rapidly expanding digital infrastructure can be effectively safeguarded, and how their evolving cyber and AI capabilities will ultimately reshape the region’s strategic calculus.

International Law, Sovereignty, and Escalation

Perhaps even more than in other regions, cyber operations in the Middle East consistently test the limits of international law, exposing how porous and discretionary those limits truly are. In a region where traditional warfare has long resisted neat classification, cyber conflict has introduced a domain in which violations are real but consequences are discretionary. Most cyberattacks fall below the threshold of armed conflict under the UN Charter, yet they yield outcomes typically associated with warfare, such as infrastructure sabotage, disruption of essential services, and psychological harm to civilian populations. These calibrated exchanges amount to an informal signaling regime, one notably lacking guardrails.

Attribution continues to pose a central legal and operational challenge. Technical forensics may suggest an origin, but proving State responsibility is complex, especially when proxies, contractors, or compromised infrastructure are involved. Consequently, responses from the UN, regional organizations, and bilateral partners tend to be inconsistent and largely symbolic, and the escalating Israel-Iran cyber conflict exemplifies how legal gray zones enable unchecked digital warfare.

As Israel’s offensive cyber doctrine, Iran’s disruptive campaigns, and Saudi Arabia and the United Arab Emirates’ AI-driven ambitions cement cyberspace as a core arena of statecraft, they outpace efforts to build regional norms through the UN’s Open-Ended Working Group or the Gulf Cooperation Council’s 2019 Cybersecurity Strategy. Trust deficits and sovereignty concerns further stall progress, as nations in the region resist external oversight. These dynamics underscore a fragmented regional approach, where competing national interests and mutual suspicion undermine collective cyber governance even among Iran’s adversaries. Without global cooperation to forge enforceable legal frameworks and regional trust to bridge divergent interests, the Middle East risks a future where persistent cyber conflict amplifies instability, redefining power through dominance in the digital domain.

***

Dr Gerald Mako is a Research Affiliate at the Cambridge Central Asia Forum at Cambridge University.

The views expressed are those of the author, and do not necessarily reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.

Articles of War is a forum for professionals to share opinions and cultivate ideas. Articles of War does not screen articles to fit a particular editorial agenda, nor endorse or advocate material that is published. Authorship does not indicate affiliation with Articles of War, the Lieber Institute, or the United States Military Academy West Point.

Photo credit: Unsplash