A text message that appeared to come from the MOI, sent to mobile phones in the United Arab Emirates during the Iran war, read: “Any safety hazards must be reported immediately.” However, the interior ministry never issued such a warning. It then warned residents not to act on “fake” messages.
As Tehran retaliates against Israel and the United States, the country that bore the brunt of the Iranian attack also faced a barrage of a more insidious nature, officials said.
Mohammed Al Kuwaiti, the UAE government’s cybersecurity chief, told state media last month that the UAE had already noticed a spike in cyberattacks weeks before the war. He said that in the early stages of the war, cyberattacks from Iranian proxies rose to 500,000 per day, most of them targeting critical infrastructure.
“After (the war started), the internet was shut down (inside Iran), but their proxies…continued (to attack us) from outside Iran,” he said. “Many people received phishing emails asking them to click on a link. This started as data collection and then turned into something destructive.”
During the war, Iran and its proxies launched thousands of missiles and drones at up to a dozen U.S. allies in retaliation for U.S. and Israeli attacks on its territory. But it is on the less visible fronts that Tehran exerts outsized influence: psychological and information warfare.
Threatening text messages purporting to be from Iran’s Revolutionary Guards told Israelis to “wait for death,” in an evacuation order that mimicked the controversial style used by the Israeli military in Gaza and Lebanon and urged civilians near critical infrastructure and major residential areas in the Gulf Arab state to leave.
In early March, attacks on web servers disrupted banking systems in the United Arab Emirates and Bahrain, halting financial transactions and daily banking operations. Iran’s Revolutionary Guards have released a target list of American companies and universities operating in the Middle East, including Meta, Oracle, Nvidia, Microsoft and Google, forcing many companies to ask their staff to work from home.
Paolo Napolitano, associate director of Dragonfly at Dow Jones, a London-based geopolitical and security risk firm, said cyber and influence operations are now an essential part of modern warfare, and Iran as well as Iran-linked actors have used them extensively during conflicts with the United States and Israel.
Economic opportunities in countries such as Saudi Arabia, Qatar and the UAE have long attracted foreign companies seeking access to favorable markets, capital and low tax rates. World-class talent is flocking to countries that have been seen as islands of stability in a volatile region for decades.
Iran’s campaign takes aim at this carefully cultivated image, aiming to inflict reputational damage even if the physical damage is minimal.
“Iran had no illusions that it could defeat the US and Israeli forces using conventional methods, so it has probably been preparing such methods for such a conflict for several years,” Napolitano said.
In Jordan, Iran-linked groups launched a cyber attack aimed at manipulating the storage temperature of wheat stockpiles in order to damage the country’s already economically struggling strategic reserves, Jordan’s National Cyber Security Center reported in early March.
Authorities asked residents to change their passwords after reports emerged that Iran was hacking surveillance and home surveillance cameras.
“Iranian hackers have been trying to access surveillance footage from cameras in Israel and the Gulf states since the start of the war,” said Seyoung Chong, principal cyber analyst at Dragonfly. “This appears to be intended to support airstrikes by helping to more accurately pinpoint target locations and assess damage from missile attacks.”
A creepy message also arrived on the cellphone of an Israeli living hundreds of miles away in the Persian Gulf.
“Thousands of Palestinian children have died because of you. You and your family are our targets. Please wait for death,” read a message in Hebrew that arrived on an Israeli cell phone and was signed by the Revolutionary Guards.
Weeks before the war, the Iranian government had warned that any attack on its soil would trigger retaliation against Washington’s regional allies. A pro-Iranian X account called “Iran Military Media” (often mistaken for an official military account) posted an image of the world’s tallest tower, the Burj Khalifa in Dubai, without a caption, as speculation intensified about an impending attack following the deployment of US warships to the region. The veiled threat to the city worried many residents.
On February 28, within hours of the first US and Israeli attack on Tehran, Iran made good on its threat.
Hundreds of projectiles were fired at what is known as one of the world’s safest cities, in what UAE official Anwar Gargash described as a “worst-case scenario”. While the attacks targeted U.S. military bases, the Revolutionary Guards also attacked civilian targets, including hotels in Dubai, high-rise residential buildings in Bahrain, a gas facility in Qatar and an airport in Kuwait.
As information and disinformation spread about the extent of the damage caused by the Iranian attack, Gulf Arab governments scrambled to control the press. Dozens of people have been arrested in the United Arab Emirates for filming interceptions and sharing videos deemed inappropriate.
In Kuwait, prominent Kuwaiti-American journalist Ahmed Shihab-Eldin was detained after sharing a video related to the Iran war, and more than 300 people were arrested in Qatar on charges of “filming, sharing, and publishing misleading information.”
In the days that followed, this tactic appeared to be working. Residents began self-censoring private chats and deleting posts for fear of retaliation. Even journalists working for some Western news outlets in the region have begun taking precautions, such as avoiding signing news articles and photos.
Iran-linked hackers have been attacking targets far beyond the range of Iranian missiles, wreaking havoc at multiple U.S. oil, gas and water facilities in recent weeks, according to three people familiar with the U.S. advisory and investigation. Officials said the hack halted some industrial processes at the site, forcing them to operate manually.
Last month, Iranian-linked hackers leaked emails stolen from FBI Director Kash Patel’s personal account. Before that, they disrupted the business of a major medical device manufacturer in the United States.
The same hacker claimed responsibility for compromising the personal devices and accounts of former Israeli army chief of staff Herzi Halevi. The group released dozens of photos and identification documents as evidence of the breach.
Cyber activity often has a psychological component. Iranian hackers bragged about their hacks against Patel and the medical device maker online, exaggerating the impact.
Still, experts say Iran’s decision to shut down foreign internet services within the country has also limited the intensity of cyberattacks across the region.
Andy Piazza, senior director of threat intelligence at Palo Alto Networks’ Unit 42, told CNN: “We’re seeing geopolitical tensions spill over into cyberspace in ways that are more organized, sustained, strategic and publicized than ever before.”
However, Piazza added that while the Islamic Republic has a “proven ability to carry out highly sophisticated and multi-pronged cyber campaigns,” its “initial cyber operations were significantly hampered as internet connectivity in the country declined to between 1 and 4 percent after the initial conflict.”
Napolitano said it was difficult to judge the effectiveness of Iran’s asymmetric operations, but important objectives were undoubtedly achieved.
“The main purpose of these campaigns is to spread fear and increase uncertainty in the Gulf region, thereby demonstrating the inability of local authorities to deal with the threat from Iran,” he added.
