
Iran-Linked APT35 Pre-Positioned Across GCC Before Strikes, Says CloudSEK Report


Threat intelligence links years of cyber reconnaissance to countries targeted during regional escalation, raising alarms for critical infrastructure

A new report from CloudSEK reveals that the Iran-linked hacking group APT35 had already conducted extensive cyber reconnaissance, and in some cases gained access, across multiple Gulf nations before the onset of Operation Epic Fury.

The report, “The Kitten Had the Map All Along,” highlights a consistent pattern of targeting across the United Arab Emirates, Saudi Arabia, Qatar, Bahrain, Kuwait, Jordan, and Israel, all of which later became part of the regional strike landscape.

According to the findings, APT35, also known as Charming Kitten, focused on high-value sectors such as government, aviation, energy, financial systems, and critical infrastructure. The alignment between earlier cyber activity and subsequent kinetic targeting suggests that cyber operations may have helped map and prepare targets well before the conflict escalated.

“The reconnaissance appears to have come first. When the same countries profiled in cyber operations later appear in the strike map, defenders must assume digital access may have been part of the larger operational picture.”

— Mohammed Rizvan, Cybersecurity Researcher, CloudSEK

The report also highlights active cyber threats running parallel to the geopolitical crisis. Groups such as APT33 and CyberAv3ngers are believed to be targeting aviation, telecom, logistics, and industrial systems, raising the risk of disruption beyond military domains.

Among the key revelations are leaked insights into APT35’s malware and infrastructure, including tools such as BellaCiao and Sagheb RAT. CloudSEK notes that these disclosures provide defenders with valuable indicators of compromise, but also reflect the scale and sophistication of the threat landscape.

CloudSEK warns that organizations across the region should treat the situation as critical. Immediate steps include patching vulnerable systems, auditing internet-facing infrastructure, rotating privileged credentials, and actively hunting for signs of compromise.

The report underscores a broader shift: cyber operations are no longer peripheral but central to modern conflict. With adversaries potentially already embedded within networks, the focus for organizations must move from prevention to detection, response, and resilience.
