“The first casualty of war is truth.” Attributed to Aeschylus — and never more apt than when the battlefield is invisible, the weapons are packets of data, and the targets are the digital foundations of a globalized civilization.
The Dashboard That Saw It Coming
On the morning of March 3, 2026, a dashboard quietly updated itself within a monitoring system known as NEXUS, an intelligence and observation platform developed by Cyberium Limited to track, in real time, the health of critical digital infrastructure across the world’s most sensitive regions. The screenshot, captured at 14:41:21 and reproduced here as part of this analysis, tells a story that no news broadcast was carrying at that precise moment. Bahrain, hosting simultaneously the AWS me-south-1 region and the US Navy’s Fifth Fleet headquarters, was sitting at 56% health. The UAE, home to me-central-1 and one of the most cloud-dependent financial ecosystems in the world, had dropped to 50%. Tel Aviv, paradoxically, read 100%. Two active incidents, both rated at maximum blast radius 5/5, were cascading through multi-service stacks across the Gulf. The dependency chain displayed on screen read: Multi-Svc, then EC2, then CloudWatch, then ECR. Estimated time to resolution: two to six hours.
This is not a metaphor. It is a live intelligence feed from one of the most consequential conflict zones on earth, translated into the cold grammar of service health monitoring, criticality ratings, and propagation risk scores. NEXUS does not editorialize. It observes, correlates, and computes. And on March 3, 2026, it was computing the digital signature of a war.
The Architecture of Modern War
There is a tendency, when wars begin, to reach for the vocabulary of the twentieth century. We speak of air campaigns, of strategic bombing, of the targeting of industrial infrastructure as though we were narrating the RAF over the Ruhr in 1943, or the American sorties over North Vietnam. The language of kinetic warfare gives us a framework we understand intuitively. But the war that began on February 28, 2026, between the United States and Israel on one side and Iran on the other, is not being fought solely in the airspace above Tehran. It is being fought, simultaneously and with equal intensity, in the electromagnetic spectrum, in the routing tables of internet service providers, in the authentication logs of cloud platforms, and in the operational technology networks of oil refineries and port logistics systems across the entire Gulf region.
Operation Epic Fury, as the American side named its campaign, and Operation Roaring Lion, the Israeli designation, launched their opening salvos against 500 military targets in a single night, deploying approximately 200 fighter jets in what the Israeli Air Force described as the largest combat sortie in its history. More than 1,200 bombs were dropped in the first 24 hours. US B-2 stealth bombers dropped dozens of 2,000-pound penetrator munitions on deeply buried ballistic missile launchers. The targets were selected with a precision that reflects decades of intelligence accumulation: air defense systems, ballistic missile launchers, nuclear-adjacent sites, the personal compound of Supreme Leader Ali Khamenei, who was killed in the opening strikes, and the headquarters of IRIB, Iran’s state broadcaster, struck on March 3.
That last target deserves more attention than it has received. The state broadcaster is not a military installation. It is the information nervous system of a government. Destroying it accomplishes something that a missile battery cannot: it severs the regime’s ability to narrate its own survival to its own people. The parallel with the BBC transmitters that the Allies fought to keep operational during the Second World War is not accidental. In this conflict, controlling the information environment is inseparable from controlling the physical battlefield.
The Cyberwar That Preceded the Bombs
What the conventional news cycle missed, because it always does, is that the kinetic campaign did not begin on February 28. The cyber campaign began weeks, perhaps months, earlier. Security researchers at Approov documented a significant surge in sophisticated API probing attacks targeting regional government applications beginning in early February 2026, probes that stopped abruptly on February 27, one day before the bombing started. Binary Defense reported that Iran appeared to be actively staging malware targeting entities in Israel and the Middle East even before the air strikes began. MuddyWater, APT42, APT33, APT34, and the rest of the Iranian cyber arsenal had been running persistent intrusion campaigns for months, positioning themselves inside networks they might need to activate at a moment of their choosing.
This is the architecture of modern hybrid warfare, and it follows a logic as old as military strategy itself, even if the technical instruments are entirely new. You do not begin a war; you position yourself for one. You pre-place capabilities. You establish persistence. You wait. When the bombs fall, the cyber operations shift from intelligence gathering to disruption and active degradation. What Israel did on February 28 was remarkable not only for its kinetic scale but for its digital scale. Independent monitors confirmed that Iran’s internet connectivity collapsed to between 1 and 4 percent of normal levels within hours of the opening strikes, described by analysts at CloudSEK as potentially the largest single cyberattack against a nation-state’s digital infrastructure in recorded history.
Government digital services went dark across Tehran, Isfahan, and Shiraz. The IRGC communications systems were disrupted. The prayer app BadeSaba was reportedly compromised to display messages urging military personnel to defect. The state news agency IRNA saw its front page replaced with anti-regime messaging. These are not the acts of hacktivists operating from laptops in cafes. They are coordinated state operations, timed to the minute with the kinetic campaign.
Why These Targets, and Why Again
The nuclear sites and missile launchers represent the obvious stratum of targeting. Iran’s 460 kilograms of 60% enriched uranium, enough by US officials’ own estimates for eleven nuclear weapons if further enriched, provided the strategic rationale. The ballistic missile stockpile, with over 500 ballistic and naval missiles and nearly 2,000 drones fired against Israel and regional US bases by early March, provided the immediate military justification. Air defense systems had to be neutralized first. This layer of targeting logic is conventional and well-understood.
But look more carefully at what was struck in the first ten days, and a second layer becomes visible. Oil storage depots. Fuel refining facilities. The Shahran oil depot on the outskirts of Tehran, burning for days after the strike. The Shokouhiyeh industrial area in Qom, where residents were given hours to evacuate. These are infrastructure targets whose destruction does not degrade military capability in the first instance. They degrade the economic substrate on which military capacity depends. Brent crude surged to $119.50 per barrel. The Strait of Hormuz was explicitly threatened. Bahrain’s Bapco Energies declared force majeure. GPS spoofing and AIS disruption were confirmed across more than 1,100 ships in Gulf waters.
The NEXUS dashboard recorded all of this in real time. The 56% health score for Bahrain and 50% for the UAE were not technical glitches at Amazon data centers. They were the digital signature of a war being waged on the nervous system of a region. Iran has since named Mojtaba Khamenei, son of the assassinated supreme leader, as his successor. A regime that names a successor under fire is a regime that intends to continue fighting. The US Defense Secretary stated openly that the bombardment was about to surge dramatically. These strikes will happen again.
What We Are Not Talking About
There is a subject that almost nobody in the mainstream coverage of this conflict has addressed seriously: the question of what the Gulf’s digital disruptions mean for infrastructure beyond the region. The AWS me-south-1 region in Bahrain and me-central-1 in the UAE serve financial institutions, government agencies, healthcare systems, and critical infrastructure operators across a region whose economic arteries feed directly into the global economy. When Multi-Svc incidents cascade through those regions with a blast radius of 5/5, as the NEXUS dashboard recorded at 17:14 on March 3, the dependency chain does not stop at the regional border.
CISA, the United States Cybersecurity and Infrastructure Security Agency, was operating at approximately 38% of its authorized staffing levels at the time this conflict began, the result of a partial government shutdown and a management reshuffle that had left the agency effectively without a director. The most dangerous moment for American critical infrastructure since at least 2021 arrived precisely when the agency designed to defend against it was in administrative freefall.
Iran’s cyber capabilities are not limited by the domestic internet blackout. The groups that operate under IRGC direction (Handala, APT34, APT35, MuddyWater, APT42, Hydro Kitten, and the Electronic Operations Room established on February 28, 2026) operate through proxies, through pre-positioned infrastructure outside Iran, and through affiliated operators in Lebanon, Iraq, and Yemen who are entirely unaffected by the domestic blackout.
Perhaps most disturbing is the Sicarii ransomware group, which surfaced in December 2025 with a critical design flaw: its encryption discards its own keys after encrypting files, making decryption permanently impossible for both victims and operators. A group that deploys ransomware that cannot be reversed is not running a criminal extortion operation. It is running a destruction operation with a financial veneer. Halcyon analysts noted that Sicarii had recently signaled intent to dramatically expand its targeting volume, describing not a ransomware group but a wiper campaign wearing ransomware clothing.
The History We Forgot to Read
In 2010, a piece of malware called Stuxnet, later attributed to a joint US-Israeli operation, destroyed approximately one fifth of Iran’s nuclear centrifuges at the Natanz facility by causing them to spin themselves apart while reporting normal operation to the monitoring systems. It was the most sophisticated cyberweapon ever deployed in a conflict, and its lesson was that a nation’s critical infrastructure could be destroyed remotely, invisibly, and with complete deniability. Iran absorbed that lesson. It spent the following fifteen years building the capability to respond in kind.
CyberAv3ngers, an IRGC-linked group, attacked water and gas systems in the United States in 2024, compromising Programmable Logic Controllers in facilities across multiple states. The Boston Children’s Hospital was targeted in 2017. Iranian cyber actors had established persistent footholds in Middle Eastern critical infrastructure through credential theft and VPN compromise since at least early 2025.
Sun Tzu’s dictum that the supreme art of war is to subdue the enemy without fighting finds its contemporary expression in the pre-positioned malware that waits in silence inside an adversary’s network, in the API probes that map vulnerabilities months before the first kinetic strike, and in the GPS spoofing that makes 1,100 ships suddenly uncertain of their position in one of the world’s most transited maritime corridors. The bombs are the visible part of a campaign whose most consequential elements may never appear in a damage assessment.
What Could Happen Next
As Iran’s conventional missile inventory depletes, with analysts estimating consumption has reduced usable stores by approximately 40% since the campaign began, the strategic incentive to substitute cyber operations increases. A regime with fewer missiles has stronger reasons to maximize the use of weapons that cost nothing to replicate: the malware, the wipers, the DDoS botnets, the pre-positioned implants in operational technology networks that can be activated with a single encrypted command from an operator sitting nowhere near Tehran.
The oil and energy infrastructure of the Gulf, already disrupted by the conflict’s kinetic phase, is the most exposed and most consequential target for the cyber phase that will follow. SCADA systems controlling refinery operations, pipeline pressure management, offshore drilling platforms, and LNG terminal logistics are precisely the kind of operational technology environments in which CyberAv3ngers and APT34 have demonstrated persistent access. A coordinated campaign against Gulf energy OT infrastructure, executed from pre-positioned assets outside Iran, could cause physical damage to energy production systems with a speed and scale that would make the Shahran oil depot strike look modest.
European infrastructure operators who believe this scenario is geographically remote are making a category error. The cloud architecture that underpins European financial systems, logistics networks, and critical infrastructure is not isolated from the Gulf regions currently under attack. The NEXUS dependency chain, Multi-Svc to EC2 to CloudWatch to ECR, is a simplified representation of pathways that extend into workloads running in Frankfurt, Paris, London, and Milan. The cascade from a Gulf region disruption to a European workload outage is not a theoretical possibility. It is a documented, observable pathway.
Technical Analysis: What the Data Tells Us
The following tables present the structured intelligence assessment produced by the NEXUS platform and corroborated by open-source intelligence from Unit 42 (Palo Alto Networks), CloudSEK, CSIS, the Canadian Centre for Cyber Security, Google Threat Intelligence Group, CrowdStrike, and Halcyon. They are intended not as a comprehensive technical briefing but as a calibration instrument, a way of assigning relative weights to threats that the narrative coverage of this conflict has so far treated as equivalent or has ignored entirely.
Table 1 — Target Categories, Strike Logic, and Cyber Correlation
| Target Category | Objective | Kinetic | Cyber | Re-strike likelihood |
|---|---|---|---|---|
| Air Defense / SAM | Degrade A2/AD envelope | Yes | Comms jamming | Very High |
| Ballistic Missile Sites | Reduce strike capacity | Yes | Pre-strike spoofing | Very High |
| Nuclear Facilities | Non-proliferation / WMD denial | Yes | SCADA disruption | High |
| IRIB State Broadcaster | Narrative control | Yes | Website defacement | Medium |
| Oil depots / Refineries | Economic attrition | Yes | SCADA / OT attack | High |
| Leadership Compound | Decapitation strike | Yes | Comms blackout | Low (achieved) |
| Power Grid Nodes | Systemic disruption | Partial | Pre-positioned malware | Very High |
| Port / Maritime Logistics | Supply chain pressure | No | AIS/GPS spoofing | High |
| Cloud / Telecom Infra | Info blackout, C2 severed | No | BGP hijack, DDoS | Ongoing |
Table 2 — AWS Regional Health Status, March 3, 2026 (NEXUS Real-Time Intelligence)
| AWS Region | Location | Health Score (03/03) | Active Incident | Blast Radius | MTTR Est. |
|---|---|---|---|---|---|
| me-south-1 | Bahrain | 56% | Multi-Svc DISRUPTION | 5/5 | 2–6 h |
| me-central-1 | UAE | 50% | Multi-Svc DISRUPTION | 5/5 | 2–6 h |
| il-central-1 | Tel Aviv | 100% | None detected | 0/5 | — |
| Global Edge | CloudFront | 94% | Minor (Resolved) | 1/5 | Resolved |
Table 3 — Iran-Aligned Threat Actors, Capabilities, and Target Sectors
| Threat Actor | Affiliation | Primary TTP | Target Sector | Sophistication |
|---|---|---|---|---|
| Handala Hack | MOIS | Exfil + wiper + leak ops | Defense, healthcare, energy | High |
| APT34 / OilRig | IRGC | Spear-phish, PLC exploit | Gov, finance, OT/ICS | Very High |
| APT35 / Charming Kitten | IRGC | Cred. theft, mobile surv. | Journalists, diaspora, gov | High |
| MuddyWater / Op. Olalampo | MOIS | VPN backdoor, webshell | Gov, telecom, finance | High |
| APT42 | IRGC-IS | Social eng., surveillance | Civil society, western gov | High |
| Hydro Kitten | IRGC-aligned | DDoS, financial sector | Banking, GCC finance | Medium |
| CyberAv3ngers | IRGC | OT/ICS PLC attacks | Water, gas, utilities | High |
| Electronic Ops Room | IRGC coord. | Multi-vector hybrid ops | Regional infra., media | Very High |
| Sicarii Ransomware | Criminal/IRGC proxy | RaaS — permanent data destruction | Industry, META region | Medium-High |
| KillNet (Russia-aligned) | Opportunistic | DDoS campaigns | NATO-adjacent targets | Medium |
Table 4 — Future Scenario Assessment (6-Month Horizon)
| Scenario | Probability (6m) | Attack Vector | Target | Potential Impact |
|---|---|---|---|---|
| Wiper malware on Gulf OT infra | >60% High | Pre-positioned implants | Oil/gas SCADA | Regional supply disruption, oil >$150 |
| BGP/DNS hijack GCC cloud | ~40% Medium | Routing manipulation | Financial sector | Auth failure, mass data exposure |
| DDoS European critical infra | ~45% Medium | Botnet, proxy chain | Energy, hospitals | Service disruption, ~€50M+ |
| AIS/GPS saturation Hormuz | >65% High | Electronic warfare | Commercial shipping | Cargo rerouting, oil spike |
| US municipal water attacks | ~35% Medium | PLC exploit (CyberAv3ngers) | Water utilities | Contamination risk, public health |
| Western telecom interception | ~25% Lower | VPN backdoor (APT34) | ISP, satellite ops | Long-term intel collection |
| EU financial market disruption | ~20% Lower | DDoS + disinfo campaign | Stock exchanges, banks | Market volatility, systemic risk |
| Supply chain ransomware | >50% Med-High | Compromised vendor | Shipping, ports, logistics | Cascade disruption, weeks of delay |
Table 5 — Key Risk and Performance Indicators: Current Operational Status
| KPI / KRI | Current Value | Alert Threshold | Status | Recommended Action |
|---|---|---|---|---|
| AWS me-south-1 Health | 56% | <70% = Alert | CRITICAL | Activate DR failover to eu-west-1 |
| AWS me-central-1 Health | 50% | <70% = Alert | CRITICAL | Failover to ap-south-1 |
| Brent Crude | ~$113–119/bbl | >$100 = Elevated | ELEVATED | Review energy supply hedging |
| Active Hacktivist Groups | 8+ active | >5 = High | HIGH | Raise EDR alert threshold |
| CISA Staffing Level | ~38% | <75% = Danger | CRITICAL | Engage private-sector MSSP |
| Gulf AIS/GPS Spoofing | 1,100+ ships | >500 = Alert | ELEVATED | Activate alternative nav protocols |
| Iranian Missile Inventory | Est. 40% depleted | <30% = Tactical shift | WATCH | Monitor for cyber escalation surge |
| Cloud Blast Radius (max) | 5/5 | >=4 = Critical | CRITICAL | Isolate regional cloud dependencies |
| Pre-positioned Malware (known) | Active (unquantified) | Any = Alert | HIGH | Threat hunt in OT/ICS, audit VPN logs |
| Strait of Hormuz Traffic | Disrupted | >10% deviation = Alert | ELEVATED | Activate alternate logistics routes |
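As an added example (not part of NEXUS or of the original article), the sketch below applies the "<70% = Alert" threshold from Table 5 to the Table 2 health scores and walks a dependency map to find workloads hosted outside the Gulf that still reach a degraded region. The workload names and dependency edges are constructed for illustration.

```python
from collections import deque

# Health scores (percent) from Table 2; alert threshold ("<70% = Alert") from Table 5.
REGION_HEALTH = {"me-south-1": 56, "me-central-1": 50, "il-central-1": 100}
ALERT_THRESHOLD = 70

# Constructed inventory: (component, region) -> components it needs in order to run.
# Workload names and edges are hypothetical; the European regions are Frankfurt,
# Paris, London and Milan.
DEPENDS_ON = {
    ("payments-api", "eu-central-1"): [("EC2", "eu-central-1"), ("ECR", "me-south-1")],
    ("fraud-batch", "eu-west-3"): [("payments-api", "eu-central-1")],
    ("ops-dashboards", "eu-west-2"): [("CloudWatch", "me-central-1")],
    ("intranet", "eu-south-1"): [("EC2", "eu-south-1")],
    ("CloudWatch", "me-central-1"): [("EC2", "me-central-1")],
    ("ECR", "me-south-1"): [("EC2", "me-south-1")],
}


def degraded_regions(health, threshold=ALERT_THRESHOLD):
    """Regions whose health score is below the alert threshold."""
    return {region for region, score in health.items() if score < threshold}


def shortest_exposure(start, depends_on, bad_regions):
    """Breadth-first search from one component; return the shortest dependency
    path ending in a degraded region, or None if no such path exists."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1][1] in bad_regions:
            return path
        for dep in depends_on.get(path[-1], []):
            if dep not in seen:  # the seen-set also guards against cycles
                seen.add(dep)
                queue.append(path + [dep])
    return None


def exposure_report(depends_on, health, threshold=ALERT_THRESHOLD):
    """Map each workload hosted outside the degraded regions to its shortest
    path into one (None means no transitive dependency on a degraded region).
    Regions missing from the health map are treated as not degraded."""
    bad = degraded_regions(health, threshold)
    return {
        name: shortest_exposure((name, region), depends_on, bad)
        for (name, region) in depends_on
        if region not in bad
    }


def render(path):
    """Format a dependency path as 'component@region -> component@region'."""
    return "no exposure" if path is None else " -> ".join(f"{c}@{r}" for c, r in path)


if __name__ == "__main__":
    for workload, path in exposure_report(DEPENDS_ON, REGION_HEALTH).items():
        print(f"{workload:15} {render(path)}")
```

Replacing the constructed inventory with an export from a real asset or infrastructure-as-code inventory turns the same traversal into a list of failover candidates.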
What NEXUS Tells Us That Generals Do Not
The NEXUS platform does not predict the future. It observes the present with enough granularity to make the future legible. When it shows Bahrain at 56% and the UAE at 50%, it is not reporting a technical glitch. It is reporting the digital consequence of a war. When it shows a dependency cascade from Multi-Svc to EC2 to CloudWatch to ECR, it is not describing an architecture diagram. It is tracing the path along which a disruption becomes a failure becomes a cascade becomes a crisis.
The question that every CISO, every infrastructure manager, every regulator, and every policymaker who reads this analysis should be asking is not whether they are watching the Iran war on television. It is whether their dependency map looks anything like the one the NEXUS dashboard is displaying in real time, and what they intend to do about it before the cascade reaches them.
History does not repeat itself. But it rhymes. The rhyme we should be listening for, in the frequency spectrum between the bombs and the silence, is the sound of malware that was planted months ago, in a network whose owner is watching the news and thinking: that war is happening over there. It is not happening over there. It has been in your network since February.
Source data: AWS Health RSS feeds, status.aws.amazon.com, Unit 42 / Palo Alto Networks, CloudSEK, CSIS, Canadian Centre for Cyber Security, Google Threat Intelligence Group, CrowdStrike, Halcyon, Al Jazeera, House of Commons Library, CNBC, The Register, Cybersecurity Dive, Nextgov/FCW.
Raffaele Di Marzio
Executive Cybersecurity Consultant
raffaele.dimarzio@cyberium.limited
