Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

March 18, 2026

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through March 18.

Operation Epic Fury Timeline: March 2026 Conflict Updates

February 28, 2026 — Initial Strikes and Regional Retaliation

Feb 28
  • 07:00 UTC: US and Israeli forces launch coordinated operations targeting Iranian missile sites and strategic infrastructure.
  • 07:30 UTC: Strike reported on Supreme Leader Ali Khamenei’s compound/office in Tehran; subsequent updates describe his death as confirmed.
  • 08:04 UTC: Missile strike hits a girls’ school in Minab; reports indicate significant civilian casualties.
  • 13:30 UTC: Iran retaliates with reported strikes against Jebel Ali port (Dubai) and Camp Arifjan (Kuwait).
  • 15:00 UTC: Ballistic missiles target Al Udeid (Qatar) and Ali Al Salem (Kuwait) air bases.
  • 17:40 UTC: A Shahed-136 drone hits a radar installation at the US Naval Support Activity in Bahrain (5th Fleet-associated).
  • 20:00 UTC: Iran launches a wave of missiles toward Israel (reported as ~125).

In parallel to these events, Flashpoint observed immediate system-level disruption: flight suspensions at Dubai airports following nearby strikes, and Iran’s move to blockade the Strait of Hormuz, elevating global energy and logistics risk.

March 1, 2026 — Air War Over Tehran, Soft Targets, and Hybrid Expansion

By March 1, the conflict had shifted from stand-off strikes to direct air operations over Tehran, signaling degradation of Iran’s integrated air defenses over the capital. Iranian state media described a transition to “offensive defense,” and retaliatory activity expanded across the region.

Notable developments included the reported strike on the Crowne Plaza Hotel in Manama, Bahrain, signaling increased risk to soft targets and commercial environments. Flashpoint also observed indicators of command-and-control friction on the Iranian side, including a reported friendly-fire incident involving the sanctioned “shadow fleet” tanker Skylight.

Mar 1
  • 01:30 UTC: Press TV announces a massive retaliatory wave against US and Israeli bases.
  • 04:45 UTC: A massive explosion rocks Erbil, Iraq, near US and coalition facilities.
  • 05:30 UTC: Israeli Defense Minister Israel Katz confirms IAF jets are now dropping heavy munitions directly over Tehran.
  • 06:15 UTC: The “shadow fleet” tanker Skylight (previously sanctioned by the US) is struck by an Iranian missile in a friendly-fire incident.
  • 07:00 UTC: An Iranian projectile strikes the Crowne Plaza Hotel in Manama, Bahrain, causing multiple civilian casualties.
  • 09:00 UTC: IDF confirms the mobilization of 100,000 reservists to defend against Iran and its regional proxies.
  • 11:30 UTC: Heavy, continuous IAF bombardment of IRGC command-and-control sites in Tehran is reported.
  • 13:15 UTC: An Iranian Shahed drone successfully hits the American Ali Al Salem Air Base in Kuwait.
  • 15:00 UTC: UK Prime Minister Keir Starmer announces the deployment of experienced Ukrainian counter-UAS operators to the Gulf.
  • 18:30 UTC: IDF confirms Hezbollah has begun firing missiles from Lebanon, opening a major new front in the north.
  • 20:00 UTC: IRGC claims waves 7 and 8 of “Operation True Promise 4” are underway, declaring the Ali Al Salem base “completely disabled”.

March 2, 2026 — Infrastructure and Economic Warfare Escalation

Mar 2
  • Early AM: Iranian Shahed-136 drones strike Saudi Aramco’s Ras Tanura facility.
  • AM: AWS confirms its UAE data center was impacted by physical attacks, resulting in significant service disruptions.
  • 12:35 UTC: An unmanned drone strikes the runway of the UK’s RAF Akrotiri base in Cyprus.
  • ~17:00 UTC: IDF issues evacuation warnings for Tehran’s Evin district and Southern Beirut.
  • 21:00 UTC: CENTCOM confirms six US service members killed in action (updated figure).
  • PM: Israeli airstrikes destroy Iran’s national broadcasting headquarters (IRIB) and the Assembly of Experts’ building in Tehran.
  • Late PM: US forces confirm Iran’s naval capability in the Gulf of Oman has been neutralized (reported sinking of all 11 previously active warships).

March 3, 2026 — Expansion of Infrastructure Warfare and Regional Combat

Mar 3
  • Early AM: IAF strikes the Iranian Regime’s Leadership Compound, dismantling a heavily secured leadership site.
  • AM: An Iranian drone attack sets the US Consulate in Dubai on fire; France deploys Rafale jets to protect military bases in the UAE.
  • ~13:00 UTC: An airstrike hits the Defense Ministry’s Iran Electronics Industries facility in Isfahan.
  • PM: US and Israeli forces destroy Mehrabad Airport in Tehran to prevent regime officials from fleeing.
  • 18:00 UTC: A Farsi-language numbers station appears on 7910 kHz radio frequencies, believed to be transmitting coded instructions to sleeper cells.
  • PM: The White House releases the full objectives of Operation Epic Fury, defining it as a major combat operation focused on destroying Iran’s missile and naval forces.
  • Late PM: A GBU-31 bunker-buster strike destroys an IRGC-linked site in Urmia.

March 5, 2026 — Offensive Defense and Geographic Expansion

Mar 5
  • 04:00 UTC: Iranian attack drones strike Nakhchivan International Airport in Azerbaijan, causing explosions near civilian infrastructure.
  • 06:30 UTC: Azerbaijan’s Ministry of Defence places its military on highest alert and prepares potential retaliatory measures.
  • 09:15 UTC: A complex missile and drone attack triggers a major fire at Ali Al Salem Air Base in Kuwait.
  • 11:45 UTC: The Israeli Air Force conducts large-scale strikes against roughly 200 targets in western and central Iran, focusing on ballistic missile launch systems.
  • 18:00 UTC: Iraq’s national power grid reportedly collapses, resulting in a nationwide.

March 6, 2026 — Regime Fragmentation and Strategic Targeting

Mar 6
  • AM: Approximately 50 Israeli aircraft drop more than 100 bombs on an underground bunker within Tehran’s leadership compound, reportedly eliminating remaining senior regime figures.
  • AM: US forces destroy a hidden Iranian ballistic missile factory located inside Tehran.
  • Mid-Day: Israeli Air Force eliminates Hossein Taeb, former head of the IRGC Intelligence Organization, in a targeted strike on his residence.
  • PM: Azerbaijan begins moving artillery and military equipment toward the Iranian border while evacuating diplomatic personnel from Tehran and Tabriz.
  • Active: Mehrabad International Airport remains under heavy combined US–Israeli bombardment as strikes continue against remaining regime infrastructure.
  • Late PM: US leadership issues a public demand for Iran’s “unconditional surrender,” rejecting negotiated settlement proposals.

March 8–9, 2026 — Leadership Consolidation and Hybrid Warfare Expansion

Mar 8
  • Mar 8: Mojtaba Khamenei is officially appointed Supreme Leader following the death of Ayatollah Ali Khamenei.
  • Mar 8: Israeli forces kill Abolghasem Babaeian, newly appointed military secretary to the Supreme Leader, in a rapid-response airstrike in Tehran.
  • 22:46 UTC: Hacktivist group Cyber Islamic Resistance claims defacement of the Kurdish Peshmerga special forces website (unverified).
  • 23:23 UTC: Cyber Islamic Resistance claims control of a Saudi medical care application website (unverified).

Mar 9
  • Mar 9: Bahraini desalination and oil infrastructure is struck, causing injuries and triggering a declaration of force majeure.
  • Mar 9: Grand Ayatollah Sistani issues a fatwa declaring a “collective religious obligation” for communal defense.
  • 11:12 UTC: Pro-Russian hacktivist group NoName057(16) claims DDoS attacks against Israeli political parties and defense contractor Elbit Systems.
  • 15:26 UTC: Reporting confirms the Iranian MOIS-linked group MuddyWater has infiltrated US aerospace and defense networks.
  • 16:06 UTC: Iran’s nationwide internet blackout enters its sixth day.

March 10, 2026 — Decentralized Retaliation and Economic Pressure

Mar 10
  • 13:35 UTC: Multiple reports indicate that major Iranian banks, including Bank Melli Iran and Bank Sepah, are unable to provide services following suspected cyberattacks.
  • 15:20 UTC: A drone strike hits the Ruwais industrial complex in Abu Dhabi, forcing the shutdown of the Middle East’s largest oil refinery.
  • 18:00 UTC: The UAE Defense Ministry reports intercepting hundreds of projectiles over a 24-hour period, confirming six deaths and more than 120 injuries.

March 11–12, 2026 — Economic and Technological Warfare Expansion

Mar 11
  • 04:30 UTC: Handala begins signaling a major cyber operation on Telegram.
  • 07:15 UTC: Tasnim publishes a new target list naming major Western technology and cloud firms, including Amazon, Google, Microsoft, Nvidia, and other companies with military or cloud ties.
  • 09:15 UTC: Reports emerge of a global operational shutdown affecting Stryker Corporation.
  • 11:00 UTC: Iranian forces attack the Mayuree Naree and the Israeli-owned Express Room near the Strait of Hormuz.
  • 13:30 UTC: HSBC notifies customers in Qatar that branches are closing immediately.
  • 14:45 UTC: Iran launches drone and missile volleys targeting the US Fifth Fleet headquarters in Bahrain and Al Udeid Air Base in Qatar.
  • 18:20 UTC: The ADNOC Ruwais refinery in the UAE halts operations following a targeted drone strike.

Mar 12
  • 04:15 UTC: Reports emerge of severe strain inside Iran’s armed forces, including frontline supply shortages and rising desertions.
  • 09:45 UTC: Israel Railways display screens are compromised with fake Iranian missile warnings.
  • 11:00 UTC: Poland announces it foiled a cyberattack on its national nuclear center, with possible Iranian links under investigation.
  • 14:20 UTC: Stryker confirms disruption to its Microsoft environment; reporting indicates the actor leveraged legitimate cloud administration tools.
  • 16:00 UTC: Ismail Dehghan, a commander in the IRGC Aerospace Force, is reportedly assassinated in Arak.
  • 18:00 UTC: A written statement attributed to Mojtaba Khamenei is read on state TV, vowing the Strait of Hormuz will remain closed.

March 12–13, 2026 — Expanded Kinetic Theater and Coordinated Cyber Offensive

Mar 12
  • 22:58 UTC: A US helicopter fires Hellfire missiles at an Iranian vessel approaching the USS Abraham Lincoln in the Persian Gulf.

Mar 13
  • 00:14 UTC: Saudi Arabia intercepts 12 drones entering its airspace.
  • 00:25 UTC: Air raid sirens activate at Incirlik Air Base in Turkey amid reports of an Iranian ballistic missile attack.
  • 00:38 UTC: The Islamic Resistance in Iraq claims responsibility for downing a US KC-135 aircraft.
  • 01:12 UTC: Iran launches another wave of ballistic missiles toward Israel; one reportedly scores a direct hit in northern Israel.
  • 03:48 UTC: Saudi Arabia reports intercepting four additional drones.
  • 05:12 UTC: Israel reports that more than 90 fighter jets conducted two waves of airstrikes against command centers and military bases in Tehran.
  • 06:17 UTC: A drone strike reportedly hits the UK’s RAF Akrotiri base in Cyprus.

March 1–13, 2026 — Infrastructure Targeting and Internationalization

Since March 1, Flashpoint analysis indicates the conflict has evolved from broad regional exchanges into systematic targeting of energy, data, logistics, and command-and-control infrastructure with global downstream impact. The targeting of Saudi Aramco’s Ras Tanura facility, disruption affecting an AWS data center in the UAE, continued strikes on Gulf military and transport infrastructure, and threats directed at commercial districts and Western firms all point to a widening campaign against the systems that support both state and private-sector operations.

Over this time period, the conflict expanded geographically and economically. NATO-aligned assets came under pressure, strategic communications and military infrastructure were degraded, and commercial coercion intensified through attacks and warnings affecting banks, refineries, desalination systems, shipping lanes, and named corporate locations in Jordan and the UAE. Taken together, these developments indicate that economic warfare is now an overt operational objective rather than a secondary effect of the conflict.

The Escalating Cyber and Information Front

From the opening hours, Flashpoint assessed that cyber activity in this conflict is not ancillary — it is being used as a synchronized force multiplier.

One of the most consequential developments has been the use of infrastructure compromise for psychological operations at national scale. Flashpoint observed the compromise of the BadeSaba prayer app ecosystem, enabling push notifications to be delivered to large user populations. Messaging included calls for mobilization and later content aimed at regime security forces and protest coordination. This reflects a shift from influence on social platforms toward platform-layer manipulation, where trusted everyday applications become vectors for narrative control during kinetic shock.

Flashpoint also observed disruption and interference affecting state-run Iranian outlets (including IRNA and ISNA), contributing to an information vacuum and driving users toward unverified channels for situational awareness.

As kinetic pressure increased, Flashpoint tracking indicated fluctuations in cyber tempo. Some updates suggested a temporary lull in broader Iranian cyber activity — potentially due to operational disruption from physical strikes — while other indicators pointed to a risk of renewed disruptive campaigns, including activity linked to personas associated with state-aligned hacktivist ecosystems.

Coordinated Disruption Campaigns

Beginning on March 2, Flashpoint observed reporting around a coordinated campaign branded #OpIsrael, involving pro-Iranian and pro-Russian-aligned actors. Reported activity included DDoS attacks against Israeli defense and municipal entities, claimed breaches affecting health and government systems, and attacks targeting Gulf-state infrastructure and public-facing services. Over the following days, these campaigns expanded to include regional councils, telecommunications companies, transportation systems, and media outlets.

Shift Toward Enterprise and Financial Targeting

As the conflict progressed, cyber activity increasingly focused on private-sector organizations and commercial infrastructure. Reported and claimed incidents included targeting of banks, payment systems, medical technology companies, and cloud-connected environments. The most significant example was the Handala-linked campaign against Stryker, which was framed as a destructive operation involving data wiping and exfiltration. Flashpoint also tracked claims involving Verifone and continued pressure on financial institutions and commercial platforms in the Gulf and beyond.

Espionage, LOTL Tradecraft, and Psychological Operations

Flashpoint also observed a widening mix of tradecraft and objectives. Verified activity linked to MuddyWater targeted US aerospace, defense, aviation, and financial organizations, while Telegram-based recruitment networks and public warning operations suggested a growing emphasis on espionage, intimidation, and distributed proxy activity. At the same time, reporting around the Stryker incident indicated a shift toward “Living-off-the-Land” techniques that abuse legitimate cloud administrative tools, reducing the usefulness of traditional signature-based detection. Across the conflict, cyber operations have spanned espionage, disruption, psychological operations, financial coercion, and destructive attacks against both regional and international private-sector targets.
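
When destructive activity runs through legitimate administrative tooling there is no malicious binary to match, so detection has to key on behavior instead. The sketch below is an added example, not Flashpoint's code and not data from the Stryker incident: it scans constructed audit records and flags any principal that issues destructive operations against many distinct targets inside a short window. The record fields, operation names, account names and thresholds are all assumptions to be mapped onto your own platform's audit schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical operation names; replace with the destructive admin actions
# your cloud or device-management audit log actually records.
DESTRUCTIVE_OPS = {"device.wipe", "device.retire", "mailbox.purge", "backup.delete"}


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_destructive(events, window=timedelta(minutes=10), min_targets=5):
    """Alert once per principal that hits >= min_targets distinct targets
    with destructive operations inside a sliding time window."""
    recent = defaultdict(deque)   # principal -> deque of (timestamp, target)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["op"] not in DESTRUCTIVE_OPS:
            continue              # routine admin activity is ignored
        ts = parse_ts(ev["ts"])
        queue = recent[ev["principal"]]
        queue.append((ts, ev["target"]))
        while queue and ts - queue[0][0] > window:
            queue.popleft()       # drop actions that fell out of the window
        targets = {target for _, target in queue}
        # Distinct targets, not raw count: retries on one device do not fire.
        if len(targets) >= min_targets and ev["principal"] not in alerted:
            alerted.add(ev["principal"])
            alerts.append({
                "principal": ev["principal"],
                "triggered_at": ev["ts"],
                "distinct_targets": len(targets),
            })
    return alerts


# Constructed sample data (not real telemetry).
SAMPLE_EVENTS = [
    # Helpdesk account: two legitimate wipes, hours apart.
    {"ts": "2026-01-01T09:00:00Z", "principal": "helpdesk-b@example.test",
     "op": "device.wipe", "target": "LAPTOP-0101"},
    {"ts": "2026-01-01T15:30:00Z", "principal": "helpdesk-b@example.test",
     "op": "device.wipe", "target": "LAPTOP-0102"},
    # Non-destructive action by the account that later misbehaves.
    {"ts": "2026-01-02T01:55:00Z", "principal": "admin-a@example.test",
     "op": "policy.read", "target": "tenant"},
] + [
    # Same account wipes six different devices, one per minute.
    {"ts": f"2026-01-02T02:0{i}:00Z", "principal": "admin-a@example.test",
     "op": "device.wipe", "target": f"LAPTOP-02{i:02d}"}
    for i in range(6)
] + [
    # Five retries against a single device: noisy, but one target only.
    {"ts": f"2026-01-03T10:0{i}:00Z", "principal": "admin-c@example.test",
     "op": "device.wipe", "target": "LAPTOP-0301"}
    for i in range(5)
]

if __name__ == "__main__":
    for alert in detect_bulk_destructive(SAMPLE_EVENTS):
        print(alert)
```

The window and target threshold need tuning against a baseline of normal administrative work, such as scheduled fleet refreshes, before a rule like this is used for alerting.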

Strategic Chokepoints and Systemic Risk

Two chokepoints have consistently driven systemic risk throughout the conflict: maritime energy transit and regional air mobility. Iran’s blockade of the Strait of Hormuz, attacks on commercial vessels, pressure on Gulf refineries, and warnings directed at energy-linked infrastructure have all increased volatility in energy markets and maritime logistics. In parallel, attacks on desalination systems and refineries have expanded the threat from energy disruption to wider civilian and economic stability.

Airspace disruption and pressure on major transit hubs have compounded these risks. Flight interruptions, threats to major Gulf airports, and the broader degradation of maritime and aviation routes mean organizations should plan for sustained disruption to commercial mobility, logistics, and regional service availability.

Business and Security Implications

As the conflict expands into commercial infrastructure, civilian logistics, and private-sector economic targets, enterprise exposure now extends well beyond traditional “high-risk” sectors. The targeting patterns observed throughout this conflict indicate that energy infrastructure, cloud assets, maritime corridors, and civilian-facing systems are all within scope.

Organizations should plan for volatility across personnel security, supply chains, cyber disruption, and regional service availability.

1. Personnel and Physical Security

Recent incidents involving Gulf transit hubs, diplomatic facilities, and named commercial districts indicate that exposure is no longer confined to military installations.

  • On March 3 the US State Department issued expanded “DEPART NOW” guidance across multiple Middle Eastern countries, while embassies and diplomatic compounds in the region have already experienced elevated threat conditions.
  • Drone attacks and warnings affecting diplomatic facilities in Dubai, Riyadh, Amman, and other regional locations indicate expanding risk to government and Western-linked sites.
  • Iranian-aligned warning lists now identify specific commercial districts and office locations in Jordan and the UAE tied to Western defense, technology, finance, aviation, and energy firms.

Organizations with personnel in the Gulf region and surrounding areas should:

  • Reassess travel posture to the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia.
  • Elevate security protocols at commercial offices, hotels, and logistics facilities.
  • Reinforce operational security practices (routine variation, avoidance of identifiable clothing tied to government or defense sectors).
  • Coordinate closely with local authorities and diplomatic advisories regarding movement restrictions and emerging threat indicators.
  • Reevaluate occupancy and travel policies for personnel located in named commercial districts, banking hubs, aviation corridors, and technology parks in the Gulf and Jordan.

2. Supply Chain, Energy, and Commercial Operations

The conflict is increasingly affecting the systems that support trade, finance, and daily commercial activity. The blockade of the Strait of Hormuz, pressure on refineries and shipping lanes, branch closures by major financial institutions, and public designation of Western banking and cloud firms as targets all indicate that organizations should plan for both physical disruption and business continuity challenges across the Gulf.

Organizations should:

  • Model extended disruption to Gulf maritime routes rather than short-term interruption.
  • Identify alternative shipping corridors and overland routing options.
  • Stress-test supplier dependencies tied to Gulf ports, energy inputs, and payment infrastructure.
  • Prepare for price volatility, delivery delays, and possible closure of regional business operations.
  • Assess dependencies on Gulf-based financial services, banking access, and payment processing in addition to physical logistics routes.

3. Cloud and Technology Infrastructure

The reported physical impact to an AWS data center in the UAE reflects a significant escalation: commercial cloud infrastructure is no longer insulated from kinetic spillover. More recent reporting also indicates Iranian strikes targeting Microsoft Azure data infrastructure in the Gulf, expanding the threat profile to additional Western cloud platforms.

Iranian strikes against early-warning radars and satellite communication terminals across Gulf bases indicate a coordinated effort to degrade regional missile defense networks.

Enterprises should:

  • Confirm geographic redundancy for critical workloads.
  • Validate disaster recovery timelines (RTO/RPO) for Middle East–hosted environments.
  • Review third-party dependencies tied to regional data centers.
  • Ensure executive teams understand potential cascading impacts from localized physical disruption.
  • Organizations operating near or dependent on US or allied military infrastructure in the region should monitor potential disruptions to air defense coverage and communications networks.
  • Review physical and operational exposure tied to named technology campuses, cloud offices, and regional data infrastructure in Jordan and the UAE.

4. ICS / OT Environments

Claims involving industrial control systems and related logistics infrastructure indicate elevated risk to operational technology environments, especially where cyber disruption and physical attacks may combine to produce cascading outages.

Organizations operating ICS/SCADA systems, particularly in energy, logistics, water, and manufacturing sectors, should:

  • Audit all remote access pathways and eliminate unnecessary external exposure.
  • Enforce phishing-resistant MFA for privileged and engineering accounts.
  • Segment industrial networks from corporate IT and public internet access.
  • Validate incident response plans for destructive malware or system manipulation scenarios.
  • Conduct tabletop exercises assuming loss of visibility or control in critical systems.

What to Expect Next (48–72 Hours)

Flashpoint analysis indicates the conflict is entering a more entrenched and decentralized phase. The activation of Iran’s “Mosaic Defense” framework means retaliatory strike authority is increasingly distributed across provincial and local commands, reducing the likelihood of any rapid operational off-switch even if diplomatic pressure increases.

At the same time, the conflict is continuing to expand beyond direct military exchanges. The use of public target lists naming commercial districts, financial institutions, cloud providers, and defense-related firms suggests private-sector entities will remain exposed to both kinetic and sabotage risk across the Gulf and neighboring states.

Cyber activity is also expected to remain elevated. Reporting around recent incidents indicates that Iranian-aligned actors are increasingly relying on hybrid tradecraft that blends espionage, psychological operations, destructive attacks, and abuse of legitimate administrative tools. This means organizations should not assume that traditional malware-based detection alone will be sufficient to identify emerging threats.

Finally, the conflict is likely to remain geographically fluid. Maritime disruption in the Strait of Hormuz, continued pressure on Gulf energy infrastructure, and the possibility of new fronts involving regional actors and proxy mobilization suggest that the next phase will be shaped less by a single decisive escalation and more by persistent, distributed instability across multiple domains.

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.