Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through March 2.

Timeline: March 2026 Conflict Updates

February 28, 2026 — Initial Strikes and Regional Retaliation

In parallel to these events, Flashpoint observed immediate system-level disruption: flight suspensions at Dubai airports following nearby strikes, and Iran’s move to blockade the Strait of Hormuz, elevating global energy and logistics risk.

March 1, 2026 — Air War Over Tehran, Soft Targets, and Hybrid Expansion

By March 1, the conflict had shifted from stand-off strikes to direct air operations over Tehran, signaling degradation of Iran’s integrated air defenses over the capital. Iranian state media described a transition to “offensive defense,” and retaliatory activity expanded across the region.

Notable developments included the reported strike on the Crowne Plaza Hotel in Manama, Bahrain, signaling increased risk to soft targets and commercial environments. Flashpoint also observed indicators of command-and-control friction on the Iranian side, including a reported friendly-fire incident involving the sanctioned “shadow fleet” tanker Skylight.

March 1–2, 2026 — Infrastructure Targeting and Internationalization

Between March 1 and March 2, Flashpoint analysis identified a further escalation: targeting expanded toward economic and logistical critical infrastructure with global relevance. Key reported incidents included a strike on Saudi Aramco’s facility at Ras Tanura and a disruption at an AWS data center in the UAE attributed to physical impact on the facility. The Israel–Lebanon front also intensified following Hezbollah missile launches and a broad Israeli response across Lebanon.

Flashpoint also tracked growing exposure for NATO-aligned assets, including reported damage at RAF Akrotiri (Cyprus). Meanwhile, the UK, France, and Germany signaled readiness to support action focused on Iran’s missile and drone capabilities — an indicator of potential further conflict expansion.

The Escalating Cyber and Information Front

From the opening hours, Flashpoint assessed that cyber activity in this conflict is not ancillary — it is being used as a synchronized force multiplier.

One of the most consequential developments has been the use of infrastructure compromise for psychological operations at national scale. Flashpoint observed the compromise of the BadeSaba prayer app ecosystem, enabling push notifications to be delivered to large user populations. Messaging included calls for mobilization and later content aimed at regime security forces and protest coordination. This reflects a shift from influence on social platforms toward platform-layer manipulation, where trusted everyday applications become vectors for narrative control during kinetic shock.

Flashpoint also observed disruption and interference affecting state-run Iranian outlets (including IRNA and ISNA), contributing to an information vacuum and driving users toward unverified channels for situational awareness.

As kinetic pressure increased, Flashpoint tracking indicated fluctuations in cyber tempo. Some updates suggested a temporary lull in broader Iranian cyber activity — potentially due to operational disruption from physical strikes — while other indicators pointed to a risk of renewed disruptive campaigns, including activity linked to personas associated with state-aligned hacktivist ecosystems.

At the same time, the cyber threat picture broadened from disruption and defacement to higher-impact claims involving operational technology. Pro-Iranian actors claimed intrusions into ICS/SCADA environments and disruption of civilian logistics — most notably claims tied to a Jordanian grain silo company’s control systems, including alleged manipulation of temperature and weighing functions. While such claims require careful verification, the pattern aligns with Flashpoint’s assessment that the cyber domain is shifting toward high-impact targets with civilian and economic consequences.

Strategic Chokepoints and Systemic Risk

Two chokepoints have emerged as persistent systemic risk drivers: maritime energy transit and regional air mobility.

Iran’s reported blockade of the Strait of Hormuz remains the primary near-term global economic concern. Even partial disruption introduces immediate volatility in energy markets and maritime logistics, increasing shipping costs, insurance premiums, and delivery delays well beyond the region.

Airspace disruption and interruptions to transit hubs — especially the reported suspensions affecting Dubai — compound that risk. Taken together, the maritime and aviation constraints create a reinforcing cycle: constrained routes increase congestion elsewhere, raise operational costs, and compress the time available for organizations to reroute people and goods.

Business and Security Implications

As the conflict expands into commercial infrastructure and civilian logistics, enterprise exposure now extends well beyond traditional “high-risk” sectors. The targeting patterns observed over the past 48 hours indicate that energy infrastructure, cloud assets, maritime corridors, and civilian-facing systems are all within scope.

Organizations should plan for volatility across personnel security, supply chains, cyber disruption, and regional service availability.

1. Personnel and Physical Security

Recent incidents including strikes near Gulf transit hubs, the targeting of a Western-branded hotel in Bahrain, and warnings regarding potential asymmetric attacks underscore that risk is no longer confined to military installations.

Organizations with personnel in the Gulf region and surrounding areas should:

• Reassess travel posture to the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia.
  
• Elevate security protocols at commercial offices, hotels, and logistics facilities.
  
• Reinforce operational security practices (routine variation, avoidance of identifiable clothing tied to government or defense sectors).
  
• Coordinate closely with local authorities and diplomatic advisories regarding movement restrictions and emerging threat indicators.
  

2. Supply Chain and Energy Exposure

The reported blockade of the Strait of Hormuz, disruption to Dubai aviation, and the strike on Saudi Arabia’s Ras Tanura oil facility demonstrate that global energy and logistics systems are active pressure points.

Organizations should:

• Model extended disruption to Gulf maritime routes rather than short-term interruption.
  
• Identify alternative shipping corridors and overland routing options.
  
• Stress-test supplier dependencies tied to Gulf ports or energy inputs.
  
• Prepare for price volatility and delivery delays impacting downstream operations.
  

3. Cloud and Technology Infrastructure

The reported physical impact to an AWS data center in the UAE reflects a significant escalation: commercial cloud infrastructure is no longer insulated from kinetic spillover.

Enterprises should:

• Confirm geographic redundancy for critical workloads.
  
• Validate disaster recovery timelines (RTO/RPO) for Middle East–hosted environments.
  
• Review third-party dependencies tied to regional data centers.
  
• Ensure executive teams understand potential cascading impacts from localized physical disruption.
  

4. ICS / OT Environments

Claims of intrusion into industrial control systems — including grain silo logistics and remote control infrastructure — signal elevated risk to operational technology environments.

Organizations operating ICS/SCADA systems, particularly in energy, logistics, water, and manufacturing sectors, should:

• Audit all remote access pathways and eliminate unnecessary external exposure.
  
• Enforce phishing-resistant MFA for privileged and engineering accounts.
  
• Segment industrial networks from corporate IT and public internet access.
  
• Validate incident response plans for destructive malware or system manipulation scenarios.
  
• Conduct tabletop exercises assuming loss of visibility or control in critical systems.

What to Expect Next (48–72 Hours)

Flashpoint analysis indicates the conflict is likely to enter a more grueling operational phase. As air superiority over Tehran is consolidated, “stand-in” strike operations may expand beyond the capital to secondary cities and hardened underground missile infrastructure. The entry of Hezbollah into active missile combat increases the likelihood of sustained escalation along the Israel–Lebanon axis, including the potential for ground operations in Southern Lebanon depending on further developments.

At the same time, the hybrid dimension is expected to remain active. The combination of regional proxy activity, cyber claims involving ICS and logistics disruption, and the targeting of globally relevant infrastructure suggests continued cross-domain escalation dynamics that are difficult to model using conventional state “red line” assumptions.

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.