Apr 03, 2026 • Recorded Future
The Iran War: What You Need to Know
Executive Summary
This report details the escalating cyber dimensions of the US-Iran conflict, with Iran conducting physical and cyber strikes against critical infrastructure across the Gulf region, including AWS Bahrain and industrial facilities. Multiple Iran-linked threat actors are conducting coordinated operations: Peach Sandstorm (APT33) and Gray Sandstorm (DEV-0343) are executing password-spraying campaigns against Microsoft 365 environments in Israel, UAE, US, UK, and Europe—apparently supporting kinetic damage assessment. China-aligned RedDelta (TA416) is expanding espionage targeting EU and NATO diplomatic missions. Additionally, the hacktivist group Handala claims breach of FBI Director Kash Patel's personal email, and Pay2Key ransomware has targeted a US healthcare organization using living-off-the-land techniques, assessed as state-aligned disruption. Organizations in the US, Israel, UAE, and Gulf states face elevated risk from these converging geopolitical and cyber threats targeting critical infrastructure.
Summary
Insikt Group tracks the cyber, physical, and geopolitical components of the US-Israeli strikes on Iran — with continuously updated threat analysis and scenarios.
Published Analysis
Last updated: 3 April 2026 at 1700 GMT

This report is updated as the situation evolves across the geopolitical, cyber, and influence operations dimensions of this conflict. It will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.

The Latest Updates

Geopolitical Landscape

The status of peace talks. Iran has publicly denied Trump's claim that it requested a ceasefire, with Foreign Minister Araghchi stating Iran would continue fighting until "full compensation is paid." Regional mediation efforts by China and Pakistan have failed to gain traction, and Iran's preconditions for ending the war - including acknowledgment of its jurisdiction over the Strait of Hormuz - remain nonstarters for the US. On April 3, Russian President Putin and Turkish President Erdogan jointly called for an immediate ceasefire and "compromise peace agreements," with the Kremlin warning that the conflict is producing "serious negative consequences" globally across energy, trade, and logistics. Their joint call represents the most significant coordinated diplomatic pressure from outside the region to date, though neither country has the direct leverage to compel either side.

Iran escalating targeting of civilian and industrial infrastructure. Iran has threatened eighteen specific US technology companies operating in the Gulf, and struck Amazon's cloud computing facility in Bahrain on April 1, taking AWS Bahrain offline. IRGC-affiliated media announced further waves of strikes targeting steel industries in Abu Dhabi and Bahrain, and issued explicit threats against major bridges in Kuwait, Saudi Arabia, the UAE, and Jordan.

Strait of Hormuz closure compounds pressure for negotiations. Despite public statements suggesting diplomatic progress, US-Iran negotiations remain deeply stalled. A UK-led virtual summit of 40 countries convened on April 2 to discuss non-military options to pressure Iran into reopening the chokepoint, including a UN humanitarian corridor for food security commodities. Trump's April 1 speech notably dropped explicit demands for Iran to relinquish control of the Strait, suggesting the US may end the conflict without resolving the chokepoint through force or a formal agreement. Iran, meanwhile, is drafting a protocol asserting joint Iranian-Omani oversight of Strait transit - a move that would normalize Tehran's administrative control over the waterway long-term.

UAE moves toward active military involvement. The Wall Street Journal reported on April 1 that the UAE is preparing to assist the US in opening the Strait by force, which would make it the first GCC member to join the fight. Iran has struck UAE targets with over 2,000 drones and 400 missiles since February 28, and UAE authorities have begun arresting IRGC-linked financial networks operating in the country.

Houthi forces enter the war directly. Houthi spokesperson Yahya Saree confirmed their entry into the conflict in late March, adding a significant new proxy dimension and increasing the risk of broader regional crisis.

Cyber Threat Landscape

Microsoft 365 password-spraying campaign hit 300+ organizations. An Iran-linked threat actor conducted a password-spraying campaign targeting Microsoft 365 environments across critical infrastructure sectors in Israel, the UAE, the US, the UK, Europe, and Saudi Arabia, per Check Point. Targeting correlated with cities struck by Iranian missiles, suggesting the campaign was designed to support bombing damage assessment and kinetic operations. Activity overlaps with infrastructure and targeting patterns associated...
Linked Entities
- Pay2Key
- APT33
- DEV-0343
- Gray Sandstorm
- Handala
- Houthis
- IRGC
- Peach Sandstorm
- RedDelta
- TA416