SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Conflict sparks surge in Middle East cyber espionage

Thu, 12th Mar 2026

Research from Proofpoint links the outbreak of fighting involving Iran to a rapid rise in state-sponsored espionage targeting governments and diplomatic missions across the Middle East. The activity is attributed to a wider set of actors than Iran alone.

Proofpoint's tracking indicates that intelligence services and state-backed groups suspected of aligning with China, Belarus and Pakistan, as well as Hamas, moved quickly after the initial US and Israeli strikes. The activity varied: some actors used the conflict as topical cover for familiar operations, while others shifted their collection priorities in response to the war.

The research found that targeted campaigns began within 24 to 72 hours of the conflict's start. Proofpoint characterised the activity as disciplined rather than indiscriminate, with methods designed to limit delivery of messages and payloads to intended recipients in specific countries or regions.

Fast-moving campaigns

At least four state-aligned actors launched espionage operations against Middle Eastern government targets and diplomatic missions in the first few days of the conflict, according to Proofpoint. It did not identify the countries behind every operation, but said the set of actors it observed extended beyond Iran-linked groups.

The findings also point to possible new entrants. Several previously unidentified groups appeared quickly and built operations using conflict-related themes as cover.

Shifts in targeting suggested changing strategic priorities. One group assessed as aligned with Belarus had previously focused on European targets but has since turned to Middle Eastern governments, a change that can indicate new state-level intelligence requirements.

Compromised senders

The research also described the use of hijacked government email accounts in multiple campaigns, a tactic that can lend credibility to messages and make them harder to detect.

Examples included a compromised account linked to Iraq's Ministry of Foreign Affairs and an account associated with Syria's Ministry of Emergency and Disaster Management. Proofpoint did not specify how the accounts were compromised or how long attackers controlled them.

Attackers' use of legitimate government infrastructure remains a long-running challenge for defenders, since recipients and filtering systems may treat messages from known domains as more trustworthy. It also complicates incident response, blurring the line between compromised internal communication and external impersonation.

Iran focus unchanged

While the conflict has increased attention on Iranian cyber activity, Proofpoint said the Iranian state-linked espionage groups it tracks have largely maintained existing collection priorities rather than dramatically escalating.

One Iranian group, known as Charming Kitten or APT42, continued a pre-existing operation against a US think tank. Proofpoint said the group used a fabricated invitation to a roundtable on Middle Eastern air defence as a lure.

Proofpoint described Iran-linked activity during the conflict as a mix of traditional espionage and disruptive campaigns associated with war efforts. It also reported that non-Iranian groups have used conflict-themed social engineering in operations targeting Middle Eastern governments and diplomats.

Some campaigns matched the usual targeting patterns of the groups involved, with the conflict used mainly as a topical hook. Others showed tighter focus on intelligence collection from government and diplomatic targets in the region, suggesting the conflict is influencing collection priorities for some state-aligned actors.

Regional exposure

The findings underline how quickly geopolitical events can reshape the volume and focus of cyber espionage, particularly when diplomatic and military decision-making is active and fast-moving. During crises, government departments, embassies and related agencies often exchange sensitive information at pace, increasing reliance on email and making conflict-themed pretexts more believable.

The observations also point to a broader set of actors seeking insight into regional positioning and international responses. Diplomats and officials can provide routes to information on negotiations, military preparedness, humanitarian planning and alignment with partner governments.

Proofpoint described the activity as intelligence-driven: targeted operations rather than broad campaigns associated with cybercrime, with steps taken to reach specific recipients and reduce unwanted exposure.

Proofpoint said its threat researchers are available to discuss the technical details of the campaigns and the strategic implications of the shift in activity as the conflict continues.