Escalation in the Middle East - Tracking “Operation Epic Fury”

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury. The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes. 🚀

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. Between March 1 and March 2, Flashpoint analysis identified a further escalation: targeting expanded toward economic and logistical critical infrastructure with global relevance. Key reported incidents included a strike on Saudi Aramco’s facility at Ras Tanura and a disruption at an AWS data center in the UAE attributed to physical impact on the facility. Flashpoint also tracked growing exposure for NATO-aligned assets, including reported damage at RAF Akrotiri (Cyprus).

From the opening hours, Flashpoint assessed that cyber activity in this conflict is not ancillary — it is being used as a synchronized force multiplier. One of the most consequential developments has been the use of infrastructure compromise for psychological operations at national scale. Flashpoint observed the compromise of the BadeSaba prayer app ecosystem, enabling push notifications to be delivered to large user populations. Messaging included calls for mobilization and later content aimed at regime security forces and protest coordination. This reflects a shift from influence on social platforms toward platform-layer manipulation. Flashpoint also observed disruption and interference affecting state-run Iranian outlets (including IRNA and ISNA), contributing to an information vacuum.

At the same time, the cyber threat picture broadened from disruption and defacement to higher-impact claims involving operational technology. Pro-Iranian actors claimed intrusions into ICS/SCADA environments and disruption of civilian logistics — most notably claims tied to a Jordanian grain silo company’s control systems, including alleged manipulation of temperature and weighing functions. While such claims require careful verification, the pattern aligns with Flashpoint’s assessment that the cyber domain is shifting toward high-impact targets with civilian and economic consequences. ⚠️

Two chokepoints have emerged as persistent systemic risk drivers: maritime energy transit and regional air mobility. Iran’s reported blockade of the Strait of Hormuz remains the primary near-term global economic concern. Even partial disruption introduces immediate volatility in energy markets and maritime logistics. Airspace disruption and interruptions to transit hubs — especially the reported suspensions affecting Dubai — compound that risk. As the conflict expands into commercial infrastructure and civilian logistics, enterprise exposure now extends well beyond traditional “high-risk” sectors.

For ICS/OT environments: organizations operating ICS/SCADA systems, particularly in the energy, logistics, water, and manufacturing sectors, should:

  • Audit all remote access pathways and eliminate unnecessary external exposure.
  • Enforce phishing-resistant MFA for privileged and engineering accounts.
  • Segment industrial networks from corporate IT and public internet access.
  • Validate incident response plans for destructive malware or system manipulation scenarios.
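
As an added example (not part of the original article or any Flashpoint tooling), the first and third recommendations can be checked against a firewall rule export: the sketch below flags allow rules that let sources outside the industrial zone reach it on remote-access or industrial-protocol ports. The address ranges, jump host, rule format and `audit` function are assumptions constructed for illustration; the port numbers are the protocols' registered defaults.

```python
import ipaddress

# Assumed site layout (constructed for this example, not from the article).
OT_NET = ipaddress.ip_network("10.50.0.0/16")          # industrial zone
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # all internal space
JUMP_HOSTS = [ipaddress.ip_network("10.20.5.10/32")]   # approved access broker

# Default ports for remote access and common industrial protocols.
WATCHED_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 102: "S7comm",
                 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed rule export: (rule id, action, source CIDR, dest CIDR, port).
SAMPLE_RULES = [
    ("r1", "allow", "0.0.0.0/0",     "10.50.1.20/32", 3389),  # internet -> HMI
    ("r2", "allow", "10.20.5.10/32", "10.50.0.0/16",  22),    # jump host -> OT
    ("r3", "allow", "10.10.0.0/16",  "10.50.2.0/24",  502),   # corporate -> PLC
    ("r4", "deny",  "0.0.0.0/0",     "10.50.0.0/16",  502),
    ("r5", "allow", "10.50.1.0/24",  "10.50.2.0/24",  502),   # OT -> OT
    ("r6", "allow", "10.10.0.0/16",  "10.30.0.0/16",  443),   # not OT
]

def audit(rules):
    """Return (rule id, severity, service) for each cross-zone exposure.

    Rules are judged one at a time; ordering and shadowing between
    rules are not modelled here.
    """
    findings = []
    for rid, action, src, dst, port in rules:
        if action != "allow" or port not in WATCHED_PORTS:
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(OT_NET):
            continue                      # destination is outside the OT zone
        if src_net.subnet_of(OT_NET):
            continue                      # traffic stays inside the OT zone
        if any(src_net.subnet_of(j) for j in JUMP_HOSTS):
            continue                      # approved remote-access pathway
        # Sources not wholly inside internal space are externally reachable.
        severity = "high" if src_net.subnet_of(INTERNAL) else "critical"
        findings.append((rid, severity, WATCHED_PORTS[port]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Each finding is a candidate for removal or for rerouting through the approved jump host, where phishing-resistant MFA can be enforced.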

This post is licensed under CC BY 4.0 by the author.