About this report
The countries of the Middle East possess a well-developed industry, modern infrastructure, and ambitious digital transformation programs. The region invests heavily in innovative technology including artificial intelligence, the Internet of Things (IoT), cloud solutions, and the automation of routine tasks, making it one of the fastest-growing digital spaces in the world. However, the rapid evolution of technology is accompanied by an expansion of the digital perimeter, increasing the surface area vulnerable to potential cyberattacks. Vulnerabilities—many of them introduced by new technology—as well as geopolitical factors make the Middle East a target for hacktivists and APT groups.
This study covers the period from the start of 2024 through the first quarter of 2025 and aims to analyze the cyberthreat landscape in the region's countries. The study considers the following countries: Bahrain, Egypt, Israel, Jordan, Iraq, Yemen, Qatar, Cyprus, Kuwait, Lebanon, the United Arab Emirates (UAE), Oman, the State of Palestine, Saudi Arabia, and Syria.
The objectives of the study are:
- To analyze the activity of APT groups targeting organizations in the region.
- To assess the region's current digital landscape from a cybersecurity perspective.
- To review the techniques and tactics used by attackers.
- To explore dark web activity associated with the countries in the region.
We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker activity are unable to quantify the precise number of threats. Our report seeks to draw the attention of companies and individuals to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.
Our incident database is updated regularly. Note that information about certain incidents may be reported online long after the actual cyberattack. Therefore, the data presented in this study is accurate at the publication date. For an explanation of terms used in this report, please refer to the Positive Technologies glossary.
Introduction
The technological landscape in the Middle East is undergoing rapid evolution, impacting numerous sectors of the economy, society, culture, and government administration. Countries in the region—particularly Saudi Arabia and the UAE—are investing heavily in innovative technology, aiming both to upgrade existing infrastructure and to unlock new avenues for growth. This approach is driven by a desire to diversify the region's economies, reduce dependence on oil revenues, and take a leading position in the global tech race. New technologies such as artificial intelligence, IoT, machine learning, and blockchain are thriving in this supportive environment.
Given this rapid digitalization, cybersecurity is becoming a crucial issue in the region. Middle Eastern countries face growing cyberthreats, including targeted attacks on critical infrastructure, financial institutions, and government agencies. To combat these threats, countries are developing cybersecurity strategies, establishing cyberthreat response centers, and strengthening their cybersecurity partnerships with other nations.
Digital transformation and cyberthreats
Digitalization leads to the expansion of a country's digital perimeter, encompassing more and more areas of the economy, public administration, and society. In one way or another, every digital initiative increases the amount of data, systems, and technology connected to the network. This inevitably broadens the attack surface and creates new vulnerabilities. As a result, the development of digital initiatives is accompanied by a rise in the number of cyberattacks, which grow more varied and sophisticated, affecting an ever wider range of infrastructure.
Artificial intelligence and machine learning
Middle Eastern countries are actively implementing artificial intelligence across various sectors, reflecting the technology's rapid growth in the region. The UAE became the first country to establish a Ministry of Artificial Intelligence, which is already producing tangible outcomes. The Ministry approved a strategy aimed at creating a favorable ecosystem: integrating AI into service sectors to improve the quality of life and labor, and attracting top global AI talent. Saudi Arabia's investments in AI highlight the technology's importance for regional growth. The Kingdom works closely with foreign companies to share technological expertise and enhance service quality.
Despite its advantages, AI is also both a target and a tool in cyberattacks. Previously, Positive Technologies published a study on vulnerabilities in AI and its use in hacking. AI algorithms can generate content on unethical or restricted subjects, craft sophisticated phishing emails, generate malicious code, or produce deepfake videos to serve attackers' goals. For example, last year, the cybercrime group Cotton Sandstorm disrupted a UAE streaming service and broadcast a fake news report created using AI algorithms.
Hacker groups like Funksec are said to use AI algorithms in approximately 20% of their operations. Our analysis of dark web sites revealed more than a dozen posts on bypassing the safety filters of AI models and forcing them to carry out any instruction.

(Filter bypass commands redacted for ethical reasons)
These instructions allow even beginner hackers to significantly increase the chances of a successful attack. According to a Bugcrowd survey, 93% of ethical hackers believe the use of AI in an organization's business processes introduces new attack vectors.
To offset threat actors' AI advantage, AI-driven technology is proposed as a means of enhancing organizational cyber-resilience. According to an IBM study, organizations using AI in their cybersecurity systems have reduced damage from data breach incidents by $2.2 million. Positive Technologies integrates AI into its metaproducts—MaxPatrol Carbon and MaxPatrol O2—which can autonomously detect potential attack paths and stop hacker activity before non-tolerable events occur.
Automation, internet of things (IoT), and smart cities
With its significant economic resources, the Middle East is successfully adapting modern technology to optimize human labor, improve living standards, and boost productivity across industries. More and more IoT devices are being integrated into the daily life of the region's countries. The technology can be found in transport, energy, healthcare, and many other sectors. The region's digitalization programs are combining these technologies into ambitious smart city projects.
Among the most ambitious projects are Saudi Arabia's NEOM, and the UAE's Digital Dubai and Masdar City. The $500 billion NEOM project envisions a fully autonomous megacity powered by renewable energy and managed by AI-driven systems. Masdar City is a developing city aiming to achieve zero carbon emissions. Digital Dubai is a major initiative to create a smart city, using the IoT to manage street lighting, traffic, and public utilities.
In megaprojects such as NEOM—where key aspects of urban life will be AI-managed—cybersecurity becomes a top priority. Obviously, if the automated systems of such a city are compromised, the consequences could be catastrophic. Attackers could paralyze critical infrastructure, disrupt transportation, or cause power supply and life support system failures. Posts offering illegal access to the infrastructure still under construction are already appearing on the dark web.

E-government
As part of the digitalization drive, Middle Eastern countries are actively developing e-government systems. The UAE can be seen as a regional pioneer in integrating information technologies into government. The e-government initiative, launched in 2002, now offers UAE citizens over a hundred public services online. Saudi Arabia is also making progress through its Vision 2030 initiative, which includes the Absher portal offering a wide range of e-government services. These programs are just a few examples of the region's many efforts to implement digital governance. They aim to enhance the efficiency of public administration, reduce bureaucracy, and improve the quality of services provided to citizens.
From a cybersecurity perspective, e-government services attract both ordinary hackers seeking to access citizens' personal data for fraud and APT groups aiming to destabilize government agencies.
Security policies for the systems supporting e-government initiatives must take into account the risk of administrative credential compromise. Access to critical systems must be reinforced through the following measures:
- Stricter access control policies (applying the principle of least privilege)
- Multi-factor authentication
- Application of the Zero Trust model
- Enhanced activity monitoring within protected segments
- Imposing strict cybersecurity requirements on contractors with access to confidential information
Implementing the above measures will enhance the cyber-resilience of infrastructure and support rapid detection and response to intrusions.
Digitalization of the economy and the fintech industry
Digital economy projects aim to fundamentally transform traditional economic models using modern digital technology. As part of this transformation, Middle Eastern countries are developing integrated fintech ecosystems and finding innovative solutions in digital payments, mobile banking, and blockchain technology. The United Arab Emirates is a leader in this field. The Central Bank of the UAE supports fintech startups through the DIFC FinTech Hive platform. Meanwhile, digital banks like Liv offer convenient services to both businesses and individuals, eliminating the need for customers to visit the bank in person.
Saudi Arabia is rolling out contactless payment technology and digital financial services. Its financial regulator (SAMA) has launched a Regulatory Sandbox allowing fintech companies to test new technology in a secure environment. Bahrain, in addition to developing the Bahrain FinTech Bay hub, is fostering the cryptocurrency sector by attracting major global payment systems.
However, the rapid growth of digital financial solutions leads to an expansion of the digital perimeter, encompassing more systems, users, and connected platforms. This creates new entry points and increases the vulnerability of the financial infrastructure. Mobile banking, crypto wallets, and payment gateways blur traditional perimeter boundaries, creating new points of entry for cyberattacks.
Given this, the fintech sector has become a prime target for cybercriminals. Their primary objectives include:
- Theft of funds
- Compromise of client data (e.g., bank card info)
- Extortion
- Fraudulent transactions
Cybercriminals exploit vulnerabilities in digital finance systems for illegal profits.
Among the non-tolerable events [1] for national payment systems and financial infrastructure are disruptions to the continuity of operations. Such events can halt financial activity, erode public trust in institutions, and potentially trigger widespread panic and unrest in society. For instance, the hacker group BlackMeta (also known as DarkMeta) launched a DDoS attack on a financial institution in the UAE that lasted approximately 100 hours. While specific consequences have not been disclosed, experts report that services remained limited for six days. Just months earlier, several Iranian banks were attacked by the IRLeaks group. The attack paralyzed 20 of the country's 29 banks, compromised customer data and posted it for sale on the dark web, and caused ATMs to display provocative political messages.
[1] A non-tolerable event is an event caused by a cyberattack that prevents the organization from achieving its operational or strategic goals or leads to significant disruption of its core business.
E-learning
The educational technology (EdTech) sector is actively developing in the countries of the Middle East. Governments in these countries are investing significant resources in the digitalization of education and the creation of modern educational infrastructure. The UAE is funding educational programs established by the UAE Prime Minister Mohammed bin Rashid Al Maktoum, including The Digital School, which provides access to modern educational platforms and learning materials to anyone interested. Saudi Arabia is developing the national educational platform Madrasati, which unites teachers and students in a single digital environment and is being implemented as part of the Vision 2030 program.
Educational institutions process a large amount of confidential data, such as students' personal data, academic records, financial documents, and research results. At the same time, because students use the institution's computing resources, the perimeter of its IT infrastructure becomes blurred and expands. Students often connect to the institution's network from personal devices, which may be insufficiently protected or already infected, creating additional entry points. The large number of users and the diversity of devices they use increase the complexity of monitoring and managing access to the network, making it significantly more difficult to secure. For these reasons, educational institutions become targets for attackers. They are attracted by the opportunity to access poorly protected confidential data, to influence or disrupt the educational process, and to use the computing resources of the institution for their own purposes, such as mining cryptocurrency or conducting DDoS attacks. Stolen data or access credentials for the information resources of educational institutions are sold on various dark web platforms.
We managed to find one such listing. In the ad, a hacker offers access to the email account of the Ministry of Education of the Kingdom of Saudi Arabia. The stated cost of this access is $500. The poster left out the details, but based on the screenshot, it is most likely access to the mailbox of an education official. In any case, the mailbox itself may contain sensitive information that could be stolen, and access to the address list could be used to develop the attack further by distributing phishing emails with malware.

It is important to recognize the difficulty of preventing a hacker from infiltrating the infrastructure, as well as the corresponding importance of establishing effective incident response processes. A positive example of responding to a cyberattack occurred at the educational center GEMS, located in Dubai, where cybersecurity specialists managed to swiftly detect and stop an attack and minimize the consequences.
Digitalization of critical infrastructure
The widespread digitalization of the Middle East has also affected critical infrastructure facilities. This has touched all major areas, including energy, transport, healthcare, telecommunications, and the defense industry. In 2024, Zayed International Airport in Abu Dhabi set a new record by serving 29.4 million passengers. This success was made possible through the integration of various service databases and the implementation of the Biometric Smart Travel system, which uses artificial intelligence algorithms to optimize passenger flow analysis processes.
Changes are also occurring in Saudi Arabia's energy sector. The Kingdom, through the Saudi Electricity Company in partnership with Chinese company BYD, intends to build the world's largest battery energy storage facility. This initiative aims to optimize the country's transition to renewable energy sources and mitigate power grid fluctuations in dependent facilities. The region's military-industrial complex is also undergoing digitalization. One of Israel's largest defense enterprises designs and manufactures a wide range of products based on machine vision and artificial intelligence technologies. These products are intended not only for military applications, such as imagery intelligence (IMINT) systems, but also for civilian use, such as METRO DOME, an airspace monitoring system for unmanned aerial vehicles.
However, along with technological progress comes an expansion of the digital perimeter, making critical infrastructure even more vulnerable to cyberattacks. The increase in the number of connected devices, integration of disparate systems, remote access for contractors and employees, implementation of cloud solutions and the Internet of Things (IoT) all create additional entry points for attackers. The most dangerous among these are:
- Remote access (VPN, RDP)
- Vulnerable web applications
- IoT devices lacking proper security
- Weak links in the supply chain
- Compromised accounts of employees and contractors
Critical infrastructure is of particular interest to both regular hackers and advanced APT groups. Key motivations include financial gain (extortion, data theft), political pressure, undermining national security, and even cyberterrorism. Ransomware attacks, such as on energy companies or hospitals, can cause serious disruptions and pose a threat to the life and health of citizens.
The Shamoon virus attack on Saudi Aramco remains the largest incident in the region's oil and gas sector to date. Some time later, the hacker group ZeroX attempted to repeat the attack on Saudi Aramco's infrastructure, this time gaining access to company data through one of its partner organizations. As a result, the attackers managed to steal about 1 TB of data, including system specifications, network maps, client data, and other valuable information. The stolen data was listed for sale on the dark web for $50 million.

The consequences of the incident are not yet known, but the fact that this major company has been a target for over 10 years indicates its high value to cybercriminals—in terms of both financially motivated attacks (ransom, extortion) and acts of cyberterrorism.
Cyberthreat landscape of the Middle East
During the period under review, the most common attack method on organizations was social engineering, accounting for 61% of all successful attacks in the region. The use of malware was slightly lower at 51%, although it is worth noting that social engineering is often combined with malware in attacks. One such incident occurred in Bahrain in 2024, when McAfee discovered a virus for Android smartphones disguised as an official app of the Bahraini government. The virus spread via fake social media pages and SMS messages claiming the app was an update for accessing government services. In reality, once installed, the app harvested users' personal data (passwords, bank card numbers, and other sensitive information) and sent it to the attackers.
Figure 5. Methods of compromising organizations
At the beginning of 2024, one of the UAE's largest airlines, FlyDubai, was targeted with a DDoS attack. The hacker group Anonymous Sudan claimed responsibility. On their Telegram channel, they stated that the airline's entire infrastructure, including its booking system, had been seriously damaged, leaving only the website operational. The airline itself did not issue any official statements. While Anonymous Sudan's claims may be exaggerated, many organizations refrain from sharing such information publicly, as it can damage their reputation.

The statistical dominance of social engineering over other methods of compromise can be attributed to the fact that, regardless of technological sophistication, the human factor remains the weakest link in cybersecurity and a heavily exploited vulnerability. Meanwhile, the use of malware allows hackers not only to automate routine actions but also to hide their presence within the victim's infrastructure.
Malware used in attacks on Middle Eastern organizations
Cybercriminals continuously adapt their techniques, choosing malware best suited to their objectives. As noted repeatedly in Positive Technologies' quarterly reports, malware for remote access and data encryption remains the most widely used tool globally. This trend is also evident in incident data from the Middle East. According to the statistics, remote access malware (27%) ranks first. Its popularity is due to the wide range of opportunities it opens up for attackers. Having gained remote access to an infected system, attackers can steal sensitive data, deploy additional malware, and erase traces of their activity. The prevalence of this type of malware suggests that many attacks are aimed at establishing a long-term presence in the victim's infrastructure.
Figure 7. Malware used in cyberattacks (by percentage)
Wipers, although less common than loaders or spyware (9% vs. 11%), pose a severe threat. Data destruction can inflict enormous damage, causing significant financial and reputational losses. This type of malware is often used in attacks intended to cause maximum harm, rather than to steal data or gain control over systems. Unlike ransomware, which offers the possibility of data recovery upon payment, wipers can cause irreversible loss, making them a particularly dangerous tool in the hands of cybercriminals.
On October 8, 2024, hackers believed to be linked to the APT group Wirte gained access to a server belonging to ESET's Israeli distributor. This allowed them to use the organization's legitimate domain to send phishing emails containing a malicious file disguised as antivirus software. Running the file wiped data from the victim's computer. The malware targeted government entities, including hospitals, as well as private companies. Details of the incident have not been publicly disclosed.

Consequences of attacks on organizations
An analysis of cyberincidents in the Middle East shows that 80% of attacks have resulted in data breaches. The statistics suggest that hackers were particularly interested in account credentials (29%), trade secrets (29%), and personal data (20%). The stolen data was typically sold on the dark web or used for blackmail, under threat of publication.
Figure 9. Categories of leaked data (by percentage)
One such case occurred in Saudi Arabia. A major construction company in Riyadh fell victim to hackers, losing more than 6 terabytes of confidential data. The breach became known on February 14, 2025, when the hackers posted about it on a dark web forum and demanded ransom in exchange for not publishing the stolen information. The deadline was set for February 27, just one day before the start of Ramadan. On that date, DragonForce published all the stolen data, including confidential documents on operations and customer data.
Figure 10. Categories of attack consequences
Disruption of core operations occurred in 38% of cases. This included business process shutdown, suspended services, IT infrastructure failures, and other disruptions to organizational stability. Such disruptions are particularly critical in sectors like healthcare, transport, and public services, where even brief outages can have serious consequences for the public. For example, the Kuwaiti Ministry of Health was the victim of a cyberattack in September 2024. Hackers disabled critical systems, paralyzing the operation of several hospitals. The Ministry was able to quickly restore vital systems using data backups. It worked with state security agencies to implement measures to prevent the threat from spreading and strengthen infrastructure defenses. Although core databases remained intact, some systems were temporarily shut down for security updates. At the time of publication, officials had not provided a precise timeline for full recovery. No known ransomware group has claimed responsibility for the attack.
APT group activity in the region
There are various categories of threat actors behind hacker attacks. They differ in their level of competence as well as their motivations. The most dangerous among them are APT (Advanced Persistent Threat) groups due to their financial resources and computing power. In 2024, APT groups accounted for 32% of all attacks. Groups targeting government institutions and critical infrastructure were especially busy, driven by the region's geopolitical tensions. Such attacks often transcend typical cybercrime, taking on the characteristics of cyberespionage or cyberwarfare. Their objectives extend beyond compromising sensitive data to include destabilizing key systems, undermining trust in state institutions and demonstrating digital power.
Figure 11. Categories of APT victims in the Middle East (percentages)
While analyzing incidents in the region, Positive Technologies researchers reviewed all cases and identified the most active groups based on the number of attacks in 2024–Q1 2025:
MuddyWater (also known as Static Kitten, Seedworm, TEMP.Zagros, Mercury): specializes in attacks against public- and private-sector organizations in the Middle East, Central and South Asia, Europe, Africa, and North America. The group's primary motivations are espionage and intelligence gathering. It shows a heightened interest in government agencies, telecom companies, and the energy and defense sectors.
Tactics include:
- Phishing emails with malicious attachments
- Malware for password theft (LaZagne)
- PowerShell-based exploits (PowGoop, PowerSploit)
- Microsoft Netlogon remote access protocol vulnerabilities (CVE-2020-1472)
Examples of activity: At the end of 2024, MuddyWater launched a phishing attack on Israeli organizations to infiltrate their internal networks, conduct espionage, and assume control over victims' infrastructure. Earlier, the group used similar tactics to distribute the BugSleep malware, a new backdoor that enables the use of remote access tools like Atera Agent and ScreenConnect. According to Check Point, phishing emails were sent to India, Israel, Saudi Arabia, Turkey, and Portugal.
OilRig (APT34, Helix Kitten, Cobalt Gypsy, Earth Simnavaz): a hacker group active since 2014. Primarily targets the Middle East, focusing on the finance, energy, and telecommunications sectors.
Tactics include:
- Brute-forcing credentials
- Phishing emails and LinkedIn messages with infected DOC and XLSX attachments to deliver malware (QUADAGENT and OopsIE)
- Sophisticated targeted attacks on victims' resources (watering hole attacks)
- Use of legitimate services and tools to disguise activities (OWA, VPN, Bitrix)
Examples of activity: In the fall of 2024, Trend Micro researchers reported a surge in OilRig attacks. These involved compromising Microsoft Exchange servers to steal user credentials and exploiting the CVE-2024-30088 privilege escalation vulnerability in Windows.
SideWinder (Rattlesnake, T-APT-04): an APT group targeting government, military, and business organizations in South and East Asia. Their activity was recently observed in the Middle East.
Tactics include:
- Phishing emails with malicious attachments
- Exploiting vulnerabilities like CVE-2017-11882 in Microsoft Office and CVE-2020-0674 in Internet Explorer for arbitrary code execution
- Using HTTP/HTTPS to hide C2 server communications
- Employing the Koadic tool to deliver payloads via browsers or Office applications
Examples of activity: Originally active in South and East Asia, the group has now been detected in the Middle East. According to Kaspersky researchers, the group distributes targeted phishing emails with an infected DOCX file containing an injector that downloads an RTF file from a remote server. This file exploits CVE-2017-11882 to initiate a multi-stage infection process, eventually deploying a backdoor dubbed "Backdoor Loader". This backdoor delivers StealerBot, a toolkit used exclusively by SideWinder. This campaign targeted numerous organizations, including those in Saudi Arabia and the UAE.
Based on the analysis of APT group attacks in the region, the following trends and techniques have been identified:
- A hybrid attack approach is evident: threat actors use both social engineering (infected documents) and technical exploitation of infrastructure vulnerabilities (web apps, mail servers). This points to a sophisticated level of attack preparation and a focus on specific targets.
- Roughly 40% of groups exploited client-side vulnerabilities as an initial intrusion vector (T1203). The use of macro-infected documents indicates that employees remain a weak point in organizational security, especially when awareness is low or email filtering is poor.
- The exploitation of public web applications (T1190) remains relevant for 80% of APT groups—particularly with outdated or poorly maintained systems. This highlights the need for regular software updates and vulnerability assessments.
- Heavy emphasis is placed on concealing activity. A combination of obfuscation (T1027) and subsequent de-obfuscation (T1140) techniques allows attackers to bypass detection systems, and hinder threat analysis and response. These techniques are used by 70% of the groups.
- To maintain stealthy C2 communication, 40% of groups use uncommon network protocols (T1095), which suggests an effort to reduce the chances of being detected during post-exploitation or control of infected devices.
APT group activity represents a serious national security threat for Middle Eastern countries. Unlike ordinary cybercriminals, these actors operate in a highly targeted manner, often sponsored by another state, and can remain within victim systems for extended periods, collecting data and preparing large-scale attacks. This is confirmed by a heat map of APT group techniques and tactics.
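The trend list above expresses each technique as the share of analysed groups using it and refers to a heat map of techniques. The following Python is an added example, not part of the report or its data: it rebuilds that kind of summary from per-group ATT&CK observations, ranks techniques for defensive prioritisation, and emits an ATT&CK Navigator layer. The five group labels and their technique sets are constructed for illustration (so the percentages differ from the report's), the mitigation hints paraphrase the report's own recommendations, and the Navigator layer field layout is my assumption.

```python
"""Technique heat map from per-group ATT&CK observations (added example)."""
import json
from collections import Counter

# CONSTRUCTED observations: hypothetical groups and the ATT&CK Enterprise
# technique IDs observed for each. Not the report's underlying data.
OBSERVED = {
    "group-A": {"T1566.001", "T1203", "T1190", "T1027", "T1140"},
    "group-B": {"T1566.001", "T1190", "T1027", "T1140", "T1095"},
    "group-C": {"T1110", "T1190", "T1027", "T1140"},
    "group-D": {"T1566.001", "T1203", "T1190", "T1095"},
    "group-E": {"T1566.001", "T1071.001"},
}

# Defensive hints, paraphrasing the report's recommendations for the
# techniques it names; everything else falls back to ATT&CK's own mitigations.
MITIGATION_HINTS = {
    "T1203": "awareness training and attachment filtering (client-side exploits)",
    "T1190": "patch and regularly assess externally exposed web applications",
    "T1027": "script-block logging; alert on obfuscated command lines",
    "T1140": "monitor decode/deobfuscation utilities and staged payload writes",
    "T1095": "baseline egress protocols; alert on non-standard C2 channels",
    "T1566.001": "mail gateway filtering and attachment sandboxing",
}


def technique_counts(observed):
    """Return a Counter of how many groups use each technique ID."""
    counts = Counter()
    for techniques in observed.values():
        counts.update(techniques)
    return counts


def technique_coverage(observed):
    """Share of groups (0..1) per technique, most widely used first.

    Ties are broken by technique ID so the ordering is deterministic.
    """
    n = len(observed)
    counts = technique_counts(observed)
    ranked = sorted(((tid, c / n) for tid, c in counts.items()),
                    key=lambda kv: (-kv[1], kv[0]))
    return dict(ranked)


def prioritize(observed, threshold=0.5):
    """Techniques used by at least `threshold` of groups, with a mitigation hint.

    This is the defender's reading of the heat map: controls for techniques
    shared by most groups pay off against the most actors at once.
    """
    return [
        (tid, share, MITIGATION_HINTS.get(tid, "see ATT&CK mitigations"))
        for tid, share in technique_coverage(observed).items()
        if share >= threshold
    ]


def navigator_layer(observed, name="APT techniques (constructed sample)"):
    """Build an ATT&CK Navigator layer dict scoring each technique by group count.

    Field names follow the Navigator layer format as I understand it
    (assumption); adjust the version strings to the Navigator you load it into.
    """
    counts = technique_counts(observed)
    max_score = max(counts.values(), default=0)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Number of analysed groups observed using each technique",
        "techniques": [
            {"techniqueID": tid, "score": score,
             "comment": f"{score} of {len(observed)} groups"}
            for tid, score in sorted(counts.items())
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": max_score},
    }


if __name__ == "__main__":
    for tid, share, hint in prioritize(OBSERVED):
        print(f"{tid:<10} {share:>4.0%}  {hint}")
    # Save the layer and open it in ATT&CK Navigator to get the heat map view.
    with open("apt_techniques_layer.json", "w", encoding="utf-8") as fh:
        json.dump(navigator_layer(OBSERVED), fh, indent=2)
```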
Analysis of incidents in the region shows that government bodies and the industrial sector are the prime targets of APT groups. Successful compromise in these areas could have severe consequences: disruption of public administration, industrial accidents, and threats to national security. Therefore, it is critical to develop early detection techniques and implement comprehensive cyber-resilience strategies, with a strong focus on protecting governmental and industrial systems.

Dark web data analysis
An analysis of data found on the dark web reveals an alarming picture of high levels of malicious activity across the Middle East. Dark web platforms are rife with offers to sell or freely distribute confidential data—and not just personal information. We found mentions and evidence of hacking attacks against various industries and organizations in countries across the region, with government institutions making up the largest share (34%), followed by the industrial sector (20%).
Figure 12. Industry categories mentioned on the dark web
The most frequently mentioned countries included the United Arab Emirates, Saudi Arabia, Israel, and Qatar. Significantly, these countries are regional leaders in digitalization. The large number of listings offering stolen data from these countries underscores the challenge of securing a rapidly expanding digital landscape, something cybercriminals are heavily exploiting.
Most of the posts we found offered free databases and so-called combo lists. In many cases, the data had been extracted from previously compromised databases or even obtained from open sources. Despite their low cost, these materials are often used in phishing attacks. Their popularity on the dark web demonstrates the threat actors' interest in conducting attacks against individuals in the region.

We also came across cases of hacktivists freely sharing databases obtained from their attacks. In such instances, the attackers were not seeking financial gain but were instead using cyberattacks as a vehicle to express their ideological beliefs. The fact that such databases are distributed for free only worsens the cybercrime landscape—more malicious actors gain access to the data, which fuels further attacks and makes the compromised organization an even bigger target.
One dark web forum featured a post offering a free SQL database, allegedly stolen from Saudi Arabia's Ministry of Health (moh.gov.sa). The database contained thousands of records with personal patient data, including sensitive medical information.

Among the many listings on the dark web, we also found a post offering free access to a database related to Israel's Iron Dome, a missile defense system designed to intercept and destroy short-range rockets. While there has been no official confirmation from Israel's Ministry of Defense, the mere presence of that data suggests that the political conflict involving Israel has moved beyond public media and into the dark corners of the web.

On underground forums, hacktivists also share the results of their attacks, publishing stolen data, announcing successful breaches, and revealing future targets.

Cybercriminals are also offering access to corporate networks, which allows them to profit without conducting the attacks themselves. This is part of a broader cybercrime ecosystem, where roles are clearly delineated: some actors obtain access, while others (such as ransomware operators) carry out further malicious actions. These access credentials—including for VPNs, RDP, or internal systems—are typically distributed via dark web platforms. The sale of this data can lead to serious consequences, including malware attacks, confidential data breaches, significant financial losses, reputational damage, and supply chain compromise.

Analysis of dark web listings shows that platforms for selling stolen data are increasingly being used as tools of cyberwarfare, turning conventional conflicts into digital battlegrounds. The information published there highlights the vulnerabilities of critical sectors in Middle Eastern countries and underscores the urgent need to enhance national cybersecurity measures.
As noted in our dark web research, since 2015, subscription-based models of hacking products and services have become increasingly popular among cybercriminals. Services like MaaS (Malware-as-a-Service), RaaS (Ransomware-as-a-Service), PhaaS (Phishing-as-a-Service), and DaaS (DDoS-as-a-Service) offer ready-made attack tools on a subscription basis. It is expected that the use of these models by threat actors will continue to grow in 2025, making cyberattacks easier to execute and lowering the barrier to entry for less experienced attackers.

Strengthening cybersecurity in Middle Eastern countries
The data above shows that despite large investments and considerable efforts by Middle Eastern countries to strengthen cybersecurity, threat actors are still successfully carrying out sophisticated attacks using increasingly advanced tactics and techniques. As states pursue digitization and automate routine functions, they are significantly blurring the boundaries of their digital infrastructure. In this situation, ensuring cybersecurity becomes significantly more challenging and requires the adoption of comprehensive, innovative approaches.
To build true cyber-resilience, organizations must go beyond deploying technical protection tools—they need to adopt a practical, outcome-oriented strategy that ensures attackers cannot execute scenarios that threaten critical business operations.
The first step in implementing this strategy is identifying non-tolerable events: incidents that, if realized, would prevent the organization from achieving its strategic or operational goals, or disrupt its core business. These might include the shutdown of critical business processes, leakage of sensitive data, or the loss of control over key systems.
To identify these events, it is essential to involve senior leadership and heads of key departments, as they best understand the consequences that are truly non-tolerable. Next, IT and cybersecurity professionals must analyze the infrastructure to identify systems whose compromise would lead to non-tolerable events, as well as any interconnected systems and potential points of intrusion.
This analysis helps focus cybersecurity efforts on critical areas and establish top-priority measures to improve cyber-resilience.
These measures include:
- Reengineering business processes: minimizing the number of users with access to critical systems, segmenting and isolating critical processes
- Staff training: creating awareness programs and conducting regular hands-on training to counter the latest cyberthreats
- IT infrastructure restructuring: reducing the number of entry points, configuring security settings, and updating software and hardware
- Setting up monitoring and incident response: optimizing security event monitoring processes and ensuring the rapid detection and mitigation of incidents before non-tolerable events occur
Once these steps are complete, a security assessment should be conducted to evaluate the effectiveness of implemented measures in practice.
To definitively confirm cyber-resilience, we recommend conducting regular cyberdrills or exposing infrastructure to bug bounty platforms. Engaging external experts helps uncover remaining vulnerabilities and address them in a timely manner.
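As an added example that is not part of this report, the following Python script models the analysis step described above: leadership's non-tolerable events are mapped to the systems whose compromise realises them, and a reverse search over an asset graph finds every interconnected system and every potential point of intrusion from which an attacker could reach them, so that effort can be focused on those assets first. All asset names, links and events are constructed for illustration.

```python
from collections import deque
# Constructed asset graph: an edge A -> B means compromise of A gives an attacker
# a path onward to B (network access, trust relationship, shared credentials).
LINKS = {
    "contractor_laptop": ["vpn_gateway"],
    "vpn_gateway": ["jump_host"],
    "web_portal": ["app_server"],
    "jump_host": ["domain_controller", "scada_hmi"],
    "app_server": ["patient_db"],
    "domain_controller": ["patient_db", "backup_server", "scada_hmi"],
    "scada_hmi": ["plc_network"],
    "patient_db": [], "backup_server": [], "plc_network": [],
}
# Assets reachable from outside the perimeter: the potential points of intrusion.
ENTRY_POINTS = {"contractor_laptop", "vpn_gateway", "web_portal"}
# Non-tolerable events agreed with leadership, mapped to the systems that realise them.
NON_TOLERABLE_EVENTS = {
    "patient_data_leak": {"patient_db", "backup_server"},
    "plant_shutdown": {"plc_network"},
}

def reverse_graph(links):
    """Invert the edges so we can walk from a target back toward attackers."""
    rev = {node: [] for node in links}
    for src, dsts in links.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev

def upstream(links, targets):
    """All assets from which any of `targets` can be reached (targets included)."""
    rev, seen, queue = reverse_graph(links), set(targets), deque(targets)
    while queue:
        for pred in rev.get(queue.popleft(), []):
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    return seen

def critical_assets(links, events):
    """Map each asset to the non-tolerable events it lies on an attack path to."""
    crit = {}
    for event, targets in events.items():
        for asset in upstream(links, targets):
            crit.setdefault(asset, set()).add(event)
    return crit

def prioritised_entry_points(links, events, entry_points):
    """Entry points ranked by how many non-tolerable events they can lead to."""
    crit = critical_assets(links, events)
    ranked = [(ep, crit.get(ep, set())) for ep in entry_points]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))
```

On the constructed graph, `prioritised_entry_points` ranks `contractor_laptop` and `vpn_gateway` ahead of `web_portal`, because both lead to the plant network as well as to patient data, which is exactly the kind of finding the report uses to decide where access reduction, segmentation and monitoring are applied first.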
This result-driven approach is scalable: it can be applied not only to individual organizations or sectors but also to broader digital ecosystems, including entire countries or international alliances. The core idea here is to focus on achieving measurable, specific cybersecurity results, not just meeting formal compliance requirements or deploying isolated technical tools.
When applied at the national or regional level, this result-driven approach can:
- Establish a unified system of priorities: identify the most critical assets and processes that need protection first, based on national interests and strategic goals. VM (vulnerability management) systems are used to automate asset management and to detect and remediate infrastructure vulnerabilities according to severity. These tools also help track how well infrastructure is protected against vulnerabilities exploited in real-world attacks.
- Coordinate the efforts of different stakeholders: align the actions of government agencies, private companies, and civil society in the field of cybersecurity.
- Optimize resource allocation: direct funding and human resources toward the most effective security measures, including protecting personnel. When building a robust defense system, it is especially important to raise employee cybersecurity awareness. Knowing and following digital hygiene principles significantly reduces the risk of endpoint compromise and of human error during attacks.
- Increase resilience to cyberattacks: build a comprehensive security system capable of withstanding complex and targeted attacks, including those aimed at critical infrastructure. Effective and timely incident response requires full visibility into events occurring across the infrastructure. Implementing SIEM (security information and event management) solutions enables the collection and analysis of security events, helping detect suspicious activity and early signs of an attack.
- Consider regional threat characteristics: adapt cybersecurity strategies to regional realities, such as the prevalence of certain types of cybercrime, geopolitical tensions, and the level of digital development. This also includes protection against attacks targeting the public, such as disinformation and public opinion manipulation.
Cyberthreat forecast for the Middle East and conclusion
Given the rapid technological advancement in the Middle East, a decrease in cyberthreats is unlikely in the near future. On the contrary, we can confidently predict the continued presence of cyberthreats—and in some cases, a rise in the number of attacks. This forecast is based on several key factors.
- The ongoing digitalization of the economy, public sector, and infrastructure is significantly expanding the digital perimeter. Emerging technologies, including the Internet of Things, artificial intelligence, and mobile services, are creating new attack vectors and entry points.
- Cyberspace is increasingly being used as a battleground for resolving geopolitical issues. Conflicts that were previously addressed through diplomatic or military channels are now often shifting into the digital realm, where attacks on information systems and infrastructure serve as tools of pressure.
- Critical infrastructure (including the energy and healthcare sectors), as well as financial institutions, remain among the most likely targets for cyberattacks. These entities are of strategic importance to national security, making them highly valuable, including to malicious actors. The history of attacks on Saudi Aramco's infrastructure demonstrates that even well-protected assets can be vulnerable, especially when contractors and affiliated organizations are not properly monitored.
- In addition, APT groups are active in the region, focusing on attacks against government agencies and industrial targets. Their operations are systematic and covert. Data associated with government bodies, industrial companies, and financial institutions in Middle Eastern countries is regularly leaked on the dark web, evidence that cybercriminals have been able to compromise their systems.
- Social engineering continues to be a widely used primary attack method. With hackers leveraging artificial intelligence—including for generating phishing emails—the quality of such attacks is set to improve in parallel with advances in AI technology. This also lowers the barrier for attackers launching attacks in countries where they do not speak the local language, thus broadening their geographic reach.
Based on the above, it is clear that cyberthreats in Middle Eastern countries will continue to increase in scale and complexity in the foreseeable future. While the evolution of digital technology and the integration of new IT solutions into key sectors across the region boosts efficiency, it also exposes these sectors to a wider range of attackers with varying levels of expertise.
Governments in the Middle East should pay close attention to malicious activity targeting critical infrastructure, financial institutions, and public agencies, as such threats may lead to serious consequences for national security and state sovereignty.