On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.
Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.
Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through March 10.
Operation Epic Fury Timeline: March 2026 Conflict Updates
February 28, 2026 — Initial Strikes and Regional Retaliation
In parallel to these events, Flashpoint observed immediate system-level disruption: flight suspensions at Dubai airports following nearby strikes, and Iran’s move to blockade the Strait of Hormuz, elevating global energy and logistics risk.
March 1, 2026 — Air War Over Tehran, Soft Targets, and Hybrid Expansion
By March 1, the conflict had shifted from stand-off strikes to direct air operations over Tehran, signaling degradation of Iran’s integrated air defenses over the capital. Iranian state media described a transition to “offensive defense,” and retaliatory activity expanded across the region.
Notable developments included the reported strike on the Crowne Plaza Hotel in Manama, Bahrain, signaling increased risk to soft targets and commercial environments. Flashpoint also observed indicators of command-and-control friction on the Iranian side, including a reported friendly-fire incident involving the sanctioned “shadow fleet” tanker Skylight.
March 2, 2026 — Infrastructure and Economic Warfare Escalation
March 3, 2026 — Expansion of Infrastructure Warfare and Regional Combat
March 5, 2026 — Offensive Defense and Geographic Expansion
March 6, 2026 — Regime Fragmentation and Strategic Targeting
March 8–9, 2026 — Leadership Consolidation and Hybrid Warfare Expansion
March 10, 2026 — Decentralized Retaliation and Economic Pressure
March 1–10, 2026 — Infrastructure Targeting and Internationalization
Between March 1 and March 10, Flashpoint analysis indicates the conflict has evolved from broad regional exchanges into systematic targeting of energy, data, and command-and-control infrastructure with global downstream impact. Key reported incidents included a strike on Saudi Aramco’s facility at Ras Tanura and a disruption at an AWS data center in the UAE attributed to physical impact on the facility. The Israel–Lebanon front also intensified following Hezbollah missile launches and a broad Israeli response across Lebanon. March 2 also featured expanded strikes against Tehran’s state apparatus, including reported destruction of Iran’s national broadcasting headquarters and the Assembly of Experts’ building.
Flashpoint also tracked growing exposure for NATO-aligned assets, including reported damage at RAF Akrotiri (Cyprus). Meanwhile, the UK, France, and Germany signaled readiness to support action focused on Iran’s missile and drone capabilities — an indicator of potential further conflict expansion.
By March 3 and March 4, targeting patterns expanded further to include strategic communications infrastructure and hardened military facilities. Satellite analysis confirmed damage to US military communication nodes and early-warning radar infrastructure across multiple Gulf bases, while naval combat escalated with a US submarine sinking the Iranian frigate IRIS Dena in the Indian Ocean. These developments signal a shift toward degrading regional command-and-control networks alongside continued pressure on energy and logistics infrastructure.
Developments on March 5 further expanded the geographic scope of the conflict. Iranian drone strikes targeted infrastructure in Azerbaijan, drawing the country’s military onto high alert and raising the possibility of a northern expansion of the kinetic theater. At the same time, complex missile and drone attacks continued against US military facilities in the Gulf, including a major strike that caused significant damage at Ali Al Salem Air Base in Kuwait. These developments reflect a continued shift toward distributed regional engagements rather than isolated bilateral exchanges.
Developments on March 6 through March 9 indicate continued degradation of Iranian command infrastructure alongside widening regional impacts. Precision strikes reportedly targeted remaining Iranian leadership compounds and clandestine missile and nuclear facilities, while diplomatic evacuations and military mobilization along Iran’s northern border suggested the potential expansion of the conflict into new geographic theaters. At the same time, infrastructure targeting expanded beyond energy and communications to include water desalination facilities and additional cloud and data infrastructure, highlighting the growing risk to civilian survival systems and regional economic stability.
Developments on March 10 further underscored the economic dimension of the conflict. A drone strike on the Ruwais industrial complex in Abu Dhabi forced the shutdown of the region’s largest oil refinery, while global shipping giant MSC suspended exports from Gulf ports due to continued instability in the Strait of Hormuz. These disruptions highlight how the conflict is increasingly affecting global energy production and maritime supply chains beyond the immediate combat zone.
The Escalating Cyber and Information Front
From the opening hours, Flashpoint assessed that cyber activity in this conflict is not ancillary — it is being used as a synchronized force multiplier.
One of the most consequential developments has been the use of infrastructure compromise for psychological operations at national scale. Flashpoint observed the compromise of the BadeSaba prayer app ecosystem, enabling push notifications to be delivered to large user populations. Messaging included calls for mobilization and later content aimed at regime security forces and protest coordination. This reflects a shift from influence on social platforms toward platform-layer manipulation, where trusted everyday applications become vectors for narrative control during kinetic shock.
Flashpoint also observed disruption and interference affecting state-run Iranian outlets (including IRNA and ISNA), contributing to an information vacuum and driving users toward unverified channels for situational awareness.
As kinetic pressure increased, Flashpoint tracking indicated fluctuations in cyber tempo. Some updates suggested a temporary lull in broader Iranian cyber activity — potentially due to operational disruption from physical strikes — while other indicators pointed to a risk of renewed disruptive campaigns, including activity linked to personas associated with state-aligned hacktivist ecosystems.
On March 2, Flashpoint observed reporting on a coordinated campaign branded #OpIsrael, involving pro-Iranian and pro-Russian-aligned actors, with activity spanning DDoS, data exposure, and claimed intrusions.
- NoName057(16) + Cyber Islamic Resistance: Claimed large-scale DDoS activity targeting Israeli defense and municipal entities (including Elbit Systems).
- Cyber Islamic Resistance: Claimed breach of an Israeli health insurance provider and released internal CCTV footage as evidence of access.
- FAD Team (Iraq’s “Resistance Hub”): Claimed SQL injection activity and PII exposure across a wide set of targets, including US and non-US entities.
- Fatimion Cyber Team: Claimed disruption targeting Gulf states perceived as US-aligned, including Bahrain and Qatar-linked targets.
- Infrastructure claims: FAD Team claimed access to firewall monitoring dashboards in Mecca and Medina.
Additional activity observed March 3–4 includes:
- Handala Team: Claimed a breach of Saudi Aramco infrastructure and released internal documentation and schematics intended to validate the attack. Flashpoint has not verified these claims.
- PalachPro: Signaled coordination with Iranian hackers to amplify cyber campaigns targeting US and Israeli organizations.
- NoName057(16): Claimed access to an Israeli water management SCADA system under the ongoing #OpIsrael campaign. These claims remain unverified.
- Fatemiyoun Electronic Team: Conducted a denial-of-service attack against the Kuwaiti News Agency website.
- Targeting rhetoric shift: Pro-IRGC propaganda channels began framing major technology companies — including Google — as potential targets due to alleged support of US military operations.
Additional activity reported on March 5 indicates a renewed surge in coordinated cyber operations under the #OpIsrael banner:
- NoName057(16): Claimed administrative access to Israeli industrial control systems and SCADA interfaces, alleging the ability to manipulate pump activity and water flow. These claims remain unverified but represent a high-risk threat to essential services.
- Handala Group: Claimed the exfiltration and wiping of approximately 1.3 TB of data from Atlas Insurances Ltd., while simultaneously launching a doxxing campaign targeting individuals alleged to be connected to Israeli intelligence.
- Fatemiyoun Electronic Team: Claimed responsibility for taking multiple government ministry websites offline in Jordan and Kuwait and releasing personal data from a Kuwaiti government application.
- Cyber Islamic Resistance (Team 313): Claimed disruptions targeting Bahraini government infrastructure and published images allegedly taken from compromised surveillance camera networks.
Additional activity reported March 6–9 includes:
- MuddyWater (MOIS / Seedworm): Verified intrusions into US aerospace, defense, aviation, and financial networks using a newly identified backdoor known as “Dindoor.” These operations reportedly began prior to the kinetic phase of the conflict and have continued during the war.
- Telegram-Based Recruitment Networks: Iranian intelligence is reportedly using Telegram channels to recruit loosely affiliated operatives and criminal intermediaries across Europe for espionage and potential sabotage operations.
- Handala: Claimed to have wiped Israeli military weather servers and intercepted urban security feeds in Jerusalem (unverified).
- Cyber Islamic Resistance (Team 313): Claimed multiple website defacements targeting regional institutions, including Kurdish and Saudi organizations (unverified).
- NoName057(16): Continued distributed denial-of-service attacks under the #OpIsrael banner targeting Israeli political parties, telecommunications companies, and defense contractors.
Additional activity reported March 10 includes:
- Suspected banking-sector attacks: Multiple reports indicate that Iran’s largest banks, including Bank Melli Iran and Bank Sepah, experienced widespread service disruptions following suspected cyberattacks.
- NoName057(16): The pro-Russian group continued operations under the #OpIsrael banner, claiming distributed denial-of-service attacks targeting Israeli and Cypriot infrastructure, including Israel’s national water company Mekorot and UAV firm E.M.I.T. Aviation (unverified).
- BD Anonymous & MrSutrator Alliance: A newly formed pro-Palestinian cyber alliance announced “Operation Electronic Holocaust,” targeting Israeli defense contractor Rafael (unverified).
- DieNet: The group issued warnings of a potential large-scale cyber campaign targeting Israeli government infrastructure (unverified).
These developments indicate continued expansion of cyber activity across both offensive and retaliatory fronts, including financial infrastructure and public-facing services.
Strategic Chokepoints and Systemic Risk
Two chokepoints have emerged as persistent systemic risk drivers: maritime energy transit and regional air mobility.
Iran’s reported blockade of the Strait of Hormuz remains the primary near-term global economic concern. Flashpoint reporting also indicates an explicit escalation toward energy system disruption, with IRGC messaging framing a “war on energy supplies” and kinetic targeting expanding to oil and gas infrastructure. Even partial disruption introduces immediate volatility in energy markets and maritime logistics, increasing shipping costs, insurance premiums, and delivery delays well beyond the region.
Additional developments reported on March 3 indicate the IRGC has conducted strikes against multiple oil tankers operating in the Strait of Hormuz, further elevating risks to global energy transport. Iran has also declared the waterway effectively closed to most commercial shipping, introducing the possibility of sustained maritime disruption.
Infrastructure targeting has expanded to include desalination facilities and water supply systems in the Gulf. Because these plants provide essential potable water to large urban populations, attacks on desalination infrastructure represent a significant escalation that directly threatens civilian survival systems and urban stability across the region.
Global shipping disruption has also intensified. As of March 10, following continued instability and the effective closure of the Strait of Hormuz, major shipping firms including MSC have suspended exports from Gulf ports, introducing additional pressure on global logistics and energy markets.
Airspace disruption and interruptions to transit hubs — especially the reported suspensions affecting Dubai — compound that risk. Taken together, the maritime and aviation constraints create a reinforcing cycle: constrained routes increase congestion elsewhere, raise operational costs, and compress the time available for organizations to reroute people and goods.
With regional airports and Gulf maritime corridors under threat, organizations should plan for sustained degradation of commercial mobility and service availability rather than short-lived closures.
Business and Security Implications
As the conflict expands into commercial infrastructure and civilian logistics, enterprise exposure now extends well beyond traditional “high-risk” sectors. The targeting patterns observed throughout this conflict indicate that energy infrastructure, cloud assets, maritime corridors, and civilian-facing systems are all within scope.
Organizations should plan for volatility across personnel security, supply chains, cyber disruption, and regional service availability.
1. Personnel and Physical Security
Recent incidents including strikes near Gulf transit hubs, the targeting of a Western-branded hotel in Bahrain, and warnings regarding potential asymmetric attacks underscore that risk is no longer confined to military installations.
- The US State Department issued an expanded “DEPART NOW” advisory for Americans across 16 Middle Eastern countries, reflecting elevated risk to civilian and commercial environments.
- US Embassy in Amman reported active “duck and cover” alarms, signaling increased threat pressure on diplomatic facilities beyond core combat zones.
- Reporting indicates Iranian threats now extend to US bases in Europe, expanding the geographic risk envelope.
- Drone attacks targeting diplomatic facilities — including the US Consulate in Dubai and attempted strikes on the US Embassy in Riyadh — indicate expanding risk to diplomatic and government installations.
- Precautionary evacuations have also been implemented near US embassies across several Gulf states as regional tensions and retaliatory threats continue to rise.
Organizations with personnel in the Gulf region and surrounding areas should:
- Reassess travel posture to the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia.
- Elevate security protocols at commercial offices, hotels, and logistics facilities.
- Reinforce operational security practices (routine variation, avoidance of identifiable clothing tied to government or defense sectors).
- Coordinate closely with local authorities and diplomatic advisories regarding movement restrictions and emerging threat indicators.
2. Supply Chain and Energy Exposure
The reported blockade of the Strait of Hormuz, disruption to Dubai aviation, and the strike on Saudi Arabia’s Ras Tanura oil facility demonstrate that global energy and logistics systems are active pressure points. Iranian naval forces reportedly struck multiple oil tankers transiting the Strait of Hormuz on March 3, increasing the likelihood of extended maritime disruption and global energy price volatility.
IRGC statements framing a “war on energy supplies” increase the likelihood of sustained pressure on Gulf oil and gas infrastructure. Organizations must reassess exposure not only to energy price volatility, but also to infrastructure-driven availability shocks.
Organizations should:
- Model extended disruption to Gulf maritime routes rather than short-term interruption.
- Identify alternative shipping corridors and overland routing options.
- Stress-test supplier dependencies tied to Gulf ports or energy inputs.
- Prepare for price volatility and delivery delays impacting downstream operations.
3. Cloud and Technology Infrastructure
The reported physical impact to an AWS data center in the UAE reflects a significant escalation: commercial cloud infrastructure is no longer insulated from kinetic spillover. More recent reporting also indicates Iranian strikes targeting Microsoft Azure data infrastructure in the Gulf, expanding the threat profile to additional Western cloud platforms.
Iranian strikes against early-warning radars and satellite communication terminals across Gulf bases indicate a coordinated effort to degrade regional missile defense networks.
Enterprises should:
- Confirm geographic redundancy for critical workloads.
- Validate disaster recovery timelines (RTO/RPO) for Middle East–hosted environments.
- Review third-party dependencies tied to regional data centers.
- Ensure executive teams understand potential cascading impacts from localized physical disruption.
- Organizations operating near or dependent on US or allied military infrastructure in the region should monitor potential disruptions to air defense coverage and communications networks.
4. ICS / OT Environments
Claims of intrusion into industrial control systems — including grain silo logistics and remote control infrastructure — signal elevated risk to operational technology environments. March 2 cyber reporting also emphasized blended risk: cyber operations paired with physical disruption, increasing the chance of cascading outages and degraded visibility during response.
Organizations operating ICS/SCADA systems, particularly in energy, logistics, water, and manufacturing sectors, should:
- Audit all remote access pathways and eliminate unnecessary external exposure.
- Enforce phishing-resistant MFA for privileged and engineering accounts.
- Segment industrial networks from corporate IT and public internet access.
- Validate incident response plans for destructive malware or system manipulation scenarios.
- Conduct tabletop exercises assuming loss of visibility or control in critical systems.
What to Expect Next (48–72 Hours)
Flashpoint analysis indicates the conflict is entering a more decentralized phase characterized by hybrid warfare and expanding geographic scope.
Following the formal appointment of Mojtaba Khamenei as Supreme Leader, the Iranian state is expected to maintain a hardline military posture under strong IRGC influence. With conventional military capabilities increasingly degraded, Iranian strategy may rely more heavily on asymmetric tactics, including cyber operations, proxy mobilization, and attacks against economic and civilian infrastructure.
The fatwa issued by Grand Ayatollah Sistani introduces an additional destabilizing variable, potentially mobilizing Shiite militias across Iraq and the broader region. Combined with Kurdish mobilization along Iran’s western border and Azerbaijan’s heightened military posture in the north, the conflict may increasingly involve non-state and regional actors.
At the same time, cyber operations targeting Western defense, aviation, and infrastructure networks are likely to intensify as Iranian-linked actors attempt to expand the conflict’s impact beyond the immediate battlefield.
The activation of Iran’s decentralized “Mosaic Defense” protocol further complicates potential de-escalation. Because retaliatory authority is distributed across regional commanders, localized strike cycles may continue even if diplomatic negotiations emerge at higher political levels. This structure increases the likelihood of continued intermittent attacks across multiple theaters even as international pressure for conflict termination grows.
Ongoing Updates
Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.
For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.
Facts Only
On February 28, 2026, the United States and Israel launched coordinated strikes against Iran under Operation Epic Fury, targeting senior leadership and missile infrastructure.
Iran retaliated with large-scale attacks, expanding the conflict across the Gulf region.
By March 1, 2026, the conflict escalated to direct air operations over Tehran, with strikes on soft targets like the Crowne Plaza Hotel in Bahrain.
On March 2, 2026, infrastructure and economic warfare intensified, with strikes on Saudi Aramco’s Ras Tanura facility and disruptions at an AWS data center in the UAE.
Iran blockaded the Strait of Hormuz, threatening global energy supplies.
Cyber operations intensified, with groups like NoName057(16) and Cyber Islamic Resistance targeting Israeli and Gulf state infrastructure.
By March 5, 2026, Iranian drone strikes targeted infrastructure in Azerbaijan, drawing the country’s military onto high alert.
On March 6, 2026, precision strikes targeted remaining Iranian leadership compounds and clandestine missile and nuclear facilities.
By March 10, 2026, a drone strike on the Ruwais industrial complex in Abu Dhabi forced the shutdown of the region’s largest oil refinery.
Mojtaba Khamenei was formally appointed as Supreme Leader, signaling a hardline military posture under IRGC influence.
Cyber operations targeted Western defense, aviation, and infrastructure networks, with groups like MuddyWater conducting verified intrusions into US aerospace and financial networks.
The conflict has decentralized, with Iran adopting asymmetric tactics, including proxy mobilization and attacks on civilian infrastructure.
Executive Summary
On February 28, 2026, the United States and Israel launched coordinated strikes against Iran under Operation Epic Fury, targeting senior leadership and missile infrastructure. Iran retaliated with large-scale attacks, expanding the conflict across the Gulf region. By March 1, the conflict escalated to direct air operations over Tehran, with strikes on soft targets like the Crowne Plaza Hotel in Bahrain. Over the following days, the war broadened to include economic and logistical infrastructure, cyber operations, and psychological messaging. Key developments included strikes on Saudi Aramco’s Ras Tanura facility, disruptions at an AWS data center in the UAE, and Iran’s blockade of the Strait of Hormuz, which threatened global energy supplies. Cyber operations intensified, with groups like NoName057(16) and Cyber Islamic Resistance targeting Israeli and Gulf state infrastructure. By March 10, the conflict had decentralized, with Iran adopting asymmetric tactics, including proxy mobilization and attacks on civilian infrastructure. The situation remains volatile, with potential for further regional expansion and economic disruption.
The conflict has evolved into a hybrid war, combining kinetic strikes, cyber operations, and information warfare. While initial strikes focused on military and leadership targets, the conflict has expanded to include economic chokepoints, cloud infrastructure, and civilian systems. The involvement of multiple state and non-state actors, including NATO-aligned forces and regional militias, complicates de-escalation efforts. The blockade of the Strait of Hormuz and attacks on energy infrastructure pose significant risks to global markets, while cyber operations target critical services, raising concerns about cascading disruptions. The appointment of Mojtaba Khamenei as Supreme Leader suggests Iran will maintain a hardline stance, potentially relying more on asymmetric tactics as conventional capabilities degrade.
Full Take
The strongest version of this narrative presents a coherent and detailed account of a rapidly escalating hybrid war, blending kinetic strikes, cyber operations, and economic warfare. The analysis effectively highlights the multifaceted nature of the conflict, from initial military strikes to the broader implications for global energy markets and regional stability. It provides a clear timeline of events, identifies key actors, and underscores the decentralized, asymmetric tactics employed by Iran as conventional capabilities degrade. The inclusion of cyber operations and their integration with physical attacks adds depth, illustrating the modern complexity of warfare.
However, the narrative leans heavily on the perspective of Western and allied intelligence sources, particularly Flashpoint analysts, which may introduce bias in framing Iran’s actions as uniformly aggressive while downplaying potential provocations or strategic miscalculations by the U.S. and Israel. The focus on Iran’s "offensive defense" and decentralized retaliation could be interpreted as a motte-and-bailey tactic, where Iran’s actions are framed as inherently destabilizing while the initial strikes by the U.S. and Israel are presented as justified or defensive. Additionally, the emphasis on systemic risks—such as the Strait of Hormuz blockade and cyberattacks—could amplify fear appeals, potentially overshadowing diplomatic or de-escalatory efforts not covered in the report.
The root cause of this narrative appears to be a paradigm of great-power competition and regional hegemony, where military and economic dominance is pursued through both kinetic and hybrid means. The unstated assumption is that Iran’s actions are primarily reactive, driven by a desire to retaliate rather than pursue strategic objectives. This echoes historical patterns of proxy wars and Cold War-era brinkmanship, where smaller conflicts serve as battlegrounds for larger geopolitical struggles. The narrative also reflects a broader trend of warfare evolving beyond traditional battlefields into economic, cyber, and informational domains, where civilian infrastructure becomes a legitimate target.
The implications for human agency and dignity are profound. Civilians across the Gulf region face direct threats to their survival systems, from water desalination plants to energy supplies, while global markets experience volatility that could disproportionately affect vulnerable populations. The decentralization of conflict—through proxy groups and cyber mercenaries—further erodes accountability, making it harder to attribute responsibility for attacks or negotiate ceasefires. Second-order consequences include the potential for broader regional conflagration, with actors like Azerbaijan and Shiite militias in Iraq being drawn into the fray. The economic disruptions, particularly in energy and shipping, could exacerbate global inflation and supply chain crises, further straining social cohesion.
Bridge questions to consider: What diplomatic or backchannel efforts might be underway that are not captured in this military-focused narrative? How might Iran’s actions be interpreted differently if viewed through the lens of defensive realism rather than aggressive expansionism? What role do non-state actors, such as hacktivist groups, play in escalating or de-escalating the conflict, and how might their motivations differ from state actors?
Counterstrike scan: If this narrative were part of a coordinated influence campaign, the playbook would likely involve amplifying the threat posed by Iran while minimizing the role of Western provocations, using fear appeals to justify further military or economic actions. The content aligns with this pattern to some extent, particularly in its framing of Iran’s actions as destabilizing and its reliance on Western intelligence sources. However, the detailed timeline and inclusion of cyber operations add credibility, suggesting the narrative is not purely manipulative but rather reflects a genuine assessment of the conflict’s complexity. The absence of alternative perspectives or diplomatic context remains a notable gap.
Patterns detected: ARC-0024 Ambiguity (potential downplaying of Western provocations), ARC-0043 Motte-and-Bailey (framing Iran’s actions as aggressive while initial strikes are presented as defensive)
Sentinel — Human
The article exhibits strong indicators of human authorship, including domain expertise, stylistic idiosyncrasies, and a structured yet flexible narrative. Minimal stylometric or coherence red flags suggest low probability of synthetic generation.