Cybersecurity & Resilience · MENA Region · April 2026
The threat is no longer theoretical: what MENA’s C-suite must confront in 2025
Iranian APT groups spent two years inside Gulf critical infrastructure. A six-day DDoS attack reduced a UAE bank’s legitimate traffic to 0.002%. A single software update grounded airports from Dubai to Riyadh in 78 minutes. This is the threat landscape MENA boards are navigating right now.
Kinverg Research · Based on IBM, PwC, WEF, Kaspersky, Radware, NCA, CBUAE and CYFIRMA data 2024–2025
$8.75M: Average data breach cost in Middle East, 2024 — nearly double the global average
267%: Increase in UAE ransomware incidents in 2024, from 12 to 44 confirmed cases
2 years: Duration of Iranian Lemon Sandstorm’s undetected presence inside Gulf CNI
1. When your security vendor becomes the outage
On July 19, 2024, a single faulty content update from CrowdStrike rendered 8.5 million Windows machines inoperable worldwide. In the Gulf, the consequences were immediate and visible. Dubai International Airport’s check-in systems across Terminals 1 and 2 went offline. King Khalid International Airport in Riyadh activated emergency fallback procedures. UAE government services halted. The fix existed within 78 minutes — but manual recovery across complex enterprise environments took hours, and in some cases days.
This was not a cyberattack. It was a supply chain failure — and it exposed the concentration risk that now sits at the top of every Gulf CISO’s concern list. Over 70% of GCC enterprises operate hybrid or multi-cloud environments, yet many remain critically dependent on a handful of security and infrastructure vendors whose failure cascades across sectors simultaneously.
Supply Chain · Infrastructure
Red Sea submarine cable cuts — February 2024
Four cables were severed near the Yemeni coastline, disrupting 70% of Europe-Asia data traffic. The AAE-1 cable required five months to repair. Between 2024 and mid-2025, 44 cable damage events across 32 locations were recorded globally. The Red Sea’s narrow strait, through which 15+ cables pass, is now recognised as one of the world’s most consequential single points of failure for digital infrastructure.
Cloud Failure
AWS ME-CENTRAL-1 fire — UAE region, 2025
An external impact struck an AWS data centre in the UAE, triggering a fire and power loss. Thirty-eight cloud services went offline. A secondary cascade hit the ME-SOUTH-1 region in Bahrain, degrading 46 additional services. For Gulf organisations that had treated AWS’s UAE region as their primary resilience backstop, the incident raised a hard question: when your cloud provider is the incident, what is your recovery plan?
54% of large organisations cite supply chain challenges as their greatest barrier to cyber resilience. In a region where airports, banks, and government ministries share the same vendor stack, that number is not abstract — it is an operational reality that materialised in 2024.
2. Iran is already inside the network
The most significant development in MENA cyber threat intelligence during 2024–2025 is the confirmation that Iranian state-sponsored actors have moved from espionage into pre-positioning for destructive operations against Gulf critical infrastructure — and that several have maintained access for months or years without detection.
State-Sponsored · OT Target
Lemon Sandstorm — 22 months inside Gulf CNI
Documented by Fortinet in 2025, this IRGC-linked group maintained access to a Middle Eastern critical national infrastructure entity from May 2023 to February 2025 — nearly two years. The attacker deployed 15+ custom tools, pivoted through four distinct attack phases, and assessed the OT network as the primary target. Fortinet concluded the entity had “strategic value for Tehran” as a potential disruption target during wider regional conflict. Only network segmentation prevented physical-world consequences.
OT/ICS breach impact GCC 2024: 73% of organisations
Prior year comparison: 49%
Active OT threat groups globally: 23 groups (9 active 2024)
APT34 (OilRig) deployed a new backdoor called StealHook against UAE government agencies in October 2024, abusing Microsoft Exchange to exfiltrate credentials. APT33 (Peach Sandstorm) deployed the Tickler backdoor targeting Saudi and UAE defence, satellite, and oil sectors — hosting command infrastructure on attacker-controlled Azure subscriptions. MuddyWater is currently targeting over 100 government-related organisations across MENA. CyberAv3ngers developed IOCONTROL malware, compromising over 400 OT/ICS devices globally, including in West Asia.
The pattern across all of these operations is consistent: establish persistent access quietly, move toward operational technology, and await instructions. The question is not whether these groups are active in the region — they demonstrably are. The question is whether your detection capability is calibrated to find lateral movement toward OT, not just perimeter intrusions.
3. Hacktivism has become a strategic financial services threat
The Israel-Gaza conflict triggered the most intense sustained hacktivist campaign ever directed at Gulf financial institutions. What began as politically motivated disruption has evolved into operationally significant attacks that strain incident response capabilities and damage customer trust.
DDoS · Financial Sector
SN_BLACKMETA — six-day assault on a UAE bank, July 2024
The group sustained a 100-hour DDoS campaign averaging 4.5 million requests per second, peaking at 14.7 million RPS. At peak intensity, legitimate traffic fell to 0.002% of total requests. Radware mitigated 1.25 trillion malicious requests over the course of the attack. This was not a flash attack but a deliberate, sustained operational campaign that redefined what “DDoS resilience” means for Gulf banks.
284%: Increase in DDoS attacks on MENA financial services, Q3 2024
238%: Year-over-year DDoS increase across the MENA region overall
88: Ransomware incidents in Saudi Arabia in 2024, plus 278,000+ DDoS events
Anonymous Sudan attacked Thuraya satellite, flydubai, Etisalat Egypt, First Abu Dhabi Bank, RAKBANK, and Mashreq Bank within a three-month window. Stormous ransomware claimed breaches of UAE government entities including TDRA and FANR, demanding 150 BTC. LockBit attacked Etisalat in February 2024, encrypting files and demanding $100,000. Kaspersky identified nearly 10 million stolen MENA account records on the dark web in the first half of 2024 alone.
4. Regulators are no longer setting targets — they are enforcing penalties
The Gulf’s regulatory response to the escalating threat environment has been swift and, for the first time, punitive. Boards that treated compliance as a checkbox exercise in 2023 are facing a materially different enforcement reality in 2025.
UAE
CBUAE Federal Decree-Law No. 6 of 2025
Maximum administrative fines for financial institutions rose from AED 200 million to AED 1 billion. Mandatory breach notification to affected customers is now required. The decree consolidates banking and insurance regulation with explicit cybersecurity obligations — making the UAE’s financial regulatory framework one of the most consequential in the region for security compliance.
Saudi Arabia
NCA ECC-2:2024 and PDPL enforcement — 48 decisions in year one
The NCA’s updated Essential Cybersecurity Controls introduced 108 controls across five domains, addressed quantum vulnerabilities, and mandated Saudization of cybersecurity roles. Enforcement regulations now carry penalties up to SAR 25 million (~$6.66 million). Saudi Arabia’s Personal Data Protection Law entered full enforcement in September 2024, with the SDAIA issuing 48 enforcement decisions in its first year.
Qatar & Kuwait
Binding AI guidelines and 24-hour breach notification
Qatar’s Central Bank issued legally binding AI guidelines for financial institutions — the only binding AI governance rules for financial firms in the entire GCC. Kuwait’s CITRA Regulation No. 26/2024 introduced strict data localization requirements and a 24-hour breach notification mandate. Bahrain proposed a standalone AI Regulation Law with 38 articles that could become the first comprehensive AI law in the GCC.
Organisations operating across multiple Gulf jurisdictions now face diverging data localization rules, AI governance requirements, incident reporting timelines, and cybersecurity control frameworks — all enforced simultaneously. For insurance and banking groups with operations across UAE, KSA, Qatar, Kuwait, and Bahrain, building a unified controls framework that satisfies all five regulators without redundant parallel programmes has become one of the most operationally complex challenges a CISO faces.
5. AI governance is the widest open gap in the region
Eighty-three percent of Middle East organisations plan to deploy generative AI tools for cyber defence within the next year, according to PwC’s 2025 Digital Trust Insights survey. Yet globally, only 37% have formal processes to assess the security of AI tools before deployment. That 46-point gap is not a planning problem — it is an active attack surface.
Plan to deploy GenAI for defence: 83% of ME organisations
Assess AI security before deployment: 37% globally
MuddyWater and Charming Kitten have incorporated generative AI into spear-phishing campaigns targeting Gulf entities, producing socially engineered messages at a scale and quality that defeats traditional awareness training. Iranian threat actors have used AI-enhanced living-off-the-land techniques against OT infrastructure to blend with legitimate network traffic and evade detection.
IBM’s 2025 Cost of a Data Breach report found that Middle East organisations with extensive AI deployment in security operations saw breach costs of SAR 26.54 million, versus SAR 38.85 million for those without — a 31% cost reduction. The same tools that reduce breach costs when governed well create new attack surfaces when deployed without oversight.
Gartner placed cyber resilience as the number one CISO priority globally for 2025 — the first time resilience has displaced prevention at the top of the agenda. In the Middle East specifically, 51% of respondents cite lack of cybersecurity funding as a top challenge, against 36% globally. The UAE announced a $2 billion national cybersecurity investment at GISEC 2025. Saudi Arabia’s cybersecurity market reached SAR 15.2 billion, growing at 14% annually.
What this means for banking, insurance, and government leaders
Five connected questions emerge from this threat landscape that every C-suite in a regulated MENA sector should be able to answer with specificity, not aspiration.
1. If your cloud provider, your EDR vendor, and your undersea cable fail in the same week — what is your manual fallback?
The CrowdStrike outage, AWS ME-CENTRAL-1 fire, and Red Sea cable cuts all occurred within twelve months of each other. Multi-cloud strategy is necessary but not sufficient. Organisations need tested manual operating procedures, not just architectural diagrams.
2. Are you detecting lateral movement toward operational technology, or only perimeter intrusions?
Lemon Sandstorm spent 22 months in a Gulf CNI network with OT as its explicit target. APT34, APT33, and CyberAv3ngers all have demonstrated OT compromise capability. IT-centric detection is not the same as OT-aware detection.
3. Is your incident response calibrated for a sustained six-day assault, not just an isolated event?
SN_BLACKMETA sustained its campaign for 100 hours, peaking at 14.7 million requests per second. That requires team rotation, executive communication cadence, and coordinated mitigation at a scale that most IR plans were not designed for.
4. Can your compliance architecture satisfy five Gulf regulators simultaneously without running five parallel programmes?
With CBUAE fines now at AED 1 billion, NCA penalties at SAR 25 million, and PDPL enforcement actively issuing decisions, the penalty environment has fundamentally changed. A unified controls framework is now a board-level financial risk issue.
5. Who governs the security of your AI — and do they have a direct reporting line to the board?
With 83% of regional organisations deploying AI for defence and only 37% assessing its security before deployment, the governance gap is wider than any technical vulnerability on your estate. Qatar’s Central Bank has already made AI governance binding for financial institutions. Others will follow.
The organisations that navigate this environment successfully will not be those with the most tools — Gartner reports the average enterprise runs 45 security products. They will be those that have built genuine operational resilience: the ability to absorb disruption from any vector, maintain critical functions, and recover at speed. The Middle East’s data breach cost remains nearly double the global average for a structural reason: the region sits at the intersection of the world’s most active geopolitical conflicts, its most ambitious digital transformation programmes, and some of its most valuable critical infrastructure targets. That is not a temporary condition. It is the operating environment.
Sources: IBM Cost of a Data Breach 2024–2025 · PwC Middle East Digital Trust Insights 2025 · WEF Global Cybersecurity Outlook 2025 · Fortinet Threat Intelligence · Radware Global Threat Analysis · NCA ECC-2:2024 · CBUAE Decree-Law No. 6/2025 · Dragos OT Cybersecurity Report 2024 · StormWall MENA DDoS Report Q3 2024 · Kaspersky MENA Threat Report 2024 · Gartner CISO Survey 2025