On February 21-22, 2026, the UAE Cyber Security Council announced it had thwarted a coordinated cyber campaign described as "organized, terrorist in nature" targeting the country's digital infrastructure and vital sectors.
The campaign combined AI-powered ransomware deployment, systematic network infiltration, and large-scale phishing operations against national platforms.
At peak volume, national emergency cybersecurity systems were intercepting 200,000 attacks per day - originating from threat groups across 14 countries.
Since January 1, 2026, the Council had confirmed 128 discrete cyber incidents including ransomware attacks, government breaches, and data leaks.
Of 21 advanced persistent threat groups under active monitoring, 15 (71.4%) were identified as state-sponsored, with Asia accounting for 66.7% of state-sponsored actor origins.
The disclosure came six days before the February 28 US-Israeli military strikes on Iran, placing it in the context of rapidly escalating geopolitical tensions that would soon trigger the most intense cyber conflict the Gulf region has experienced.
KEY FACTS
- What: Sustained, multi-vector cyber campaign combining AI-powered ransomware, network infiltration, and phishing targeting UAE national infrastructure - described by the Cyber Security Council as "terrorist in nature."
- Who: UAE government entities (30% of attacks), financial services and banking (7%), education (7%), technology, aviation, and healthcare (4% each). Both public and private sector organizations targeted.
- How: AI-enhanced offensive tools including adaptive malware, polymorphic payloads that evade signature-based detection, deepfake-enabled social engineering, and automated phishing campaigns targeting national platforms.
- Scale: 200,000 attacks per day intercepted at peak; 128 confirmed incidents since January 2026; 21 APT groups and 60 cybercriminal/hacktivist actors tracked.
- Attribution: 71.4% state-sponsored (15 of 21 tracked APT groups). Origins: Asia 66.7%, Europe 14.3%, Middle East/cross-regional remainder. Attack infrastructure traced to 14 countries.
- Outcome: Contained. The Council stated all attacks were "proactively thwarted without impacting service continuity or data security." No significant damage reported.
WHAT HAPPENED
Beginning in January 2026, a sustained multi-vector cyber campaign targeted the UAE's digital infrastructure across government, financial, education, technology, aviation, and healthcare sectors.
Government administration absorbed the largest share at 30% of attacks, followed by financial services and education at 7% each.
The campaign employed AI-enhanced offensive tools - including polymorphic malware that modified its code signature with each deployment, automated phishing at scale targeting national platforms, and deepfake-enabled social engineering that cloned the voices and faces of organizational leaders to authorize fraudulent actions.
On February 18, the UAE Cyber Security Council disclosed granular threat statistics: 128 confirmed cyber incidents since January 1, 21 active APT groups under surveillance, and 60 cybercriminal and hacktivist actors tracked.
Mohamed Al Kuwaiti, head of the Council, revealed that 71.4% of tracked threat actors were state-sponsored, with Asia accounting for 66.7% of origins. Attack infrastructure was traced to 14 countries. Daily interception volumes ranged from 90,000 to 200,000 attempts.
On February 21-22, the Council announced it had "successfully thwarted organized cyberattacks of a terrorist nature" targeting vital sectors. The Emirates News Agency carried the official statement.
Bloomberg, The National, and The Record confirmed the campaign involved ransomware deployment, network infiltration, and phishing operations using AI-generated tools - described by the Council as a "qualitative shift" in adversary methods.
The disclosure came six days before the February 28 US-Israeli military strikes on Iran, suggesting UAE cyber defenses were already operating at heightened alert due to pre-conflict intelligence.
TIMELINE
February 18, 2026 - The UAE Cyber Security Council disclosed detailed threat statistics: 128 confirmed cyber incidents since January 1, 21 active APT groups under surveillance, 60 cybercriminal and hacktivist actors tracked.
Mohamed Al Kuwaiti, head of the Council, revealed that 71.4% of tracked threat actors were state-sponsored and that daily attack volumes ranged from 90,000 to 200,000 attempts.
February 21, 2026 - The Council announced that national cyber defenses had "successfully thwarted organized cyberattacks of a terrorist nature" targeting digital infrastructure and vital sectors. The Emirates News Agency (WAM) carried the official statement.
February 22, 2026 - Bloomberg, The National, and The Record reported the disruption of the AI-powered campaign.
The Council confirmed the attacks involved ransomware deployment, network infiltration, and phishing campaigns using AI-generated offensive tools - described as a "qualitative shift" in adversary methods.
February 28, 2026 - The US and Israel launched coordinated military strikes on Iran (Operation Epic Fury / Operation Roaring Lion), dramatically escalating the regional conflict.
Within 24 hours, over 60 active threat groups aligned with the conflict were tracked by researchers - 53 operating on the pro-Iranian side. The UAE disclosure six days prior now appears to have been an early indicator of the pre-conflict cyber posturing.
March 2026 (ongoing) - Iran launched retaliatory kinetic strikes against UAE targets (357 ballistic missiles, 1,815 drones, 15 cruise missiles as of March 25).
Cyber operations intensified in parallel - DDoS campaigns, data leak claims, and hacktivist operations surged across the Gulf. Multiple hacktivist groups including DieNet and Keymous+ launched coordinated attacks against UAE, Saudi, Bahraini, Kuwaiti, and Qatari infrastructure.
TECHNICAL ANALYSIS
The AI Dimension
The Council's characterization of the campaign as employing a "qualitative shift" in methods represents one of the first official government disclosures of adversarial AI use in a sustained, real-world campaign against a nation-state's infrastructure.
Polymorphic and evasive malware - AI-generated payloads that modify code signatures with each deployment, rendering signature-based antivirus and endpoint detection ineffective.
The Council specifically noted "self-learning malware" and "evasive code morphing" among the techniques observed.
Automated phishing at scale - AI-generated lures tailored to UAE government and financial sector employees, with language and context sufficiently sophisticated to bypass traditional email security filters.
The phishing campaigns were "systematic" and targeted "national platforms" specifically.
Deepfake-enabled social engineering - Attackers used AI to clone voices and faces of organizational leaders, creating realistic audio and video that tricked recipients into revealing credentials or authorizing actions.
UAE authorities had separately warned of CEO-impersonation deepfakes used to authorize fraudulent wire transfers.
Adaptive offensive tooling - Tools that modified their behavior in response to defensive measures, suggesting real-time feedback loops between reconnaissance, exploitation, and evasion functions.
Attack Method Breakdown
The Council provided a granular breakdown of attack types observed across the 200,000 daily attempts: denial-of-service attacks targeting endpoint devices accounted for 39% of volume; encryption and data leakage attacks comprised 37%; internet-connected application breaches represented 24%; and ransomware-specific attacks accounted for 7%.
Attacks on IT infrastructure represented 40% of total incidents, file-sharing attacks 9%, and database vulnerability exploitation 3%.
Operational Infrastructure
For the 128 confirmed incidents, adversary coordination was tracked across three primary channels: Telegram (49.2% of tracked activity), open web forums and marketplaces (40.6%), and Tor-based dark web infrastructure (10.2%) - the latter primarily associated with ransomware ecosystems.
The Telegram-heavy coordination is consistent with the hacktivist and state-aligned proxy group operational patterns observed across the broader Middle Eastern threat landscape.
Incident Type Distribution
Among the 128 confirmed incidents: website defacement accounted for 38.3%, data leaks 25.8%, data breaches 13.3%, with the remainder distributed across initial access sales, ransomware, DDoS, and APT-attributed intrusions.
IMPACT ASSESSMENT
Operational Impact
The UAE government characterized the outcome as a defensive success - all attacks were intercepted without disrupting service continuity or compromising data security.
If accurate, this represents a significant defensive achievement given the sustained volume (200,000/day) and the sophistication of AI-enhanced tooling.
However, the 128 confirmed incidents since January suggest that not every attack was stopped at the perimeter. Confirmed incidents - including government breaches and data leaks - indicate that some attacks achieved partial or full objectives before detection and containment.
Strategic Context
The timing is critical. The February 18 disclosure of detailed threat statistics and the February 21-22 announcement of the campaign disruption came six days before the February 28 US-Israeli strikes on Iran.
This suggests UAE cyber defenses were already operating at heightened alert due to pre-conflict intelligence indicating an imminent escalation.
After February 28, the cyber threat landscape escalated dramatically. Over 60 threat groups activated within 24 hours.
DDoS campaigns targeted banks (Riyad Bank, Al Rajhi Bank), airports (Kuwait International), telecoms (Batelco, du), and government portals across the GCC. The February campaign disclosed by the Council was the opening act - not the main event.
Financial and Economic Context
While the cyber campaign itself was contained, the broader conflict produced severe economic disruption: UAE oil production dropped by 500,000-800,000 barrels per day following kinetic strikes, a fire broke out at Jebel Ali Port attributed to debris from aerial interception, and the most extensive GPS spoofing and jamming campaign ever recorded in military conflict disrupted over 1,100 commercial vessels within 24 hours.
REGULATORY IMPLICATIONS
The campaign and the Council's response carry significant implications under UAE and international regulatory frameworks:
- UAE PDPL (Federal Decree-Law No. 45/2021) - Article 26 requires data controllers to notify the UAE Data Office of personal data breaches within 72 hours. The 128 confirmed incidents - including data leaks (25.8%) and data breaches (13.3%) - trigger individual notification obligations for any incidents involving personal data of UAE residents. Administrative fines range from AED 50,000 to AED 5 million per violation.
- NESA Information Assurance Standards - The National Electronic Security Authority's 188-control framework is mandatory for government entities and critical infrastructure operators. The campaign validates the framework's emphasis on adaptive threat detection, but the confirmed breaches raise questions about implementation maturity across all covered entities.
- UAE National Cybersecurity Strategy 2025-2031 - Approved in February 2025 under the "We the UAE 2031" Vision, the strategy mandates centralized threat monitoring through the National Security Operations Center (NSOC). The 200,000/day interception rate demonstrates NSOC operational capacity. The 128 confirmed incidents demonstrate the limits of any purely defensive posture against sustained state-sponsored campaigns.
- TDRA Regulations - The Telecommunications and Digital Government Regulatory Authority oversees digital infrastructure security. Telecom and technology sector targeting (4% of attacks) falls directly under TDRA jurisdiction.
- DIFC Data Protection Law / ADGM Data Protection Regulations - Financial sector entities operating in the Dubai International Financial Centre and Abu Dhabi Global Market are subject to separate data protection regimes with independent notification requirements. Financial services were the second-most targeted sector (7% of attacks).
- GDPR (Regulation 2016/679) - Any UAE-based organization processing data of EU residents that experienced a confirmed breach must notify the relevant EU DPA within 72 hours under Article 33. Fines up to EUR 20 million or 4% of annual global turnover.
- NIS2 Directive - EU-based organizations with UAE operations affected by the campaign may trigger essential/important entity incident reporting requirements.
The campaign also underscores a regulatory gap: the UAE PDPL's implementing regulations had not been published as of late 2024, creating uncertainty around specific compliance requirements during an active threat environment.
Organizations operating in the UAE face the challenge of meeting breach notification obligations under a law whose detailed enforcement mechanisms remain partially undefined.
ZERO|TOLERANCE Advisory
The Council characterized the defensive outcome as successful, but 128 confirmed incidents - including data breaches and data leaks - indicate gaps that must be addressed:
1. AI-Powered Defense to Match AI-Powered Offense - Signature-based detection is insufficient against polymorphic, AI-generated malware.
Organizations in targeted sectors must deploy behavioral analytics and machine learning-based endpoint detection and response (EDR) capable of identifying novel attack patterns without prior signatures.
2. Deepfake Verification Protocols - Establish out-of-band verification procedures for all high-value requests (wire transfers, credential resets, access grants). No action should be authorized based solely on voice or video communication, regardless of apparent authenticity.
Implement code-word verification systems for executive communications.
3. Zero Trust Architecture Across Critical Sectors - The 30% targeting of government administration and 7% targeting of financial services demands mandatory Zero Trust implementation: continuous identity verification, micro-segmentation, least-privilege access, and encrypted communications for all inter-system traffic.
4. Threat Intelligence Sharing Across GCC - The 14-country attack origin and 21 tracked APT groups demonstrate that no single nation can defend in isolation.
Formalize real-time threat intelligence sharing between UAE CERT, Saudi CERT, Bahrain CERT, Qatar Q-CERT, and Oman national CERT - including indicators of compromise, TTP signatures, and attribution assessments.
5. Ransomware Resilience - The 7% ransomware component and 37% encryption/data leakage attacks require immutable offline backups, tested recovery procedures with defined RTOs, and network segmentation that prevents lateral movement from initial access to critical data stores.
6. Regulatory Clarity - The UAE Data Office should expedite publication of PDPL implementing regulations to provide organizations with clear breach notification procedures, enforcement expectations, and compliance benchmarks during a period of sustained state-sponsored cyber operations.
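The out-of-band and code-word verification recommended in item 2, as an added example (not code from the Council or any source cited here): an approval is cryptographically bound to the specific request and must arrive over a pre-registered second channel, so a convincing voice or video call alone cannot authorize anything. The channel names, the approver record and the enrolled secret are assumptions constructed for illustration.

```python
"""Two-channel approval gate for high-value requests (wire transfers, credential resets,
access grants). Added example, not code from the Council or any vendor; channel names,
the approver registry and the enrolled secret are constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CHALLENGE_TTL = 300  # seconds a challenge stays valid

@dataclass
class Approver:
    name: str
    oob_channel: str  # pre-registered second channel, e.g. an enrolled authenticator app
    secret: bytes     # enrolled in person; never sent over voice, video or e-mail

@dataclass
class Request:
    request_id: str
    requester: str
    amount: int
    origin_channel: str  # channel the request arrived on: "video", "voice", "email", ...
    nonce: str = ""
    created: float = field(default_factory=time.time)

def issue_challenge(req):
    """Fresh nonce for this request. A real system delivers it only to the approver's
    registered device, never back over the channel the request arrived on."""
    req.nonce = secrets.token_hex(8)
    return req.nonce

def response_code(approver, req):
    """Code word computed on the approver's device. It is bound to the request fields and
    nonce, so a code captured for one request cannot authorize a changed amount or a replay."""
    msg = f"{req.request_id}|{req.requester}|{req.amount}|{req.nonce}".encode()
    return hmac.new(approver.secret, msg, hashlib.sha256).hexdigest()[:8]

def authorize(req, approver, code, reply_channel, now=None):
    """Approve only if the reply came over the registered OOB channel (distinct from the
    origin channel), the challenge is unexpired and the bound code word matches. How
    convincing a voice or video caller sounded plays no part in the decision."""
    now = time.time() if now is None else now
    if reply_channel != approver.oob_channel or reply_channel == req.origin_channel:
        return False, "approval must arrive over the registered out-of-band channel"
    if not req.nonce or now - req.created > CHALLENGE_TTL:
        return False, "no challenge issued or challenge expired"
    if not hmac.compare_digest(code, response_code(approver, req)):
        return False, "code word does not match this request"
    return True, "approved"
```

A request raised on a video call, an approval read back on the same call, a tampered amount, a replayed code and an expired challenge are all rejected; only the bound code arriving over the enrolled channel within the TTL is approved.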
SOURCES
The Record, The National, Bloomberg, Zawya, Arabian Business, Khaleej Times, Emirates News Agency (WAM), Cyble, The Cyber Express, Security MEA, Gulf News, Economy Middle East, Palo Alto Networks Unit 42, CloudSEK, SOCRadar, Chambers and Partners, Data Protection Report, Insurance Journal, SC Media