Iran’s Drone Strikes on Data Centres Mark the Dawn of Hybrid Warfare

Iran’s recent strikes on AWS data centres have irrevocably altered the calculus of cloud computing and hybrid warfare: the enemy now targets not your defence assets but your technological assets. This article analyses the immediate ripple effects on critical systems like banking, the broader implications for cloud infrastructure strategy, and the concrete steps tech companies and governments must take to build resilience in an era of hybrid warfare.

Operation Sindoor, launched by India on May 7, 2025, marked a significant military response to the April 22, 2025 Pahalgam terrorist attack in Kashmir, which killed 26 civilians. The operation involved precision missile strikes on terrorist infrastructure in Pakistan and Pakistan-occupied Kashmir (PoK).

While the kinetic conflict drew global attention, a parallel war unfolded in cyberspace, where Pakistan-linked threat actors and hackers, possibly with indirect support from other non-state actors, launched a massive wave of cyberattacks on Indian targets.

This episode represented one of the most intense cyber confrontations in an India-Pakistan crisis, blending state-sponsored advanced persistent threats (APTs), hacktivist disruptions, and disinformation campaigns. Although India’s defences largely held, the scale highlighted vulnerabilities in critical infrastructure and the growing role of cyber operations in hybrid warfare.

In the currently escalating conflict gripping West Asia, a startling new front has opened: the physical targeting of cloud infrastructure. What began as retaliatory missile and drone barrages following US and Israeli strikes on Iran has now struck at the heart of the digital economy.

On March 1-2, 2026, Iranian drones damaged three Amazon Web Services (AWS) facilities – two directly in the United Arab Emirates (UAE) and one in Bahrain through proximity impact. This incident is not just collateral damage in a regional war; it represents a paradigm shift in modern conflict where data centres, once viewed as neutral pillars of global connectivity, have become legitimate strategic targets.

The attacks come at a time when the Middle East is aggressively positioning itself as a global AI and cloud computing hub, with billions poured into hyperscale facilities. But the strikes expose a harsh truth: the cloud is not ethereal. It rests on concrete, power grids, and cooling systems that are as vulnerable to kinetic warfare as oil refineries or ports.

Drones Breach the Cloud Fortress Amid Retaliatory Strikes
The timeline is telling! On February 28-29, 2026, joint US-Israeli strikes targeted Iranian sites, reportedly killing Iran’s Supreme Leader Ayatollah Ali Khamenei.

Iran’s response was swift and multi-pronged: waves of drones and missiles rained down on US bases and allied infrastructure across the Gulf – UAE, Bahrain, Qatar, Kuwait, and beyond. Airports, ports, and now data centres were hit.

AWS first reported issues on its health dashboard on March 1, noting that “objects” had struck a facility in its ME-CENTRAL-1 region (UAE), triggering sparks and fire. Power was cut for safety. By March 2, the company confirmed the worst: two UAE facilities were directly struck by drones, while a Bahrain site in the ME-SOUTH-1 region suffered physical damage from a nearby strike.

Structural harm, disrupted power delivery, and water damage from fire-suppression systems compromised server racks and cooling infrastructure. Recovery was described as “prolonged” due to the physical nature of the damage. AWS explicitly warned: “The broader operating environment in the Middle East remains unpredictable.”

This marks the first known instance of a major US tech company’s data centre suffering direct military damage. Unlike previous cyber incidents (Stuxnet on Iran or NotPetya), this was kinetic warfare – cheap drones achieving what sophisticated malware once attempted. AWS operates with multiple availability zones per region, designed for seamless failover, but the loss of multiple facilities within zones strained capacity.

Why Data Centres? The New Oil Fields of the Digital Economy
Traditionally, militaries target oil facilities, power plants, and ports to cripple economies. Data centres now play an analogous role. They concentrate immense computing power that underpins banking apps, e-commerce, government logistics, military communications, intelligence analysis, and burgeoning AI systems. A single strike on them can ripple across thousands of organisations.

In the Gulf, AWS’s Middle East regions are more than commercial assets. Launched in Bahrain in 2019 and expanded in Abu Dhabi, they serve businesses, governments, and universities across Africa, South Asia, and the Levant.

The region’s data centre market is exploding – capacity is projected to triple from 1 GW in 2025 to 3.3 GW within years, driven by AI ambitions and sovereign cloud initiatives. AWS alone has committed over $10 billion in investment across the UAE, Bahrain, and planned Saudi facilities. Microsoft and others are following suit. These sites power everything from ChatGPT-like services to national digital transformation visions.

Iran’s calculus appears deliberate. Disrupting cloud services hampers economic continuity for US allies without needing to strike military bases exclusively. As one analyst noted, data centres supporting surveillance, intelligence, and military comms have become “attractive targets.”

The Gulf’s trillion-dollar AI dream – positioning UAE and Saudi Arabia as neutral tech hubs – now faces a geopolitical reality check. The era of assuming that digital infrastructure enjoys sanctuary is over.

Immediate Fallout: Banking, Payments, and Critical Services Grind to a Halt
The disruptions were not abstract. Within hours, consumer and enterprise services across the UAE and Bahrain reported outages. Banking apps went dark at scale.

Abu Dhabi Commercial Bank (ADCB) announced its mobile app and contact centre were unavailable due to “region-wide IT disruption.” Emirates NBD and First Abu Dhabi Bank faced intermittent digital banking and phone service issues.

Payment platforms Alaan and Hubpay saw mobile and web apps offline, with customers unable to log in or process transactions. Delivery giant Careem reported service interruptions (later resolved), while investing app Sarwa and enterprise software like Snowflake experienced elevated errors and connectivity problems.

These were not total blackouts – AWS’s multi-zone architecture limited the scope – but the impact on daily life and finance was immediate.

Customers in the region, already jittery from missile interceptions over Doha and explosions in Dubai, faced delayed salary credits, failed online payments, and stalled logistics.

Financial institutions using AWS for core banking, fraud detection, or customer analytics scrambled to reroute traffic. A Reuters source confirmed multiple financial institutions were affected.

The episode underscores how deeply cloud-dependent modern banking has become. In the UAE alone, digital payments and mobile banking dominate; any latency or outage erodes public confidence and risks liquidity squeezes.

While services began recovering by 3 March as workloads migrated, the message was clear: critical systems tethered to single geographic clusters are now liabilities in conflict zones.

Cloud’s Illusion of Invulnerability Shattered
For years, the industry marketed the cloud as resilient by design – redundant power, global replication, automatic failover. Mike Chapple, IT professor at the University of Notre Dame, captured the rude awakening: “Cloud computing is not ‘magical’… it still requires physical facilities on the ground, which are vulnerable to all sorts of disaster scenarios.”

Existing physical security – fences, guards, cameras – deters intruders, not drones or missiles. Data centres are massive, power-hungry, and hard to conceal.

Previous outages (the 2021 AWS US-East-1 failure or 2023 Google Cloud disruptions) were software or configuration issues. This was different: physical destruction. Recovery involved not just rebooting servers but repairing buildings, replacing hardware soaked by suppression systems, and restoring power amid ongoing strikes.

AWS urged customers to “migrate workloads to alternate AWS Regions” and back up data – advice that highlights the limitations of regional redundancy when entire zones are compromised.

Will Attacks Force Tech Companies to Rethink Global Cloud Strategy?
Absolutely – and the rethink is already underway. The incident accelerates trends which analysts had flagged pre-2026: geo-repatriation (moving workloads for sovereignty), distributed hybrid infrastructure, and multi-cloud architectures.

Centralisation delivered cost and performance benefits but concentrated risk. Hyperscalers like AWS, Azure, and Google Cloud must now treat geopolitical volatility as a core design parameter, not an edge case.

Accelerated investment in edge computing and micro-data centres closer to users, reducing latency and exposure, might be in the pipeline. Multi-region and multi-cloud strategies will move from best practice to mandatory for enterprises in volatile areas.

Tech giants may quietly de-emphasise expansion in conflict-prone zones or demand host governments provide explicit military protection. Some experts predict a “militarised approach”: reinforced buildings, underground facilities, anti-drone systems, and even private security partnerships with local forces.

The Gulf’s AI push will not reverse, but companies will spread data across more countries to avoid single-point failure.

AWS’s own response – prolonged recovery admission and migration advice – signals that even the largest provider cannot guarantee uptime against state actors.

Smaller providers and colocation operators will face pressure to prove physical resilience. Share prices of data centre REITs and cloud stocks dipped on the news, reflecting investor concern over war-risk premiums in the region.

Strategies for Tech Companies: From Redundancy to Hardened Resilience
Tech firms cannot wait for governments. Immediate actions include:

Architectural Diversification: Mandate multi-cloud and multi-region deployments for critical workloads. Use tools for seamless orchestration across AWS, Azure, Google Cloud, and sovereign providers.

Physical Hardening: Upgrade facilities with blast-resistant designs, redundant underground power and cooling, and advanced threat detection (radar for drones, AI surveillance). Partner with defence contractors for site protection.

Rapid Failover and Disaster Recovery: Test geo-failover drills quarterly, maintaining hot backups in neutral regions (Europe, US, Southeast Asia). Leverage edge and hybrid setups for low-latency critical apps.

Supply Chain and Talent Resilience: Diversify hardware sourcing beyond vulnerable chokepoints and train teams on hybrid operations to bridge skill gaps.

Customer Transparency: Publish clear risk disclosures and offer “conflict-resilient” tiers with premium pricing for fortified infrastructure.

Companies that act now will gain competitive advantage; those clinging to 2010s-era centralisation risk client flight.

Governments’ Role: Policy, Protection, and Digital Sovereignty
Host nations like UAE and Bahrain cannot treat data centres as ordinary real estate. They must designate them as critical national infrastructure, extending the same military umbrella given to ports and airports.

Joint exercises with US forces for air defence of tech-hubs are logical next steps. Regulatory frameworks should mandate minimum resilience standards – multi-region data residency, regular stress tests against kinetic threats, and incentives (tax breaks, subsidies) for distributed or hybrid deployments.

Broader global action is also needed. International norms – perhaps through UN or G20 channels – could classify attacks on civilian cloud infrastructure as disproportionate, akin to targeting hospitals. Governments in stable regions (Singapore, Ireland, Nordic countries) can market themselves as “digital safe havens” with sovereign cloud offerings.

India, with its massive data localisation push and neutral stance, could emerge as an alternative hub.

For users in conflict zones, governments can subsidise migration costs or require banks and essential services to maintain on-premise or hybrid backups.

Safeguarding Banking and Critical Systems: A Blueprint for Minimal Disruption
Banking faces unique risks because downtime equals financial loss and eroded trust. Regulators (Central Bank of UAE, Bahrain Monetary Authority) should enforce:

Hybrid Cloud Mandates: Core ledgers on private clouds or on-prem, customer-facing apps on public cloud with real-time replication.

Multi-Cloud Diversification: No single provider or region for payment rails. Use Azure or Google Cloud alongside AWS for failover.

Regulatory Stress Testing: Annual simulations of physical infrastructure loss, including drone or missile scenarios.

Data Localisation with Global Redundancy: Store sensitive data locally but maintain encrypted backups abroad.

Incident Response Coalitions: Banks forming shared threat-intelligence platforms with tech providers.

Globally, SWIFT and payment networks should accelerate adoption of distributed ledger backups. The goal: zero single point of failure, ensuring ATMs, mobile banking, and interbank settlements continue even if one cloud region vanishes.

The Broader Geopolitical Reckoning: Digital Infrastructure in a Fragmented World
This episode accelerates fragmentation of the global internet. Sovereign clouds will proliferate as nations demand control over critical data.

AI development in the Gulf – a cornerstone of post-oil economies – now carries explicit war-risk pricing. Supply chains for chips, cooling systems, and power infrastructure will be re-evaluated for resilience.

In the longer term, we may see “digital demilitarised zones” or treaties protecting undersea cables and satellite constellations that support cloud connectivity.

Conversely, state actors will invest in anti-drone swarms and cyber-kinetic hybrids to target enemy data centres pre-emptively.

The human cost is subtler: developers and engineers in the region face disrupted lives, while global businesses reassess reliance on Gulf talent and infrastructure.

Preparing for the Inevitable – Tech as Collateral No More
Iran’s strikes on AWS data centres have irrevocably altered the calculus of cloud computing. The cloud was never truly in the sky; it always had feet of clay in the desert.

Tech companies must move beyond redundancy theatre to genuine resilience – physical, architectural, and geopolitical. Governments must treat digital infrastructure with the strategic seriousness once reserved for energy and transport.

For banks and critical systems, the playbook is clear: diversify, hybridise, and prepare for disruption as a certainty, not a black swan. The Middle East’s AI ambitions need not die, but they must evolve with hardened infrastructure and diversified footprints.

As the West Asia conflict enters uncertain phases, one lesson is inescapable: in 21st-century warfare, the server rack is as vital a target as the oil rig.

Those who adapt fastest – through innovation, policy, and foresight – will dominate the next digital decade. The rest risk becoming digital casualties in someone else’s war.

- The author retired as Major General, Army Ordnance Corps, Central Command, after 37 years of service. A management doctorate and expert on defence modernisation, he is the author of four books, including the Amazon bestseller “Breaking the Chinese Myth,” and a frequent media commentator. He is affiliated with several leading defence and strategic studies institutions in New Delhi. The views expressed are of the writer and do not necessarily reflect the views of Raksha Anirveda.
