
Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats

April 30, 2026, 05:13
US Marines stationed around the Persian Gulf have been receiving WhatsApp messages from strangers suggesting they call home and make their final goodbyes. Read more in my article on the Hot for Security blog.
  • Schneier on Security
  • Fast16 Malware (Bruce Schneier)

Fast16 Malware

April 30, 2026, 07:22

Researchers have reverse-engineered a piece of malware named Fast16. It’s almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet:

“…the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then silently manipulating computation processes in certain software applications that perform high-precision mathematical calculations and simulate physical phenomena, Fast16 can alter the results of those programs to cause failures that range from faulty research results to catastrophic damage to real-world equipment.”

Another news article.

Lots of interesting details at the links.

  • bellingcat
  • “Make Iran Ungovernable” – Tracking Efforts To Destroy Iran’s Police Infrastructure (Jake Godin)

“Make Iran Ungovernable” – Tracking Efforts To Destroy Iran’s Police Infrastructure

April 24, 2026, 11:16

Bellingcat has identified at least 80 police stations or infrastructure related to law enforcement agencies and the Basij paramilitary group that has been damaged or destroyed in the first three weeks of the United States and Israel’s war against Iran. Experts told Bellingcat that both countries aim to degrade the Iranian regime’s “repressive capacity”.

Combined, the US and Israel have conducted thousands of strikes during the course of the 2026 war in Iran. Targets range from Islamic Revolutionary Guard Corps (IRGC) sites, Navy vessels to Iranian weapons manufacturers.

In early March, a Bellingcat analysis using satellite imagery and available photos and videos identified police stations as another apparent target, with at least 15 damaged or destroyed in the capital, Tehran.

We also identified multiple strikes against police infrastructure in the country’s north and west; these areas were targeted by the Israel Defence Forces according to a map released by the IDF on March 31.

“We are providing the brave people of Iran with the conditions to take their destiny into their own hands,” declared the Israeli Ministry of Foreign Affairs official X account, along with a photo of a destroyed police station.

This was Police Station 121 Soleimaniyeh on Nabard Street in Tehran.

We are providing the brave people of Iran with the conditions to take their destiny into their own hands. pic.twitter.com/VSm6YVvIwZ

— Israel in Persian (@IsraelPersian) March 5, 2026

In all, the majority of strikes Bellingcat analysed focused on police stations (30 incidents) and command centers or headquarters (29 incidents). Locations also include sites related to Basij, a plainclothes paramilitary organisation (9) affiliated with the IRGC that were “involved in the deadly crackdown” of protests in January 2026; others are associated with special forces (3) and traffic (2) or diplomatic (2) police compounds.


Due to commercial satellite companies limiting access to imagery over Iran and neighbouring countries we relied on Sentinel-2 imagery data to help verify the incidents, as well as videos and photos, some of which were also verified by independent geolocators and contributors to the Geoconfirmed volunteer community and confirmed by Bellingcat researchers. 

Location data was partly determined using open source mapping data either from Wikimapia, OpenStreetMap or Google Maps. When video footage or photos were available for incidents reportedly targeting police stations, the location was verified with geolocation and satellite imagery analysis using either Planet Labs medium resolution PlanetScope data (restricted to imagery collected by March 9) or low resolution Sentinel-2 data.

Some locations were discovered utilising location data taken from OpenStreetMap using Overpass Turbo and comparing that with available Sentinel-2 data throughout Iran.

Map showing geolocated incidents in Iran. Click the markers to view the coordinates, sources, and verification notes. Map: Bellingcat/Miguel Ramalho

A Problem of Scale

Israel has released multiple videos showing the targeting of bases and checkpoints belonging to the Basij. In mid-March, the IDF announced the killing of the paramilitary group’s commander, Gholamreza Soleimani. 

Targeting the Basij is part of Israel’s and the US’ agenda “to degrade the regime’s repressive capacity,” Ali Vaez, the director of International Crisis Group Iran Project, told Bellingcat. Police stations are “not involved in repression in the way that crowd control police or Basij centers are”, so targeting them “appears more aimed at preventing the Islamic Republic from being able to maintain control internally,” he said.


Vaez told Bellingcat that, when considered alongside the broader range of targets, including industrial factories, the widespread targeting of police stations is part of a strategy “to make Iran ungovernable for the existing regime or whatever comes after”. 

Vaez was skeptical about the short term effects: “It’s a problem of scale. Iran is such a large country, even if you are able to completely destroy, not just degrade, the capacity of the regime in policing, oppressing, etc – it really requires not just maybe weeks but maybe months if not years.”

The Risk of Civilian Casualties

As of April 7, the Iranian Human Rights Activists News Agency estimates there’ve been more than 1,700 civilian fatalities during the war. 

Several police stations are situated in densely populated urban areas such as Tehran. Stations are used by civilians for various reasons including renewing driving licences, so if these buildings are targeted “during working hours and not in the middle of the night then risk is higher for these people,” Vaez said.

Map showing geolocated incidents in Tehran. Click the markers to view the coordinates, sources, and verification notes. Map: Bellingcat/Miguel Ramalho

A recent joint Airwars, Center for Civilians in Conflict and Human Rights Activists in Iran report detailing the first month of civilian casualties included a section on the worsening situation for detainees in Iranian prisons — including police stations that have been targeted. 

“I was detained in the holding cell of [Police Station 148] for ten days, along with four other activists. Now it looks like nothing is left of that station but ruins. I can’t even recognize where the detention area was. I keep wondering what happened to the people who were being held there during the attack. – Activist, told HRA upon seeing photos of the police station after recent US/Israeli airstrikes.”

Footage shared and geolocated by the BBC’s Shayan Sardarizadeh showed Police Station 148 damaged after an apparent strike in mid-March.

The main building of Tehran’s 148 police station and its courtyard, located on Enghelab Street, has been severely damaged in air strikes conducted on Friday.

The adjacent Hamoon Theatre also sustained some damage.

Video: @Vahid

Location: 35.700812, 51.402163@GeoConfirmed pic.twitter.com/9sdOtHd2XN

— Shayan Sardarizadeh (@Shayan86) March 14, 2026

One destroyed police station identified by Bellingcat in the city of Mahabad in northwestern Iran led to apparent damage to an Iranian Red Crescent Society building located next door. According to Iran’s Tasnim News agency (an IRGC-affiliated media outlet sanctioned by the EU, the US and Canada), one Red Crescent employee was injured in the attack.

The police station adjacent to the Red Crescent building isn’t identified on any mapping services, though there are reports “Police Station 11” was targeted the same day.

Annotated Google Earth image showing the location of a destroyed police station and partially destroyed Red Crescent building in Mahabad, West Azerbaijan Province, Iran. A video shared on Telegram by mamlekate on March 6 shows the view of the destruction from the ground. Buildings behind the destroyed police station match with those seen in the Google Earth imagery.

Israel has also targeted checkpoints operated by Basij members.

Bellingcat examined two cases showing Israeli strikes on checkpoints while civilians were passing. In one video, a strike hits a checkpoint as five motorbikes and a vehicle go by.

View of a Basij checkpoint in Tehran targeted by the IDF. Immediately before the explosion is visible in the video, there are five motorbikes and a car next to the checkpoint. Source: YouTube/IDF

In another IDF video, a yellow bus is immediately adjacent to the checkpoint when it is hit. It is unclear how many people were on the bus at the time of the strike or if anyone was injured.

View of a Basij checkpoint in Tehran targeted by the IDF. Immediately before the explosion, there is a yellow bus visible next to the targeted checkpoint. Source: IDF

According to the Open Source Munitions Portal (OSMP), Israeli drones commonly employ the Mikholit bomb. A variant of this bomb has 890 grams of explosives, an amount that creates hazardous fragmentation up to 104 meters away. 

“I have been watching the reporting on these Basij strikes and the use of the Mikholit in particular in open urban areas. It is IDF standard—using precision munitions and even sometimes “low collateral” munitions but in a reckless manner that still puts the civilian population at risk,” Wes J. Bryant, a defence and national security analyst formerly with the Pentagon’s Civilian Protection Center of Excellence told Bellingcat.

Questions Over Legality

International Humanitarian Law defines civilians as “persons who are not members of the armed forces”. Police officers fall under that definition, according to Adil Haque, Professor of Law at Rutgers University and Executive Editor at Just Security.  “As a rule, police are civilians and may not be attacked unless they take a direct part in hostilities,” Haque told Bellingcat. National security analyst Bryant agreed, adding that targeting police “does not stand up to legal scrutiny”.


In an email to Bellingcat, the IDF noted “that the police form part of Iran’s internal security apparatus, which also forms part of Iran’s armed forces, under Iran’s own domestic legislation. In every strike, the IDF takes feasible precautions in order to mitigate incidental harm to civilians and civilian objects to the extent possible under the circumstances.”

Police are indeed “part of the country’s armed forces. By that logic, anything with a flag on it is a legitimate target,” Ali Vaez, the director of International Crisis Group Iran Project, said.

Although Basij is a paramilitary group, any strikes against it would require precautions to minimise harm to civilians, Haque told Bellingcat. “Since the hostilities almost entirely involve aerial bombardment, the concrete and direct military advantage anticipated from strikes on Basij members who qualify as combatants is extremely low, so significant harm to nearby civilians would be disproportionate and illegal,” he said.

When asked about potential civilian casualties in the checkpoint strikes, the IDF told Bellingcat that since the Basij are subordinate to the IRGC and are therefore part of the armed forces, they are regarded as lawful military targets. Regarding the checkpoint strikes specifically, they stated “precision munitions and surveillance means were used in the strikes, as part of the precautions taken under the circumstances to mitigate expected incidental harm”.

Bellingcat reached out to US Central Command (CENTCOM) to ask if the US had any role in the police station strikes identified but received no official comment at the time of publication. 

The data collected so far for these sites can be found here.


Miguel Ramalho and Felix Matteo Lommerse contributed to this report.


Bluesky Back Online After DDoS Attack, as Iran-Linked 313 Team Takes Credit

Bluesky is back online after a roughly 24-hour DDoS attack disrupted services, with the Iran-linked 313 Team claiming responsibility and no data breach reported.
  • Security Affairs
  • Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility (Pierluigi Paganini)

Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility

April 21, 2026, 04:45

Bluesky suffered a 24-hour DDoS attack that caused outages. A pro-Iran hacker group claimed responsibility for the disruption.

Bluesky experienced a sophisticated DDoS attack that disrupted its services for about 24 hours, starting on April 15.

Bluesky is a decentralized, open-source microblogging social media platform similar to X (formerly Twitter). It allows users to post short messages, images, and videos (up to 300 characters) while providing more control over algorithms, data, and moderation.

The attack disrupted feeds, notifications, threads, and search, causing intermittent outages. A pro-Iran hacker group, called 313 Team (aka “Islamic Cyber Resistance in Iraq”), claimed responsibility, highlighting growing threats against social media platforms and the impact of coordinated disruption campaigns.

“Our team received a report of intermittent app outages at about 11:40pm PDT on April 15, 2026. They worked through the night to mitigate a sophisticated Distributed Denial-of-Service (DDoS) attack, which intensified throughout the day.” Bluesky announced. “We have not seen any evidence of unauthorized access to private user data.”

The company found no signs of data breaches and confirmed it limited the impact of the attack and avoided prolonged outages.

313 Team is a pro-Iran hacktivist group tied to politically driven cyber activity like DDoS attacks, defacements, phishing, and data-leak claims. It targets public services, government and symbolic platforms to create disruption and amplify geopolitical tensions. Analysts link it to the broader Iran-aligned ecosystem, sometimes close to state interests. However, the group often exaggerates its impact, so claims should be treated with caution.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Islamic Cyber Resistance in Iraq)

New ZionSiphon Malware Discovered Targeting Israeli Water Systems

Researchers at Darktrace have identified ZionSiphon, a new malware targeting Israeli water treatment plants. Learn how this OT-focused…
  • ASEC BLOG
  • March 2026 Dark Web Threat Actor Trends Report (ATCP)

March 2026 Dark Web Threat Actor Trends Report

By: ATCP
April 12, 2026, 12:00
Alerts: This report is a compilation of trends centered on hacktivists operating on the deep web and dark web. Some alleged attacks are labeled as observations due to limited independent technical verification. Major Issues: Handala’s multi-pronged offensive stood out. The group used a combination of psychological warfare and subversive attacks, including a claimed FBI-linked domain […]
  • Security Affairs
  • Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S. (Pierluigi Paganini)

Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S.

April 11, 2026, 17:39

Censys researchers found 5,219 exposed Rockwell PLCs online, mostly in the U.S., urging defenders to secure or disconnect them.

On April 7, 2026, U.S. agencies, including FBI, CISA, and NSA, warned of Iran-linked APTs exploiting internet-exposed Rockwell Automation PLCs.

Threat actors are carrying out cyberattacks targeting internet-connected operational technology (OT) across multiple critical infrastructure sectors. Iran-linked actors are believed to be behind the activity, aiming to cause disruption in areas such as government services, water systems, and energy.

The attacks involve manipulating project files and altering data shown on HMI and SCADA systems, leading in some cases to operational disruptions and financial losses. Authorities urged organizations to review indicators of compromise and apply mitigations to reduce risks. The campaign has been linked to groups like CyberAv3ngers, associated with Iran’s IRGC.

Organizations are advised to assess exposed devices, follow security guidance from vendors, disconnect systems from the internet where possible, and coordinate with authorities for incident response and mitigation support.

Censys researchers identified 5,219 exposed devices globally, 74.6% in the U.S., many on cellular networks. Analysis of indicators suggests multiple IPs tied to a single compromised engineering workstation, expanding the known attack surface beyond initial disclosures.

“Censys identifies 5,219 internet-exposed hosts globally responding to EtherNet/IP (port 44818) and self-identifying as Rockwell Automation/Allen-Bradley devices.” reads the report published by Censys. “Geographic distribution is heavily skewed toward the United States, which accounts for 74.6% of global exposure — consistent with Rockwell’s dominant market position in North American industrial automation.”

The researchers pointed out that the exposure of Rockwell Automation PLCs extends beyond the U.S., with notable concentrations in Spain, Taiwan, and Italy, while Iceland shows disproportionate exposure. According to Censys, many devices are connected via cellular networks, with providers like Verizon and AT&T accounting for a large share. This indicates field-deployed systems (e.g., utilities and substations) relying on cellular or even satellite links like Starlink, making monitoring and patching difficult.

Most exposed devices belong to MicroLogix and CompactLogix families, often running outdated firmware.

“EtherNet/IP identity responses expose device-level product strings, enabling granular fingerprinting of PLC model and firmware revision without authentication.” continues the report. “The top 15 product strings are dominated by two families: MicroLogix 1400 (catalog prefix 1766-) and CompactLogix (1769-, 5069-), with one Micro820 (2080-) entry.”

Iran-linked APTs exploiting internet-exposed Rockwell Automation PLCs

Since device details can be identified remotely without authentication, attackers can easily scan, identify, and prioritize vulnerable systems, increasing risks for sectors like energy and water infrastructure.

Censys found that 5,219 exposed Rockwell Automation PLC hosts often run extra services beyond EtherNet/IP, increasing risk. Key exposures include VNC for remote HMI access, Telnet (cleartext legacy access), Modbus for OT communication, and Red Lion Crimson in mixed-vendor setups. These services expand attack paths and raise the risk to industrial systems.

The report also provides Indicators of Compromise (IOCs) and technical details about the operator infrastructure.


Pierluigi Paganini

(SecurityAffairs – hacking, Rockwell PLCs)

  • Security Affairs
  • U.S. agencies alert: Iran-linked actors target critical infrastructure PLCs (Pierluigi Paganini)

U.S. agencies alert: Iran-linked actors target critical infrastructure PLCs

April 8, 2026, 04:46

U.S. agencies warn Iran-linked threat actors are targeting internet-exposed PLCs used in critical infrastructure networks.

U.S. agencies, including the FBI and CISA, warn that Iran-linked hackers are targeting internet-exposed Rockwell/Allen-Bradley PLCs used in critical infrastructure. The agencies published a joint advisory involving multiple federal organizations.

“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.” reads the joint advisory. “This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.”

Threat actors are carrying out cyberattacks targeting internet-connected operational technology (OT) across multiple critical infrastructure sectors. Iran-linked actors are believed to be behind the activity, aiming to cause disruption in areas such as government services, water systems, and energy.

The attacks involve manipulating project files and altering data shown on HMI and SCADA systems, leading in some cases to operational disruptions and financial losses. Authorities urge organizations to review indicators of compromise and apply mitigations to reduce risks. The campaign has been linked to groups like CyberAv3ngers, associated with Iran’s IRGC.

Organizations are advised to assess exposed devices, follow security guidance from vendors, disconnect systems from the internet where possible, and coordinate with authorities for incident response and mitigation support.

“The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations.” continues the alert. “Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel.”

During a campaign starting in November 2023, IRGC-linked hackers known as CyberAv3ngers targeted U.S. PLCs and HMIs, disrupting operations. Also tracked under multiple names, the group compromised at least 75 devices, including Unitronics PLCs used across sectors like water and wastewater systems.

“During a similar campaign beginning in November 2023, the IRGC CEC-affiliated cyber threat actors known as “CyberAv3ngers” targeted U.S.-based PLCs and HMIs, causing disruptive effects. Private industry and open sources also refer to this group as Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group. These attacks compromised at least 75 devices, targeting U.S.-based Unitronics PLC devices with an HMI used across multiple critical infrastructure sectors, including WWS”

According to the joint advisory, Iran-linked actors gained initial access to internet-facing Rockwell/Allen-Bradley PLCs using overseas IPs and leased infrastructure, leveraging tools like Studio 5000 Logix Designer. They targeted devices such as CompactLogix and Micro850. For command and control, attackers used ports including 44818, 2222, 102, 22, and 502, and deployed SSH tools like Dropbear for remote access. Activity suggests possible targeting of other vendors, including Siemens PLCs. The attacks enabled the extraction of project files and manipulation of data on HMI and SCADA systems, causing disruption.

Government experts recommend disconnecting PLCs from the internet or protecting them with a firewall, monitoring OT ports for suspicious traffic, scanning logs for indicators of compromise, enabling multifactor authentication, updating firmware, disabling unused services or default keys, and continuously monitoring network activity.
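One way to act on the "monitor OT ports" recommendation, as an added example that is not part of the advisory or the original article: a small Python check that reads firewall flow records and flags traffic to PLCs on the ports the advisory names. The CSV layout, the site address ranges, the engineering-workstation allowlist and the severity labels are all assumptions made for this sketch, and the sample records are constructed.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Ports named in the joint advisory, with the protocol usually found on each.
ADVISORY_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP I/O",
    102: "ISO-TSAP (Siemens S7)",
    22: "SSH",
    502: "Modbus/TCP",
}

# Hypothetical site layout; replace with your own addressing plan.
PLC_NETWORK = ip_network("10.20.0.0/24")
SITE_NETWORKS = [ip_network("10.0.0.0/8")]
ENGINEERING_HOSTS = {ip_address("10.10.5.21")}

SEVERITY_RANK = {"review": 0, "blocked": 1, "critical": 2}

# Constructed flow records (documentation address ranges stand in for internet hosts).
SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,dst_port,action
2026-04-08T02:11:04Z,10.10.5.21,10.20.0.15,44818,allow
2026-04-08T02:14:37Z,203.0.113.77,10.20.0.15,44818,allow
2026-04-08T02:14:52Z,203.0.113.77,10.20.0.15,22,allow
2026-04-08T02:15:10Z,203.0.113.77,10.20.0.16,502,deny
2026-04-08T03:01:00Z,10.30.1.9,10.20.0.15,102,allow
2026-04-08T03:05:00Z,198.51.100.4,10.20.0.15,443,allow
2026-04-08T03:06:00Z,10.10.5.21,10.40.0.3,22,allow
2026-04-08T03:07:00Z,not-an-ip,10.20.0.15,502,allow
"""


def classify(row):
    """Return a finding for one flow record, or None if the traffic is expected."""
    src = ip_address(row["src_ip"])
    dst = ip_address(row["dst_ip"])
    port = int(row["dst_port"])
    if dst not in PLC_NETWORK or port not in ADVISORY_PORTS:
        return None  # not a PLC, or not one of the advisory's ports
    if src in ENGINEERING_HOSTS:
        return None  # sanctioned engineering workstation
    external = not any(src in net for net in SITE_NETWORKS)
    if not external:
        severity = "review"      # internal host that is not on the allowlist
    elif row["action"] == "allow":
        severity = "critical"    # PLC reachable from outside the site
    else:
        severity = "blocked"     # firewall held, but the PLC is being probed
    return {
        "time": row["timestamp"],
        "src": str(src),
        "dst": str(dst),
        "port": port,
        "protocol": ADVISORY_PORTS[port],
        "severity": severity,
    }


def analyze(log_text):
    """Classify every record; malformed rows are counted, not silently dropped."""
    findings, skipped = [], 0
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            finding = classify(row)
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        if finding:
            findings.append(finding)
    return findings, skipped


def summarize(findings):
    """Group findings per source so one host touching several ports stands out."""
    by_source = {}
    for f in findings:
        entry = by_source.setdefault(
            f["src"], {"ports": set(), "targets": set(), "worst": "review"})
        entry["ports"].add(f["port"])
        entry["targets"].add(f["dst"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["worst"]]:
            entry["worst"] = f["severity"]
    return {src: {"ports": sorted(e["ports"]),
                  "targets": sorted(e["targets"]),
                  "worst": e["worst"]}
            for src, e in by_source.items()}


if __name__ == "__main__":
    found, bad_rows = analyze(SAMPLE_FLOWS)
    for src, info in summarize(found).items():
        print(src, info)
    print("malformed rows skipped:", bad_rows)
```
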

In mid-March, the EU sanctioned Chinese and Iranian firms and individuals for cyberattacks targeting critical infrastructure and over 65,000 devices across member states.


Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

  • bellingcat
  • When Satellite Imagery Goes Dark: New Tool Shows Damage in Iran and the Gulf (Jake Godin)

When Satellite Imagery Goes Dark: New Tool Shows Damage in Iran and the Gulf

April 7, 2026, 10:35

Access to open source visuals of the current Iran conflict, which has spread to many parts of the Middle East, continues to be sporadic. Videos and photos from within Iran trickle out on social media as the Iranian internet blackout hinders the flow of digital communication. 

In past conflicts, satellite imagery has provided a vital overview of potential damage to both military and civilian infrastructure, especially when there are digital black spots or obstacles to on-the-ground reporting. But imagery from commercial providers is becoming increasingly restricted, leaving even those who have access to the most expensive imagery in the dark. 

Shortly after the war in Gaza began in 2023, Bellingcat introduced a free tool authored by University College London lecturer and Bellingcat contributor, Ollie Ballinger, that was able to estimate the number of damaged buildings in a given area. This helped monitor and map the scale of destruction across the territory as Israel’s military operation progressed. 

Bellingcat is now introducing an updated version of the open source tool — called the Iran Conflict Damage Proxy Map — focused on destruction in Iran and the wider Gulf region. 

It can be accessed here.

How it Works


The tool works by conducting a statistical test on Synthetic Aperture Radar (SAR) imagery captured by the Sentinel-1 satellite which is part of the Copernicus mission developed and operated by the European Space Agency. SAR sends pulses of microwaves at the earth’s surface and uses their echo to capture textural information about what it detects. 

The SAR data for the geographic area covered by the tool is put through the Pixel-Wise T-Test (PWTT) damage detection algorithm, which was also developed by Ollie Ballinger. It takes a reference period of one year’s worth of SAR imagery before the onset of the war and calculates a “normal” range within which 99% of the observations fall. It then conducts the same process for imagery in an inference period following the onset of the war, and compares it to the reference period. The core idea is that if a building has become damaged since the beginning of the war, then the “echo” (called backscatter) from that pixel will be consistently outside of the normal range of values for that particular area. Investigators can then further probe potential damage around this highlighted area.

The plot below shows how the process was applied to Gaza and several Syrian, Iraqi and Ukrainian cities. The bars represent the weekly total number of clashes in each place, sourced from the Armed Conflict Location Event (ACLED) dataset. The pre-war reference periods are shaded in blue, spanning one year before the onset of each conflict. The one month inference periods after the respective conflicts began are shaded in orange. The blue and orange areas are what the tool compares.

The plot below shows an area with a number of warehouses in Tehran’s southwest. Some of the buildings show clear damage in optical Sentinel-2 imagery (something that has to be accessed outside of the tool via the Copernicus Browser). 

Clicking on the map within the tool generates a chart displaying that pixel’s historical backscatter; the red dotted lines denote a range within which 99% of the pre-war backscatter values fall. In this example, we can see that from March 14 onwards, the backscatter values over this warehouse begin to consistently fall outside of their historical normal range. This could signal that damage has been detected in the area.

Two aspects of this workflow are important. The first is that it uses free and fully open access satellite data, as opposed to commercial satellite services. The second is that it overcomes some key limitations of AI in this domain, the most serious of which is called overfitting. This is where a model trained in one area is deployed in a new unseen area, and fails to generalise. Because we’re only ever comparing each pixel against its own historical baseline, we don’t run into that problem.
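The per-pixel comparison described above (a one-year reference period, a 99% normal range, and an inference period after the onset of the war) can be sketched as follows. This is an added example, not the PWTT author's or Bellingcat's code: the backscatter series, the 6-day cadence, the 3 dB drop, the normal-approximation band and the three-observation run length are all assumptions made for illustration.

```python
"""Per-pixel baseline test in the spirit of the description above.

Added illustration with constructed data; not the published PWTT code.
"""
from datetime import date, timedelta
from math import cos, sin, sqrt
from statistics import mean, stdev

WAR_ONSET = date(2026, 2, 28)  # onset date taken from the page
Z_99 = 2.576                   # two-sided 99% quantile of a normal distribution


def constructed_series(damaged_from=None):
    """Return [(date, backscatter_dB)] for one pixel. Constructed data."""
    start = date(2025, 3, 1)
    series = []
    for i in range(69):
        day = start + timedelta(days=6 * i)  # assumed 6-day revisit
        # Deterministic stand-in for speckle and seasonal variation.
        value = -8.0 + 0.5 * sin(1.7 * i) + 0.3 * cos(0.9 * i)
        if damaged_from is not None and day >= damaged_from:
            value -= 3.0  # assumed persistent change once the roof is gone
        series.append((day, value))
    return series


def split_periods(series, onset, reference_days=365):
    """Split one pixel's history into reference and inference periods."""
    ref_start = onset - timedelta(days=reference_days)
    reference = [(d, v) for d, v in series if ref_start <= d < onset]
    inference = [(d, v) for d, v in series if d >= onset]
    return reference, inference


def normal_range(values):
    """Band expected to hold 99% of reference values (normal approximation)."""
    centre, spread = mean(values), stdev(values)
    return centre - Z_99 * spread, centre + Z_99 * spread


def welch_t(reference, inference):
    """Welch's t-statistic for the shift in mean backscatter."""
    se = sqrt(stdev(reference) ** 2 / len(reference)
              + stdev(inference) ** 2 / len(inference))
    return (mean(inference) - mean(reference)) / se


def first_sustained_departure(inference, low, high, run=3):
    """Date starting the first run of `run` consecutive out-of-band values."""
    streak_start, streak = None, 0
    for day, value in inference:
        if low <= value <= high:
            streak_start, streak = None, 0  # back in band: reset the run
            continue
        if streak == 0:
            streak_start = day
        streak += 1
        if streak >= run:
            return streak_start
    return None


def assess_pixel(series, onset=WAR_ONSET):
    """Compare a pixel's post-onset values with its own pre-war baseline."""
    reference, inference = split_periods(series, onset)
    if len(reference) < 10 or len(inference) < 2:
        raise ValueError("too few observations for a meaningful comparison")
    ref_vals = [v for _, v in reference]
    inf_vals = [v for _, v in inference]
    low, high = normal_range(ref_vals)
    return {
        "n_reference": len(ref_vals),
        "n_inference": len(inf_vals),
        "range": (low, high),
        "outside": sum(1 for v in inf_vals if not low <= v <= high),
        "t": welch_t(ref_vals, inf_vals),
        "first_sustained_departure":
            first_sustained_departure(inference, low, high),
    }


if __name__ == "__main__":
    for label, hit in (("intact", None), ("damaged", date(2026, 3, 14))):
        result = assess_pixel(constructed_series(damaged_from=hit))
        print(label, result)
```

A single out-of-band observation resets nothing and proves nothing; requiring a run of consecutive departures is what separates a persistent change from one noisy acquisition.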

Accuracy


The PWTT has been published in a scientific journal after two years of review. Its accuracy was assessed using an original dataset of over two million building footprints labeled by the United Nations, spanning 30 cities across Gaza, Ukraine, Sudan, Syria, and Iraq. Despite being simple and lightweight, the algorithm achieved building-level accuracy statistics (AUC=0.87 in the full sample) rivaling state-of-the-art methods that use deep learning and high resolution imagery. The plot below compares building-level predictions from the PWTT against the UN damage annotations in Hostomel, Ukraine. True positives (PWTT and United Nations agree on damage) are shown in red, true negatives are shown in green, false positives in orange, and false negatives in purple. The graphic shows the accuracy of the tool, while also emphasising that further checks on what it highlights should be conducted to draw full conclusions.

It is important to note that just because the tool may show a high probability of a building or buildings being damaged or destroyed, that doesn’t make it definite. 

It is best to check with any other available imagery: either open source photos and videos that have been geolocated by a group such as Geoconfirmed, or Sentinel-2 as well as other commercial satellite imagery if it is up to date for the area. At time of publication, Sentinel-2 satellite imagery still offers coverage over the area that the tool focuses on. Other commercial satellite imagery providers have limited their coverage.

What the tool excels at is highlighting and narrowing down areas so that further corroboration or further confirmation can be sought.

Testing the Tool


Using the Iran Conflict Damage Proxy Map, we can spot some of the larger areas of potential damage or destruction that have occurred since the Iran war started. 

Starting from a zoomed-out view of Tehran, there are a few spots that appear with large clusters of high damage probability. Cross-referencing these locations with open source map data from platforms like OpenStreetMap or Wikimapia, we can start finding sites that would make for likely targets – such as military sites.

One example of a potentially damaged site visible in the tool is the Valiasr Barracks in central Tehran, which was struck in the first week of the war. By going to the Copernicus Browser and reviewing the area with optical Sentinel-2 imagery, we can see clear indications of damage at the barracks.

IRGC Valiasr Barracks in Tehran:

Below: Sentinel-2 comparison of February 20 and March 17.

A large Islamic Revolutionary Guard Corps (IRGC) compound near Isfahan is another example of military infrastructure that is readily visible in both the Iran Conflict Damage Proxy Map as well as Sentinel-2 imagery. 

IRGC Ashura Garrison in Isfahan:

Below: Sentinel-2 comparison of February 20 and March 17.

Air bases have also been a frequent target for U.S.-Israeli strikes in Iran. The Fath Air Base just outside of Tehran, near the city of Karaj, shows the signature of potential damage when using the tool. Checking Sentinel-2 imagery shows damage to multiple large buildings on the northern side of the base.

Fath Air Base in Karaj:

Below: Sentinel-2 comparison of February 20 and March 17.

The U.S. has stated that destroying Iran’s “defense industrial base” is also a goal, which makes large areas like the Khojir missile production complex east of Tehran a good location to search with this tool. The tool suggests large clusters of damage on both the eastern and western sides of the complex — near areas where solid propellant is reportedly produced and where other fuel components are reportedly made.

Khojir Missile Production Complex outside of Tehran:

Below: Sentinel-2 comparison of February 20 and March 17.

Usage in the Gulf Region

While useful for providing a sense of damaged areas in Iran, the Iran Conflict Damage Proxy Map can also be used to see damage outside of Iran, particularly at sites in the region which Iran has been targeting with drones and missiles.

In the below example at Al Udeid Air Base in Qatar, which hosts U.S. Central Command’s Combined Air Operations Center, there is a notable indication of damage over a warehouse-like building at 25.115647, 51.333125. Checking the same location in Sentinel-2 imagery shows that there does appear to be damage at that warehouse — represented by a large blackened area on the white roof. According to Qatar’s Ministry of Defense, at least one Iranian ballistic missile struck the base in early March.

Al Udeid Air Base in Qatar:

Below: Sentinel-2 comparison of February 22 and March 14.

Civilian sites struck by Iranian drones or missiles are also visible in the tool — though the damage has to be fairly large in order to be picked up. Something like damage to the sides of high rise buildings from an Iranian drone attack doesn’t readily appear in the tool. Sites that do appear are places like oil refineries, such as a fuel tank at Fujairah port in the United Arab Emirates. 

Fuel tanks at Fujairah Port, UAE:

Below: Sentinel-2 comparison of March 3 and March 28.

Accessing the Tool

It’s important to keep in mind that the data for the Iran Conflict Damage Proxy Map is updated approximately one or two times per week as new satellite data is collected by the Sentinel-1 satellite, so it’s not meant to be a representation of real-time damage to buildings. 

Still, it can be useful for researchers to quickly gain an overview of damage throughout Iran and the Gulf where suspected strikes may have taken place and when there is no other open source information available.

You can access the Iran Conflict Damage Proxy Map here.

Similar tools using the same methodology to assess damage in Ukraine following Russia’s full-scale invasion and Turkey following the 2023 earthquake can be found here. The Gaza Damage Proxy Map can be found here.


Bellingcat’s Logan Williams contributed to this report.

This article was updated on April 7, 2026, to note that Sentinel-1 and Sentinel-2 are part of the Copernicus mission developed and operated by the European Space Agency.


The post When Satellite Imagery Goes Dark: New Tool Shows Damage in Iran and the Gulf appeared first on bellingcat.

Missile Alert Phishing Exploits Iran-US-Israel Conflict for Microsoft Logins

New Phishing scam uses fake missile alerts and the ongoing conflict involving Iran to target users with QR codes and fake government emails to steal Microsoft passwords.
Iran-Linked “Password Spraying” Targets Municipal Response to Missile Strikes

The post Iran-Linked “Password Spraying” Targets Municipal Response to Missile Strikes appeared first on Daily CyberSecurity.

The War You’re Not Allowed to See: How the UAE Rewrites the Story of Iranian Strikes

April 2, 2026, 12:29

Bellingcat has identified several high-profile incidents where authorities in the United Arab Emirates have downplayed damage, mischaracterised interceptions and in some instances not acknowledged successful Iranian drone strikes on the country.

A review of official statements shows that the public account does not always align with what can be observed through open sources. This comes as the UAE faces sustained aerial attacks on civilian and economic infrastructure, challenging its image as a secure global hub for business and tourism. Hours after the United States and Israel launched coordinated attacks on Iran on Feb. 28, the Islamic Republic responded by launching an attack against US allies in the region including the UAE.

In the wake of the attacks, the UAE’s attorney general warned that publication of images or videos of strikes was illegal. People were also encouraged to report anyone sharing photos or videos of the strikes to authorities. 

The country’s attorney general has ordered the arrest of 35 people and said they would face an expedited trial for “publishing video clips on social media platforms containing misleading, fabricated content and content that harmed defence measures and glorified acts of military aggression against UAE.” Separately police in Abu Dhabi reported they had arrested just over 100 people on suspicion of filming incidents related to Iran’s attacks on the UAE and sharing misleading information online.

Bellingcat contacted the Dubai Media Office, the Fujairah Media Office as well as the UAE’s Ministry of Defence to understand how statements are put out and how distinctions are made between successful drone strikes and damage caused by debris. We did not receive a response by the time of publication.

“Spreading Rumours is a Crime”

During the first days of the conflict several videos were posted on social media, primarily on X, TikTok and Telegram showing footage of Iranian attacks and interceptions across the UAE. 

Around the same time the Dubai Media Office, the X account of the Government of Dubai’s press office, warned followers that legal action would be taken against those sharing “unverified material”.

The X account of the Dubai Media Office has more than 2.3 million followers, making it one of the largest state-run accounts in the country.

“The public and media are urged to rely solely on official sources for accurate information and refrain from sharing unverified material,” the account posted.

Dubai Police issued similar warnings on social media, stating that sharing content that contradicts official announcements could lead to imprisonment of at least two years and fines of no less than 200,000 dirhams (approximately $55,000).

An image shared by Dubai Police on March 3, 2026. Source: X/DubaiPoliceHQ

Despite authorities urging the public to rely on official sources only, Bellingcat found that some of the videos posted online as well as satellite imagery from the region contradict a number of official accounts of high-profile attacks. For this piece we have only included links to videos that have already been widely published in mainstream news outlets, posted by professional journalists, or have been widely viewed on social media.

Successful Interceptions?

On March 3, a video filmed from a vessel appears to show a drone striking the port of Fujairah, one of the UAE’s most strategically important energy hubs. The port handles roughly 1.7 million barrels of oil per day and is among the world’s largest.

The drone appears to approach its target intact, with no visible sign of interception, Sam Lair, a researcher at James Martin Center for Nonproliferation Studies, told Bellingcat. 

Moments after it descends behind storage tanks, an explosion is heard and a large plume of smoke rises from the site.

On the same day, the Fujairah Media Office stated that a fire resulted from debris following a successful interception, adding that the fire had been brought under control. Satellite images captured on March 4 and 5 show thick black smoke rising from the site. NASA FIRMS data also detected fires on March 3, March 4 and March 5. By March 7, satellite imagery shows at least three storage tanks fully destroyed (25.184565, 56.345481).

Satellite imagery of Fujairah oil port from March 7, 2026, provided by Planet Labs PBC.

Detained in Dubai, a group that provides legal advice to people detained in the UAE, said that a Vietnamese national who filmed the strike on Fujairah port had been detained by authorities after posting the footage online. 

Authorities made a similar report on March 1, stating that a fire at one of the berths of Jebel Ali Port was caused by debris from an aerial interception. Satellite imagery from the same day shows fires at two separate locations – approximately 3 km apart – within the port. One appears to be a central facility associated with fuel handling operations, connected via pipelines to surrounding storage tanks (25.00704, 55.07499). The other is a large structure (24.97953, 55.05204) in the military area of the port, which is one of the US Navy’s busiest ports in the Middle East. The New York Times previously identified an Iranian strike as the cause of the fire at the site. 

Satellite imagery of Jebel Ali Port from March 1, 2026, Planet Labs PBC, inset imagery Google Earth. 

Burj Al Arab: A “Limited” Fire

Damage at Dubai’s Burj Al Arab Hotel was attributed by the Dubai Media Office to “shrapnel” from an intercepted drone and described as a “limited” fire. However, footage shows the fire extended to approximately 30 metres in height, covering approximately eight floors of the building, suggesting a far more significant incident than officially described.  

Lair told Bellingcat that the damage appeared more consistent with a direct impact. He added that if the damage had resulted from an interception it would have occurred irresponsibly close to the building.

Fairmont The Palm: Omission of Cause

On Feb. 28, the Fairmont hotel in Dubai’s Palm Jumeirah area was struck by a drone, as shown in footage verified by Bellingcat.

However, the Dubai Media Office did not confirm a strike took place. Instead, it stated only that an “incident occurred in a building in the Palm Jumeirah area,” and urged the public not to share footage.

One video of the fire was shared by a Dubai-based Bloomberg journalist. In the replies to the journalist’s post, multiple users tagged the Dubai Police, a pattern seen across posts documenting the strikes, in an apparent effort to flag violations of the cyber-crime laws to authorities.  

The aftermath of the strike was also captured by a content-creator who has since left the UAE. 

Radha Stirling, founder of Detained in Dubai, told Bellingcat at least five people have been confirmed by the British embassy to have been charged and detained under the UAE’s cybercrime law in connection with documenting this strike. According to Stirling, authorities have sought access to individuals’ phones following incidents to determine whether they filmed or shared footage.

“Even just taking a photo is illegal, it’s illegal to share content that the government deems negative, even in a private message,” Stirling said.

Dubai International Airport: An Unacknowledged Strike

On March 7, the Dubai Media Office announced the temporary suspension of operations at Dubai International Airport, stating only that a situation was being handled under safety protocols. 

Footage that emerged online around the same time, and was verified by Bellingcat, shows a drone strike next to an airport terminal building (25.24165, 55.37498).

Stirling told Bellingcat that she has been in contact with a cabin crew member who was detained after sending an image to colleagues of Dubai airport after an explosion. 

Warda Complex: A Direct Hit

On March 1, a drone struck a residential apartment on the 19th floor of the Warda complex in Dubai (25.004320, 55.293164). Two videos filmed from different angles show the drone hitting the building directly, with no visible sign of interception. In one clip, filmed inside the apartment, a British resident says: “We’ve just been hit by a drone… I didn’t even finish my cup of tea.”

Geolocation diagram with screengrab of drone before impact. Satellite imagery provided by Google Earth. 

The footage shows relatively limited damage and no explosion, indicating the drone did not detonate. However, the incident appears to show a direct hit by an Iranian drone.

In contrast, statements published the same day by the Dubai Media Office describe air defence activity and attribute sounds heard across the emirate to successful interception operations. Bellingcat was unable to find any acknowledgement of a direct hit in UAE media.

These cases point to a gap between official accounts and observable evidence, raising questions about how incidents are being presented to the public.

Influencers and Narrative Control

At the same time, pro-government messaging has proliferated online. A number of near-identical videos posted by influencers promoting the UAE’s safety and leadership appeared, often using the format: “You live in Dubai, aren’t you scared?” followed by images of UAE leaders and the response: “No, because I know who protects us.” 

Screengrab of TikTok post, Source: makshaeva_aa

Analysis by the BBC found that some of these videos were uploaded within seconds of each other, suggesting coordinated activity.

Stirling told Bellingcat that influencers in the UAE, who require licences to operate, are often paid to promote official narratives. “They are seen as an asset,” she said, describing them as “almost an extension of the government.”

As of April 1, UAE media reported that a total of 12 people had been killed and 190 injured by strikes since the beginning of the war.  

“People are dying. It’s not as safe as the government is reporting. It’s not as safe as influencers are reporting. It’s like a dream narrative that you wish was true,” Stirling said.

Bellingcat also identified a number of incidents in which authorities reported deaths or injuries caused by “debris” following “successful interceptions”. In these cases, however, we were unable to identify supporting photo, video, or other independently verifiable evidence to corroborate the official account.

Notably, fewer videos of such incidents appear to have emerged online in recent weeks, likely as public awareness of detentions under the cyber-criminality law has increased.

Jonathan Dagher, head of the Middle East desk at Reporters Without Borders, told Bellingcat that the UAE government was using the Iran war to further restrict independent reporting in the country.

“When the conflict began, the government stepped up this repression, explicitly prohibiting the public (including journalists) from publishing photos or information related to the strikes, and encouraging the public to report on such incidents.”  

He added that legitimate concerns about national security should not infringe on the public’s right to information. 

“Broad and loosely worded bans on covering events, in the name of security, violate this right and expose journalists to arrest and violence.”

Bellingcat contacted the Dubai Media Office, the Fujairah Media Office as well as the UAE’s Ministry of Defence to understand how statements are put out and how distinctions are made between successful drone strikes and damage caused by debris. We did not receive a response by the time of publication.

Lana Nusseibeh, a representative of the UAE’s Foreign Ministry, previously told the BBC:

“In order for everyone to feel safe it’s important at this time that the information is credible and the sources are reliable. That is the basis of the legislation that has come into play in this State, which is obviously a tense time.” 

She added that her advice for residents, citizens, tourists and journalists in the UAE was to: “Follow the guidelines. The guidelines are there for your safety and for your protection.” 


Merel Zoet contributed to this report.


The post The War You’re Not Allowed to See: How the UAE Rewrites the Story of Iranian Strikes appeared first on bellingcat.

Iranian hackers breach FBI director’s personal email, and post his CV and photos online

March 31, 2026, 04:37
It's not every day that you read that the head of America's top law enforcement agency has been hacked, but then - these aren't ordinary times. Read more in my article on the Hot for Security blog.

Dark Web Market Lists Alleged 375TB Lockheed Martin Data for $600M

A dark web market known as Threat Market is listing 375TB of Lockheed Martin data, which it claims was provided by a group calling itself ‘APT Iran.’

Iran-linked group Handala hacked FBI Director Kash Patel’s personal email account

March 28, 2026, 07:22

Iran-linked group Handala claims it hacked FBI Director Kash Patel’s personal email, leaking files. The FBI says no government data was exposed.

Iran-linked hacking group Handala claims it breached FBI Director Kash Patel’s personal Gmail account and shared alleged data, including photos and files. The FBI confirmed it is aware of the incident and has taken steps to mitigate risks, stressing that the exposed material is old and does not involve any government or classified information.

“The FBI is aware of malicious actors targeting Director Patel’s personal email information, and we have taken all necessary steps to mitigate potential risks associated with this activity,” reads a statement issued by an FBI spokesman. “The information in question is historical in nature and involves no government information.”

Handala hacking group: "Soon you will realize that the FBI's security was nothing more than a joke." pic.twitter.com/PsG01nENLf

— Anonymous (@YourAnonCentral) March 27, 2026

Analysis of leaked data confirms that several emails attributed to Kash Patel’s Gmail account are authentic. Some emails were also sent from his former Justice Department account in 2014 and appear genuine.

TechCrunch verified that some leaked emails attributed to Kash Patel’s Gmail account are authentic by analyzing message headers, which confirm the sender and help detect spoofed emails.

The exposed files largely date back to around 2019.

The FBI is offering up to $10 million for information on the Handala hackers.

Since the U.S.-Israeli war with Iran began in February, the Iran-linked group Handala has intensified its cyberattacks. It claimed responsibility for a destructive breach at medical tech firm Stryker that targeted its internal Microsoft environment and remotely wiped tens of thousands of employee devices without using malware. 

The group claimed it wiped more than 200,000 servers, mobile devices, and other systems, forcing the company to shut down offices across 79 countries. The hacktivists also claimed they exfiltrated about 50TB of corporate data from the company’s infrastructure.

Handala presents itself as a pro-Palestinian hacktivist group but is widely seen as a front for Iran-backed Void Manticore, as reported by SecurityWeek. Known for phishing, data theft, extortion, and destructive wiper attacks, the group also engages in information operations and psychological warfare. Since the Iran conflict began, it has targeted Israeli military servers, intelligence officers, and companies, stealing or wiping data.

The Justice Department accused Iran’s Ministry of Intelligence and Security (MOIS) of operating the Handala group. 

Ironically, the FBI director recently said that “Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents,” “We took down four of their operation’s pillars and we’re not done. This FBI will hunt down every actor behind these cowardly death threats and cyberattacks and will bring the full force of American law enforcement down on them.”

However, he was reportedly unable to protect his own email account.

At this stage, it remains unclear how the FBI Director’s email account was compromised, and whether it was protected by at least two-factor authentication. It is also not known if Google had previously issued any warnings to government officials about potential state-sponsored attacks, as it has done in past cases.

Pierluigi Paganini



Two Waves of Bombing: New Videos Reveal Further Details About Iran School Strike

March 27, 2026, 18:12

Bellingcat has geolocated and verified two new videos showing the deadly strikes that hit an Iranian Revolutionary Guard Corps (IRGC) compound as well as an adjacent school in the city of Minab in late February.

The new videos were released by Iran’s Ministry of Foreign Affairs and show multiple missiles hitting the complex. 

One of the new videos shows the area around the school being struck while the other shows a nearby IRGC clinic and two buildings within the IRGC facility being hit by Tomahawk missiles. 


Visual and solar analysis of the videos appears to show there was a time gap between when each was filmed, suggesting that there were at least two waves of strikes carried out in the area. 

Applying the same solar analysis techniques to social media footage that showed the school after it had been hit indicates the school was impacted during the first wave of strikes.

Previous investigations by Bellingcat and other news organisations showed a US Tomahawk missile struck the IRGC facility on Feb. 28. 

The US is the only party to the conflict to possess Tomahawk missiles.

Media reports, including from the New York Times and Reuters, have since detailed that a preliminary investigation by the US military concluded it was likely a US strike that hit the Shajarah Tayyebeh elementary school.

According to Iranian media, at least 175 people were killed in the attack, including children.

Analysing New Minab Videos

The first video (video one) is filmed from just over 2.5 kilometres (1.5 miles) away from the IRGC base and shows at least 10 missiles impacting the area over a period of 50 seconds.

The first explosion is visible five seconds into the video. The area around where the school was located is struck at 14 seconds. This is the fourth explosion visible in the footage.

Another structure that was damaged in the strikes is situated approximately 100 metres away from the school in the same general area. It was therefore not possible to determine which exact structure was hit from this footage alone.

Screenshot of Video one showing 10 missiles striking the area. The fourth impact hits the area around the school (white box), seconds after the first three explosions. Annotation by Bellingcat. Source: Tasnim News.

The second new video (video two) was filmed approximately two kilometres southeast of the school, and is of a higher quality than video one. This video shows three Tomahawk missiles in the moments before impact.

Screenshots from Video two showing each Tomahawk missile before impact. Annotations added by Bellingcat. Source: Iran Ministry of Foreign Affairs.

Video two includes annotations and pauses when each Tomahawk appears on screen. 

A frame-by-frame analysis also shows what appear to be two minor visual glitches where some frames are transposed and annotations were added, highlighting when missiles can be seen.

The second impact seen in video two is the same as seen in footage released by Iranian media in early March, and previously reported on by Bellingcat and others, only from a different perspective.

Video two also only shows the southern part of the base, with its northern section not visible. The school is located on the northern edge of the base and is therefore not visible in video two.

Left: Tomahawk missile strike in footage previously published showing Tomahawk strike in Minab. Right: The same strike visible in Video two. Sources: Mehr News and Tasnim News.

Bellingcat asked the Iranian Ministry of Foreign Affairs why only part of the strike, as seen in video one, was released and if there was a longer version that may show further impacts. We did not receive a response before publication.

Bellingcat also asked the US Department of Defense whether it had any further information on the strike since its reported preliminary findings. It referred us to CENTCOM, which said: “We have nothing for you on this. The investigation is still ongoing.”

Geolocating the Videos

Bellingcat was able to geolocate and verify video one by tracing sightlines on satellite imagery to determine the camera’s location and identify objects such as buildings, trees and a water tower within the IRGC facility. 

According to this analysis, video one was most likely filmed from an electric substation southeast of the school.

Left: Screengrab from video one. The dashed vertical lines represent the intersection of planes of constant angle with the image plane. These planes connect the center of the camera and enable the selected elements to be geolocated. Right: annotated satellite imagery showing the corresponding perspective lines and the geolocated elements. The analysis allowed us to identify, geolocate buildings and locate the explosion points. Annotated by Bellingcat. Source: Tasnim News. Satellite Image: Google Earth/Airbus

Once all key elements were identified and geolocated, we analysed each explosion that can be seen in the footage. 

Fourteen seconds into video one, the fourth impact appears to hit the area immediately around the school, which was approximately 200 meters behind a water tower. 

While the school was walled off and outside the IRGC facility, the water tower and another building (situated between the school and the water tower) are located within it.

Due to the relatively small distance between the school and the other IRGC building (roughly 100m), it was not possible to determine what structure was hit at the moment of the strike visible in video one.

More information, such as obtaining the entire strike video sequence, would be needed to fully determine which structure was hit in this footage. However, social media footage captured at the scene does suggest that the school was hit around this time.

Left: Line of sight passing by the yellow building intersects the point of the fourth explosion from behind the IRGC water tower. Center: Direction of line of sight intersects the school and passes close to a nearby IRGC building. Both buildings were damaged in the attack. Right: Satellite image showing both the school and the IRGC building. More details would be needed to determine which of the two buildings was hit in this video. Satellite image: Google Earth/Airbus.

For video two, we stitched together a rough panorama of what could be seen in the footage. 

This made it possible to match up multiple buildings visible southeast of the IRGC base and school, while also building rough sightlines to show which part of the base was being filmed.

Annotated geolocation with Google Earth imagery showing key visual elements visible in the stitched panorama from the end of Video two and their corresponding locations in satellite imagery. Source: Tasnim News. Satellite Image: Google Earth/Airbus/Maxar.

Bellingcat was able to narrow down the areas hit by the three missiles seen in video two by comparing it with the point of view of a short video released in early March, showing a Tomahawk hitting the complex, as well as with what could be seen in video one. Post-strike satellite imagery also helped confirm the buildings that were hit in the footage. 

We were thus able to determine that video two shows an IRGC clinic and two buildings within the IRGC compound being hit.

Left: Planet SkySat imagery of the IRGC Base, and the adjacent school and health clinic, collected March 04, 2026 after the strikes. Annotated by Bellingcat. Right: Screenshots of the three explosions in video two. Sources: Planet and Iran Ministry of Foreign Affairs

Time of the Strikes

The Iranian Ministry of Foreign Affairs has claimed that two waves of strikes occurred.

Initial analysis did suggest that video one and two appeared to be filmed at different times as the strikes visible in each clip cannot be synced up. 

Solar data also gives clues as to the time each was taken, suggesting that there was a time gap of at least an hour between the strikes seen in the two videos.

According to the New York Times, the strikes were first reported on social media just after 11:30 am.

Solar data, derived from the direction of shadows visible in video one and simulated via the SunCalc platform, appears to indicate it was filmed between 10:30 and 11:30 am.

Left: Screengrab from video one showing an object on a roof casting a shadow consistent with a time between 10:30-11:30 a.m. on February 28, 2026. Right: Solar data simulation centred on the object. Source: Tasnim News, SunCalc.org

Analysing the shadows seen in the earlier March video using the same method appears to show that it was filmed between 13:30 and 14:30.

This would seem to indicate that video two and the earlier March video were likely filmed after video one.

Left: Screengrab from the earlier March video showing rebars casting a shadow parallel to the building construction and consistent with a time between 13:30-14:30 on February 28, 2026. Top Right: Solar data simulation centred on the object. Bottom Right: Satellite image showing the shadow direction along the building line. Source: The Washington Post, SunCalc.org. Satellite Image: Google Earth Pro/Airbus

Solar data from a video posted to Telegram showing the smouldering school, and damage to the nearby IRGC building about 100m away, shows that it was recorded around the time of the first video.

Left: Screengrabs from a video released the day of the strikes, showing the destroyed school (blue), and damaged roof of the IRGC building about 100m away (red box). Inset: Planet SkySat imagery showing this building (red) and the school (blue). Right: The shadow cast by the bystander is consistent with a time between 11:00-12:00 on February 28, 2026. Right: Solar data simulation centred on where the bystander was standing. Sources: Mehr News, Planet, and SunCalc.

This, therefore, appears to confirm that the school was impacted before the wave of attacks seen in video two.

Iranian media previously released images of munition remnants they claim they recovered from the school. 

Bellingcat was not able to verify where the remnants were originally found, but was able to identify them as Tomahawk missile remnants. The New York Times also confirmed this identification by matching the contract number on a remnant to a contract for the Tomahawk missile.


Bellingcat’s Carlos Gonzales, Jake Godin and Trevor Ball contributed research to this article.


The post Two Waves of Bombing: New Videos Reveal Further Details About Iran School Strike appeared first on bellingcat.

Iran-Linked Handala Hackers Breach FBI Chief Kash Patel’s Gmail

Iran-linked Handala hackers breached FBI Chief Kash Patel’s Gmail, leaking photos and documents. Officials say no classified data was exposed.