How geopolitical instability is reshaping cyber resilience strategies

As geopolitical tensions fuel rising cyberattacks, organizations are turning to threat intelligence and cyber resilience to protect critical infrastructure and operations


Wars are no longer fought solely on the ground. Increasingly, they are unfolding silently across banking systems, airports, hospitals, telecom networks, government infrastructure, and supply chains.

As geopolitical tensions escalate globally, cyberattacks are becoming more coordinated, disruptive, and difficult to contain. What was once viewed as a technical risk is now emerging as a strategic business and national security challenge – particularly in regions accelerating digital transformation at scale.

For economies across the Middle East, where governments and enterprises are investing heavily in smart infrastructure, connected services, aviation, energy, and digital public platforms, the stakes are even higher. Every new layer of connectivity creates opportunity, but also vulnerability.

“Wars today are fought online just as much as they are fought offline,” says Toufic Derbass, Managing Director for the Middle East, Turkiye and Africa at Kaspersky.

That shift is fundamentally reshaping the cyberthreat landscape. From advanced persistent threat (APT) groups and state-aligned actors to hacktivists and organized cybercrime networks, attackers are becoming more sophisticated – and increasingly interconnected in the way they operate.

As a result, cyber resilience is no longer simply about preventing attacks. It is about ensuring operational continuity, maintaining trust, and building the ability to anticipate threats before they escalate into disruption.

THE CYBER PLAYBOOK IS CHANGING

Periods of geopolitical instability have historically triggered spikes in cyber activity, but the nature of attacks has evolved significantly in recent years.

According to Derbass, organizations are now facing a shift from traditional cyber espionage toward more disruptive operations capable of impacting physical infrastructure, critical services, and economic stability.

“Previously, we saw APT activity focused on spying. Today, we see them launching more disruptive attacks,” he says. 

Earlier this year, Kaspersky researchers discovered a wiping campaign targeting the energy and utilities sectors. The novel file wiper, dubbed Lotus Wiper, is designed to destroy data and files so that they cannot be recovered after an attack.

Hacktivist groups, once largely associated with DDoS attacks and digital protests, are also becoming more aggressive. Organizations are increasingly encountering “hack-and-leak” operations, destructive malware, and attacks targeting operational systems.

At the same time, the rise of interconnected digital infrastructure has dramatically widened the attack surface. Sectors such as government, healthcare, aviation, telecoms, banking, defense, and energy are particularly exposed because of their role in national resilience and economic continuity. Derbass describes these as “mature” sectors, meaning they have already invested heavily in security, yet they remain prime targets.

“We’ve seen cases where CCTV cameras are being hacked to track or even launch physical attacks,” Derbass says.

The growing convergence between cyber and physical risk is changing how organizations approach cybersecurity strategy altogether.

WHY ATTRIBUTION HAS BECOME CRITICAL

One of the biggest challenges organizations face today is identifying who is behind an attack – and understanding their intent.

Nation-state operators, hacktivists, and cybercrime groups often operate with different motivations, capabilities, and objectives. But the lines separating them are increasingly blurring.

“Yes, we believe so,” says Derbass when asked whether distinctions between these actors are dissolving. “We see a lot of similarities in the attacks, and this is where an important aspect of what we do comes to the fore, and it is attribution.”

According to Derbass, attribution allows researchers to determine who is carrying out an attack, why they are doing so, and how quickly organizations need to respond.

That visibility can be the difference between containing an isolated incident and missing a broader coordinated threat.

Derbass points to a recent case in which Kaspersky researchers identified an APT group quietly operating within an organization’s systems before a separate hacktivist group launched a disruptive attack.

“If we didn’t have the proper attribution, we would have thought it was the same incident and identified that there are two different actors,” he explains. “If you solve one, it doesn’t mean you have solved the other.”

Kaspersky currently tracks more than 900 APT groups and operations globally, including over 25 groups specifically targeting the Middle East. Through its Global Research and Analysis Team (GReAT), researchers monitor evolving attacker behavior, tactics, infrastructure, and campaigns in real time.

MOVING FROM REACTIVE TO PROACTIVE DEFENSE

For many organizations, cybersecurity still revolves around responding after an incident has already occurred. But in a threat landscape evolving in real time, reactive security models are becoming increasingly unsustainable.

“A problem can happen somewhere, but it doesn’t mean it happens everywhere,” says Derbass. “We can detect the first attack and share the information before it spreads.”

Threat intelligence is becoming central to that proactive approach.

By processing telemetry from millions of endpoints globally, cybersecurity researchers can identify malicious activity early, analyze behavioral patterns, and distribute threat intelligence across networks before attacks escalate.

Kaspersky says it currently detects more than 500,000 new malicious files every day. Once identified, threat signatures and indicators of compromise can be shared in real time across customer systems, security operations centers, firewalls, SIEM platforms, and extended detection and response (XDR) environments.
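The two points above, sharing indicators across SIEM and XDR tooling and keeping attribution attached to them so that two actors on one host are not mistaken for one incident, can be illustrated with a small matching routine. The following is an added example written for this page, not Kaspersky code or a Kaspersky feed format: the indicator feed, the campaign labels, the host names and the log lines are all constructed, and the hashes are deliberately fake.

```python
"""Added example (not from the article): match a shared IOC feed against
key=value log lines the way a SIEM/XDR rule would, keeping the campaign
label on every hit so that different actors stay separable."""
import re
from collections import defaultdict

SHA256_RE = re.compile(r"[0-9a-f]{64}")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
KV_RE = re.compile(r"(\w+)=(\S+)")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed indicator feed. Hash, domain and IP are hypothetical; the
# campaign field stands in for the attribution a vendor attaches to an IOC.
IOC_FEED = [
    {"type": "sha256", "value": "deadbeef" * 8, "campaign": "wiper-A", "severity": "critical"},
    {"type": "domain", "value": "update-cdn.example", "campaign": "wiper-A", "severity": "high"},
    {"type": "ipv4", "value": "203.0.113.42", "campaign": "hacktivist-B", "severity": "medium"},
]

# Constructed sample events: EDR process, DNS and network telemetry, one per line.
SAMPLE_LOGS = [
    "2026-03-02T10:14:07Z host=fin-ws-17 event=process_create sha256=" + "deadbeef" * 8 + " image=C:\\Users\\a\\svchost.exe",
    "2026-03-02T10:14:09Z host=fin-ws-17 event=dns_query qname=update-cdn.example",
    "2026-03-02T10:15:30Z host=fin-ws-17 event=net_connect dst=203.0.113.42 dport=443",
    "2026-03-02T10:15:41Z host=ot-hmi-03 event=net_connect dst=203.0.113.42 dport=443",
    "2026-03-02T10:16:00Z host=fin-ws-18 event=dns_query qname=www.example.org",
]


def index_feed(feed):
    """Build {type: {value: ioc}} so every log value becomes a dictionary lookup."""
    idx = defaultdict(dict)
    for ioc in feed:
        idx[ioc["type"]][ioc["value"].lower()] = ioc
    return idx


def classify(value):
    """Infer the indicator type from the shape of a field value (hash, IP, domain)."""
    if SHA256_RE.fullmatch(value):
        return "sha256"
    if IPV4_RE.fullmatch(value):
        return "ipv4"
    if DOMAIN_RE.fullmatch(value):
        return "domain"
    return None


def match_line(line, idx):
    """Return (field, ioc) pairs for every indicator present in one log line."""
    hits = []
    for key, raw in KV_RE.findall(line):
        value = raw.lower()
        kind = classify(value)
        if kind and value in idx.get(kind, {}):
            hits.append((key, idx[kind][value]))
    return hits


def scan(logs, feed):
    """Turn IOC hits into alerts; each alert keeps the campaign it was attributed to."""
    idx = index_feed(feed)
    alerts = []
    for line in logs:
        for key, ioc in match_line(line, idx):
            host_match = re.search(r"\bhost=(\S+)", line)
            alerts.append({
                "host": host_match.group(1) if host_match else "unknown",
                "field": key,
                "type": ioc["type"],
                "value": ioc["value"],
                "campaign": ioc["campaign"],
                "severity": ioc["severity"],
            })
    return alerts


def hosts_by_campaign(alerts):
    """Group affected hosts per campaign: a host under two campaigns has two
    actors to evict, and containing one does not contain the other."""
    groups = defaultdict(set)
    for alert in alerts:
        groups[alert["campaign"]].add(alert["host"])
    return {campaign: sorted(hosts) for campaign, hosts in groups.items()}


def highest_severity(alerts):
    """Worst severity across all alerts, used to prioritise the response."""
    if not alerts:
        return None
    return max(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])["severity"]


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS, IOC_FEED)
    for alert in found:
        print(f"{alert['host']:10} {alert['campaign']:13} {alert['severity']:9} {alert['field']}={alert['value']}")
    print("hosts per campaign:", hosts_by_campaign(found))
    print("highest severity:", highest_severity(found))
```

In the constructed data, fin-ws-17 is touched by both the wiper campaign and the hacktivist infrastructure; grouping by campaign rather than by host is what keeps the two incidents apart in the triage view.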

“If we wait until the problem happens, take action, then the ransomware actor is already there, has already stolen the data…Hence the importance of a proactive approach,” Derbass says.

This ability to move from reactive response toward predictive defense is becoming increasingly important for organizations managing critical infrastructure and sensitive operations.

AI IS RESHAPING BOTH SIDES OF CYBERSECURITY

As the volume and complexity of cyberthreats continue to increase, artificial intelligence is becoming a critical component of cybersecurity operations.

Kaspersky says it has more than two decades of experience integrating AI and machine learning into its technologies, backed by more than 100 AI-related patents primarily focused on detection capabilities.

Today, 26% of the company’s monitoring alerts are processed and resolved through proprietary AI systems, helping reduce analyst workload and accelerate response times.

But while AI is strengthening cyber defense, it is also lowering the barrier for attackers.

“We’ve already heard how cyber criminals are using it as much as we use it today, to create realistic phishing pages, realistic phishing emails, and even using it to write new malware codes,” says Derbass. 

Cybercriminals are also exploiting the hype surrounding AI to lure victims into downloading malicious software. Kaspersky research found that between January and early May 2026, its solutions detected more than 92,000 attacks worldwide involving malware and potentially unwanted applications disguised as popular AI agents and AI services.

This dynamic is accelerating the cyber arms race, forcing organizations to adapt faster while balancing automation with human expertise.

Kaspersky’s cybersecurity ecosystem includes specialized research teams focused on APT activity, industrial cybersecurity, crimeware groups, and dark web monitoring. The goal, according to Derbass, is not simply to collect data, but to filter out noise and deliver intelligence that organizations can act on immediately.

“We avoid the noise, we avoid the false positives, and we link it to actionable insight,” he says.

SUPPLY CHAINS HAVE BECOME THE ACHILLES’ HEEL

Despite significant investments in cybersecurity, even highly mature sectors continue to face major blind spots.

Increasingly, those blind spots exist within the broader digital ecosystem rather than inside the organization itself.

“What we are seeing as a common blind spot for these industries is supply-chain attacks,” says Derbass.

Open-source software is one of the widest entry points. According to Kaspersky telemetry, almost 19,500 malicious packages had been found in open-source projects by the end of 2025, a 37% increase compared to the end of 2024.

Banks, healthcare providers, aviation companies, governments, and infrastructure operators may invest heavily in securing their own systems. Still, attackers are increasingly exploiting weaker third-party vendors, contractors, suppliers, and connected platforms to gain indirect access.

As digital transformation accelerates across the region, organizations are opening more systems to external integrations, cloud environments, APIs, procurement platforms, and interconnected infrastructure.

“Connectivity means productivity, competitiveness, and efficiency,” says Derbass. “But it also means vulnerability.”

Operational technology environments are particularly exposed. Historically isolated systems used across industries such as oil and gas, utilities, manufacturing, and transportation are now increasingly connected to broader enterprise infrastructure, expanding opportunities for cyber intrusion.

For critical sectors across the Middle East — particularly energy, telecoms, infrastructure, defense, aviation, and financial services — supply-chain resilience is becoming just as important as internal cybersecurity capabilities.

CYBER RESILIENCE IS NOW A LEADERSHIP PRIORITY

As cyberthreats become more complex and persistent, organizations are under growing pressure to strengthen resilience fast enough to keep pace.

According to Derbass, many organizations are still not moving fast enough.

The challenge is compounded by talent shortages, evolving attack methodologies, and the rapid proliferation of emerging technologies. At the same time, organizations face mounting financial, operational, and reputational risks if they fail to adapt.

“Once an organization is hacked, it becomes public knowledge,” Derbass says. “The damage is financial, operational, and reputational.”

In increasingly interconnected economies, the impact of a single breach can quickly extend far beyond one organization – affecting suppliers, customers, infrastructure, and essential public services.

For governments and enterprises alike, cyber resilience is no longer simply a technology issue. It has become a strategic imperative tied directly to economic continuity, national stability, and long-term competitiveness.

And in an era defined by geopolitical uncertainty, organizations that can anticipate threats – rather than simply react to them – may ultimately be the ones best positioned to withstand the next wave of disruption.

ABOUT THE AUTHOR

FastCo Works is Fast Company's branded content studio. Advertisers commission us to consult on projects, as well as to create content and video on their behalf.