Iranian Data Strikes Shake Global Digital Infrastructure

Before sunrise on Sunday 1 March, Iranian Shahed drones directly struck two Amazon Web Services data centres in the United Arab Emirates. That same morning, debris from a nearby strike damaged a third AWS data centre in Bahrain. Impacts to the facilities created significant disruption to financial, enterprise and consumer digital services in the UAE and the wider region. In the wake of the strikes, calls to treat data centres as strategic assets and critical infrastructure have grown louder.

Data centres and the digital services operating on them are critical to the economy and society, but also to defence. As we have written previously, Ukraine’s Delta battlefield management system is hosted on the public cloud, the US’s Maven Smart System (created by Palantir) is hosted by AWS, and Israel has leveraged cloud-hosted AI capabilities in its war on Gaza. Where data centres are dual-use – hosting both civilian and military workloads – targeting them to disrupt military capabilities can make strategic sense.

Nevertheless, this is the first time that kinetic capabilities have been used against public cloud infrastructure. And where Iran has stepped, others will likely follow. It is therefore necessary to better understand why Iran may have targeted these facilities and what are the possible strategic impacts.

Explaining Iranian Targeting

It is highly likely that Iran deliberately targeted data centres in the UAE. Iran has struck a number of targets in the Gulf since hostilities began with a relatively high degree of precision, while the drones used in the strike are very capable of hitting a large target like a data centre. Indeed, following the attacks, Tasnim – an Iranian news agency – published a list of ‘legitimate targets’ as defined by the Iranian Revolutionary Guard (IRGC), these included the offices and infrastructures of American technology companies such as AWS, Google, Microsoft, IBM, Oracle and Nvidia. The IRGC also told state media that attacks were intended to identify what role these facilities have in supporting enemy military and intelligence capabilities. Whether or not the decision to strike was made by the remaining Iranian leadership or by a more junior commander operating in a decentralised manner is largely irrelevant to the strategic considerations of striking US companies’ data centres.

Your authors identify three plausible rationales for deliberately targeting these locations.

First, striking data centres imposes costs. Gulf countries have invested heavily to encourage American technology companies to expand locally, aiming to diversify away from petrochemicals. Cheap land and energy have attracted computing and AI companies: AWS, Google, Microsoft, Nvidia, Oracle and others all own, operate, rent or partner with local companies to run facilities in the Gulf. Drone strikes damage Gulf states’ carefully-cultivated reputation as a neutral, peaceful place for investment, thereby disincentivising these and other companies from operating in the region, undercutting billions of dollars in investment.

Arguably, the same effect could be generated through targeting any commercial data centre where a foreign company is involved. For example, Alibaba and other Chinese companies have a smaller, but growing, presence in the region. However, targeting a US tech company comes with the added benefit that these companies drive overall growth in the US stock market, imposing further costs on President Trump’s economic agenda.

Such strikes on data centres therefore align with Iran’s objective of re-establishing deterrence through asymmetric methods: imposing reputational and physical pain on Gulf allies of the US, depleting precious air defence stockpiles, and imposing economic costs on its enemies (which is mainly through closing the Strait of Hormuz).

Second, targeting data centres can impact and provide information on critical capabilities. Cloud companies provide services to governments, including the military as well as critical national infrastructures. Both AWS and Google have had long-term contracts with the Israeli Defence Force and the US Department of War’s $9 billion Joint Warfighting Cloud Capability contract includes each of company as well as Microsoft and Oracle.

It is highly unlikely Iran knew if either Israel or the US used the targeted data centres for military workloads. Therefore, Iran would have had low confidence in the strikes ability to degrade military capabilities, with the attacks mostly serving as a message to all supporters of US military capabilities. Were the strikes to have created observable impacts on Israeli and US military assets this would have been welcome, but there was not likely an assumption that it was guaranteed.

Finally, the attacks caused disruption. As remarked above, digital services including payment, banking and consumer products were disrupted. Normal people and businesses could not operate as they usually would. This has a psychological impact that brings home the reality of the conflict. Through the strikes, Iran further demonstrated the tangible threat it posed.

These explanations are not mutually exclusive, nor are they necessarily exhaustive. Iran may have intended to layer effects through the strikes to achieve multiple outcomes or simply to signal its own capabilities. Getting to grips with these and other motivations will be crucial to developing effective countermeasures and deterrence against future strikes.

How Could this Change the Strategic Environment

Based on the information presently available, some have argued that these strikes are unlawful under international law. A military owned/operated data centre is a lawful target, but one that is owned/operated by a hyperscaler for civilian workloads is civilian infrastructure and therefore protected under the principle of distinction. Yet militaries’ use of public cloud infrastructure muddies the water. Where infrastructure is dual-use, it can legally be targeted providing it meets certain criteria. In this scenario, distinction is difficult because militaries cannot reliably or effectively determine whether hyperscale infrastructure is being used by the enemy and to what extent. Hyperscale providers do not provide lists of their clients nor where they choose to host data and workloads. Moreover, their service is sold on its availability, meaning that workloads can (more or less) seamlessly migrate across regions and physical infrastructure.

To meet legal requirements, the military benefit of striking a dual-use data centre would have also to exceed the civilian harm – thereby meeting proportionality. Even assuming civilians are not caught in the strike, civilian harm may still arise due to the potential outages, loss of data, and impact on other critical infrastructure. Were these data centres hosting US or Israeli military workloads, targeting would not necessarily merit the harm to civilians and civilian infrastructures. While not justifying Iran’s actions, it does bear mentioning that the US and Israeli attacks have targeted Iranian civilian infrastructure, including physical and cyber attacks on their digital infrastructure.

Another reflection on Iran’s strikes is its challenge to arguments for cloud sovereignty based on localisation. In reaction to service interruption, AWS recommended its customers relocate workloads to other data centre regions located outside the conflict area. In this way, hyperscale cloud argues it can provide resilience that is not achievable through relying on data centres within a single national territory. Ukraine’s experience of expanding digital public services throughout Russian kinetic attacks further demonstrates this point, as does Estonia’s data embassy.

Nevertheless, the specific targeting of US technology companies introduces a problem. If these companies’ data centres are targets, does that change the risk calculus of using them to promote national resilience? Furthermore, if the integrity of national critical services is dependent on their ability to migrate globally, are our legal regimes sufficiently flexible to accommodate this? Or are governments prepared for other countries’ to be relying on data centres in their territory that are owned and operated by foreign companies? These and other questions are being addressed in RUSI’s ongoing work on cloud sovereignty.

Governments must also contend with the uncomfortable reality that their national resilience mapping has not kept pace with the speed of cloud adoption. Most states lack the granular understanding of which critical services depend on which hyperscale infrastructure, and where that infrastructure physically resides. This is not simply a technical failure; it is a governance one. Compounded dependence and delegated control and visibility pose distinct challenges to managing potential risks with existing policy tools, which are more focused on end products and services than on their shared architecture and underlying infrastructure. Developing that visibility must now be treated as a strategic priority, alongside harder questions about whether and how governments should mandate physical protection for data centres on their territory that are owned and operated by foreign companies – and what obligations, if any, those companies bear in return.

The strikes should nonetheless prompt careful rather than hasty conclusions. The strategic drivers behind the Gulf's rapid data centre expansion – cheap energy, sovereign wealth investment and the region's position between East and West – have not evaporated. Regulations in the European Union, UK and the US already treat data centres as critical or essential infrastructure, and pressure on other governments to follow suit will only intensify. What is clear is that the events of 1 March have added significant momentum to a debate that was already gaining force: whether cloud infrastructure can continue to be treated as a commercial utility, or whether it must be governed as a contested and consequential strategic asset, at the intersection of economic power and conflict.

© RUSI, 2026.

The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.

Have an idea for a Commentary you'd like to write for us? Send a short pitch to commentaries@rusi.org and we'll get back to you if it fits into our research interests. View full guidelines for contributors.