TRUSTORYX.

AI in Cyber Warfare: How AI and Cybersecurity are Shaping Modern Conflicts

Recent conflicts demonstrate how artificial intelligence (AI) is rapidly transforming cyber warfare. State and proxy actors have deployed a mix of traditional malware and advanced techniques.


Executive Summary: Recent conflicts – between Iran and the US, Israel and Hamas (with Iran’s involvement), Russia and Ukraine, and India and Pakistan – have demonstrated how artificial intelligence (AI) is rapidly transforming cyber warfare. State and proxy actors have deployed a mix of traditional malware (wipers, ransomware, botnets) and advanced techniques (AI-driven phishing, disinformation, automated targeting). For example, Iranian hacktivists (the “Handala Hack” group) wiped data from a US medical company and UK NHS supplier【30†L271-L279】, and IRGC drones struck Amazon cloud data centers in early 2026【35†L273-L281】. Israel’s cyber forces used AI-assisted analysis to identify targets in Gaza【54†L499-L503】, while Iranian propaganda employed deepfake anchors on Israeli TV【27†L227-L236】. In Ukraine, Russian APTs repeatedly targeted critical infrastructure (e.g. satellite comms, power grids)【31†L270-L279】, even as Ukraine leveraged volunteer “IT Army” DDoS assaults【31†L323-L332】 and partnerships with tech firms (Microsoft, Cisco, Palantir) to build a “data-driven, AI-enabled war” machine【35†L291-L300】. In South Asia, cross-border skirmishes in 2025 saw millions of automated attacks – Pakistan’s cyber command disrupted Indian power grids and websites【20†L338-L344】, and Indian hackers retaliated by leaking Pakistani tax data【20†L338-L344】. Across all cases, militaries and governments are integrating AI into both offense and defense: US commanders acknowledge using “advanced AI tools” to process battlefield data【56†L461-L469】; adversaries exploit AI for large-scale phishing and deepfakes【52†L364-L366】【52†L399-L405】. Supply chains and civilian infrastructure have become explicit targets (e.g. cloud data centers, healthcare)【35†L273-L281】【30†L271-L279】. Legal norms lag behind technology: global discussions on regulating “lethal autonomous weapons” and AI in conflict are urgent but unsettled【42†L223-L231】【56†L461-L469】. 
We provide detailed case studies, compare incidents and AI techniques, and conclude with implications and strategic recommendations for India and CLAWS, such as boosting AI-powered cyber defenses, public–private partnerships, and active participation in international cyber norms.

Introduction

Modern armed conflicts increasingly include a cyber dimension. Nations and non-state groups use computer networks to gather intelligence, disrupt opponents, and shape information environments. At the same time, new AI methods (machine learning, deep learning, anomaly detection, automated response) are becoming deeply embedded in cybersecurity. AI enables defenders to analyze vast log datasets and spot intrusions, while attackers leverage AI to scale attacks and evade detection【52†L364-L366】【52†L416-L424】.

This report examines four case studies – Iran–USA, Israel–Hamas/Israel, Russia–Ukraine, and India–Pakistan – to illustrate how AI and cyber capabilities are intertwining in warfare. We detail the timeline of major cyber incidents in each conflict (who attacked whom, using what tools, and why), describe how AI techniques are used offensively and defensively, assess impacts on supply chains and critical infrastructure, and discuss the legal, ethical, and policy challenges. Finally, we offer strategic recommendations for India and the Centre for Land Warfare Studies (CLAWS), drawing on primary reports, academic analyses, and think-tank findings.

AI & Cybersecurity Techniques

Advances in AI have created powerful new tools for both attackers and defenders. Key techniques include:

  • Machine Learning (ML) / Deep Learning: Supervised ML classifiers and neural networks are used to detect malware or intrusions by learning patterns of normal vs. malicious behavior. For example, defenders train ML models on large datasets of network logs to spot anomalies【52†L416-L424】. Deep learning models (e.g. convolutional or recurrent neural nets) can process unstructured data (like images or raw code) for malware analysis. As Trends Research notes, AI-driven models “automatically identify system vulnerabilities, conduct exploitation, and propagate” malware with minimal human input【52†L387-L390】.
  • Anomaly Detection: Unsupervised AI techniques (e.g. autoencoders, clustering) flag unusual events in networks or endpoints. These systems learn a baseline of normal traffic and raise alerts on deviations. Such AI-based detectors are far more effective than static rule-based tools at catching new threats【52†L416-L424】. For example, AI anomaly detectors can spot subtle signs of a new ransomware intrusion before it encrypts files.
  • Threat Intelligence & Data Analytics: AI helps sift and correlate intelligence feeds (Indicators of Compromise, threat reports) to prioritize actionable threats. Natural language processing (NLP) can scan social media or dark web forums for chatter about new exploits or ransomware. ML-driven analytics also cluster massive volumes of network telemetry to highlight emerging patterns. In effect, AI augments human analysts by rapidly triaging which IPs, domains, or files merit investigation.
  • Automated Response (SOAR): Security Orchestration, Automation and Response (SOAR) platforms incorporate AI to act instantly on detected threats. For instance, when a malicious IP is identified, an AI system can block it at the firewall, isolate a compromised server, or roll out patches across hundreds of endpoints – all within seconds【52†L424-L428】. This speed far outstrips manual response and can contain damage before it spreads.
  • Adversarial Machine Learning: Offensive actors can also target AI systems themselves. NIST and others document categories of adversarial ML attacks: poisoning (inserting bad data to corrupt model training), evasion (crafting inputs that fool a model), and model-theft/privacy attacks【47†L139-L148】. For example, an attacker might craft packets that look benign to a deep-learning detector, or slowly poison a spam filter so it learns to ignore certain malware signatures. These adversarial methods represent a growing concern for AI-based defenses.
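
The following is an added example, not code from this report or from any vendor it names. It shows the baseline-and-deviation anomaly detection described above on constructed request logs, wires a flagged window into a SOAR-style block decision, and includes one adversarial-ML safeguard: the baseline only learns from windows judged normal, clipped so that traffic kept just under the alert threshold cannot slowly poison it. The log format, IP addresses and baseline counts are all constructed sample data.

```python
"""Baseline anomaly detection with an automated-response hook (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed (hypothetical) log format: "<minute> <src_ip> <path> <status>"
LOG_RE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\d{3})$")


def make_sample_logs() -> str:
    """Five quiet minutes of traffic, then one minute flooded from a single source."""
    lines = []
    normal_ips = ["192.0.2.10", "192.0.2.11", "198.51.100.5"]   # documentation ranges
    for minute in range(100, 105):
        for i, ip in enumerate(normal_ips):
            lines += [f"{minute} {ip} /alerts 200"] * (2 + i)     # 9 requests per minute
    lines += ["105 203.0.113.7 /alerts 503"] * 60                 # the flood
    lines.append("105 192.0.2.10 /alerts 200")
    lines.append("malformed line that the parser must skip")
    return "\n".join(lines)


def parse_logs(text: str):
    """Yield (minute, src_ip); malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2)


def requests_per_minute(events) -> dict:
    """Map each minute to a Counter of requests per source IP."""
    per_min = defaultdict(Counter)
    for minute, ip in events:
        per_min[minute][ip] += 1
    return dict(sorted(per_min.items()))


@dataclass
class BaselineDetector:
    """Flags a window whose request count is more than k std-devs above baseline."""
    k: float = 3.0
    history: list = field(default_factory=list)

    def fit(self, known_good_counts):
        """Seed the baseline from windows an analyst has vetted as normal."""
        self.history.extend(known_good_counts)

    def observe(self, total: int):
        mu = mean(self.history)
        sd = pstdev(self.history) or 1.0     # floor so a constant baseline still scores
        z = (total - mu) / sd
        anomalous = z > self.k
        # Poisoning guard: only non-anomalous windows feed back into the baseline,
        # and each is clipped to mu + sd, so traffic held just under the threshold
        # in every window cannot ratchet the "normal" level upward over time.
        if not anomalous:
            self.history.append(min(total, mu + sd))
        return z, anomalous


def respond(per_minute: dict, detector: BaselineDetector, top_n: int = 3) -> list:
    """SOAR-style rule: for each anomalous minute, name the top sources to block.

    Returns action dicts; pushing "block" to a firewall API is deliberately left out.
    """
    actions = []
    for minute, by_ip in per_minute.items():
        z, anomalous = detector.observe(sum(by_ip.values()))
        if anomalous:
            actions.append({
                "minute": minute,
                "z": round(z, 2),
                "action": "block",
                "ips": [ip for ip, _ in by_ip.most_common(top_n)],
            })
    return actions


def run_demo() -> list:
    """End to end: parse, aggregate per minute, detect, decide."""
    detector = BaselineDetector(k=3.0)
    detector.fit([8, 9, 10, 9, 8, 11, 9, 10])   # constructed, pre-vetted quiet windows
    per_minute = requests_per_minute(parse_logs(make_sample_logs()))
    return respond(per_minute, detector)


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

The quiet minutes score well inside the baseline and are absorbed into it; only minute 105 is flagged, with the flooding source listed first for blocking.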

In summary, AI offers a double-edged sword in cybersecurity: defenders gain superhuman analytics and speed, but attackers gain powerful automation. The net effect is an ongoing arms race. As Trends Research concludes, new AI tools “lower the bar” for attackers – automating phishing, social-media manipulation, and data harvesting – making operations “faster, cheaper, and more potent”【52†L364-L366】. Simultaneously, state-of-the-art anomaly detectors and AI-led response can neutralize many threats before they cause major damage【52†L416-L424】【52†L424-L428】.

Case Study: Iran–USA Cyber Operations (2024–2026)

The 2024–2026 Iran–USA “sabre-rattling” conflict has played out partly in cyberspace. Both Iranian and American (and allied) cyber units have probed and hit each other’s infrastructure. Key incidents include:

  • IRGC Spear-phishing (June 2024): Iran’s Islamic Revolutionary Guard Corps (IRGC) hackers targeted US election-related accounts. US intelligence reported that an IRGC-linked actor compromised an email account of a US political figure in June 2024 and used it to send spear-phishing emails【15†L1578-L1583】. This reflects Iran’s strategy of targeting influence networks and communications.
  • ‘Handala Hack’ Medical Wiper (Jan 2026): In January 2026, a pro-Iran hacktivist group calling itself Handala Hack claimed a destructive cyberattack on Western health infrastructure【30†L271-L279】. Reportedly, they wiped the servers of Stryker (a US medical equipment firm) and its UK supplier, disrupting medical supply chains. The choice of health-sector targets sent a political message of retaliation, even though analysts caution this had “symbolic value” more than military impact【30†L278-L288】. The attackers used destructive malware to erase data (similar to Iran’s earlier Shamoon campaigns).
  • Cloud Data Center Attacks (March 2026): In the Gulf conflict of early 2026, Iranian drones struck commercial cloud data centers. UAE and Bahrain hosted Amazon Web Services (AWS) data centers that were “directly hit” by Iranian drones【35†L273-L281】. A later strike hit a Tehran data center serving the IRGC, disrupting banking and military payrolls. These incidents mark a new front: the cloud. Iran publicized a “target list” of 29 data facilities (AWS, Microsoft, IBM, Google, etc.)【35†L283-L291】 as “legitimate” due to their ties to Israel. This underscores that supply-chain and civilian tech resources are now considered viable targets in war.
  • Other Disruptions: Iran also used cyber means in a decentralized “hybrid campaign.” Pro-Iran hacktivists reportedly launched widespread DDoS and defacements against US, UK, and allied sites as part of psychological operations【30†L271-L279】. Reconnaissance has also been noted: Iranian actors were found embedded in US and Israeli networks and even hijacked security cameras for surveillance【30†L327-L331】.

A summary timeline (see table and mermaid diagram below) captures the sequence. The objectives of Iran’s cyber operations have largely been disruption and signaling, rather than achieving specific battlefield kills. As one analyst notes, Iran has a “premium on the symbolic value” of its cyberattacks【30†L278-L288】. In contrast, US and allied cyber moves have focused on intelligence and counterstrikes.

```mermaid
timeline
    title Iran–USA Cyber Engagements (2024–2026)
    2024-06 : IRGC hackers spear-phish US political email accounts【15†L1578-L1583】
    2026-01 : “Handala Hack” wipes data from US/UK medical networks【30†L271-L279】
    2026-03 : Iran drones strike AWS cloud data centers in UAE & Bahrain【35†L273-L281】
    2026-03 : IRGC publishes list of US tech targets (AWS, Microsoft, etc.)【35†L283-L291】
```

Role of AI: In the Iran–USA context, AI has played a supporting role. The US military openly acknowledges using AI for intelligence analysis: Admiral Brad Cooper (leading US forces in the Iran war) said “a variety of advanced AI tools” were employed to sift massive data feeds, allowing U.S. commanders to make “smarter decisions faster than the enemy can react”【56†L461-L469】. Notably, Cooper emphasized that humans still make final targeting decisions. On the Iranian side, there are no public reports of Iran using AI to direct cyberattacks, though Iranian engineers have been building basic AI capabilities domestically. However, Iran has leveraged AI in information operations (e.g. using generative models for propaganda, see next section).

Defense & Response: U.S. cyber defense has relied on traditional hardening and intelligence sharing with private tech firms. For example, open-source reporting notes intensive coordination between US agencies and cloud providers to reroute or back up data after the AWS strikes【35†L291-L300】. India and its tech industry can learn from this: Ukrainian-style partnerships with companies (Microsoft, SpaceX, etc.) greatly aided resilience【35†L291-L300】.

Assumptions & Unknowns: Much of Iran’s cyber operations are opaque. We assume the Handala Hack was state-inspired, but private hacktivists often cloak state actions. Similarly, while drones physically hit data centers, the coordination between kinetic and cyber components is still under investigation. We note that intelligence and open reports suggest Iran’s cyber “battle” is secondary to its kinetic and diplomatic campaigns【30†L278-L288】.

Case Study: Israel–Hamas Cyber Conflict (Oct 2023–Present)

The October 2023 Gaza war immediately triggered an intense wave of cyber incidents between Israel, Hamas, and allied actors (notably Iran). Key events:

```mermaid
timeline
    title Israel–Hamas/Gaza Cyber War (2023)
    2023-10-07 : Hamas rockets; Israeli warning sites hit by massive DDoS【26†L77-L86】
    2023-10-10 : “Red Alert” app exploited to send fake nuclear alerts to Israelis【26†L100-L109】
    2023-10-12 : Israeli news/media websites defaced, DDoS continued【26†L123-L131】【26†L147-L156】
    2023-12-05 : Iran’s IRGC spreads fake AI news anchor on Israeli TV【27†L227-L236】
    2023-12-05 : Customized ransomware hits security cameras at Nevatim AFB【27†L296-L304】
```

  • Rocket War & DDoS (Oct 7–Oct 10, 2023): Within minutes of Hamas’s Oct 7 rocket barrage, pro-Palestinian hacktivists (e.g. AnonGhost) launched distributed-denial-of-service (DDoS) attacks against Israeli emergency-response websites【26†L77-L86】. Peak traffic on these Israeli sites surged to ~1 million requests per second shortly after the attacks began. Over the next days, multiple waves of DDoS continued, targeting media, banking, and government portals【26†L145-L156】. For example, Israeli newspaper sites and telecom services saw sustained outages【26†L147-L156】. This physical-cyber coordination (rockets plus botnets) was one of the largest such events in recent memory.
  • Alert App Exploit (Oct 10, 2023): Hackers discovered a vulnerability in the “Red Alert” mobile app (used by citizens to warn of rocket attacks). They manipulated the app’s system to send thousands of fake rocket and even “nuclear bomb” alerts to Israeli devices【26†L100-L109】. This caused widespread panic until officials confirmed them as fraudulent. The exploit demonstrated how even civilian emergency infrastructure can be weaponized.
  • Website Defacements (Oct–Nov 2023): Hacktivists defaced dozens of Israeli websites (government, military, commercial) with anti-Israel slogans, including “Death to All Jews” posters【26†L123-L131】. Banks and online services also suffered DDoS disruptions in late October【26†L147-L156】. Over this period, Israeli cybersecurity teams (with cloud service help) managed to mitigate many attacks.
  • Iranian Operations (Dec 2023): Iran directly engaged in the conflict’s cyber dimension. In early December, Iranian state-affiliated hackers broadcast a fake TV news segment: an AI-generated anchor on Islamic Republic News Agency (IRNA) announced false reports of Israeli attacks【27†L227-L236】. This was one of the first notable uses of AI-deepfake video in the conflict. Separately, an IRGC cyber unit (the Shahid Kaveh Group) deployed customized ransomware to compromise security cameras at the Nevatim Air Force Base (under the persona “Soldiers of Solomon”), though the ransomware claim was later debunked as a hoax by researchers【27†L296-L304】. Iranian proxies also targeted other Middle East sites (e.g. Albania’s government portals) with DDoS and defacements【27†L227-L236】.
  • Israeli Counterstrikes: Israeli cyber operations reportedly hit Iranian targets. Hacktivist group “Predatory Sparrow” (linked to Israeli intelligence) claimed multiple strikes in June 2025, including wiping data at Iran’s Bank Sepah and stealing $90M in cryptocurrency from Iran’s Nobitex exchange【49†L285-L294】. On the same nights, Iranian state media broadcasters and allied media were hijacked to display anti-regime messages during airstrikes【49†L298-L304】. These represent Israel’s preference for precision cyberattacks on hard targets (financial systems, military comms) rather than broad DDoS campaigns.

AI Involvement: AI was prominent in this conflict’s cyber domain. Israeli officials and press confirm AI-assisted targeting: a _New York Times_ report revealed that Israel used machine-learning tools to analyze battlefield data and shortlist potential strike targets in Gaza【54†L499-L503】. The IDF publicly downplayed this as only “tools for analysts,” but it shows the trend of militaries using AI as a decision aid. On the Iranian/Hamas side, AI’s main role was in disinformation: the fake news anchor incident was an AI-generated deepfake designed to sow confusion【27†L227-L236】. Hackers also experimented with falsified missile alerts (the “nuke app” exploit) and perhaps automated bots for DDoS. However, there is no indication that Hamas itself deployed advanced AI tools; most attacks came from informal hacktivist networks (who may have used basic scripts and cloud servers to amplify traffic).

Indicators & Tools: Known tools in this phase include the AnonGhost botnet (DDoS), the Red Alert server exploit, custom malware for camera ransomware (though that case proved to be largely ineffective), and possibly modular spyware for phishing. Cybersecurity firms tracked malware signatures (e.g. PoisonIvy, Winspy) on some defacements. On the defensive side, companies like Cloudflare and Microsoft mobilized to absorb traffic surges and take down phishing sites. Notably, Microsoft’s threat team detected and removed dozens of malicious mobile apps masquerading as rocket-alert software during the war【26†L109-L117】.

Strategic Impact: The cyber war in Gaza had mixed tangible effects. The panic from the fake alerts and service disruptions strained Israeli civil resilience, but power and water infrastructure remained largely intact. Israel’s cyber superiority (bolstered by rapid defensive recovery and targeted strikes) limited Iranian/Hamas impact. Still, civilian infrastructure (apps, media, banking) proved vulnerable to modern attacks, underscoring new frontiers of “cyber-left of launch.”

Lessons and Recommendations: India should note that even smartphone apps and media can be weaponized. Governments must harden public alert systems and educate citizens (the Red Alert hack shows the risk of trusting third-party apps). Investing in AI-based anomaly detection (as Israel did with cloud providers) helped mitigate DDoS spikes. Indian defense planners may also consider how Israel applied AI for targeting【54†L499-L503】 and ensure robust human oversight. At a policy level, the blur between civilian tech and combat (e.g. fake news anchor on TV) suggests international norms may need updating for cognitive and info warfare.

Case Study: Russia–Ukraine Cyber War (2022–Present)

Since Russia’s full-scale invasion in Feb 2022, cyberspace has been a persistent battleground on the Eastern front. Over a decade of pre-war cyber tension (e.g. BlackEnergy grid attacks) set the stage. Key incidents include:

```mermaid
timeline
    title Russia–Ukraine Cyber Conflict (2022–2025)
    2022-02-24 : Russia’s “AcidRain” malware cripples Viasat satellite network【31†L270-L277】
    2022-03 : Ukrainian govt websites defaced (false surrender notices)【32†L12-L21】
    2022-04 : Russian wiper “CaddyWiper” hits Ukrainian energy infra (dam)【31†L270-L279】
    2022-05 : HermeticWiper strikes Ukrainian banks; nationwide outages tracked【32†L20-L25】
    2022-06 : Ukraine forms “IT Army”; volunteers DDoS Russian banks (largest known)【31†L323-L332】
    2024-10 : 70% surge in cyberattacks on Ukraine’s civilian/defense sectors【31†L270-L279】
```

  • Satellite & Communications Sabotage (Feb 2022): One of the first major strikes was on Feb 24, 2022: Russian GRU unit Sandworm deployed the “AcidRain” wiper against Viasat’s KA-SAT satellite modems, crippling tens of thousands of terminals in Ukraine (which many businesses and military units relied on)【31†L270-L277】. This left Ukrainian troops without comms during the initial invasion. Simultaneously, phishing campaigns targeted Ukrainian military and government email.
  • Government and Bank Hacks: Within days, several Ukrainian government websites (e.g. cabinet portals) were defaced with fake surrender messages, and major banks were hit by wipers (such as HermeticWiper and WhisperKill), briefly disrupting online banking. Many of these attacks contained code words (e.g. “UAC-0005”) that helped attribution to Russian units.
  • Infrastructure Attacks (2022–2023): Throughout 2022 and 2023, Russian state-sponsored APTs launched disruptive malware against Ukrainian power grids and water supplies. Notably, “CaddyWiper” hit a hydroelectric dam in April 2022. Large-scale DDoS campaigns struck media sites and online retailers in Ukraine. Meanwhile, ransomware gangs (some with suspected Russian ties) hit hospitals and companies. Ukrainian rail networks and Kyiv’s communication lines also suffered coordinated outages, synchronized with missile barrages.
  • Volunteer Cyber Offensive: Ukraine’s government formally endorsed a volunteer “IT Army” of cybersecurity volunteers. By mid-2022 this loose coalition of hacker groups and open-call recruits had launched massive DDoS attacks on Russian financial systems – at one point generating what was then the largest known DDoS in history against Russian banks【31†L323-L332】. They also defaced Russian state media outlets and government sites. These actions illustrate how even unsophisticated actors (relying on publicly available tools) can inflict strategic pressure via the internet.
  • Continued Escalation: As the war dragged on, both sides ran information operations (fake news, disinfo bots) globally. Cybercriminals took advantage: e.g., the Conti ransomware group sided with Russia in 2022 and leaked data from Western companies refusing to work in Russia. Conversely, pro-Ukraine hackers targeted Western defense contractors suspected of aiding Russia.

Role of AI: Ukraine has explicitly made cyber a warfare domain, institutionalizing a cyber force and partnering with tech companies【31†L270-L279】【35†L291-L300】. For example, Ukraine’s military is using data analytics and AI: it adopted Palantir software and SpaceX’s Starlink to maintain battlefield communications【35†L291-L300】. In a sense, Ukraine “fights a data-driven, AI-enabled war” by using advanced analytics for decision support【35†L291-L300】. On the Russian side, there is less public evidence of Russia deploying AI cyber-weapons. Russian intelligence likely uses AI to process signals and satellite imagery, but in the cyber-attacks themselves (wipers, malware) AI does not appear to be a game-changer. Instead, the conflict has largely seen legacy techniques (phishing, malware, DDoS) on an unprecedented scale. That said, Russia’s misinformation campaigns have employed automated bots and possibly AI-generated propaganda, similar to past disinfo efforts.

Capabilities & Limitations: Russia’s cyber forces (notably GRU APT28/FancyBear, APT29/CozyBear, Sandworm, and the FSB’s main academic groups) are among the most advanced in the world. They’ve shown persistence in embedding inside Ukrainian networks and have repeated success in disruption【16†L1123-L1130】. However, Ukraine’s defenses (aided by Western tech support) have improved over time. By 2024, despite a surge in attempted attacks, the number of successful “high-impact” breaches fell【31†L270-L279】. Ukraine’s establishment of a formal Cyber Force (bill passed Oct 2025【31†L270-L279】) aims to unify offensive and defensive capabilities. Crucially, public-private cooperation (e.g. Microsoft, Cisco, Palantir, Clearview AI, SpaceX) has shored up Ukrainian resilience【35†L291-L300】.

Supply-Chain & Infrastructure Impacts: In this war, critical infrastructure has been a major target. Ukraine’s power grid, communication networks, and financial systems have been hit repeatedly. The US-based satellite hack (Viasat) shows how civilian supply-chains (commercial satellites) can be weaponized to impact military operations. Similarly, NotPetya (2017, attributed to Russia) showed how a compromised software update can ripple across global companies. India should note that attacks may come via third-party tech: in 2020, a severe hack of India’s power sector was traced to compromised Cisco devices. Defensive advice: monitor supply-chain security and enforce zero-trust models.

Legal/Ethical Issues: The Russia–Ukraine case has partly defined emerging norms. Most agree that cyberattacks on purely civilian infrastructure (power, hospitals) violate the principle of distinction and could be unlawful under international humanitarian law. Western analysts have publicly condemned Russia’s attacks on Ukraine’s grid as “warfare” on civilians【31†L270-L277】. However, attribution is hard: Ukraine has accused hackers inside foreign companies of spying, raising complex legal questions. On the policy side, Ukraine’s creation of an official Cyber Force (legislated in 2025【31†L270-L279】) acknowledges that cyber aggression may trigger collective defense obligations. The conflict has underscored the need for clear definitions: is a debilitating cyberattack an “armed attack” under the UN Charter? This issue remains unsettled globally.

Case Study: India–Pakistan Cyber Confrontation (2025)

Recent India–Pakistan tensions (notably the May 2025 border skirmish, “Operation Sindoor”) featured a notable cyber dimension:

```mermaid
timeline
    title India–Pakistan Cyber Clash (2025)
    2025-04-30 : Indian airstrike in PoK; Indo-Pak tensions rise【20†L334-L341】
    2025-05-01 : Pakistan Cyber Command disrupts Indian power grids and govt websites【20†L338-L344】
    2025-05-01 : Indian hacktivists leak Pakistani tax and banking data (FBR)【20†L338-L344】【21†L96-L104】
    2025-05-03 : CERT-In reports ~1.5M cyberattack attempts on Indian networks【21†L77-L85】
    2025-05-04 : Pro-India hackers target OGDCL, Islamabad CCTV networks【21†L96-L104】
    2025-05-08 : AI-generated deepfake video of PM Modi appears【21†L119-L130】
```

  • Cyber Escalation (May 2025): As conventional hostilities flared, Pakistani media reported that the Pakistan military’s cyber command had “disrupted parts of India’s communications networks,” including power transmission lines and government websites【20†L338-L344】. At nearly the same time, Indian cyber volunteers leaked compromised data from Pakistan’s Federal Board of Revenue (tax authority) and struck other Pakistani sites【20†L338-L344】【21†L96-L104】. According to open sources, India experienced roughly 1.5 million attempted cyberattacks following the April 2025 clash【21†L77-L85】.
  • APT Involvement: Pakistan’s primary state-aligned cyber unit (APT36, known as “Transparent Tribe”) reportedly led phishing campaigns against Indian military and nuclear targets【21†L77-L85】. Many of these attempts were detected and blocked by India’s cyber defenses, though Pakistani sources claimed minor outages in some areas. Pro-India hacktivist groups (often non-state volunteers) responded by hacking Pakistani government systems – including the oil company OGDCL, the finance ministry’s FBR, Habib Bank, and even thousands of Pakistani CCTV cameras【21†L96-L104】.
  • Notable Tools & Indicators: A malware analysis of the 2025 skirmish (dubbed Operation Sindoor 2.0) found that APT36 used a Crimson RAT backdoor delivered via spearphishing emails【23†L36-L42】. This RAT took screenshots and exfiltrated files from targeted government and military networks. No novel “zero-days” were used; rather, existing vulnerabilities and social engineering were exploited. The Indian hacktivists often used simple DDoS botnets and online leaks (like Tumblr paste sites) to dump data.
  • Propaganda & AI: One striking episode was a deepfake video of Prime Minister Modi circulating on social media, allegedly orchestrated by Pakistani elements【21†L119-L130】. This suggests use of generative AI for influence operations. Other disinformation (e.g. false missile attack alerts) also played a role on both sides, though detailed intelligence on these is limited.

AI & Technical Observations: The India–Pakistan cyber exchanges have so far been characterized by conventional hacking and hacktivism, with only limited use of AI. The prominent AI-related incident was the deepfake PM video【21†L119-L130】, showing that even regional conflicts are seeing generative AI misused for propaganda. Both sides also used automated tools (DDoS amplifiers, reconnaissance scanners). Notably, one recent study of Operation Sindoor found no evidence of AI or novel malware – it was a standard RAT/phishing attack by an APT【23†L36-L42】. However, the scale (millions of scanned IPs, automated social media bots, real-time defacement) demonstrates how easily open-source tools and basic ML scripts can amplify low-tech operations. Defensively, India’s CERT and military cyber cells have been inundated, and have relied on AI-enhanced analytics for filtering hundreds of thousands of alerts daily (CERT-In handles ~2 million incidents per year【21†L77-L85】).

Consequences: These skirmishes show that a “full spectrum” battle now includes the net. Attacks on power grids and data infrastructure carry serious risks of civilian harm or escalation. At least one analysis called for confidence-building: a cyber hotline or agreed communication channel, to prevent misattribution and uncontrolled escalation【20†L371-L379】. As the author suggests, both India and Pakistan should refrain from supplying offensive cyber tools to proxies or hacktivists, and instead consider mutual norms of restraint【20†L373-L379】. For India, the challenge is to integrate AI-driven threat intelligence (for example, machine-learning platforms that correlate Indo-Pak incident data) into defense planning, while continuing to invest in offensive cyber capabilities where needed.

Comparative Analysis: Incidents and AI Techniques

The table below summarizes major cyber incidents and AI usage in each conflict, highlighting capabilities and limitations:

| Conflict | Major Cyber Incidents/Tools (Year) | AI/ML Usage (Offense & Defense) | Capabilities & Limitations |
|---|---|---|---|
| Iran–USA (2024–26) | Handala Hack: Wiper on US medical systems【30†L271-L279】; AWS Drone Strikes: Drones hit cloud data centers【35†L273-L281】; IRGC spearphish US target emails【15†L1578-L1583】. | US military uses AI for intel analysis and targeting【56†L461-L469】; Iranian side mainly used AI in propaganda (fake news anchor)【27†L227-L236】. | US has advanced cyber defenses and AI analytic tools; Iran focuses on asymmetric, disruptive hacks. Civilian infra (health, cloud) proved vulnerable; legal gray area about targeting non-combatants. |
| Israel–Hamas/Israel (2023) | Hamas War DDoS: Israeli alert apps and media sites attacked【26†L77-L86】【26†L147-L156】; Red Alert Exploit: Fake nuclear alerts via app breach【26†L100-L109】; Fake News Anchor: Iran’s AI deepfake broadcast【27†L227-L236】; Predatory Sparrow: Israel’s hacktivists attacked Iran’s banks/media【49†L285-L294】. | Israel admitted using AI for strike planning【54†L499-L503】; Iran/Hamas employed AI for disinfo (deepfake). Both sides deployed ML-enhanced analytics for SOC monitoring. | Israel’s cyber defenses (Cloudflare, MS) absorbed massive DDoS. Offense leveraged AI-driven intel; Hamas/Iran exploited civilian tech. Ethical issues: disinfo and false alerts blur lines of combat. |
| Russia–Ukraine (2022–25) | Viasat Hack: Russian wiper on satellite modems【31†L270-L277】; Bank/Card Hacks: Wipers (Hermetic, WhisperKill) on Ukrainian banks; Grid Attacks: Industroyer/Caddy on power and water; IT Army DDoS: Ukrainians DDoS Russian banks【31†L323-L332】. | Ukraine integrates AI tech in defense: Palantir, Clearview, Starlink as part of “AI-enabled war”【35†L291-L300】. Russia likely uses AI for reconnaissance but attacks were largely conventional. | Both sides have potent cyber arsenals. Ukraine’s alliance with tech firms boosts its defenses. Russian ops have high stealth but sometimes collateral damage (e.g. NotPetya). Attribution and legal response (sanctions) are active. |
| India–Pakistan (2025) | Operation Sindoor: Pakistan’s APT36 used Crimson RAT for Indian govt phishing; pro-India hacktivists leaked Pakistani tax data and hit infrastructure【20†L338-L344】【21†L96-L104】; deepfake of PM Modi circulated【21†L119-L130】. | Limited AI: deepfake video by Pakistan-linked actors【21†L119-L130】, automated scanning by both sides. India’s CERT uses ML tools to filter millions of alerts. | Mostly low-tech hacking and info ops. Attack volumes spiked but damage limited. Highlights need for vigilance on critical grids and public awareness (e.g. fake-alert defense). Calls for cyber confidence-building (hotline) exist【20†L371-L379】. |

AI in Offense and Defense

Across these case studies, clear patterns emerge about AI’s role:

  • Offensive Use of AI: Attackers leverage AI to scale and automate. As one analyst notes, emerging AI tools “lower the bar” for attackers by automating phishing, credential harvesting, and social media manipulation【52†L364-L366】. In practice, state-sponsored hackers may feed network scans or payloads into machine-learning systems to find the easiest exploit paths. AI-driven malware (still largely experimental) could autonomously select targets or adapt to antivirus defenses【52†L387-L390】. Even without ground-breaking AI, most adversaries use AI-enabled infrastructure: botnets with adaptive algorithms (e.g. rotating command servers), or generative models for disinformation (the fake news anchor【27†L227-L236】, the PM deepfake【21†L119-L130】). Both Hamas- and Pakistan-aligned actors demonstrated that even basic automation can mount vast DDoS attacks on short notice【26†L77-L86】【20†L338-L344】.
  • Defensive Use of AI: Conversely, modern cyber defenses are increasingly AI-centric. Nations deploy machine-learning models trained on historical breach data to detect intrusions: for example, Ukraine’s security teams rely on AI analytics (with vendors such as Microsoft and Cisco) to sift through logs and block attacks【35†L291-L300】【52†L416-L424】. Automated defense systems (“AI in the loop”) can isolate an infected segment or patch a vulnerability in seconds【52†L424-L428】. These capabilities were on display when Israeli agencies quickly mitigated massive DDoS floods【26†L147-L156】, and when U.S. cyber commands coordinated with cloud companies to relocate data after the Iranian drone strikes【35†L291-L300】. The net effect is that well-resourced defenders can blunt many high-end attacks.
  • Adversarial Dynamics: Importantly, as the AI arms race escalates, each side’s AI investments fuel the other’s incentives. For “hard targets” (military command, nuclear facilities), both offense and defense now use advanced AI. This could lead to a cyber-deterrence stalemate: as Chatham House observes, over the long run “advanced defensive systems neutralize many automated threats, but sophisticated offensive techniques continually probe novel vulnerabilities”【52†L441-L449】. However, civilian and softer infrastructure lacks such defenses, so AI’s net effect is to amplify asymmetric attacks on non-state systems【52†L364-L366】【52†L451-L456】. The Ukraine and Israel conflicts show this: attackers often focus on banks, media, and utilities, where civilian defenses are weaker.
  • Limitations of AI: We must stress that while AI boosts capabilities, it also has limits. Machine-learning models require training data and can be fooled by adversarial inputs【47†L139-L148】【56†L461-L469】. For example, an AI system might misclassify a minor variation in code as benign, or struggle with new malware strains. Humans must still oversee critical kill chains: US commanders emphasize that “humans will always make final decisions on what to shoot”【56†L461-L469】. On defense, AI is only as good as its data: if an attacker radically changes tactics, a trained model might miss it.

Supply-Chain and Critical Infrastructure Vulnerabilities

A striking theme is the targeting of supply chain and civilian infrastructure:

  • Cloud & Data Centers: The Gulf war showed that adversaries now consider commercial cloud services fair game【35†L273-L281】. Iran’s drone strikes on AWS centers and its public threat listing of tech giants indicate a shift: not just local grid substations but global data hubs are now treated as strategic assets. A disrupted data center can paralyze banking or emergency services across a region. For India, this highlights the need to cooperate with cloud providers (alongside India’s plans for submarine cables and data localization) and perhaps to invest in alternative national data centers that can be shielded.
  • Industrial Control Systems (ICS): History underscores that power, water, and transport control networks are prime targets. Russia’s attacks on Ukraine’s grid and the 2012 Stuxnet attack on Iran’s Natanz uranium plant are cautionary examples. Supply-chain malware (e.g. SolarWinds in the US, compromised network switches in India in 2020) further illustrates that off-the-shelf software can become a vector. Defending these systems requires specialized AI-driven monitoring of ICS traffic patterns and strict vetting of suppliers.
  • Critical Online Services: Banks, stock exchanges, and emergency alert systems have also been attacked. India has witnessed periodic DDoS and misinformation campaigns targeting its online financial systems. Learning from Israel, India should ensure that mass-notification apps (such as air-raid or disaster alert apps) are secure by design and cannot be hijacked to spread panic.
  • Global Tech Partnerships: Notably, these conflicts show that aligning with global tech firms can enhance resilience. Ukraine’s partnership with Microsoft and SpaceX (providing Starlink to restore internet access) is a prime example【35†L291-L300】. India could pursue similar arrangements, embedding defense requirements in partnerships (e.g. local R&D hubs of tech giants to support disaster response).
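One concrete form of the "secure by design" requirement for alert apps discussed above, as an added illustration that is not from the original article or any real alert system: every alert carries an authentication tag, a sequence number and an issue time, and the client (or a relay in front of it) rejects anything forged, replayed, stale, or outside the categories the channel is permitted to issue, so a breach of the publisher cannot push a fabricated "nuclear" alert the way the Red Alert incident did. The HMAC shared key, field names and category allowlist are assumptions; a public-facing app would use an asymmetric signature instead of a shared key, but the acceptance checks are the same.

```python
import hashlib
import hmac
import json
import time

# Constructed example (not from the article or any real alert app): a verifier
# that a mass-notification client or relay runs before displaying an alert.
ALLOWED_CATEGORIES = {"rocket", "earthquake", "flood", "test"}  # assumed allowlist
MAX_SKEW_SECONDS = 120  # assumed freshness window for an alert's issue time


def canonical(body):
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_alert(key, seq, category, area, issued):
    """Issuer side: wrap the alert body with an HMAC-SHA256 tag."""
    body = {"seq": seq, "category": category, "area": area, "issued": issued}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


class AlertVerifier:
    def __init__(self, key):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far (replay guard)

    def verify(self, envelope, now=None):
        """Return (accepted, reason); only accepted alerts advance last_seq."""
        now = time.time() if now is None else now
        body, tag = envelope.get("body"), envelope.get("mac")
        if not isinstance(body, dict) or not isinstance(tag, str):
            return False, "malformed envelope"
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False, "bad signature"
        if body.get("category") not in ALLOWED_CATEGORIES:
            return False, "category not permitted on this channel"
        if abs(now - float(body.get("issued", 0))) > MAX_SKEW_SECONDS:
            return False, "stale or future-dated alert"
        seq = int(body.get("seq", 0))
        if seq <= self.last_seq:
            return False, "replayed or out-of-order alert"
        self.last_seq = seq
        return True, "accepted"
```

The category allowlist is the check most directly tied to the incident above: even with a valid key, a compromised publisher can only emit the alert types the channel was provisioned for.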

Legal, Ethical and Policy Implications

The blurring of cyberwar and AI raises complex legal and moral questions:

  • International Law: Under existing international humanitarian law (IHL), cyberattacks that amount to a “use of force” could be treated like armed attacks. Attacks on purely civilian targets (e.g. hospitals, data centers without military purpose) are likely unlawful. However, attributing intent is hard. For instance, Iran’s targeting of AWS (a US company) raises debate: is an attack on an American firm’s infrastructure an attack on the US? The Wassenaar Arrangement and the UN Charter offer little explicit guidance on cyber. The recent UN resolution (Dec 2025) on “AI in the military domain” urges discussion but is non-binding【56†L583-L588】.
  • Autonomous Weapons: At a global level, there are ongoing talks about Lethal Autonomous Weapons Systems (LAWS). The CCW Group in Geneva is debating whether to ban “fully autonomous” weapons that select and engage targets without human control【42†L223-L231】. Many states (including Russia, the US and China) argue that existing IHL suffices, but others warn of an accountability gap. Disarmament officials have noted that “AI-assisted semi-autonomous weapons” have already been used in Ukraine and Gaza【42†L223-L231】. While this report focuses on cyber, the same principles apply: any AI-based targeting must remain under meaningful human control to comply with IHL.
  • Ethical Issues: Automated cyberattacks (e.g. self-spreading ransomware or AI-bot hijacks) can escalate without human intent. For instance, AI malware could misidentify a “target” and spread uncontrollably, causing collateral harm. The misuse of deepfakes in warfare also violates norms of truth and could endanger civilians (false-flag announcements). Ethically, states grapple with where to draw the line: Russia’s blanket blackout of Ukrainian media by DDoS is arguably immoral by peacetime standards, even if done in war. Democratic societies face additional pressure to set rules: as one expert noted, militaries need to codify procedures for AI use to avoid “AI-supported targeting” errors【54†L534-L540】.
  • Attribution & Escalation: The lack of clear attribution rules is a policy gap. India and others need to decide how to respond to non-state actors that may be proxies. Pakistan’s use of hacktivists and Iran’s use of proxy groups demonstrate the proxy-war risk. The Stimson Center recommends confidence-building: India and Pakistan should publicly reject cyberattacks as state policy and perhaps establish a cyber “no first use” pledge or hotline【20†L371-L379】. Such measures, along with commitments not to export cyber-weapons, would help stabilize the Indo-Pak cyber front.

Strategic Recommendations for India and CLAWS

Based on these analyses, we suggest several strategic priorities:

  • Invest in AI-enabled Cyber Defense: India must continue building an advanced cybersecurity posture. This includes developing domestic AI tools for anomaly detection, SOC automation, and threat hunting. Public-private initiatives (analogous to the US–Ukraine partnerships) should be fostered: for example, encouraging Indian tech companies to create shared cyber-intelligence platforms. NCC (cadet) and military training programs should include AI/cyber modules to raise awareness. CLAWS can contribute by analyzing threats and guiding doctrine, e.g. by publishing a whitepaper on AI in cyber defense for India.
  • Strengthen Critical Infrastructure Resilience: The government should mandate AI monitoring in key sectors (power, telecom, finance) and simulate scenarios (e.g. deepfake propaganda campaigns or data-center attacks). Collaboration with the private sector (banking consortiums, cloud providers) can ensure rapid incident-response plans. Given the AWS data-center strikes, India should map its cloud dependencies and work with providers on hardened sites. Investment in indigenous cloud and encryption (part of the “TechSangam” and Digital India programs) will reduce over-reliance on foreign infrastructure.
  • Enhance Offensive Cyber Capabilities: Just as adversaries use AI offensively, India should develop its own cyber warfare tools. A national Cyber Force (as announced in 2019) should incorporate AI R&D, for example tools to automate reconnaissance of adversary networks or to generate decoy network traffic (defensive honeypots). CLAWS and other think tanks can support this by studying APT tactics and recommending targeted capabilities. Export controls on cyber tools should be tightened, ensuring India does not inadvertently fuel proxy conflict.
  • Lead in Norms and Diplomacy: India should take an active role in shaping international cyber norms. The new UN resolution on military AI and the CCW talks on autonomous weapons are prime forums. CLAWS scholars can advise policymakers to push for clear rules (e.g. requiring a human in the loop for lethal cyber systems, akin to the Reuters recommendations【42†L223-L231】). India could propose region-specific dialogues (e.g. a “SAARC cyber pact”) to build trust, taking cues from the suggested cyber hotlines【20†L371-L379】. Engagement with the QUAD and ASEAN on cyber confidence-building would also advance India’s interests.
  • Public Awareness and Education: Finally, civilian awareness of cyber-AI threats is crucial. The Red Alert incident shows the danger of social panic, and the Modi deepfake highlights susceptibility to disinformation. National programs (through MeitY or defense outreach) should educate citizens on verifying alerts, securing IoT devices, and spotting AI-generated fakes. India’s NCC cadets, who understand technology and discipline, could be mobilized to teach such skills, aligning with the author’s personal NCC experience.

Assumptions & Gaps: Where reliable data is missing, we have stated assumptions. For example, exact malware attribution or APT capabilities are often classified; we rely on open reporting and analyst consensus. Data on private-sector losses or real-time campaign metrics is sparse. Future research (perhaps by CLAWS) should monitor these conflicts closely and update guidance as more information (e.g. declassified IOC lists) becomes available.

Conclusion: AI and cyber warfare are now inseparable from modern conflict. The cases of Iran–USA, Israel–Hamas, Russia–Ukraine, and India–Pakistan illustrate that adversaries will exploit any digital vulnerability – from cloud servers to social media – often using AI to automate and amplify attacks【52†L364-L366】【56†L461-L469】. However, defenders also wield AI to analyze threats and harden systems. For India, staying ahead means both developing AI-assisted defenses and contributing to global rules that prevent uncontrollable escalation. As one international expert warns, without careful controls “there are no front lines anymore” – data centers, networks, and even algorithms themselves can become battlegrounds【35†L317-L324】. India’s strategic thinkers and military (including CLAWS) must therefore treat AI and cyber as core elements of national security strategy, investing in talent and collaboration today to safeguard against tomorrow’s conflicts.

References: (Inline citations above correspond to the numbered source in text; additional background is drawn from the cited reports and analyses.)

Suggested Tags: #Cybersecurity #AI #CyberWarfare #NationalSecurity #CLAWS #India #ConflictStudies

Author Bio: Nikhil Kumar is an M.Tech candidate in Artificial Intelligence with hands-on experience (e.g. a webshell defense project) and a cadet in the NCC (National Cadet Corps). His academic and service background informs his research on emerging defense technologies and cyber-conflict.
