
UAE Cybersecurity Report: Resilient Yet Challenged: How the UAE Navigates the Digital Battlefield

As threats grow more sophisticated, the United Arab Emirates stands at the forefront of global cyber defenses. By wielding cutting-edge AI technologies and strategic frameworks, the UAE confronts a volatile landscape of AI-powered attacks and ransomware, turning challenges into opportunities for technological resilience.

By: Mirza Bahić

The United Arab Emirates has positioned itself as a global leader in cybersecurity, a status reaffirmed by its top ranking in the “Pioneering Model” category of the Global Cybersecurity Index (GCI) in 2024. This recognition is a testament to the country’s proactive cybersecurity strategies, strong public-private partnerships, and robust policies aimed at protecting digital infrastructure. However, the digital threat landscape continues evolving, presenting new challenges for organizations and government entities.

Growing digital footprint makes the UAE an attractive target

The latest State of the UAE Cybersecurity Report 2025 provides a comprehensive analysis of the nation’s digital landscape, revealing approximately 223,800 digital assets distributed across the country. Dubai hosts the largest share, accounting for 65 percent of all digital assets, while Abu Dhabi follows with 13 percent. Fujairah holds 11 percent, Sharjah 7 percent, Ajman 3 percent, and Ras Al Khaimah 1 percent. This vast and growing digital footprint has made the country an attractive target for cybercriminals, both state-sponsored and financially motivated, who continue to evolve their attack methodologies.

AI-Powered Cyber Threats Are a New Frontier of Cybercrime

Among the most alarming findings in the report is the rise in AI-powered cyber threats. Malicious actors have begun leveraging artificial intelligence for more sophisticated phishing attacks, AI-generated malware, and deepfake-based fraud. Phishing campaigns have become increasingly convincing, with AI tools crafting personalized and context-aware emails that evade traditional detection mechanisms, significantly increasing their success rate.

UAE-based financial institutions and multinational corporations reported a sharp rise in spear-phishing campaigns targeting high-profile executives, leading to increased credential theft and unauthorized access to sensitive systems.

A particularly notable incident involved a deepfake audio attack that successfully impersonated a UAE corporate executive, tricking employees into transferring funds to fraudulent accounts. Iranian hackers have also engaged in disinformation campaigns by broadcasting fake news on UAE television streams using deepfake technology, further undermining trust in media.

AI-driven reconnaissance tools have enabled state-sponsored groups to map vulnerabilities in the UAE’s critical infrastructure with unprecedented precision, significantly increasing the risk of cyber espionage. State-sponsored actors are also integrating AI into their attack frameworks to automate reconnaissance, exploit identification, and lateral movement within networks. In one case, an APT group used such tools against OT environments within the UAE’s critical infrastructure, posing heightened risks to national security and economic stability. AI-generated polymorphic malware was deployed in an attack against a UAE-based energy firm, allowing adversaries to bypass traditional security measures by rewriting their code in real time to evade detection.

From Safe AI Framework to the Crystal Ball

In response to these AI-driven threats, the UAE has adopted several proactive measures. The government has integrated AI-based cybersecurity solutions into its National Cybersecurity Strategy to enhance national cyber resilience. Public awareness campaigns have been launched to educate businesses and the public about AI-related cyber risks, such as phishing scams and deepfakes. Additionally, the UAE has developed the Crystal Ball platform, a next-generation AI information-sharing tool for over 68 nations, aimed at fostering collaboration in combating cyber threats. The platform promotes global intelligence sharing, attribution of cyber incidents, and effective deterrence of cybercriminals.

Recognizing the dual-use nature of AI, both as a tool for cyberattack and defense, the UAE is also focused on bolstering its cybersecurity defenses by adopting frameworks like the CPX Safe AI Framework, which provides organizations with a comprehensive guide for implementing AI responsibly.


The framework is structured around three key elements that ensure AI systems are deployed effectively and securely. First, it emphasizes the importance of aligning AI strategies with organizational goals, ensuring that AI initiatives are integrated with broader business objectives. It also stresses securing leadership support and establishing accountability to prioritize human welfare and ethical compliance throughout the AI lifecycle.

The framework also focuses on model development and deployment, encouraging organizations to conduct thorough impact assessments and establish clear policies for data usage, ownership, and storage. It advocates for responsible training of AI models, setting standards for human oversight, and implementing comprehensive testing and incident response strategies to ensure that AI systems function ethically and with transparency.

Lastly, the framework prioritizes security and privacy, advising organizations to adopt robust controls and conduct vulnerability assessments on AI systems. By using zero-trust principles, organizations can secure AI infrastructure and maintain a secure runtime environment. This part of the framework also addresses the importance of compliance with privacy regulations and safeguarding user data, ensuring that AI technologies do not become conduits for malicious activities.

By embracing these principles, the Safe AI Framework provides organizations with the tools to harness the power of AI while maintaining a responsible approach to its use. As AI continues to evolve, this framework represents a proactive step towards guiding businesses in securing their AI-driven initiatives, preventing abuse, and fostering trust among stakeholders and regulators.

Cyberattacks Inflict Massive Financial Losses

The financial consequences of cyberattacks in the UAE have been severe. The average cost of a data breach in the Middle East, including the UAE, reached $8.75 million, making it the second-highest globally. The financial burden is further exacerbated by understaffed security teams that experience higher losses due to delayed responses. Conversely, organizations that extensively use AI in security operations have been able to reduce their breach costs, showcasing the potential of automation in mitigating cyber threats.

Data destruction attacks on the rise

Ransomware remains a significant and growing threat in the UAE. The number of active ransomware groups has increased by 58 percent in 2024, further complicating the country’s cybersecurity landscape. Newcomers such as DarkVault, Qilin, RansomEXX, and KillSec have emerged, joining the ranks of more established ransomware groups. LockBit3, which dominated ransomware activity in 2023 with 31 percent of attacks, saw its share drop to 16 percent in 2024. Meanwhile, RansomHub accounted for 13 percent of ransomware incidents, indicating its rising influence in the UAE’s cyber landscape.


Several ransomware groups that were active in 2023, including Clop, Alphv, and Dragonforce, have disappeared from UAE-focused cyber activity in 2024. The ransomware-as-a-service (RaaS) model has expanded in the UAE, supported by a network of underground affiliates who help cybercriminals deploy ransomware more effectively.

In addition to ransomware threats, data destruction attacks have increased by 22 percent, signaling a shift toward cyber disruption rather than purely financial extortion. This growing trend suggests that attackers are now motivated by more than just financial gain, as they seek to cause lasting damage to organizations and infrastructure.

DDoS Attack Trends

The UAE has witnessed a dramatic decline in Distributed Denial of Service (DDoS) attacks, with incidents dropping from 58,538 attacks in 2023 to just 2,301 in 2024, marking a 96.09 percent reduction. However, while local attacks have decreased significantly, global DDoS attack volume has increased by 0.8 percent. The maximum bandwidth of DDoS attacks in the UAE has fallen, dropping from 266.9 Gbps to 85.92 Gbps, a decline of 67.7 percent.


Hacktivist groups targeted UAE-based entities with DDoS attacks early in 2024, but this activity declined in the fourth quarter due to a combination of law enforcement crackdowns and stricter social media regulations.

Infostealers for Sale at US$10

The research shows a growing prevalence of infostealer malware in the UAE, with RedLine Stealer emerging as the most dominant threat, responsible for 69.9% of infections. This malware was found on the highest number of compromised systems in the region, posing a significant risk to security. On Windows-based personal devices, these infections occur when victims sync their Google Password Manager in the Chrome browser between their corporate and personal systems. Inexpensive malware-as-a-service (MaaS) infostealers, which are sold on Dark Web forums for as little as US$10, are commonly used by cybercriminals to steal and resell credentials.


The research found that 54,655 compromised passwords were between 1 and 8 characters long, 107,478 were between 9 and 12 characters, and 75,976 exceeded 12 characters. In total, 238,109 unique passwords were leaked by infostealers, and 77.04% of them met the National Institute of Standards and Technology (NIST) password length guidelines, with at least 12 characters.

Despite this, the exposure of these passwords highlights an important issue: long passwords alone are insufficient if they are compromised through malware attacks.

Phishing Tactics and Targets in 2024

Phishing email campaigns surged in 2024, with Microsoft 365 impersonation scams being among the most effective. Cybercriminals also targeted UAE telecom companies like Etisalat, Aramex, and DEWA, tricking employees and customers into divulging sensitive credentials.

In the first half of 2024, the CPX Threat Hunting team uncovered activities related to the MINIBUS and MINIBIKE backdoors, attributed to an Iranian threat actor. The campaign used spear-phishing emails with fake job offer links to deliver the malicious payload. These attacks employed DLL search order hijacking for persistence and leveraged Azure infrastructure for command-and-control (C2) communications. Threat actors strategically placed malicious DLLs in benign application folders, including Microsoft Office, VMware VGAuth, OneDrive, and Splunk Universal Forwarder, to avoid detection.
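The DLL placement described above is a persistence technique that defenders can hunt for with a file-inventory heuristic: a hijack DLL sits beside vendor-signed executables but is itself unsigned, signed by someone else, or written long after the product was installed. The Python below is an added example, not code from the report or from CPX. It runs over a constructed inventory of PE files (path, signature state, signer, last-write date, the kind of data an EDR or file-integrity scan exports), so it needs no Windows host; the folder paths, signers and dates are constructed for the example.

```python
"""Spot DLLs planted in trusted application folders (DLL search-order hijacking).

Added example, not code from the report or from CPX. Input is a constructed
inventory of PE files as an EDR or file-integrity scan would export it.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileRecord:
    path: str       # full Windows path
    signed: bool    # True when a valid Authenticode signature is present
    signer: str     # certificate subject, "" when unsigned
    modified: date  # last-write time


def _folder(rec: FileRecord) -> str:
    return str(PureWindowsPath(rec.path).parent).lower()


def find_planted_dlls(records, max_age_gap_days=30):
    """Return [(path, reason)] for DLLs that do not fit their folder.

    The signed executables in a folder define its vendor. A DLL is reported when
    it is unsigned or signed by a different party; the write-time gap to the
    newest vendor executable is appended as context, since a hijack DLL is
    usually dropped long after the product was installed.
    """
    by_folder = defaultdict(list)
    for rec in records:
        by_folder[_folder(rec)].append(rec)

    findings = []
    for files in by_folder.values():
        exes = [f for f in files if f.path.lower().endswith(".exe") and f.signed]
        if not exes:
            continue  # nothing trustworthy to anchor on; outside this heuristic
        vendors = {e.signer for e in exes}
        newest_exe = max(e.modified for e in exes)
        for f in files:
            if not f.path.lower().endswith(".dll"):
                continue
            if not f.signed:
                reason = "unsigned DLL beside vendor-signed executables"
            elif f.signer not in vendors:
                reason = f"signed by {f.signer!r}, folder vendor is {sorted(vendors)}"
            else:
                continue
            gap = (f.modified - newest_exe).days
            if gap > max_age_gap_days:
                reason += f"; written {gap} days after the newest vendor executable"
            findings.append((f.path, reason))
    return findings


# Constructed inventory (not real scan data): a OneDrive folder holding a
# vendor-signed executable and DLL plus an unsigned DLL that appeared months
# later, and a Splunk forwarder folder where a DLL carries a third-party signature.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
               True, "Microsoft Corporation", date(2024, 1, 10)),
    FileRecord(r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\sync_core.dll",
               True, "Microsoft Corporation", date(2024, 1, 10)),
    FileRecord(r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\helper.dll",
               False, "", date(2024, 5, 22)),
    FileRecord(r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
               True, "Splunk Inc.", date(2023, 11, 2)),
    FileRecord(r"C:\Program Files\SplunkUniversalForwarder\bin\update.dll",
               True, "Example Shell Co", date(2024, 6, 3)),
]

if __name__ == "__main__":
    for path, reason in find_planted_dlls(SAMPLE_INVENTORY):
        print(f"{path}\n    {reason}")
```

The heuristic deliberately stays silent for folders without a signed executable to anchor on; those need a golden-image baseline rather than a signer comparison, and a real deployment would feed the findings into a ticket with the file hash and first-seen time.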


The team also observed an uptick in phishing campaigns targeting multiple organizations in the UAE. Phishing, a simple yet highly effective strategy, relies on human interaction to deceive victims, making it more challenging to defend against than traditional malware or exploit-based attacks. Many of the observed campaigns involved spear-phishing links impersonating Microsoft 365, which were used to steal credentials and gain unauthorized access to email and VPN services. Once inside, attackers sought to abuse and exfiltrate critical data.

Additionally, the team tracked a surge in payment card phishing campaigns impersonating prominent UAE organizations such as Etisalat, DEWA, Aramex UAE, and DHL. In May 2024, threat actors were found sending phishing emails with ZIP attachments containing an executable file that installed LockBit Black ransomware.

Exploitation of Vulnerabilities and Patch Delays

Organizations in the UAE continue to struggle to patch critical vulnerabilities in a timely manner, leaving them susceptible to cyberattacks.

In 2024, OpenSSH vulnerabilities continued to pose a significant challenge for cybersecurity professionals, with several high-severity flaws identified. Among these, CVE-2023-38408, the most widespread vulnerability, involves Forwarded SSH-Agent Remote Code Execution, carrying a critical CVSS score of 9.8. With 33.3% of devices affected, it allows attackers to remotely execute malicious code, presenting a serious threat to network security.


Another notable vulnerability, dubbed “regreSSHion,” allows unauthenticated code execution on glibc-based Linux systems. With a CVSS score of 8.1 and affecting 16.7% of systems, this flaw highlights the importance of robust authentication protocols. These vulnerabilities demonstrate the need for organizations to address not just remote code execution but also threats that could disrupt network availability.
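Because CVE-2023-38408 is reachable only when the ssh-agent is forwarded to a host an attacker controls, a useful companion to patching is knowing which destinations a client configuration actually forwards the agent to. The Python below is an added example, not code from the report or from OpenSSH: it parses a constructed ssh_config, applies OpenSSH's first-obtained-value rule for Host blocks (including negated patterns), and lists the hosts that would receive the agent. It assumes the config uses Host blocks only; Match blocks are not evaluated.

```python
"""Audit an OpenSSH client config for destinations that receive a forwarded agent.

Added example; not code from the report or from OpenSSH. OpenSSH uses the first
value obtained for a keyword, so a directive in an early Host block beats a later
"Host *". Assumption: Host blocks only (Match blocks are not evaluated here).
"""
import re
from fnmatch import fnmatchcase

# keyword, optional "=", rest of line (OpenSSH accepts "Key value" and "Key=value")
_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")


def _host_matches(patterns, hostname):
    """ssh_config(5) Host semantics: a matching negated pattern (!pat) excludes
    the host outright; otherwise any matching positive pattern selects it."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatchcase(hostname, pat):
            matched = True
    return matched


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value})] in file order.

    Directives before the first Host line go into a leading "*" block so they
    apply to every destination.
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        keyword, rest = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            blocks.append((rest.split(), {}))
        else:
            blocks[-1][1].setdefault(keyword, rest)  # first occurrence in a block wins
    return blocks


def effective_value(blocks, hostname, keyword):
    """The first matching block that sets the keyword wins."""
    keyword = keyword.lower()
    for patterns, directives in blocks:
        if keyword in directives and _host_matches(patterns, hostname):
            return directives[keyword]
    return None


def hosts_receiving_agent(blocks, hostnames):
    """Sorted subset of hostnames for which ForwardAgent resolves to yes."""
    return sorted(
        h for h in hostnames
        if (effective_value(blocks, h, "ForwardAgent") or "no").lower() == "yes"
    )


# Constructed ssh_config: forwarding is intended for the bastion only, but a
# wildcard block also forwards the agent to every other corp host except one.
SAMPLE_CONFIG = """
# constructed sample, not a real deployment
Host bastion.corp.example
    ForwardAgent=yes
    User ops

Host *.lab.example
    ForwardAgent no

Host *.corp.example !legacy.corp.example
    ForwardAgent yes

Host *
    ForwardAgent no
    ServerAliveInterval 30
"""

SAMPLE_HOSTS = ["bastion.corp.example", "db01.corp.example",
                "legacy.corp.example", "build.lab.example", "github.com"]

if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for host in hosts_receiving_agent(cfg, SAMPLE_HOSTS):
        print(f"agent forwarded to: {host}")
```

Run against a real `~/.ssh/config` plus `/etc/ssh/ssh_config`, the output is the list of destinations whose compromise would expose the user's agent; each entry that is not a deliberately trusted jump host is a candidate for `ForwardAgent no`.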

Sectoral Impact

The most targeted industries included government entities, which experienced 34.9 percent of cyber incidents, followed by the finance sector at 21.3 percent, energy at 14.1 percent, defense at 6.6 percent, and healthcare at 6.7 percent. Notably, 77 percent of incidents were classified as critical, high, or medium severity, posing substantial risks to business continuity and operations.


Overall, cybersecurity incidents were largely driven by misconfiguration, tuning, and change requests, which accounted for 32% of all reported cases. Improper usage and unlawful activity followed closely at 19%, while scans, probes, and attempted unauthorized access made up 15%. Additionally, email fraud, phishing, and spoofing incidents represented 12% of the total, underscoring the ongoing need for continuous user education and robust email security measures.

Malicious code, including viruses, worms, and Trojan horses, was involved in 9% of incidents, highlighting the importance of advanced malware detection and response systems. Unauthorized access also accounted for 9% of incidents, signaling potential weaknesses in access control mechanisms, which could be mitigated by strengthening these controls and implementing multi-factor authentication.

Finally, web application attacks, though less frequent, represented 4% of the incidents, indicating either the effectiveness of current security measures or a strategic shift by attackers to exploit more vulnerable targets.

Shifting Attack Vectors and Growing Risks

In 2024, a significant shift was observed in the initial attack vectors used by threat actors targeting organizations in the UAE. Phishing incidents remained steady, but the category of “unknown (possibly phishing)” highlighted the continued relevance of phishing and its potential overlap with other attack methods.

Another persistent threat was web server compromises, which accounted for 11% of the total incidents, emphasizing the need for organizations to strengthen security measures around web servers to prevent exploitation.

Malware delivery methods also showed a shift, with a decrease in direct installs and an increase in web application attack delivery methods. The percentage of malware directly installed on a victim’s machine dropped from 36% in 2023 to 11% in 2024, suggesting that attackers are increasingly favoring indirect methods. Web application attacks, which accounted for 11% of malware delivery in 2024, highlight a growing focus on exploiting vulnerabilities in web applications to distribute malware. These trends underscore the evolving nature of cyber threats and the critical importance of adapting security strategies to address emerging risks.

Strengthening Cyber Defenses Through AI and Collaboration

In the report, cybersecurity experts recommend increased investment in AI research to develop advanced threat detection models that can keep pace with the evolving cyber threat landscape. Real-time AI-powered monitoring is essential for detecting and mitigating cyberattacks before they cause significant damage. Strengthening international partnerships should enhance cyber intelligence-sharing and response capabilities.

The expansion of initiatives such as Crystal Ball, which facilitates AI-driven cyber intelligence sharing, will play a crucial role in enhancing national security. Additionally, organizations must implement faster patching policies to reduce vulnerability windows and introduce comprehensive employee training programs to combat AI-enhanced phishing and deepfake social engineering attacks.

As cyber threats continue to evolve with increasing complexity, the UAE must maintain its proactive approach to cybersecurity. The integration of AI-powered security solutions, enhanced intelligence sharing, and faster response mechanisms will be crucial in ensuring national cyber resilience. By fostering public-private collaboration, investing in cutting-edge cybersecurity measures, and prioritizing rapid threat response, the UAE is well-positioned to remain a global leader in cybersecurity and digital safety.

Exploitation of Public-facing Applications

The report also describes the exploitation of both N-day and Zero-day vulnerabilities in public-facing applications as a source of risk in the UAE. These attacks are typically opportunistic, launching immediately after the disclosure of proof-of-concept (PoC) exploit code. A large portion of these scanning activities has been traced back to IP addresses associated with Linode, LLC, a cloud hosting provider. At present, no specific threat actor has been linked to the vulnerability scans. In April 2024, CPX identified multiple exploit attempts targeting the OS Command Injection Vulnerability CVE-2024-3400 in GlobalProtect, with attempts to deploy RedTail Cryptominers.
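Opportunistic post-PoC scanning of the kind described above leaves a recognisable trace in web server logs: one source requesting many distinct paths within minutes and collecting mostly 4xx responses, because it is probing blindly for a product that usually is not installed. The Python below is an added example, not code from the report or from CPX; it parses constructed combined-format access-log lines and flags such sources with a sliding time window. The addresses (documentation ranges), paths and thresholds are constructed or assumed and should be tuned per site.

```python
"""Flag log sources that behave like opportunistic vulnerability scanners.

Added example, not code from the report or from CPX. Input is a list of
web-server access-log lines in combined format (constructed below).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# client, ident, user, [timestamp], "METHOD path proto", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need, or None for a line not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"].split("?", 1)[0],  # count paths without query strings
        "status": int(m["status"]),
    }


def find_scanners(lines, window=timedelta(minutes=5), min_paths=8, min_error_ratio=0.75):
    """Return {ip: (distinct_paths, error_ratio)} for sources that look like scanners.

    Each source's requests are walked with a sliding window of `window` length;
    the source is reported when some window holds at least `min_paths` distinct
    paths with at least `min_error_ratio` of its requests answered 4xx. The
    widest qualifying window is kept.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    suspects = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            paths = {r["path"] for r in chunk}
            ratio = sum(400 <= r["status"] < 500 for r in chunk) / len(chunk)
            if len(paths) >= min_paths and ratio >= min_error_ratio:
                if ip not in suspects or len(paths) > suspects[ip][0]:
                    suspects[ip] = (len(paths), round(ratio, 2))
    return suspects


def _line(ip, ts, path, status):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0"'


# Constructed log: one probing source walking ten paths in twenty seconds, one
# ordinary user, and one source hammering a single login page (noisy, but not a
# path scanner; that is a different detector's job).
_PROBES = ["/", "/login", "/admin", "/console", "/manager/html",
           "/setup", "/backup", "/old", "/debug", "/api/v1/status"]
SAMPLE_LOG = (
    [_line("203.0.113.7", f"12/Apr/2024:10:15:{1 + 2 * i:02d} +0400", p, 200 if p == "/" else 404)
     for i, p in enumerate(_PROBES)]
    + [_line("198.51.100.20", f"12/Apr/2024:10:{16 + i:02d}:05 +0400", p, 200)
       for i, p in enumerate(["/", "/login", "/dashboard", "/dashboard/reports"])]
    + [_line("192.0.2.9", f"12/Apr/2024:10:15:{30 + i:02d} +0400", "/login", 401)
       for i in range(12)]
)

if __name__ == "__main__":
    for ip, (n_paths, ratio) in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {n_paths} distinct paths, {ratio:.0%} 4xx responses")
```

Flagged sources are a starting point for enrichment (hosting provider, ASN, first-seen time) rather than an automatic block list; legitimate crawlers and uptime monitors also produce 404 bursts, so the thresholds and an allowlist belong in site-specific tuning.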

The increase in exploitation of these vulnerabilities affects various industries, particularly the government and healthcare sectors. Zero-day vulnerabilities are those unknown to the vendor, meaning no patch, mitigation, or fix is available, while N-day vulnerabilities are known but unpatched flaws, for which the mean time to patch (MTTP) averages between 60 and 150 days.
