Middle East AWS attack highlights data center vulnerabilities

AWS data centers hit in the Middle East

But there’s a new twist to this decades-old conflict. Three Amazon Web Services (AWS) data centers located in the United Arab Emirates (UAE) and Bahrain were caught in the crossfire. AWS confirmed that the facilities were hit by drone strikes, resulting in structural damage, power failures, fire and water damage from fire suppression. Nearly 60 AWS online services went down. The company advised customers with workloads running in the Middle East to migrate their data to alternate AWS regions, warning that this could be a “prolonged event.”

It is believed to be the first time American big tech companies have become military targets. The attack makes it clear that data centers have become part of critical national infrastructure.

“They are strategically important to operations of financial systems, government services, healthcare, communications, logistics," said Jack Alexander, senior threat intelligence analyst at Quorum Cyber. "Everything we do in this day and age goes through data centers, goes through hyperscalers, so they need to be seen as critical national infrastructure and protected as such,”

Going forward organizations will need disaster recovery plans in place that identify single points of failure and include redundancy so the data can be moved elsewhere if a data center is disabled, Alexander said. Consulting companies with internal intelligence departments can offer key information to organizations interested in a geographical area.

“Use those means to identify the geophysical risks around the world and then structure your strategic dependencies accordingly,” he said.

The physical reality of “the cloud”

The AWS data center attacks are a reminder that digital systems ultimately rely on real-world physical infrastructure, said Tae Oh, founder of Spacecoin.

Cloud regions, data centers, fiber routes and undersea cables all sit inside environments that can be disrupted by conflict, geopolitical tension or government intervention.

"When those systems are damaged or restricted, the connectivity that businesses depend on can degrade or disappear much faster than most continuity plans anticipate,” Oh said.

Multiple cloud regions of backup data centers rely on the same terrestrial networks and gateways, he said. Real continuity requires independent connectivity layers that operate outside a single provider, country or routing system.

“Open, decentralized internet infrastructure – particularly networks that can operate from space rather than relying solely on ground routes – can provide that additional layer of resilience when terrestrial systems become pressure points,” Oh said.

The risks of locating data centers in volatile regions

The UAE is attractive to US hyperscalers interested in building powerful data centers to feed their AI initiatives. Many companies, including Google, Microsoft and Oracle operate data centers in the region, although Amazon is the only one to report damage so far.

The UAE has become one of the most important infrastructure hubs in the Middle East and the country has invested heavily in physical security around data centers and connectivity, said Syed Asif Ali, founder of Point Media.

Beyond physical protection, data centers depend on a strong infrastructure, connectivity, geopolitics, supply chains and regulatory environments. As a result, companies are adopting multi-region architectures where critical workloads can shift between geographic regions if necessary, Asif Ali said.

“In the cloud era, resilience comes from geographic flexibility as much as physical security,” he said.

But the physical threat still exists.

Iranian Revolutionary Guard-affiliated news claimed that Iran targeted Amazon and Microsoft facilities, the Financial Tines reported. Iran justifies the data center attacks because of Project Nimbus, a $1.2 billion contract that Amazon and Google jointly hold to provide cloud services to the Israeli government and military.

It’s not the first time private industry has been made a target in armed conflict, according to Mahmoud Abuwasel, partner at Wasel & Wasel.

The Cuba Submarine Telegraph Company, a British-owned private company located in Cuba, had its telegraph lines attacked by Americans during the Spanish-American War. The U.S. said the action was justified because the company was transferring military data on behalf of the Cuban government. The company later sued the United States government and a special tribunal agreed with America that the act was justified.

“This has happened before. That’s why it’s important to look at those precedents and reflect on them in the modern situations,” Abuwasel said.

Large investments are continually being made in data centers as the AI push and the need for data hosting grows. As these needs enter the state apparatus even more, data centers will become more sensitive and more prone to attack, Abuwasel said.

What hyperscalers should do next

Enterprises working in the region should focus on architectural resilience rather than just physical protection, Asif Ali said.

Organizations choosing to operate in geopolitically sensitive regions should prioritize multi-region deployments, workload portability and failover strategies that allow critical services to move across geographic zones without disruption, he said.

They should also consider how much risk is concentrated because disruption to large volumes of infrastructure in a single region can have a ripple effect across multiple organizations, Asif Ali said.

The most resilient organizations design their systems assuming disruptions will eventually happen.

Data governance and regulatory dynamics also come into play, requiring organizations to consider where data is stored, how quickly it can be relocated and how operations continue if a specific region becomes inaccessible.

“The most resilient organizations design their systems assuming disruptions will eventually happen,” he said.

What this means for enterprise business continuity

The situation in the Middle East will force many organizations to rethink their disaster recovery plans to include situations that aren’t currently addressed.

“Now, all of a sudden, we have a challenge that ‘if there is an attack, or some sort of disruption, how can we safely, securely and in compliance move that data from one region to another,’” said Kevin Miller, CTO at IFS North America.

The challenge increases when working in countries that mandate data sovereignty.

“The reality is that sometimes we don’t know where our data is and a lot of these tier one providers, these hyperscalers, are balancing those data loads sometimes across different geographic regions," Miller said. "But there will be a lot of questions asked about where the data resides.”

The best prevention comes from modeling what can happen and AI provides an advantage, he said. Much like mapping alternative suppliers or routes, an organization can use AI to determine how to get data out of a physical location it lost access to and back into the data owner’s hands.

“We have to now start looking many layers deeper than we traditionally have in terms of what is the best disaster recovery plan,” Miller said.

There will be an increase in the need to have physical access or solid alternatives as to where data can go, as well as increased attention in terms of which countries are safe to migrate that path.

There should be legislation around regulations that protect organizations from legal risks and compliance deficiencies if they want to move data from a compromised data center into another one, Miller said.

Future disaster recovery and contingency plans may include some type of additional sharing or mutual aid between data centers similar to the utility companies, he said.

Julie Hanson is a freelance writer who has reported on local news across Massachusetts and New Hampshire.