AI Infrastructure as a Strategic Target in Modern Cyber Conflict

The Situation

On February 28, 2026, US and Israeli forces launched coordinated strikes against Iran, marking a significant escalation in an already volatile regional threat environment. As observed in previous instances of kinetic conflict in the region, the geopolitical escalation has had an immediate and measurable effect on the cyber threat landscape. Iranian state-sponsored groups including APT34, APT33, MuddyWater, and APT35 have historically demonstrated a pattern of pre-positioning inside target networks well in advance of geopolitical flashpoints, with threat intelligence confirming active footholds inside Western defense, financial, and technology sector networks prior to the current escalation.

This activity does not exist in isolation. The broader Middle East and North Africa region presents a layered threat actor landscape, encompassing Hamas-affiliated groups such as MOLERATS and Gaza Cybergang, Hezbollah-linked operators with growing persistent access capabilities, Houthi-aligned actors with Iranian operational backing, and Russian and Chinese APT groups with their own strategic interests in monitoring and potentially influencing the outcome of the conflict. Each of these actors has demonstrated, to varying degrees, the doctrine and technical capability to conduct long-dwell, low-visibility operations inside critical technology infrastructure.

For organizations operating in or adjacent to sectors of strategic interest to these actors, this threat environment warrants a reassessment of attack surfaces that may not yet have received adequate security attention, including the AI development infrastructure this report addresses.

What Your Organization May Not Realize It Is Exposing

Most security programs have invested heavily in protecting what AI systems produce: the models, the outputs, the decisions. Far less attention has been paid to the platforms responsible for building those systems.

MLOps platforms, the operational backbone that manages how your AI models are trained, how your datasets are stored, and how your machine learning pipelines run, are currently one of the least secured categories of enterprise infrastructure. CloudSEK's research identified over 100 exposed credential sets and more than 80 publicly accessible MLOps deployments in just 48 hours of scanning. These were not sophisticated breaches. Many required no exploitation whatsoever. Credentials were sitting in public GitHub repositories. Dashboards were open to the internet with no authentication. In several cases, anyone could register an account and walk directly into a fully functional machine learning environment.

What an attacker finds inside is not a limited application. It is the control plane for your entire AI operation: training datasets, trained models, pipeline configurations, experiment histories, and critically, the cloud storage credentials that connect to your broader AWS, Google Cloud, or Azure infrastructure.

A single exposed MLOps credential is not a data breach. It is a persistent vantage point into everything your AI systems know, learn from, and produce.

Why This Is Different From Every Other Security Problem You Have Faced

The attacks this research documents do not look like attacks. There is no malware. There is no exploit. There is no ransom note. An adversary operating inside an MLOps environment uses the same interfaces your engineers use every day. Downloading a model looks identical whether it is your data scientist or a nation-state actor. Executing a training pipeline generates the same logs regardless of who submitted it. Accessing a dataset leaves the same footprint as legitimate research activity.

This creates a category of threat that traditional security tooling is not designed to detect, and that most incident response playbooks do not account for.

More significantly, the most damaging form of this attack may never be detected at all. An adversary with write access to a training pipeline does not need to steal your model. They can quietly manipulate it. Subtle changes to training data, labeling processes, or model artifacts propagate through your retraining cycles invisibly. The result is an AI system that behaves differently in ways that may take months to manifest, and that will almost certainly never be attributed to an external actor. Your surveillance model starts misclassifying. Your anomaly detection system stops flagging a specific pattern. Your automated decision pipeline starts weighting signals differently. From the inside, it looks like model drift. From the outside, it was sabotage.

The Business and Strategic Risk

For organizations whose AI systems support operational decision-making, financial risk modeling, threat detection, or any form of automated analysis, this risk is immediate and material.

For organizations operating in or adjacent to defense, intelligence, critical infrastructure, or government contracting, the risk is elevated further. Iranian APT groups have already demonstrated pre-positioning inside US aerospace and defense suppliers, financial institutions, and technology contractors. The attack surface they are most likely to exploit next is the one that is currently least defended: the infrastructure that builds and maintains AI capabilities.

The strategic calculus is straightforward. An adversary that cannot match your AI capability through their own development can instead target the pipeline that produces it. Stealing the model tells them how you think. Manipulating the pipeline changes how you think. The second option is significantly more valuable and significantly harder to detect.

What Leadership Should Be Asking

The questions your security leadership should be able to answer today are not about model security. They are about infrastructure security.

Are your MLOps platforms accessible from the public internet? If yes, with what authentication controls? Are any credentials associated with your machine learning pipelines present in internal or external code repositories? Do your cloud storage integrations use static keys or short-lived, role-based credentials? Is access to your training datasets and model artifacts logged and monitored with the same rigor as access to your production systems? When did you last audit the credentials embedded in your CI/CD pipelines and training environment configuration files?

If your security team cannot answer these questions with confidence, your AI infrastructure should be considered at risk.

The Bottom Line

Prompt injection, jailbreaks, and adversarial model attacks represent legitimate and well-documented risks that the security community continues to actively research and address. However, they represent one layer of a significantly broader attack surface. As AI systems become embedded in critical operations across defense, intelligence, and enterprise environments, the infrastructure responsible for building and maintaining those systems demands equal scrutiny. This research demonstrates that MLOps platforms, currently one of the least secured categories of enterprise infrastructure, present a structurally significant and largely unaddressed attack surface that is directly accessible today through basic credential exposure and misconfiguration, without exploiting a single software vulnerability.

Securing your AI capability requires securing the platforms and credentials behind them. The models your organization depends on are only as trustworthy as the pipelines that produced them. Right now, for many organizations, those pipelines are exposed.

This research has demonstrated that the access conditions for this class of attack already exist at scale. Exposed credentials, unauthenticated dashboards, and misconfigured deployments are not hypothetical risks. They are present today, discoverable by anyone with basic scanning capability, and structurally aligned with the supply chain focused doctrine that the most capable threat actors in this geopolitical moment have repeatedly demonstrated. Whether those actors have yet turned their attention to MLOps infrastructure specifically is an open question. That the conditions for them to do so are already in place is not.

Full Research Paper

For the full technical research including attack scenarios, platform-specific findings, and remediation guidance, refer to the complete CloudSEK report: AI Infrastructure as a Strategic Target in Modern Cyber Conflict.

[Click Here To Download Full Research Paper]

‍