30% of Global Internet Over Hormuz: 17 Cables, 53 Cyber Groups, Iran Leverage
Quick summary
Hormuz: 17 cables (~30% of global traffic), 53 pro-Iran cyber groups, national intranet — structural leverage no airstrike removes. Routing, cables, and risk for developers.
The United States and Israel have been striking Iran since February 28, 2026. They have hit military installations, nuclear facilities, IRGC command centres, and energy infrastructure. What they have not — and cannot — hit is the geography.
Iran sits on top of the Strait of Hormuz. Through that 33-kilometre-wide passage run 17 undersea cables carrying approximately 30% of global internet traffic. No airstrike changes that. No sanctions change that. The cables are there because the geography is there, and the geography is not going anywhere.
This is not a statement about the war's outcome. It is a statement about structural leverage — the kind that exists regardless of who is winning militarily at any given moment. Iran has three distinct levers over global internet infrastructure that the current conflict has exposed more clearly than any peacetime analysis ever could.
Lever One: The Physical Chokepoint
The Strait of Hormuz is 33 kilometres wide at its narrowest point. The navigable shipping channel is narrower still — roughly 3.2 kilometres in each direction. Through this passage moves:
- 21% of global oil supply — approximately 17-18 million barrels per day
- 20% of global LNG — liquefied natural gas from Qatar, the world's largest exporter
- Data traffic from 17 undersea cable systems serving Europe-Asia connectivity
The cables are not redundant in any meaningful sense. When the Houthi attacks disabled cables in the Red Sea in late 2025, global internet traffic rerouted — but the rerouting consumed spare capacity and increased latency significantly for Europe-Asia traffic. The Hormuz cables serve different routes and different endpoints. There is no straightforward reroute if they go down.
As of March 2026, something unprecedented has happened: both the Red Sea and the Strait of Hormuz are simultaneously degraded. The Red Sea saw Houthi cable attacks. Hormuz has seen the IRGC declare the strait closed to hostile vessels. Cable repair ships — the specialised vessels that fix undersea damage — cannot operate in active war zones. Meta paused work on 2Africa Pearls, one of the most ambitious cable systems ever built, because its construction vessels cannot safely operate in the Gulf. Existing cable damage from late 2025 remains unrepaired.
Iran does not need to physically cut any cables to exercise this leverage. The threat of cutting them — combined with the inability to repair existing damage — is sufficient to affect global routing, capacity, and latency for the entire duration of the conflict.
The Dual Chokepoint Map
Before this conflict, the standard analysis identified the Strait of Hormuz as an oil chokepoint and the Suez Canal / Red Sea corridor as a shipping chokepoint. They were treated as separate risks. The 2026 conflict exposed that they are the same risk viewed from different angles.
Traffic between Europe and Asia — internet data, ships, energy — has three paths:
- Through the Suez Canal and Red Sea — degraded since late 2025 by Houthi attacks
- Around the Cape of Good Hope — adds 10-14 days to shipping, cannot carry cables
- Through the Hormuz Strait into the Indian Ocean — the only viable alternative for Gulf cables
When both the Red Sea corridor and Hormuz are simultaneously threatened, there is no third option. Existing cables must carry more traffic. New cables cannot be built or repaired. Latency increases. Capacity decreases. The entire architecture of global internet connectivity that was built assuming Middle East stability is exposed as fragile.
Lever Two: 53 Active Cyber Groups
Military analysts focus on Iranian state cyber capabilities — the named APT groups under IRGC and MOIS control. APT33, APT34, APT35 (Charming Kitten), APT42, Cotton Sandstorm, MuddyWater, Wezrat. These groups have been operating for years and have demonstrated capability against critical infrastructure: the 2012 Shamoon wiper that destroyed 30,000 Saudi Aramco workstations, the 2021 Oldsmar water treatment facility compromise, the 2023-2025 operations against US financial institutions.
What the 2026 conflict has revealed is scale that most analysts underestimated. Security researchers tracking the conflict have documented over 60 active threat groups operating in the conflict — 53 of them pro-Iranian. This is not 53 state-run APT groups. It is a combination of state APTs, IRGC-affiliated groups, hacktivist collectives, cybercriminal groups operating under state direction, and diaspora-linked groups operating independently but aligned with Iranian interests.
This is what Iran's "mosaic defense doctrine" looks like in the cyber domain: decentralised, distributed, and resilient to decapitation. US and Israeli airstrikes have degraded some of Iran's high-end APT infrastructure. They have not degraded the hacktivist tier. They have not degraded diaspora-linked groups operating from Europe and North America. They have not degraded state-affiliated groups running infrastructure from third countries.
Current active operations documented by Palo Alto Unit 42 as of March 26, 2026:
- Operation Olalampo (MuddyWater): Targeting META region governments and enterprise infrastructure through compromised European VPS infrastructure. Domain registrations using cryptocurrency for payment obfuscation.
- APT42 credential harvesting: Social engineering campaigns against Western defence contractors and academic researchers with Iran expertise. Targeting people, not systems.
- Prince of Persia group: Re-activated after December 2025 dormancy. Targeting government entities in India, Canada, Turkey, Iraq, and Europe. Cross-regional reach that extends well beyond the immediate conflict geography.
- Cotton Sandstorm / Neptunium: Influence operations and infrastructure disruption against US energy firms. Documented active since the war began February 28.
The combined effect: Iran's cyber capability is not a single target that can be struck from the air. It is distributed across IRGC facilities, MOIS infrastructure, third-country servers, diaspora networks, and criminal partners. Degrading the state apex — which airstrikes can do — does not degrade the distributed tier.
Lever Three: The National Intranet
Iran spent 15 years and an estimated $1 billion building the National Information Network (SHOMA — the Persian acronym) — a domestic internet infrastructure that can operate independently of the global internet. China assisted in its construction, providing the filtering and monitoring technology that forms its backbone.
SHOMA gives Iran something almost no other country has: the ability to selectively disconnect from the global internet without losing domestic communications, government services, banking, or internal data flows. Iran has tested and used this capability multiple times. In January 2026, a complete internet blackout was implemented during domestic protests — Iran acknowledged it was costing $35.7 million per day in economic damage, and chose to absorb that cost rather than allow unfiltered communications during the unrest.
This is asymmetric leverage in reverse. The global internet cannot function without Middle East cables. Iran can function without the global internet. The dependency is one-directional.
For the 2026 conflict, this means: Iran's internal coordination — military, government, and IRGC — does not depend on international connectivity. US-led disruption of Iran's external internet access, if attempted, does not degrade Iran's domestic operations. Meanwhile, any disruption to Hormuz-routed cables degrades the global internet, not Iran's.
What Military Strikes Cannot Change
The structural analysis is straightforward: the three levers Iran holds over global internet infrastructure are geographic (Hormuz cable routes), distributed (53+ active cyber groups), and architectural (SHOMA domestic independence). Airstrikes can destroy buildings. They cannot move the Strait of Hormuz. They cannot simultaneously kill 53 distributed cyber groups. They cannot destroy a domestic intranet built specifically to survive external attack.
This does not mean Iran is winning the war. Military outcomes depend on many factors beyond infrastructure leverage. What it means is that the infrastructure leverage is durable in ways that military outcomes are not.
The US and Israel can degrade Iran's conventional military capability. They can destroy IRGC command centres, air defence systems, and nuclear facilities. What they cannot do is alter the fact that 30% of global internet traffic routes through geography Iran controls, that 53 active cyber groups aligned with Iran continue to operate from distributed infrastructure, and that Iran's domestic operations are deliberately insulated from external disruption.
The Developer and Enterprise Impact Right Now
For engineers and infrastructure teams, the conflict's practical implications are not abstract:
Cloud region latency is elevated. AWS, Google, and Microsoft all operate cloud regions in the UAE, Bahrain, and Saudi Arabia. Traffic between these regions and European or Asian endpoints routes through Hormuz-adjacent cable systems. Latency increases of 15-40ms are documented for some routes. Applications with tight latency SLAs built against Gulf cloud regions need to instrument this.
Cable repair is suspended indefinitely. Pre-conflict capacity planning assumed cables would be maintained on the standard 6-18 month repair cycle. That maintenance is not happening. Any existing cable degradation compounds over time. Build your capacity planning around reduced throughput, not nominal throughput.
Iranian APT targeting of Western tech infrastructure is documented and active. Unit 42's March 26 threat brief specifically names cloud and telecommunications infrastructure as priority targets for Iranian-aligned groups. Security teams running internet-facing infrastructure should be operating at elevated alert posture — patching known vulnerabilities, including those used by DarkSword-class iOS exploits, reviewing network segmentation, and running incident response rehearsals.
Energy costs for Asian semiconductor fabs remain elevated. SK Hynix's $8B ASML order was placed against the assumption that Hormuz energy flows would normalise. Ras Laffan's force majeure on 20% of global LNG means that assumption is wrong until a ceasefire is signed and verified. AI infrastructure capex projections that assumed stable energy costs need to be revisited.
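One way to instrument the cloud latency point above, as an added example that is not part of the original post: compare recent round-trip samples per route against a pre-disruption baseline, and flag routes whose median has shifted by the 15 ms lower bound cited above or whose p95 exceeds the SLA. The route names, baselines, SLA budgets and samples are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median, quantiles

DRIFT_MS = 15.0  # lower bound of the 15-40 ms increase cited in the article


@dataclass
class Route:
    name: str           # hypothetical route label
    baseline_ms: float  # median RTT recorded before the disruption
    sla_ms: float       # p95 latency budget the application was built against


def p95(samples):
    # quantiles(n=20) yields 19 cut points; the last one is the 95th percentile.
    return quantiles(samples, n=20, method="inclusive")[-1]


def assess(route, samples, min_samples=10):
    """Classify one route as ok, drifting, sla-breach or insufficient-data."""
    if len(samples) < min_samples:
        # Too few successful probes (timeouts, loss) is itself worth alerting on.
        return {"route": route.name, "status": "insufficient-data"}
    med, tail = median(samples), p95(samples)
    drift = med - route.baseline_ms
    if tail > route.sla_ms:
        status = "sla-breach"   # tail latency already exceeds the budget
    elif drift >= DRIFT_MS:
        status = "drifting"     # within SLA, but the median has shifted
    else:
        status = "ok"
    return {"route": route.name, "status": status, "median_ms": med,
            "p95_ms": round(tail, 1), "drift_ms": round(drift, 1)}


# Constructed RTT samples in ms; replace with output from your own probes.
OBSERVED = [
    (Route("gulf-a->eu", 110.0, 160.0), [128, 131, 127, 135, 129, 133, 130, 126, 138, 132]),
    (Route("gulf-b->in", 40.0, 70.0), [42, 41, 44, 43, 40, 45, 42, 41, 43, 44]),
    (Route("gulf-c->sg", 120.0, 150.0), [140, 145, 150, 155, 160, 142, 148, 152, 158, 170]),
    (Route("gulf-d->eu", 95.0, 140.0), [101, 99, 104]),
]


def report():
    return [assess(route, samples) for route, samples in OBSERVED]


if __name__ == "__main__":
    for row in report():
        print(row)
```

The "drifting" state is the one worth alerting on early: the route is still inside its SLA, but the headroom that the original capacity plan assumed is gone.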
Key Takeaways
- Iran controls the geography that carries 30% of global internet traffic — 17 undersea cables through the Strait of Hormuz, and no airstrike changes the geography
- Both Hormuz and the Red Sea are simultaneously degraded for the first time in history — there is no viable reroute for cable traffic
- Cable repair is suspended — pre-war damage in the Red Sea remains unrepaired; Meta paused 2Africa Pearls construction in the Gulf
- 53 of 60+ active conflict cyber groups are pro-Iranian — a distributed capability that airstrikes cannot decapitate
- Iran's SHOMA domestic intranet operates independently of the global internet — Iran can disconnect from the world without losing internal operations
- The leverage is structural, not military — geography, distributed cyber capability, and domestic network independence are durable regardless of kinetic outcomes
- Developer impact is real and now: elevated cloud latency, suspended cable maintenance, active APT targeting of tech infrastructure, and elevated semiconductor energy costs
Frequently Asked Questions
How does Iran control global internet infrastructure?
Iran's control is geographic and structural, not operational. The Strait of Hormuz — which Iran controls access to — carries 17 undersea cables that route approximately 30% of global internet traffic between Europe and Asia. Iran cannot flip a switch and shut down the internet, but it can threaten cable repair operations, restrict passage of cable ships, and physically threaten cable routes with naval mining or direct attacks. The threat is credible enough that Meta paused construction of a major undersea cable system in the Gulf in March 2026.
What is Iran's National Information Network (SHOMA)?
SHOMA is Iran's domestic internet infrastructure — a national intranet that can operate independently of the global internet. Built over 15 years with Chinese technical assistance at an estimated cost of $1 billion, SHOMA allows Iran to disconnect from the global internet while keeping domestic government, banking, and communications operational. Iran demonstrated this capability during the January 2026 domestic protests, accepting $35.7 million per day in economic damage rather than allow unfiltered international communications. No other country in the conflict has this capability.
How many Iranian cyber groups are active in 2026?
Security researchers tracking the 2026 conflict have documented over 60 active threat groups, 53 of which are pro-Iranian. This includes state-run APT groups (APT33, APT34, APT35/Charming Kitten, APT42, Cotton Sandstorm, MuddyWater), IRGC-affiliated groups, hacktivist collectives, criminal groups operating under state direction, and diaspora-linked groups. Iran's "mosaic defense doctrine" deliberately decentralises this capability so that airstrikes on state APT infrastructure do not degrade the distributed tier.
Can US airstrikes destroy Iran's cyber capabilities?
Partially, not fully. US and Israeli strikes have degraded some of Iran's state-level APT infrastructure by targeting IRGC and MOIS facilities. They have not degraded the hacktivist tier, diaspora-linked groups operating from Western countries, or state-affiliated groups running infrastructure from third countries. Iran's cyber capability is distributed by design — the mosaic defense doctrine ensures decapitation strikes on the apex do not shut down the distributed network. Palo Alto Unit 42's March 26 threat brief confirmed Iranian-aligned groups remain actively targeting Western cloud and telecommunications infrastructure.
What does Iran's infrastructure leverage mean for developers and tech companies?
Four practical impacts: elevated latency for cloud traffic routing through Gulf regions (AWS, Google, Microsoft all have Middle East data centres affected), suspended cable maintenance meaning existing damage compounds and capacity degrades, active APT targeting of cloud and telecom infrastructure documented by Unit 42, and elevated energy costs for Asian semiconductor fabs (Samsung, SK Hynix, TSMC Kumamoto) that depend on Gulf LNG for power. Infrastructure teams should be running at elevated security posture, reviewing Gulf-region latency SLAs, and building capacity plans around reduced cable throughput rather than nominal throughput.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 952+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
