A Ukrainian intelligence assessment reviewed by TradeVae asserts that Russian satellites conducted multiple detailed imagery surveys of military installations and other sensitive sites across the Middle East, and that Russian and Iranian hacking groups have been working together in the cyber domain. The document, which is undated, outlines a pattern in which satellite overflights were followed within days by Iranian ballistic missile and drone strikes on some of the surveyed locations.
According to the assessment, Russian satellites made at least 24 separate survey missions between March 21 and March 31. Those overflights covered 46 "objects" spread across 11 Middle Eastern countries, the document said. The targets identified include U.S. and other military bases as well as civilian sites such as airports and oil fields.
The assessment describes what it characterises as a clear pattern: specific facilities were imaged from space and then, within days, were struck by Iranian missiles or unmanned aerial systems. A Western military source and a regional security source told TradeVae that their intelligence also showed intensive Russian satellite activity in the region and that imagery had been shared with Iran.
Geographic details provided in the assessment indicate concentrated surveillance around Saudi Arabia, with nine of the satellite surveys covering parts of that country. Five of those flights focused on the King Khalid Military City near Hafar Al-Batin, an area the assessment suggested was scanned in an apparent effort to locate components of the U.S.-made THAAD air defence system.
Other countries observed multiple times included Turkey, Jordan, Kuwait and the United Arab Emirates, each reportedly the subject of two satellite surveys. Israel, Qatar, Iraq, Bahrain and the Naval Support Facility Diego Garcia were each listed as being surveyed once by Russian satellites during the period covered by the assessment.
The assessment also noted an emerging trend in which Russian satellites were actively monitoring the Strait of Hormuz, the narrow waterway that handles roughly a fifth of global oil and LNG shipments. The document said Iran has imposed a de facto blockade on the strait for all but "non-hostile vessels," and that surveillance activity there was increasing.
TradeVae was not able to independently verify the contents of the Ukrainian assessment. The White House, through spokeswoman Olivia Wales, said that no external support for Iran from any country was affecting the operational success of the United States. The Iranian foreign ministry did not immediately comment. The defence ministry in Russia did not respond to a request for comment.
The Ukrainian analysis says the exchange of satellite imagery was organised through a permanent communications channel used by Russia and Iran and may have also been supported by Russian military intelligence officers based in Tehran. A regional security source confirmed one specific episode described in the assessment and publicly referenced by Ukrainian President Volodymyr Zelenskiy.
In that episode, the assessment said, a Russian satellite took images of Prince Sultan Air Base in Saudi Arabia days before Iran struck the facility on March 27, in an attack that hit a U.S. E-3 Sentry AWACS aircraft. The assessment added that a Russian satellite flew over the same base again on March 28 to evaluate the damage from the strike.
The document places these developments in the context of deepening military ties between Moscow and Tehran. It notes that Russia and Iran have expanded cooperation since President Vladimir Putin ordered a full-scale invasion of Ukraine in February 2022. The assessment reiterates that Ukraine and Western officials say Iran supplied long-range Shahed attack drones to Russia, which Russia then used to bomb Ukraine while also developing its own more advanced variants. The report records that Iran denies supplying weapons used against Ukraine.
Further formalising the relationship, the assessment refers to a Treaty on Comprehensive Strategic Partnership signed in January last year by Mr. Putin and Iranian President Masoud Pezeshkian. It highlights Article Four of that treaty, which states that "in order to strengthen national security and counter common threats, the intelligence and security services of the Contracting Parties exchange information and experience."
Beyond imagery sharing, the Ukrainian assessment and a regional security source described growing collaboration in cyber operations. They said Iranian hacking groups have increased activity since late February, focusing largely on critical infrastructure and telecommunications firms across the Gulf.
The assessment identified interaction between Russian and Iranian cyber groups on Telegram and flagged specific Russian collectives - "Z-Pentest Alliance", "NoName057(16)" and "DDoSia Project" - as engaging with Iran’s "Handala Hack" group. As an example, it cited an instance last month when Handala Hack and other groups posted warnings on Telegram about planned attacks on the information and communication systems of Israeli energy companies.
Simultaneously, the assessment says, the Russian-aligned groups published access credentials purporting to allow control over industrial systems at critical infrastructure sites in Israel. It also pointed to technical overlaps, asserting that Iranian hacker groups had adopted some techniques that appeared to have originated with Russian military intelligence hackers.
The assessment gave concrete examples of such technical links. It said Iranian groups "Homeland Justice" (UAC-0074) and "Karmabelow80" used ProfitServer, described in the assessment as a Russian VPS provider based in Chelyabinsk, to register domains used in their operations. The document also named specific collaborative activity between the Russian and Iranian cyber actors that aligns with the broader surveillance and strike pattern described elsewhere in the assessment.
On diplomatic reactions, the assessment said European leaders pressed U.S. Secretary of State Marco Rubio on the matter at a recent G7 meeting. Two diplomats told TradeVae that Rubio had not responded to the accusations, although the assessment notes he has publicly dismissed the extent of Russian aid to Iran as insignificant.
Overall, the Ukrainian intelligence review paints a picture of coordinated activity across space-based reconnaissance and cyber operations that it says has been used to refine and facilitate Iranian strikes on military, energy and transport-related targets in the Middle East. The assessment ties these operational elements together through what it describes as permanent communications and intelligence-exchange mechanisms between Moscow and Tehran.
Key points
- Ukrainian assessment says Russian satellites conducted at least 24 imagery surveys from March 21-31, covering 46 "objects" across 11 Middle Eastern countries.
- The report describes active interaction between Russian and Iranian hacker groups, including shared techniques and coordinated messaging on Telegram.
- Sectors potentially affected include defence, energy and telecommunications - with implications for military basing, oil and LNG transit routes, and critical infrastructure security.
Risks and uncertainties
- Verification limits - TradeVae was not able to independently confirm the Ukrainian assessment's content, leaving uncertainty over the full extent and provenance of the alleged imagery sharing.
- Escalation risk - if the pattern of surveillance followed by strikes continues, military assets and regional energy infrastructure may face further targeting, affecting defence and energy markets.
- Cybersecurity exposure - coordinated hacker activity against communications and energy companies could disrupt services and create wider market and operational disruptions for the utilities and telecoms sectors.