Russian satellites conducted at least 24 detailed imagery surveys across 11 Middle Eastern countries between March 21 and March 31, 2026, covering 46 specific targets, including US military bases, airports, and oil fields, and shared that intelligence with Iran to improve the targeting accuracy of Iranian ballistic missiles and drones, according to a Ukrainian intelligence assessment reviewed by Reuters.
Within days of each survey, military bases and command headquarters identified in the imagery were struck by Iranian weapons. A Western military source and a separate regional security source independently confirmed to Reuters that their own intelligence indicated intense Russian satellite activity in the region and that imagery had been shared with Iran.
The assessment represents the most detailed documented account of Russian covert support to Iran since the US-Israel military assault on Iran began on February 28, 2026.
What Russian Satellites Were Looking At
Russian satellite reconnaissance activity across the Middle East during the March 21–31 window followed a structured geographic pattern targeting US military infrastructure and regional energy chokepoints across 4 documented priority areas.
1. Saudi Arabia: Heaviest Surveillance Coverage:
9 of the 24 surveys covered Saudi Arabian territory. 5 of them specifically over King Khalid Military City near Hafar Al-Batin, assessed as an effort to locate elements of the US-made THAAD terminal high altitude area defense system. THAAD is the primary US anti-ballistic missile defense asset in the region, making its precise location a critical targeting intelligence requirement for any Iranian ballistic missile campaign.
2. The Strait of Hormuz: Active Maritime Surveillance:
Russian satellites began systematically surveying the strait, the waterway through which approximately 20% of global oil and liquefied natural gas flows, in what the assessment describes as an emerging trend. Iran has imposed a de facto blockade on the strait, allowing passage only to vessels it classifies as non-hostile. Russian satellite surveillance of Hormuz maritime traffic provides real-time intelligence on which vessels are transiting and under what conditions.
3. US and Allied Military Facilities Across the Broader Region:
Single surveys covered military and strategic sites in Israel, Qatar, Iraq, Bahrain, and Naval Support Facility Diego Garcia, the US base in the Indian Ocean that serves as a primary B-2 bomber staging location for Middle East operations. Turkey, Jordan, Kuwait, and the UAE each received 2 surveys.
4. Prince Sultan Air Base: Documented Strike Targeting and Assessment
The clearest documented connection between Russian imagery and Iranian strike outcomes involves Prince Sultan Air Base in Saudi Arabia. A Russian satellite surveyed the facility before Iran struck it on March 27, hitting a US E-3 Sentry AWACS aircraft, one of the most valuable airborne command and control platforms in the US inventory. A Russian satellite passed over the same site on March 28 to conduct a post-strike damage assessment. Ukrainian President Volodymyr Zelenskiy disclosed this specific incident publicly last week. The regional security source confirmed the same sequence to Reuters independently.
US space-tracking firm Kayhan Space analyzed orbital data and confirmed Russian satellite activity over Gulf region sites during the March 21–31 period, noting the actual overhead activity may have been more extensive than the Ukrainian assessment documents.
The Cyber Collaboration Layer
Russian support to Iran extends beyond satellite imagery into active cyber operations, with documented collaboration between named Russian and Iranian hacking groups operating through Telegram channels.
The Ukrainian assessment identified coordination between 4 groups, including 3 Russian and 1 Iranian. The 3 Russian groups are Z-Pentest Alliance, NoName057(16), and DDoSia Project. The Iranian partner group is Handala Hack.
The operational pattern is direct: Handala Hack published warnings on Telegram about planned attacks on Israeli energy company information and communication systems. The Russian groups simultaneously published access credentials to critical infrastructure control systems in Israel, providing Iranian-affiliated hackers with the initial access required to execute the threatened attacks.
Iranian hacking groups have also adopted techniques that assessors identified as originating from Russian military intelligence operations. Iranian groups Homeland Justice (UAC-0074) and Karmabelow80 used ProfitServer, a Russian VPS provider based in Chelyabinsk, to register operational domains, a tradecraft fingerprint indicating direct Russian infrastructure provision to Iranian cyber operations.
This collaboration pattern sits within a formally documented bilateral framework. In January 2025, Russian President Vladimir Putin and Iranian President Masoud Pezeshkian signed the Treaty on Comprehensive Strategic Partnership.
State-sponsored cyber collaboration operating under formal treaty frameworks represents the highest-capability tier of a threat landscape that has been escalating without interruption for two decades. The documented record of significant cyberattacks against civilian and government infrastructure establishes that Russian and Iranian cooperation is accelerating a pattern, not initiating one.
Article 4 of the treaty states explicitly: “To strengthen national security and counter common threats, the intelligence and security services of the Contracting Parties exchange information and experience.”
The satellite imagery sharing and cyber collaboration of the April 7 assessment documents are not improvised wartime coordination. They are the operational implementation of a signed treaty commitment.
| Russian Group | Iranian Partner | Documented Activity |
| Z-Pentest Alliance | Handala Hack | Telegram coordination on Israeli energy infrastructure attacks |
| NoName057(16) | Handala Hack | Published Israeli critical infrastructure access credentials |
| DDoSia Project | Handala Hack | Joint targeting of Gulf telecommunications and critical infrastructure |
| Russian Military Intelligence | Homeland Justice / Karmabelow80 | ProfitServer VPS infrastructure provision for domain registration |
The Russian-Iranian cyber coordination documented in this assessment operates alongside a parallel state-sponsored threat vector. Chinese hacking operations targeting European governments represent the third major axis of state-sponsored cyber activity currently running simultaneously against Western infrastructure and intelligence networks
What the US and Western Governments Are Saying
White House spokeswoman Olivia Wales stated that “no external support for Iran from any country was affecting the operational success of the United States.” The Iranian foreign ministry provided no comment. Russia’s defense ministry did not respond to Reuters’ request for comment.
European leaders raised the Russian satellite intelligence sharing with US Secretary of State Marco Rubio at a G7 meeting last month. Two diplomats told Reuters that Rubio did not directly respond to the accusations and has publicly characterized Russian aid to Iran as insignificant. The Ukrainian intelligence assessment and the independent Western and regional source confirmations obtained by Reuters collectively challenge that characterization with documented specificity.
CISA’s April 7 joint advisory, issued by 7 federal agencies on the same day as the Reuters satellite intelligence report, confirmed that Iranian-affiliated APT actors were actively targeting US critical infrastructure and that attacks had already produced operational disruption and financial losses inside US energy, water, and government facility networks was issued on the same day as the Reuters satellite intelligence assessment, creating a combined picture of coordinated Iranian attack capability across both physical targeting and cyber operations simultaneously.
These 2 same-day disclosures, the Reuters satellite intelligence assessment covering Russian reconnaissance and targeting support, and the CISA joint advisory covering Iranian cyber operations against US critical infrastructure, together provide a combined picture of a coordinated, multi-domain Iranian campaign with documented Russian enabling support across both the kinetic targeting layer and the cyber operations layer simultaneously.
Conclusion
The Russian-Iranian intelligence sharing arrangement documented in the April 7 assessment represents something more structurally significant than opportunistic wartime cooperation. The January 2025 Comprehensive Strategic Partnership treaty, with its explicit intelligence-sharing commitment in Article 4, provides the legal and organizational framework within which satellite imagery transmission and cyber group coordination operate.
Russia is not informally helping Iran. Russia is fulfilling a signed bilateral treaty obligation while maintaining public deniability through non-response to attribution.
The contradictory position is the one Secretary Rubio implicitly holds: that external Russian support has not materially affected US operational outcomes. The E-3 Sentry AWACS strike at Prince Sultan, a $270 million aircraft representing one of the most capable airborne surveillance platforms in the US military inventory, occurred within days of Russian satellite surveillance of that facility.
Whether the strike would have succeeded without Russian targeting intelligence is unknowable. Whether Russian satellite data preceded it by a documented pattern is not clear. Characterizing that pattern as insignificant requires ignoring the evidence that the pattern exists.
State-sponsored cyber operations, intelligence sharing between adversary nations, and the security threats targeting US and allied infrastructure are covered at The IT Horizon. Subscribe to our newsletter. We track every threat actor disclosure, government advisory, and geopolitical development that shapes the global security landscape.
