CIISec Blog: Cyber’s growing role in the Iran war


On 28th February, Israeli and US airstrikes on Iran triggered the start of the 2026 Iran War. Like all modern-day conflicts, the war is being fought on multiple fronts. The traditional, kinetic forms of warfare are now joined by cyber. And although action has been limited thus far – at least publicly – the USA, Israel and Iran are three very capable and threatening cyber powers.

As the conflict intensifies, it is likely that cyberattacks will become more frequent, more damaging and more overt, especially if Iran lifts its internet blackout, which will enable its cyber groups to operate more easily while also opening the door to attacks. As the war progresses, it’s probable that investment in cyber will increase as both sides look to cause damage and delay putting boots on the ground for as long as possible.

There have been early glimpses into both sides’ cyber credentials. Iranian-linked cybercrime group, Handala, has claimed responsibility for a highly destructive attack on US medical device manufacturer, Stryker, on 11th March. Thousands of Windows-based devices across the entire organisation were wiped, including laptops, tablets and mobile phones; more than 50TB of data was seized, and Stryker has been completely paralysed. Reports also show that Iran has previously hacked into Israeli CCTV systems to gain real-time damage assessments for physical attacks.

On the other side, neither the US nor Israel has been shy about displaying its cyber capabilities, with the US boasting of its cyber tactics during the recent raid on Venezuela. For its part, Israel has reportedly broken into Iran’s news websites and consumer apps to display messages stating “it’s time for reckoning”, and also breached camera systems as part of its long-standing plot to launch physical attacks on Iran’s leadership. Major attacks such as 2010’s Stuxnet will no doubt act as a blueprint as the two powers look to derail Iran’s infrastructure in support of their kinetic warfare campaign.

For the cybersecurity profession – and wider society – cyber risk has increased drastically. Even the most well-resourced and best-funded companies are unlikely to have the capability to repel a sophisticated attack from a determined nation-state adversary.

Despite this, there are already lessons to be learned from the Stryker attack. Although exact details of the breach remain unclear, early intel suggests that the point of entry and attack technique weren’t particularly novel or advanced. There seemed to be no coordinated plan behind the attack and Handala’s previous campaigns show that social engineering and phishing are its modus operandi for gaining access to victims. It is suspected that this was also the case with Stryker, while its data theft and destructive malware deployment techniques are also nothing new.

This sends a clear message to cybersecurity professionals. While a lot of attention will be on preparing for, disrupting and preventing sophisticated zero days and more advanced attacks, traditional defences will be just as vital and cannot be ignored. Cyber hygiene, staff training, getting the basics right and delivering consistent, reliable resilience remain an effective and vital line of defence.

Very few adversaries are capable of launching the kind of never-before-seen campaigns that organisations would be unable to defend against. Instead, cybercrime groups – particularly state-sponsored ones that aren’t part of official operations – are likely to rely on tried and tested techniques, and capitalise on the distraction and disruption caused by the war. So, the profession must adopt a “build a fortress” mentality, ensuring that even minor, seemingly innocuous or outdated vulnerabilities are addressed, as determined cybercriminals will exploit even the smallest crack.

We hope that a peaceful resolution can be found as soon as possible. Until that happens, the cybersecurity profession must remain on high alert, ensuring that no stone is left unturned.
