Iran Cyber Escalation: Cyberattacks Spike 245% as Digital Warfare Intensifies

The kinetic war with Iran has a digital twin — and it’s growing faster than the physical conflict. According to new data from Akamai published on March 16, 2026, cyberattacks have surged 245% since the U.S. and Israeli military strikes against Iran began in late February. The campaign spans credential harvesting, automated reconnaissance, DDoS preparation, and destructive wiper attacks against critical infrastructure, with banking and financial services absorbing the heaviest fire.

This isn’t theoretical. Medical technology giant Stryker Corporation — a $20 billion company operating across 79 countries — has been fighting to restore operations since March 11 after the Iran-linked Handala group wiped over 200,000 devices in a single night. Meanwhile, the European Union has imposed fresh sanctions against Chinese and Iranian firms for cyberattacks targeting member states.

The cyber front of this conflict is now impossible to ignore.

The Numbers: What Akamai Found

Akamai’s analysis of global internet traffic since February 28 reveals a dramatic escalation across every category of malicious activity:

  • Botnet-driven discovery traffic: Up 70%
  • Automated reconnaissance traffic: Up 65%
  • Infrastructure scanning of exposed services: Up 52%
  • Credential harvesting attempts: Up 45%
  • Pre-DDoS reconnaissance: Up 38%

Sector Breakdown

The banking and fintech sector has been the primary target, absorbing 40% of all malicious traffic since the conflict began. The full breakdown:

Sector               Share of Malicious Traffic
Banking & Fintech    40%
E-Commerce           25%
Video Games          15%
Technology           10%
Media & Streaming    7%
Other                3%

One unnamed U.S. financial services company blocked 13 million packets originating from Iranian IP space over a 90-day period, with a single flood exceeding 2 million packets on February 9 — before the military strikes even began, suggesting pre-positioning for the conflict.

The Geography of Attack Traffic

Perhaps most revealing is where the attack traffic originates. Iran itself accounts for only 14% of source IPs. The majority comes from:

  • Russia: 35% of source IPs
  • China: 28% of source IPs
  • Iran: 14% of source IPs

Akamai notes that this doesn’t necessarily mean Russian and Chinese threat actors are driving the attacks. Both nations have long tolerated cybercrime infrastructure operating within their borders — provided the targets are foreign. Iranian and pro-Iranian hacktivists are using proxy services in Russia and China as launchpads for “billions of designed-for-abuse connection attempts.”

Palo Alto Networks’ Unit 42 has independently tracked an uptick in pro-Russian hacktivist activity that Moore described as “effectively expanding the Middle East’s attack surface, and potentially exposing regional infrastructure to high-disruption tactics historically used by these groups against NATO and European interests.”

The Stryker Attack: 200,000 Devices Wiped Overnight

The most dramatic single attack of the cyber escalation struck on March 11, 2026, when the Iran-linked hacktivist group Handala claimed responsibility for a devastating wiper attack against Stryker Corporation.

Timeline

  • March 11: Stryker discloses a cyberattack disrupting global internal networks and Microsoft systems
  • Same day: Handala claims responsibility, posting the group’s logo on compromised Stryker login pages
  • March 11-17: Stryker’s operations are severely disrupted — order processing, manufacturing, and shipments halted
  • March 17: Stryker announces the attack has been “contained” to its internal Microsoft environment and confirms internet-connected medical products are “safe to use”

Impact

The scope was staggering:

  • 200,000+ devices wiped across 79 countries
  • Manufacturing stopped at multiple facilities
  • Stryker stock dropped 9% in the days following the attack
  • Thousands of employees locked out of corporate systems
  • Order processing, manufacturing, and shipments halted for nearly a week

Who Is Handala?

Handala is an Iranian hacktivist group believed to be a front for the Ministry of Intelligence and Security (MOIS). The group takes its name from a famous Palestinian political cartoon character, signaling its ideological alignment. Security researchers believe Handala operates with state backing, blending hacktivist rhetoric with the technical sophistication and destructive intent of a government intelligence operation.

The Stryker attack demonstrates a shift in Iranian cyber strategy: rather than targeting military or government infrastructure directly, these groups are hitting the economic base — critical companies in healthcare, finance, and technology — to maximize disruption and economic damage.

EU Sanctions: Naming Names

On March 16, 2026, the European Union imposed sanctions against three companies for conducting cyberattacks against EU member states:

  • Integrity Technology Group (China) — Previously linked to the Flax Typhoon botnet campaign, which compromised an estimated 65,000 devices
  • Anxun Information Technology (China) — Also known as i-SOON, exposed in a 2024 leak that revealed commercial hacking-for-hire services used by Chinese government agencies
  • Emennet Pasargad (Iran) — Linked to influence operations targeting the 2024 U.S. presidential election and cyber operations against EU interests

The sanctions include asset freezes and travel bans. The EU described the actions as necessary to deter “malicious cyber activities that threaten the security and stability of the European Union and its member states.”

This marks one of the first times the EU has simultaneously sanctioned both Chinese and Iranian cyber entities in a single action, reflecting the convergence of threats in the current geopolitical environment.

What This Means for Organizations

The 245% spike in cyberattacks isn’t evenly distributed. The banking and financial sector is bearing the heaviest load, but the Stryker attack demonstrates that any large organization with global operations is a potential target.

Immediate Recommendations

  1. Implement geographic blocking for traffic from regions where your organization has no legitimate users or business. Akamai specifically recommends this for financial services, utilities, and healthcare organizations.

  2. Accelerate credential rotation across all systems, particularly those with internet-facing authentication. The 45% spike in credential harvesting attempts means existing credentials are being targeted at unprecedented scale.

  3. Enhance DDoS preparedness. The 38% increase in pre-DDoS reconnaissance suggests large-scale attacks are being planned. Ensure your DDoS mitigation is active and tested, not just purchased.

  4. Audit your Microsoft environment. The Stryker attack targeted Microsoft systems specifically. Review Active Directory security, conditional access policies, and privileged access management.

  5. Monitor for wiper malware indicators. Iranian threat actors have a history of deploying destructive malware (Shamoon, ZeroCleare, and now whatever Handala used against Stryker). Ensure endpoint detection is tuned for destructive behaviors, not just data exfiltration.

  6. Review incident response plans with the assumption that a state-backed adversary may target your organization. The speed and scale of the Stryker attack — 200,000 devices in hours — demands rapid response capabilities.
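Recommendation 1 interacts with the source-IP geography above: with Iran at only 14% of source IPs, a deny-list for the named adversary's country catches little, while an allow-list of business regions catches more but can cut off real users. The sketch below is an added example, not Akamai's tooling or code from any cited source. It scores a geo policy against logged traffic before anything is enforced. The log format, the function name dry_run, the US/DE business footprint, and every share other than the 35/28/14 split are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample: (source country, outcome) pairs as an edge/WAF log
# might export them after GeoIP enrichment. "ok" = authenticated customer
# session, "bad" = request already flagged as malicious. The RU/CN/IR
# shares mirror the article's figures; everything else is made up.
SAMPLE_LOG = (
    [("RU", "bad")] * 35 + [("CN", "bad")] * 28 + [("IR", "bad")] * 14
    + [("US", "bad")] * 13 + [("DE", "bad")] * 10
    + [("US", "ok")] * 80 + [("DE", "ok")] * 15 + [("CN", "ok")] * 5
)

def dry_run(log, allow=None, deny=None):
    """Score a geo policy without enforcing it.

    Pass `allow` for an allow-list (every other country is dropped) or
    `deny` for a deny-list (only the listed countries are dropped).
    Returns the blocked share of malicious and of legitimate traffic,
    plus the countries whose legitimate users would be cut off.
    """
    if (allow is None) == (deny is None):
        raise ValueError("pass exactly one of allow= or deny=")
    totals, blocked, collateral = Counter(), Counter(), Counter()
    for country, outcome in log:
        totals[outcome] += 1
        dropped = country not in allow if allow is not None else country in deny
        if dropped:
            blocked[outcome] += 1
            if outcome == "ok":
                collateral[country] += 1
    return {
        "bad_blocked": blocked["bad"] / totals["bad"] if totals["bad"] else 0.0,
        "ok_blocked": blocked["ok"] / totals["ok"] if totals["ok"] else 0.0,
        "collateral": dict(collateral),
    }

if __name__ == "__main__":
    for name, kwargs in [("deny IR only", {"deny": {"IR"}}),
                         ("allow US+DE", {"allow": {"US", "DE"}})]:
        r = dry_run(SAMPLE_LOG, **kwargs)
        print(f"{name}: blocks {r['bad_blocked']:.0%} of malicious, "
              f"{r['ok_blocked']:.0%} of legitimate, collateral {r['collateral']}")
```

On this constructed data the allow-list still passes the malicious traffic that originates inside the allowed regions, which is why geo-blocking complements the other recommendations and does not replace them.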

The Bigger Picture

Geopolitical conflicts now routinely spill into cyberspace, and the Iran war is no exception. The difference this time is the scale and the industrial nature of the attacks. This isn’t a handful of hacktivists defacing websites — it’s coordinated, automated, and aimed at economic disruption.

Organizations that haven’t updated their threat models to account for nation-state and hacktivist cyber activity in the context of armed conflict are already behind. The 245% spike is a warning — and based on Akamai’s assessment, the attacks will only intensify as long as the kinetic conflict continues.

Sources

  • Akamai, “Fortify Network Security Against Emerging Geopolitical Cyberthreats,” March 16, 2026
  • Reuters, “Stryker says cyberattack on its network contained,” March 17, 2026
  • TechCrunch, “Stryker says it’s restoring systems after pro-Iran hackers wiped thousands of employee devices,” March 17, 2026
  • Reuters, “EU sanctions Chinese and Iranian companies for cyberattacks,” March 16, 2026
  • The Register, “Cybercrime up 245% since the start of the Iran war,” March 16, 2026
  • Arctic Wolf, “Stryker Systems Disrupted in Cyber Attack; Handala Group Claims Responsibility,” March 13, 2026
  • Help Net Security, “EU sanctions Chinese company behind 65,000-device hack,” March 17, 2026