On the morning of February 28, 2026, the United States and Israel launched Operation Epic Fury and Operation Roaring Lion — a coordinated military offensive that has, by most accounts, devastated Iran’s conventional military capabilities. Ballistic missile arsenals destroyed. Navy crippled. Nuclear facilities struck. IRGC command structures decapitated. Even Iran’s internet connectivity dropped to between 1% and 4% of normal capacity in the hours after the first strikes.
Three weeks later, the kinetic war appears to be achieving its stated objectives. But a growing chorus of cybersecurity analysts, intelligence researchers, and threat assessment firms are sounding an alarm that the very success of this military campaign is creating the conditions for something the cybersecurity community should be deeply worried about: a long-term, sustained escalation of Iranian cyber operations targeting Western critical infrastructure, corporations, and civilians.
The logic is brutally simple. When you systematically destroy a nation’s missiles, navy, nuclear program, and proxy networks, you leave it with one remaining tool for projecting power internationally. Cyber operations are cheap, resilient to bombing, globally deployable, and — as the Stryker attack just demonstrated — capable of imposing real-world costs on American soil.
As Risky Business put it this week: “Cyber forces are the cockroaches of state power.”
The Stryker Attack: A Preview of What’s Coming
On March 11, 2026, the Iran-linked hacktivist group Handala — assessed by Palo Alto Networks’ Unit 42 as a persona operated by Void Manticore, an offensive cyber unit affiliated with Iran’s Ministry of Intelligence and Security (MOIS) — carried out what U.S. officials have described as likely the most significant wartime cyberattack against the United States in history.
The target was Stryker Corporation, a Fortune 500 medical device manufacturer based in Kalamazoo, Michigan, with $25 billion in annual sales and 56,000 employees across 61 countries.
The attackers didn’t deploy traditional ransomware. They used something more devastating: they compromised Stryker’s Microsoft Intune environment and issued remote wipe commands against the company’s managed devices. Handala claimed to have wiped more than 200,000 systems, servers, and mobile devices across 79 countries. Stryker’s offices worldwide were forced to shut down. In Ireland, the company’s largest hub outside the U.S., more than 5,000 workers were sent home. Employees found the Handala logo displayed on their login pages.
According to BleepingComputer’s sources, the attackers compromised an administrator account, created a new Global Administrator account, and used Intune’s built-in wipe command to erase nearly 80,000 devices in the early morning hours. Stryker employees were told to urgently uninstall Intune from their devices. Some hospitals temporarily paused the transmission of patients’ vital-sign data through Stryker’s LifeNet service.
The attack was claimed as retaliation for a U.S. missile strike on February 28 that hit an Iranian school, killing at least 160-175 children. Handala called Stryker a “Zionist-rooted corporation” — likely a reference to Stryker’s 2019 acquisition of Israeli company OrthoSpace.
The real-world impact extended beyond Stryker’s offices. As one healthcare professional at a major U.S. university medical system told Krebs on Security: “This is a real-world supply chain attack. Pretty much every hospital in the U.S. that performs surgeries uses their supplies.”
CISA’s Emergency Intune Hardening Guidance
The Stryker attack prompted an immediate response from the Cybersecurity and Infrastructure Security Agency (CISA). On March 18 — the same day the attack’s full scope was becoming clear — CISA issued an urgent alert warning all U.S. organizations to harden their Microsoft Intune configurations.
The timing of the alert underscores the severity. CISA doesn’t issue emergency guidance for run-of-the-mill incidents. The alert explicitly named Stryker and the March 11 attack, and provided specific recommendations:
- Implement least-privilege access for Intune admin roles using role-based access control (RBAC)
- Enforce multi-factor authentication through Microsoft Entra ID, including Conditional Access and risk signals
- Require multi-admin approval for sensitive actions such as device wipes, application updates, and RBAC modifications
- Monitor for unauthorized Global Administrator account creation — the exact technique used in the Stryker attack
Microsoft published its own hardening guidance shortly after the attack, acknowledging the risk of endpoint management tools being weaponized against the organizations they’re supposed to protect.
The implications are enormous. Microsoft Intune is used by hundreds of thousands of organizations worldwide to manage devices, enforce security policies, and control application deployments. The Stryker attack demonstrated that a single compromised administrator account can turn this management tool into a global wipe button — erasing data from every managed device in an organization simultaneously.
As Denis Mandich, a former CIA official and co-founder of quantum cybersecurity firm Qrypt, told Nextgov: “Our core systems still rely on ‘God-like’ administrative keys that lack deep cryptographic validation. We are essentially giving attackers a single point of failure that allows one compromised credential to execute a global factory reset.”
The Strategic Logic: Why Cyber Is Iran’s Cheapest Weapon
To understand why the cybersecurity community should be bracing for a sustained Iranian cyber escalation, you need to understand the strategic calculus.
The White House’s stated goals for Operation Epic Fury are to “obliterate Iran’s ballistic missile arsenal and production capacity, annihilate its navy, sever its support for terrorist proxies, and ensure the world’s leading state sponsor of terrorism will never acquire a nuclear weapon.”
Assume these goals are substantially achieved. What does post-war Iran look like?
- No functional ballistic missile program
- No navy to speak of
- Decimated proxy networks
- No viable path to nuclear weapons
- Severely degraded conventional military forces
- Economic isolation and likely devastation
But Iran’s leadership — whoever reconstitutes it — will still want to project power, deter adversaries, and retaliate against perceived enemies. The question becomes: with what?
As Tom Uren and The Grugq discussed on the Risky Business podcast, destroying Iran’s other means of power projection effectively forces it to double down on cyber capabilities. The reasoning is compelling:
Cyber is cheap. Building and maintaining a cyber force costs a fraction of reconstituting nuclear facilities, ballistic missiles, or conventional military forces. For a cash-strapped post-war Iran, this is the most cost-effective path to asymmetric capability.
Cyber is resilient to bombing. You can destroy a missile factory with a cruise missile. You can level a nuclear enrichment facility. But you can’t bomb hackers out of existence — they need only a laptop, an internet connection, and expertise. Israel kinetically struck Iran’s IRGC cyber warfare headquarters in eastern Tehran early in the conflict, but as Risky Business noted, “it is hard to completely destroy capacity without somehow killing all of Iran’s hackers.”
Cyber provides global reach. Conventional military forces project power regionally. Cyber operations can strike organizations in Michigan, Ireland, or anywhere else in the world, instantaneously.
Cyber offers deniability. Operations can be conducted through proxies, hacktivist personas, and cut-outs that provide plausible distance from state direction.
Cyber causes real-world disruption at low escalatory risk. The Stryker attack disrupted surgical supply chains across the United States, but it didn’t cross the threshold that would trigger additional military retaliation. As Risky Business observed: “Even the most destructive attacks cause mischief and mayhem rather than raining death from above. In the context of a post-war Iran, however, that could be seen as a feature rather than a bug.”
There is even a proven model for this transition. North Korea has demonstrated that even the poorest of nations can develop formidable cyber capabilities relatively quickly when there’s political will. North Korea’s Lazarus Group generates billions in stolen cryptocurrency and conducts sophisticated espionage operations despite the country’s extreme economic isolation. A post-war Iran with a significantly larger talent pool and existing cyber infrastructure could scale far faster than North Korea did.
The Current Threat Landscape: 60+ Groups and Counting
Even with Iran’s internet connectivity devastated and key cyber commanders killed, the immediate threat has been substantial.
According to Palo Alto Networks’ Unit 42, within hours of Operation Epic Fury beginning, more than 60 pro-Iranian hacktivist groups mobilized. They formed a coalition called the Cyber Islamic Resistance and began coordinating operations through an “Electronic Operations Room” on Telegram.
The Soufan Center’s intelligence briefing noted that this rapid mobilization demonstrates the resilience of Iran’s mosaic defense doctrine — a deliberate decentralization strategy designed to ensure that cyber capabilities survive even when central command structures are destroyed. As cybersecurity firm BeyondTrust noted: “The most immediate risk comes not from the reconstituting IRGC command structure, which will require time to restore coherence, but from the pre-positioned proxy ecosystem that operates under delegated authority or independent ideological motivation.”
Key groups that have been active include:
State-Directed Groups
- Handala / Void Manticore (MOIS): The most prominent and capable actor. Responsible for the Stryker wiper attack, claimed attacks on Hebrew University (40TB wiped), Israeli energy companies, and Jordanian fuel systems.
- MuddyWater (MOIS): Acting as initial access brokers, targeting telecommunications, oil and gas, and government organizations — collecting credentials and passing them to other attackers.
- CyberAv3ngers (IRGC): Logging into industrial control systems with default passwords and installing malware on systems controlling water treatment plants, power grids, and manufacturing lines.
- APT33 (IRGC): Conducting password spray attacks against U.S. energy companies and attempting to install malware targeting safety systems.
- APT34 / OilRig (MOIS): Espionage-focused operations against defense and energy sector personnel.
Hacktivist Proxies
- Cyber Islamic Resistance: Umbrella collective coordinating multiple teams for DDoS, data-wiping, and website defacement operations. Claimed 600+ attacks in the first two weeks.
- Dark Storm Team: Pro-Palestinian/Iranian group specializing in DDoS and ransomware, targeting Israeli banks and infrastructure.
- FAD Team / Fatimiyoun Cyber Team: Focused on wiper malware and SCADA/PLC system access, claiming unauthorized access to industrial control systems in Israel.
- 313 Team (Iraq): Pro-Iranian cell targeting Kuwaiti government websites and military infrastructure.
- DieNet: Attacking airports in Bahrain, Saudi Arabia, and the UAE.
Opportunistic Allies
- NoName057(16): Pro-Russian group conducting DDoS attacks on Israeli targets, exploiting the conflict to serve Russia’s own interests.
- Z-Pentest (Russia): CrowdStrike detected this group disrupting U.S. networks in apparent support of Tehran, though it’s unclear whether this is coordinated or opportunistic.
According to SOCRadar, the Cyber Islamic Resistance claimed responsibility for over 600 distinct attacks in over 100 Telegram channels during the first two weeks of the war. While many of these claims remain unverified, the volume of activity is unprecedented.
CloudSek’s analysis warned that the hacktivist groups “are less disciplined than state-directed groups, potentially more reckless, and have no political constraint on civilian impact.” These actors are also the most likely to be using AI tools to compensate for technical depth they lack — an evolution that lowers the barrier to entry for destructive operations.
The US Offensive: Cyber as Part of the Playbook
The cyber dimension of this conflict isn’t one-sided. The United States has been conducting significant offensive cyber operations of its own.
General Dan Caine, America’s highest-ranked military officer, stated that U.S. Cyber Command was one of the “first movers” in Operation Epic Fury, disrupting Iranian communications and sensor networks, which left Iran “without the ability to see, coordinate, or respond effectively.”
Israeli intelligence also exploited access to Tehran’s traffic camera network to conduct pattern-of-life tracking of IRGC commanders and map the security posture around Supreme Leader Ali Khamenei’s compound, according to the Financial Times. The BadeSaba prayer application, used by millions of Iranians, was weaponized in a psychological operation — users received notifications saying “Help is on the way!” and “It’s time for reckoning.”
Israel also kinetically struck Iran’s IRGC cyber warfare headquarters in eastern Tehran, and strikes killed Seyed Yahya Hosseiny Panjaki, a deputy minister at Iran’s MOIS, and Mohammad Mehdi Farhadi Ramin, a man wanted by the FBI for alleged hacking crimes, according to Forbes.
These strikes have degraded Iran’s centralized cyber command. But as the title of that Forbes article suggests: the hacks continued. The decentralized proxy ecosystem continued to operate — and in some cases, the loss of central control may actually make operations more unpredictable and dangerous, as individual cells operate on their own initiative rather than following coordinated strategic direction.
China Is Watching
There’s a dimension of this conflict that extends well beyond Iran. As the Soufan Center noted, the People’s Republic of China is almost certainly treating this conflict as a real-time intelligence collection opportunity.
The Iran war provides Beijing with an unprecedented window into how U.S. and Israeli cyber capabilities perform in a real conflict scenario — precisely the kind of information China would need for its own contingency planning around Taiwan:
- What long-term intelligence-gathering tactics does the U.S. use?
- How are offensive cyber operations timed relative to kinetic strikes?
- How do cyber operations and psychological operations work together?
- What are the vulnerabilities in U.S. endpoint management systems?
- How quickly can the U.S. defend against retaliatory cyber operations?
Every tactical detail China observes now becomes part of its playbook for a potential future conflict. The Iran war is, in a very real sense, a dress rehearsal that China is studying closely.
What Comes Next: The Long View
The short-term outlook for Iranian cyber operations is actually somewhat encouraging. Iran’s internet is largely down. Key cyber commanders have been killed. Central command structures are degraded. The most sophisticated state-directed operations require coordination that is currently difficult to achieve.
But the medium and long-term picture is far more concerning. As Risky Business concluded: “As headlines from the Iran war fade, the risk of damaging Iranian cyber attacks will rise.”
Here’s what organizations should be preparing for:
Phase 1: Current (Weeks 1-4)
Low-to-medium sophistication hacktivist operations. DDoS, website defacement, opportunistic hack-and-leak campaigns. The Stryker attack as an outlier demonstrating retained high-end capability. Significant but largely contained.
Phase 2: Reconstitution (Months 2-6)
As communications are restored and surviving leadership reconstitutes command structures, expect a return to more coordinated operations. State-directed APT groups will resume targeted espionage and pre-positioning operations against critical infrastructure. This phase will likely be less visible — focused on establishing footholds for future use rather than immediate disruption.
Phase 3: Escalation (Months 6-24)
As Iran’s conventional military options remain limited and reconstruction stalls, expect significant investment in cyber capabilities. Iran will study the North Korean model. Offensive cyber operations will become a primary tool for power projection, economic retaliation, and asymmetric deterrence. This is the phase that should concern CISOs the most — capable, motivated state-backed operators with nothing to lose and everything to prove.
Phase 4: The New Normal
Iran becomes a permanent, elevated cyber threat — not just to Israel and the Middle East, but to Western critical infrastructure, financial systems, healthcare, and energy. Cyber becomes Iran’s primary means of asymmetric response to perceived aggression, with operations calibrated to cause maximum disruption without triggering military escalation.
What Organizations Should Do Now
The CISA Intune hardening guidance is a good start, but the Iranian cyber threat demands a broader defensive posture:
1. Harden endpoint management systems immediately. The Stryker attack turned Microsoft Intune from a security tool into a weapon. Review all endpoint management configurations. Implement least-privilege access, require multi-admin approval for destructive actions, and monitor for unauthorized admin account creation.
2. Assume you are a target. If your organization has any connection to defense, energy, healthcare, financial services, or government — even as a supplier — you are within Iran’s targeting scope. The Stryker attack targeted a medical device company, not a military contractor.
3. Review your supply chain for Iranian threat exposure. The Stryker attack affected hospitals that had no direct vulnerability — they just relied on Stryker for surgical supplies and patient monitoring systems.
4. Patch VPN and firewall appliances aggressively. Iranian APT groups have consistently targeted edge networking devices. CyberAv3ngers has exploited default passwords on industrial control systems. APT33 targets VPN infrastructure at energy companies.
5. Prepare for wiper attacks, not just ransomware. The Iranian playbook increasingly favors data destruction over data theft. Your backup and recovery strategy needs to account for mass device wiping, not just encrypted systems.
6. Monitor for hacktivist reconnaissance. The 60+ groups active in this conflict include many conducting opportunistic scanning and exploitation. Even if your organization isn’t a strategic target, you may be targeted for propaganda value.
7. Brief your board. The Iranian cyber threat is now a board-level risk. The Stryker attack affected a $25 billion public company’s global operations. Boards need to understand that this isn’t a theoretical risk — it’s an active, evolving threat with demonstrated capability.
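The two controls that both the CISA guidance above and step 1 of this list single out, watching for unapproved Global Administrator grants and for mass device-wipe commands, can be expressed as simple detection logic over an audit trail. The following is an added example written for this article; it is not code from CISA, Microsoft, Stryker, or any of the firms cited here. The event schema, action names (AddMemberToRole, WipeDevice), account names, timestamps, and the ten-wipes-in-fifteen-minutes threshold are all assumptions constructed for the example and are not Microsoft's actual Entra ID or Intune audit-log format.

```python
"""Added example: flag unapproved Global Administrator grants and bursts of
device-wipe commands in a simplified, constructed audit-event stream.
The schema and action names are assumptions for illustration only."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime        # time of the action (UTC); constructed values below
    actor: str          # account that performed the action
    action: str         # simplified action name (assumed, not Microsoft's)
    target: str         # device id or account affected
    detail: str = ""    # role name for role-assignment events


@dataclass(frozen=True)
class Alert:
    rule: str
    actor: str
    ts: datetime
    evidence: str


GLOBAL_ADMIN_ROLE = "Global Administrator"

# Change-controlled list of accounts allowed to hold Global Administrator.
# Constructed for the example; a real list would come from the IAM process.
APPROVED_ADMINS = frozenset({"alice.admin@example.com", "bob.admin@example.com"})


def detect_unapproved_global_admin(events, approved_admins):
    """Alert on every Global Administrator grant whose recipient is not on the
    approved list (the 'new Global Administrator account' pattern)."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "AddMemberToRole" or ev.detail != GLOBAL_ADMIN_ROLE:
            continue
        if ev.target in approved_admins:
            continue
        actor_note = "" if ev.actor in approved_admins else " (actor also unapproved)"
        alerts.append(Alert("unapproved-global-admin", ev.actor, ev.ts,
                            f"{ev.actor} granted {GLOBAL_ADMIN_ROLE} to "
                            f"{ev.target}{actor_note}"))
    return alerts


def detect_wipe_bursts(events, threshold=10, window=timedelta(minutes=15)):
    """Alert once per actor when at least `threshold` wipe commands fall inside a
    sliding `window`; the alert is re-armed if the actor's rate drops again."""
    recent = defaultdict(deque)   # actor -> timestamps of wipes inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "WipeDevice":
            continue
        q = recent[ev.actor]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop wipes older than the window
            q.popleft()
        if len(q) >= threshold and ev.actor not in alerted:
            alerts.append(Alert("wipe-burst", ev.actor, ev.ts,
                                f"{len(q)} wipes within {window} by {ev.actor}"))
            alerted.add(ev.actor)
        elif len(q) < threshold:
            alerted.discard(ev.actor)
    return alerts


def analyze(events, approved_admins=APPROVED_ADMINS, threshold=10,
            window=timedelta(minutes=15)):
    """Run both rules and return the combined alert list."""
    return (detect_unapproved_global_admin(events, approved_admins)
            + detect_wipe_bursts(events, threshold, window))


def build_sample_events():
    """Constructed sample events (not real log data), loosely modelled on the
    sequence the article describes: an admin account grants Global
    Administrator to a new account, which then wipes devices in bulk."""
    t0 = datetime(2026, 3, 11, 2, 0)   # constructed timestamp
    events = [
        # Routine and approved: Alice makes Bob a Global Administrator a day earlier.
        AuditEvent(t0 - timedelta(days=1), "alice.admin@example.com",
                   "AddMemberToRole", "bob.admin@example.com", GLOBAL_ADMIN_ROLE),
        # Suspicious: a helpdesk account grants the role to an unknown account.
        AuditEvent(t0, "helpdesk-01@example.com",
                   "AddMemberToRole", "svc-mgmt-2@example.com", GLOBAL_ADMIN_ROLE),
        # Benign: Bob wipes a single lost laptop.
        AuditEvent(t0 + timedelta(minutes=3), "bob.admin@example.com",
                   "WipeDevice", "LAPTOP-0042"),
    ]
    # The new account issues twelve wipes thirty seconds apart.
    for i in range(12):
        events.append(AuditEvent(t0 + timedelta(minutes=5, seconds=30 * i),
                                 "svc-mgmt-2@example.com", "WipeDevice",
                                 f"DEV-{i:04d}"))
    return events


if __name__ == "__main__":
    for alert in analyze(build_sample_events()):
        print(f"[{alert.rule}] {alert.ts.isoformat()} {alert.evidence}")
```

On the constructed data the first rule fires on the grant to svc-mgmt-2@example.com and the second fires on that account's tenth wipe, while Bob's single wipe and Alice's approved grant stay silent. The threshold and window are the parts a practitioner would tune to their own fleet: a large organization legitimately wipes a handful of lost or retired devices per day, but tens of wipes from one identity within minutes is the pattern described above and should page someone regardless of the hour.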
The Uncomfortable Truth
There’s a bitter irony in the current situation. Operation Epic Fury may successfully destroy Iran’s ability to threaten the world with ballistic missiles, naval power, and nuclear weapons. That’s a significant strategic achievement.
But in doing so, it is almost certainly accelerating the development of the one capability that is hardest to destroy, cheapest to build, most difficult to deter, and most likely to directly impact American businesses and civilians: cyber operations.
The war will eventually end. The cyber threat it leaves behind will be permanent.
As the Soufan Center concluded: Iran’s cyber strategy “focuses on asymmetric cost imposition, aiming at psychological impact and subsequent resource exhaustion.” In a post-war environment where Iran’s other instruments of power have been systematically eliminated, cyber becomes not just a tool — it becomes the tool.
Every CISO in America should be thinking about what that means for their organization.
Sources: Risky Business, Palo Alto Networks Unit 42, The Soufan Center, Krebs on Security, CISA, BleepingComputer, Euronews, Reuters, Trellix, Fortune, CloudSek, SOCRadar