The first missile strikes hadn’t even cooled before Iranian-linked hackers were moving. When the U.S. and Israel launched military operations against Iran on February 28, 2026, Tehran’s cyber forces answered not with silence but with a systematic campaign against American infrastructure, one that has since moved well beyond reconnaissance into confirmed, disruptive attacks on United States soil.
The most striking blow came on March 11, when the Handala group — widely assessed as a front for an IRGC-sponsored threat actor — hit Michigan-based medical technology giant Stryker, wiping nearly 80,000 Windows devices, stealing 50 terabytes of data, and causing severe disruptions that materially impacted the company’s first-quarter earnings. Emergency responders across Maryland lost access to the electrocardiogram transmission system used to relay patient data to hospitals. The FBI later seized two domains that Handala used to leak the stolen data. It was, analysts noted, only the beginning.
Israel wiped out a major military hub in southeastern Tehran, hitting a site that Western intel says was the nerve center for the IRGC. The facility didn’t just house the Quds Force and Basij; it served as the literal “brain” for Iran’s global hacking campaigns and internal security operations.
The facility coordinated intrusion campaigns against adversaries across multiple continents. Yet even as satellite imagery confirmed the compound’s destruction, cybersecurity analysts were documenting a spike in reconnaissance activity emanating from Iranian-linked networks.
Tehran’s digital arsenal has proven more resilient than the bombing runs suggest. Handala — the persona behind the Stryker attack and now assessed as a front for Void Manticore, an MOIS-affiliated state actor — exemplifies exactly this. It operates as a hack-and-leak engine optimized for psychological disruption: breaking into accessible systems, wiping data, and timing the release of stolen material to maximize pressure on targets.
The earlier assassination of Deputy Intelligence Minister Seyed Yahya Hosseini Panjaki, once the man pulling the strings behind Handala and Karma Below, did not collapse the operation. Rather than dissolving, the apparatus evolved.
“State-aligned threat actors began utilizing out-of-band communication methods and alternative infrastructure, such as Starlink IP ranges, to bypass the degraded domestic grid,” JP Castellanos, Director of Threat Intelligence at Binary Defense, tells The Cipher Brief.
In simpler terms, Iranian hackers quickly shifted to alternative internet connections and encrypted communication channels that operate outside Iran’s damaged infrastructure, allowing cyber operations to continue even as domestic networks faltered.
Critical Infrastructure in the Crosshairs
The fallout from the February strikes has moved well past network probing. Iranian-linked hackers have successfully targeted and disrupted multiple U.S. oil, gas, and water sites — forcing some facilities to abandon automated systems entirely and operate manually, triggering financial losses, and, in some cases, deploying destructive wiper malware designed to erase data from victim networks. The IRGC’s CEC-affiliated group CyberAv3ngers has been confirmed to be targeting programmable logic controllers across U.S. government facilities, water and wastewater systems, and energy sectors — exploiting internet-facing industrial devices to create openings not just for disruption but for modifications to operating parameters with direct physical consequences. The campaign represents an escalation: where earlier Iranian cyber operations tested access, these attacks are weaponizing it.
Past operations attributed to IRGC-affiliated hackers include the 2011–2013 distributed denial-of-service attacks against major U.S. banks that disrupted online banking services for millions of customers. There was also the 2013 intrusion into the control systems of a small dam in New York, which demonstrated that Iranian hackers could potentially manipulate physical infrastructure.
“Iranian cyber strategy has consistently prioritized the targeting of ‘low-hanging fruit’ within critical infrastructure sectors where high societal impact can be achieved with relatively low-sophistication techniques,” Castellanos tells The Cipher Brief.
Much of this activity now comes from pro-Iran and pro-Russian hacktivist groups working in coordination. The current wave of activity suggests that Iranian operators are positioning themselves for potential retaliatory strikes, while American defense agencies operate under constrained circumstances.
“The Cybersecurity and Infrastructure Security Agency has been hampered by budget cuts, a significantly reduced workforce, and a lack of leadership over the last year,” Dave Chronister, Founder of Parameter Security, tells The Cipher Brief. “What makes it worse is that many of the remaining staff were effectively reassigned to support immigration enforcement operations rather than protecting critical infrastructure. That’s a significant misalignment of mission at exactly the wrong moment.”
The numbers now on record make that assessment concrete. CISA’s FY2026 budget dropped to $2.4 billion, with 2,649 funded positions, down from $3.0 billion and over 4,000 positions the prior year. By January 2026, the agency had logged at least 998 departures, layoffs, and transfers since the administration took office. The Trump administration also moved to reprogram $144 million from CISA’s 2025 budget to Immigration and Customs Enforcement operations.
Now, a proposed FY2027 budget would cut an additional $707 million. During an ongoing DHS shutdown, the acting CISA director has publicly stated that the agency cannot conduct the outreach and preparatory work necessary to counter cyber threats.
“The lapse of appropriations at CISA is impacting the depth and consistency of information sharing about Iranian cyber threats as well as coordinated planning for attacks that may occur,” Bob Kolasky, Senior Vice President at Exiger and founding director of CISA’s National Risk Management Center, tells The Cipher Brief.
Soft Targets and Hard Truths
Many water utilities, hospitals, and local governments still run unpatched systems with known vulnerabilities — exactly the soft targets Iranian hackers seek.
“Generally speaking, the most significant threat right now is what we call the n-day. These are known, but unpatched vulnerabilities, and Iranian threat actors are very aggressive at trying to exploit them,” Chronister points out.
The financial sector, despite its resources and experience defending against nation-state threats, remains vulnerable.
“Of all our critical sectors, the financial system is probably best positioned to weather an escalating Iranian threat, but ‘best positioned’ is not the same as immune,” Chronister says. “The sectors that keep me up at night are healthcare, industrial operations such as energy utilities, water systems, manufacturing, and non-federal government agencies. Those are the soft spots, and adversaries know it.”
The Stryker attack put the abstract into concrete terms. When Handala hit the Michigan-based medical technology giant on March 11, Maryland emergency responders lost access to the Lifenet system used to relay electrocardiogram data to hospitals, prompting a statewide alert that instructed EMS clinicians to switch to radio consultation.
The attack wiped nearly 80,000 Windows devices, stole 50 terabytes of data, and materially impacted the company’s first-quarter earnings. The FBI later seized two domains that Handala used to leak the stolen data. It is precisely the community-level harm the experts had forecast — now documented, not hypothetical.
Kolasky’s assessment aligns with this hierarchy of vulnerability.
“The Iranian playbook seems to suggest taking advantage of vulnerabilities in weaker parts of critical infrastructure cyber defenses. These include under-resourced sectors such as water and wastewater, food and agriculture, government services and healthcare, as well as areas of outdated technology, which can include operational technology,” he underscores.
In a conflict scenario, Tehran aims to harm critical functions that affect daily life across American communities. Water systems are failing. Hospitals are losing access to patient records. Local government services are grinding to a halt. These scenarios represent asymmetric warfare designed to erode public confidence and create pressure on policymakers without crossing thresholds that might trigger an overwhelming military response.
The Reach of Tehran’s Digital Operations
This geographic dispersion makes Iran’s cyber apparatus resilient to kinetic strikes like the weekend bombing.
“Cyber warfare depends far more on people than on high-end equipment, which means these operations can be dispersed across dozens of physical locations, down to a single operator working from a laptop,” Chronister tells The Cipher Brief. “While targeted strikes no doubt disrupt Iran’s overall tempo, the distributed nature of cyber makes total elimination of the apparatus virtually impossible.”
That assessment is no longer theoretical. During the twelve-day Israel-Iran conflict in June 2025, analysts from SecurityScorecard documented over 250,000 messages exchanged across 178 active Iranian proxy and hacktivist groups — with phishing campaigns, malware delivery, and data dumps timed precisely to kinetic strikes. Cyberattacks surged 700% within 48 hours of the opening salvos. When Iran’s domestic internet was largely cut off, operators shifted to Starlink and VSAT services to maintain tempo. The lesson was already written before the current conflict began.
Yet physical infrastructure still matters in the opening phases of conflict.
“Physical destruction of infrastructure such as data centers, cell phone towers, satellite communication channels, radar systems — all these systems destroyed or degraded by kinetic strike are usually high priority targets in the start of any conflict, as it prevents Iranian command and control from communication to lower echelon units,” Castellanos explains.
Essentially, destroying the communications infrastructure temporarily prevents Iranian commanders from directing their cyber operators on the ground. Nonetheless, the impact is likely to be temporary rather than decisive. Using alternative networks and encrypted channels to bypass damaged infrastructure entirely, cyber operatives quickly adapt.
“Effective cyber campaigns depend on access to technical infrastructure for carrying out attacks, personnel, and some level of command and control,” Kolasky asserts. “United States and Israeli operations have the proven ability to degrade Iran’s cyber capability and seem to have done so again. The question of how resilient the Iranian cyber warfare apparatus is remains an open one, but, thus far, it seems like we have limited Iran’s cyber offensive ability and, in the short term, I would expect that will remain the case.”
In simpler terms, the strikes have disrupted Iran’s ability to coordinate large-scale cyber operations for now, but it remains unclear how quickly Tehran can rebuild its offensive capabilities.
Meanwhile, Iranian operators have cultivated relationships with cybercriminal groups that provide technical services and operational cover. When Iranian-linked hackers targeted Albanian government networks in 2022, investigators traced the operation through multiple layers of contractors and intermediaries before establishing definitive state sponsorship.
Right now, pro-Russian hacktivist groups such as NoName057(16), the Z-Pentest Alliance and Killnet have joined with pro-Iran groups targeting Israel and its Western allies, launching DDoS attacks against Israeli and United States financial services in coordination with Iranian goals. These attacks aim to disrupt online banking and payment systems, creating public frustration and economic uncertainty while demonstrating Iran’s ability to strike back without firing a missile.
Moreover, DieNet, a pro-Palestinian hacktivist group that emerged in March 2025 and has since claimed responsibility for DDoS attacks against U.S. energy, financial, healthcare, government, transit, and communications systems — deploying DNS amplification, TCP SYN floods, and NTP amplification in operations that intensified following the arrest of activist Mahmoud Khalil.
“This international distribution of operations ensures that even if Iran is ‘offline’ domestically, its ‘second front’ in the cyber domain remains fully operational,” Castellanos tells The Cipher Brief.
Iran’s malicious cyber activities are made more difficult by this operational model, which complicates attribution efforts. Iran uses proxy forces to advance its strategic objectives while maintaining an official distance from their activities as part of its regional strategy. In the cyber domain, this approach allows Iranian intelligence services to conduct operations that would be politically costly if directly attributed to Tehran.
Since the February 28 strikes, Iranian-aligned groups have claimed numerous operations across the Middle East and beyond. Pro-Iran hacktivists have targeted energy infrastructure in Jordan, payment systems in Israel, and government portals across Gulf states. While many claims remain unverified, the volume and coordination of activity suggest a systematic campaign to demonstrate continued operational capability despite the degradation of Iran’s domestic infrastructure.
“It makes it very hard to identify them from a geolocation aspect, as well as identifying the fingerprint of the attack. It creates more resilience in these operations since there is no single point of infrastructure that you can attack,” Chronister tells The Cipher Brief. “It also means that as Iran’s leadership withers, and there is less coordination with their various cyber forces, these groups could act on their own initiative, which will make an already complex situation even worse.”
The loss of centralized control cuts both ways for Iran. Cyber operations conducted by dispersed groups can withstand missile strikes, but rogue proxy groups operating independently may unintentionally escalate conflicts.
Bombing a building does not stop hackers with laptops scattered across multiple countries, which highlights another fundamental challenge. Iranian cyber operatives can resume operations from new locations within hours, rendering traditional military strikes largely ineffective against digital threats.
“Like with proxy terrorist groups, Iran has the ability for a diffuse set of actors to work on behalf of the IRGC cause, but those actors are limited in the scale of what effects they can produce,” he adds. “This diffusion will allow for a continued exploitation of vulnerable systems that I would expect to be targeted for propaganda victories, to shift public opinion, and to cause harm at the community level. This necessitates broad information sharing engagement across critical infrastructure for the United States cyber defense community.”
The threat horizon extends well beyond the immediate conflict. Analysts are now flagging two upcoming high-profile moments on the U.S. calendar, the World Cup in June and the midterm elections in November, as likely priorities for Iranian cyber targeting. Security experts warn the tournament could see a 30 to 40 percent surge in fraud attempts, with Iranian-linked actors expected to focus specifically on airports, transportation systems, and critical infrastructure in host cities. Iran’s track record of infiltrating U.S. systems ahead of strategic moments — elections, geopolitical flashpoints, major public events — suggests these will not be missed opportunities.
The message is clear: Iran’s distributed cyber army may lack the power to cripple America’s infrastructure, but it has more than enough capability to disrupt daily life — and only coordinated defense can stop it.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
