Sunday, April 05, 2026

"Disrupting and Degrading and Blinding Iran's Ability to See, Communicate and Respond"

"The Iranians are throwing everything they have at this."
"It is all hands on deck."
"If their cyber operators are breathing, then they will be on their keyboards."
Chris Krebs, former director, Cybersecurity and Infrastructure Security Agency (CISA) 
 
"An Iran-linked group calling itself Handala claimed responsibility for a cyberattack on Portage, Michigan-based medical device maker Stryker Corp., carried out on March 11, 2026. Handala said the attack was in retaliation for events related to the conflict in Iran."
"The cyberattack affected Stryker’s internal Microsoft software system, disrupting the company’s order processing, manufacturing and shipping."
"As a scholar who researches cyber conflict, I’ve found that in periods of geopolitical tension such as the current U.S./Israel-Iran war, cyber operations often sit right next to missiles and airstrikes as a tool that states and state-linked groups use to inflict damage, probe weaknesses and signal resolve to their enemies."
"The Stryker case is notable because it shows how quickly a regional conflict can translate into disruption for organizations far from the battlefield. It also illustrates the vulnerabilities of U.S. organizations, including those involved in critical infrastructure."
William Akoto, Assistant Professor of Global Security, American University School of International Service, The Conversation  
Iran has long had sophisticated hacking operations. Jakub Porzycki/NurPhoto via Getty Images
 
Thousands of Israelis earlier this month received texts purportedly from the IDF that encouraged them to download a fake shelter app. Had they done so, reams of personal data could have been stolen. Meanwhile, others in Israel received a mass text that read: "Netanyahu is dead. Death is approaching you and soon the gates of hell will open before you. Before the fire of Iranian missiles destroys you, leave Palestine." An obvious play to sow panic and demoralization. According to cybersecurity experts, these messages represent a minuscule portion of a vast cyberwar between Iran, Israel and the United States.
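Triaging texts like these is a routine detection task, so here is an added example (not code from the article, nor from any of the firms or officials it quotes) of how a simple smishing classifier might score them. It looks for the three features the two campaigns share: a link to a domain that is not the impersonated authority's, an authority name paired with a push to install an app, and intimidation language. The allowlisted domains, the lure phrases, the scoring thresholds and the four sample texts are all constructed for the example and are not real messages or a real allowlist.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains that genuine Israeli civil-defence alerts might link to.
# This set is an assumption made for the example, not something taken from the article.
OFFICIAL_DOMAINS = frozenset({"oref.org.il", "idf.il", "gov.il"})

# Patterns for the three lure features the article describes: an authority that the sender
# impersonates, a push to install software, and intimidation meant to sow panic.
AUTHORITY_PATTERNS = (r"\bidf\b", r"home front command", r"pikud haoref")
APP_LURE_PATTERNS = (r"\bdownload\b", r"\binstall\b", r"\bapp\b", r"\.apk\b")
THREAT_PATTERNS = (r"\bdeath\b", r"gates of hell", r"\bmissiles?\b", r"\bdestroy", r"\bleave\b")

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")


def registered_host(url):
    """Lowercase hostname of a URL, tolerating bare 'www.' links and trailing punctuation."""
    url = url.rstrip(".,;:!?)")
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_official(host):
    """True only for an allowlisted domain or a genuine subdomain of one.
    A lookalike such as 'oref.org.il.evil.com' is neither and is rejected."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def hits(patterns, text):
    """Return the patterns that match somewhere in text."""
    return [p for p in patterns if re.search(p, text)]


def analyze_sms(sender, text):
    """Score one SMS against the smishing pattern described above and return a triage record."""
    lower = text.lower()
    findings, score = [], 0

    urls = URL_RE.findall(text)
    for url in urls:
        host = registered_host(url)
        if not is_official(host):
            findings.append(f"link to non-official domain {host}")
            score += 3

    impersonates = bool(hits(AUTHORITY_PATTERNS, lower))
    app_lure = bool(hits(APP_LURE_PATTERNS, lower))
    if impersonates and app_lure:
        findings.append("authority impersonation combined with an app-install lure")
        score += 2
    elif app_lure and urls:
        findings.append("app-install lure with a link")
        score += 1

    threats = hits(THREAT_PATTERNS, lower)
    if len(threats) >= 2:
        findings.append(f"intimidation language ({len(threats)} threat phrases)")
        score += 2

    # Alphanumeric sender IDs are trivially spoofable, so a name-style sender earns no trust.
    if sender.isalpha():
        findings.append(f"alphanumeric sender id '{sender}' cannot be verified")
        score += 1

    if score >= 4:
        verdict = "smishing"
    elif len(threats) >= 2:
        verdict = "intimidation"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "score": score, "urls": urls, "findings": findings}


# Constructed sample traffic modelled on the two campaigns the article describes; not real messages.
SAMPLE_MESSAGES = [
    ("IDF", "IDF Home Front Command: install the new shelter app now: http://idf-shelter-alerts.com/app.apk"),
    ("+972500000000", "Netanyahu is dead. Death is approaching you and soon the gates of hell will open "
                      "before you. Before the fire of Iranian missiles destroys you, leave Palestine."),
    ("Oref", "Home Front Command alert: seek shelter. Details at https://www.oref.org.il/alerts."),
    ("+972500000001", "Register your phone for alerts: https://www.oref.org.il.update-now.net/app"),
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Verdict for each (sender, text) pair, in order."""
    return [analyze_sms(sender, text)["verdict"] for sender, text in messages]


if __name__ == "__main__":
    for (sender, text), verdict in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"{verdict:12} <- {sender}: {text[:60]}")
```

The domain check is the part worth getting right: matching on an exact allowlisted domain or a true subdomain rejects the fourth sample, whose host merely begins with the official name, while the keyword scoring is only a coarse first pass that a real pipeline would back with sender-route and URL-reputation data.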
 
Iranian hackers who have established themselves in the digital shadows for years are considered among the most reliably battle-hardened operatives Tehran can depend upon in this aspect of the Islamic Republic's existential war of survival. Sowing fear in the Israeli and American public is a powerful yet little-appreciated weapon still at the regime's disposal, deployed in the hope that public chaos will push both countries to call off the conflict. These tactics are familiar to both Israeli and American cyber experts, who have long waged a counter-battle employing tactics of their own.
 
Three different levels of cyber operators have been identified in Iran, with boundaries that are frequently blurry, according to analysts and former cybersecurity officials. The Islamic Revolutionary Guard Corps and Iran's Ministry of Intelligence operate the most experienced corps of hackers, behind a wide array of front organizations whose purpose is to provide plausible deniability for attacks and for the issuance of public threats.
 
Semi-autonomous hacking proxies, cybercriminals and contractors are also in the employ of the Islamic Republic, with volunteer hackers bringing up the rear as they mobilize behind Tehran. Israel-based employees of a large U.S. defence contractor are believed by cyber experts to have been doxxed. Emails of politicians in Albania, which hosts an Iranian opposition group, have received similar treatment, while a Polish nuclear research centre has been infiltrated. The most sensitive espionage is thought to have gone unreported.
 
A hacking front calling itself Handala is believed by cybersecurity researchers and the American government to be tied to Iranian intelligence; the group claimed to have wiped 200,000 devices in what Chris Krebs, formerly one of the most senior civilian U.S. cybersecurity officials, called the most consequential wartime cyber attack against the U.S. ever seen. It was also Handala that claimed to have broken into FBI director Kash Patel's personal email account and published personal photographs from it.
 
Iranian hackers, whatever their level and affiliation, are not quite a match for the U.S. and Israel, whose formidable offensive capabilities were illustrated by the significant damage the Iranian nuclear program sustained from the Stuxnet operation in 2009 and 2010. According to General Dan Caine, chairman of the Joint Chiefs of Staff, the U.S. launched cyber attacks just prior to the February 28 airstrikes on Iran, "disrupting and degrading and blinding Iran's ability to see, communicate and respond".
 
Israel's cyber intelligence dealt one of the most telling blows of the war when it hacked the majority of traffic cameras in Tehran as part of an extensive intelligence-gathering operation preceding supreme leader Ayatollah Ali Khamenei's assassination. A popular Iranian prayer app was also used by Israel to push notifications to millions of users urging defection from the regime: "Only this way can you save your life for Iran", one of the delivered messages read. 
 
According to cybersecurity analysts, Iran's more dangerous groups methodically hunt for vulnerabilities and entry points so as to position themselves inside target networks. Seedworm, a group that the U.S. and U.K. governments say is linked to Iranian intelligence, has been attempting to penetrate U.S. networks since early February, according to cybersecurity firm Symantec, which reported evicting the group from a U.S. bank, an airport and a software company that supplies the defence industry.
 
Iranian cyberhacking has focused on breaking through Israel's hardened cyber defences by launching thousands of wiper attacks on Israeli companies, succeeding against 50 of them. Security cameras hacked across Israel and the Gulf helped Iran target its drone and missile strikes, pointed out Israeli cybersecurity company Check Point Software. Gil Messing at Check Point added that Iranian hackers demonstrated a "new level" of "scale, effect and sophistication", co-ordinating strikes with the mass text messages sent to Israeli citizens. 
 
There is also speculation that Tehran, by throttling its own internet for the purpose of domestic censorship, may have inadvertently set back its hackers' offensive operations. Yet there is some fear that Iranian hackers have infiltrated sensitive economic or military targets undetected and are biding their time to exfiltrate data. "They could have long-term access that they are not ready to burn", suggested Andy Piazza at cybersecurity firm Palo Alto Networks. 
 
Since the war began, Iranian hackers have been at work throughout the Persian Gulf region – and far beyond. Still from YouTube video
 