Iran–Israel–U.S. Escalation Drives Heightened Iranian-Linked Cyber Threats to Healthcare and Critical Infrastructure
Security experts warned that the escalating U.S./Israel conflict with Iran could spill into increased cyber activity by Iranian sympathizers, proxies, and hacktivist groups, with healthcare highlighted as a particularly exposed target due to its operational sensitivity and historically weaker security posture. Expected activity includes DDoS, ransomware, wiper/destructive malware, and data theft, with the risk extending beyond Iran’s own connectivity because many hacktivist operations rely on globally distributed infrastructure.
A separate critical-infrastructure-focused advisory tied the heightened risk to the outbreak of open conflict and referenced Operation Lion’s Roar strikes on Iranian military and nuclear sites, warning that Iranian state-affiliated APTs may increase espionage and disruptive attacks against foreign networks and industrial control systems (ICS/OT) as part of a broader hybrid campaign. The guidance emphasized that defenders should plan for both opportunistic and state-directed activity affecting civilian infrastructure (e.g., energy and transportation) and prioritize resilience measures appropriate for critical infrastructure environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Handala claims March 11 attack on Stryker
On 2026-03-11, the Iran-linked Handala persona reportedly claimed responsibility for a cyberattack on medical technology company Stryker. The incident was cited as a driver of elevated concern for U.S. healthcare, including risks to hospitals, medtech firms, and supply-chain partners.
Nozomi issues guidance for critical infrastructure during escalation
On March 2, 2026, Nozomi Networks published recommendations for customers and critical infrastructure owners in response to the Iran-Israel-U.S. escalation. The guidance called for heightened monitoring, threat intelligence updates, patching and credential changes, and stronger IT/OT segmentation and OT baselining.
Health sector warned of elevated Iran-related cyber risk
On March 2, 2026, security experts and Health-ISAC warned that escalating U.S. and Israeli strikes on Iran could drive increased cyberattacks against U.S. healthcare and other healthcare targets globally. They highlighted likely threats including DDoS, defacement, ransomware, wipers, data theft, and exploitation of internet-exposed systems, and urged organizations to harden defenses and rehearse downtime procedures.
Nozomi reports two-week rise in Iran-linked APT detections
By early March 2026, Nozomi Networks said it had observed a systematic increase over the prior two weeks in detections associated with Iran-linked APT activity. Its telemetry indicated Manufacturing and Transportation were the most targeted sectors, with activity consistent with scanning, brute force, and credential abuse.
Handala claims attack on Clalit and theft of patient data
In late February 2026, the Iran-linked group Handala reportedly claimed it targeted Clalit, Israel’s largest healthcare network, and stole patient data. The claim was cited as an example of healthcare becoming a cyber target amid the regional conflict.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Critical Condition: The 2026 Healthcare Cyber Threat Landscape
blog.polyswarm.io
Open sourceHealthcare in the Crosshairs: Iran-Linked Cyber Threats Raise Risk for Hospitals, MedTech, and Care Delivery Supply Chains
blog.polyswarm.io
Open sourceIran Conflict Elevates Cyber Risk for Healthcare
govinfosecurity.com
Open sourceIranian APT Activity During Geopolitical Escalation: Recommendations for Nozomi Customers and Critical Infrastructure Owners
nozominetworks.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Middle East Conflict Raises Risk of Hacktivist and Proxy Cyberattacks
Security monitoring and expert reporting indicate the escalating **Middle East conflict involving Iran** is increasing the likelihood of cyber spillover, particularly from **hacktivists** and **Iran-aligned proxies**. Cisco Talos reported no major, sustained cyber impacts observed so far, but noted **low-level activity** consistent with early-stage spillover, including **website defacements** and **small-scale DDoS** activity, and assessed that Iranian-linked actors have historically focused on **espionage**, **destructive attacks**, and **hack-and-leak** operations. Healthcare is highlighted as a high-risk sector for retaliatory or opportunistic activity due to its operational sensitivity and comparatively exposed attack surface. Industry experts warned that conflict-driven cyber activity could include **DDoS**, **ransomware**, **wiper malware**, and **data theft**, with some groups able to operate using globally distributed infrastructure that does not rely on Iranian domestic connectivity; sector-specific monitoring organizations (e.g., **Health-ISAC**) are tracking potential spillover. Both sources also cautioned that **cybercriminals** may exploit the conflict with themed lures and social engineering to expand infections and fraud.
Mar 21, 2026
Iran–Israel–US conflict triggers rapid hacktivist mobilization and elevated DDoS risk to government and critical infrastructure
Cyber activity surged immediately following joint **U.S.–Israel strikes on Iran** (described as *Operation Epic Fury*), with reporting indicating a fast-moving “cyber swarm” of hacktivists and aligned collectives conducting disruption, influence messaging, and broad cyber claim activity within hours of the kinetic events. A day-by-day Telegram-focused timeline described early **DDoS campaigns against Israeli government sites** expanding into a wider coalition of **pro-Iranian, pro-Palestinian, and Russian-aligned** groups targeting additional regions and sectors, including Gulf states, Europe, and the U.S., with increasing attention on **critical infrastructure**; examples cited include claims of DDoS disruption against Israeli commercial, defense-adjacent, and energy-related entities (e.g., an oil company and an advanced defense firm), sometimes accompanied by third-party availability “verification” links. U.S. state and local governments were separately warned by **MS-ISAC** to expect heightened “low-level” activity—particularly **DDoS**—in the wake of the Iran-related escalation, and were urged to harden internet-facing and cloud services (e.g., remediation of critical/cloud infrastructure, use of firewalls/CDNs, and reducing exposed employee/organizational data). In parallel, a critical-infrastructure-focused interview tied to an upcoming OT security summit reiterated that energy, water, pipeline, and ICS environments face persistent probing by state adversaries and that “low-cost entry” cyber operations can be used to test and disrupt mission-critical systems; while not specific to the Iran conflict, it reinforces the broader risk context for OT operators amid heightened geopolitical tensions.
Apr 22, 2026
Heightened Cyber Risk to US Financial Services and Critical Infrastructure Amid Iran-US Conflict
US financial services and critical infrastructure operators have moved to heightened vigilance amid escalating **Iran–US conflict**, with industry groups and analysts warning that geopolitical shocks often correlate with increased cyber activity. Reuters reporting cited by *teiss* says US intelligence assesses **Iran-aligned hacktivists** could conduct **low-level attacks** against US networks—particularly **DDoS**—and that banks are increasing monitoring and resilience measures given the sector’s role in payments, clearing/settlement, and market infrastructure. Separate threat research argues the conflict environment increases the likelihood of **ICS/OT-focused** activity, emphasizing that US critical infrastructure presents an attractive retaliation surface due to civilian impact and a large internet-exposed OT footprint. CloudSEK highlights rapid activation of numerous hacktivist groups after late-February 2026 strikes and points to prior public reporting on long-dwell intrusions and campaigns affecting ICS devices; a SecuritySenses episode similarly describes state-linked hacktivist activity targeting OT (including **Unitronics PLCs**) and broader spillover effects beyond the region. Other items in the set—an ISC/SANS guest diary on opportunistic scanning and a Dark Reading piece on higher attack volumes in Latin America—do not describe the Iran-related escalation and are not directly part of this specific event narrative.
Mar 30, 2026