Iran Conflict Drives Cyberattacks, Highlighting Security Preparedness

As the Iranian conflict continues to unfold, cyberattacks on businesses and infrastructure continue to escalate.
On March 12, a cyberattack targeted medical technology company Stryker Corporation, reportedly wiping more than 200,000 devices worldwide and deleting 50 terabytes of corporate data. The coordinated “wiper” attack rendered laptops, desktops and servers across the company’s global network inoperable, according to a Coalition report.
The threat group Handala, which has been tied to Iran’s Ministry of Intelligence and Security (MOIS), claimed responsibility for the global network disruption, framing the destruction as a retaliatory strike against U.S. military action.

Stryker, which provides surgical equipment and orthopedic devices to hospitals and other customers across the globe, returned to normal operations last week after the attack temporarily disrupted ordering, manufacturing and shipping.
“The surge in activity following geopolitical tensions is consistent with what we typically see in these environments,” said Sunil Gottumukkala, CEO at cybersecurity provider Averlon, in “Cyber War Surge: Attacks Spike 245% as Iran Conflict Opens the Floodgates.”
“Early-stage signals like reconnaissance, credential harvesting, and infrastructure probing tend to increase significantly as attackers look for initial access opportunities,” Gottumukkala said.
The attack on Stryker is believed to be part of a broader strategy by Iranian-linked groups to target not just U.S. businesses, but also other critical infrastructure and institutions in the Middle East.
Since the Iran war began, cyberattacks have spiked 245%, according to Akamai. Coalition, a leading provider of cyber insurance and security, observed a one-day surge of 392,000 cyberattack events on February 18, signaling a heightened risk environment.
Additionally, U.S. honeypots—a cybersecurity mechanism that uses a manufactured attack target to lure cybercriminals away from legitimate targets—were attacked more than 2.5 times as often as Canadian honeypots and roughly five times as often as Australian honeypots during the week of February 16.
In these instances, remote desktop protocol (RDP) and virtual private networks (VPNs) were favored targets of Iranian-origin scans, according to Coalition.
“For cyber defenders, this reinforces a familiar reality: Simple, exposed technologies create outsized risk during periods of geopolitical tension,” said Scott Walsh, staff security researcher at Coalition, in “How Geopolitical Tension Can Spotlight Latent Cyber Risks.”
“Organizations with publicly accessible RDP, poorly configured VPNs, or legacy remote access solutions are far more likely to move to the front of a cyber attacker’s attack queue,” Walsh said.
Other reporting, including by AP News, indicates that Iranian-linked hackers have also aimed their efforts at a variety of facilities, such as Middle Eastern surveillance cameras, in an effort to improve Iran’s missile targeting. They have also targeted data centers, Israeli industrial facilities, a school in Saudi Arabia, and an airport in Kuwait.
“Every organization today, right now, yesterday even, needs to be running a full hands-on-deck rehearsal of what happens if they have a similar event,” said Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, in “Stryker cyberattack: Iran-linked hackers wipe 200,000 devices in global disruption.”
“Make sure the bad guys cannot easily get in and move throughout the entirety of an organization,” Krebs said.
Olivia Overman is IA content editor.