Pro-Iranian hacking groups have expanded their cyber operations beyond the Middle East, targeting U.S. organizations and critical infrastructure amid the ongoing conflict involving Iran, raising concerns about attacks on defense contractors, power grids, and water systems.
U.S. cybersecurity experts confirmed that Iranian-linked actors claimed responsibility for a recent cyberattack on Stryker, a Michigan-based medical technology company. Since the war began on February 28, 2026, these groups have attempted to infiltrate cameras in the Middle East to improve missile targeting and have targeted industrial facilities in Israel, a school in Saudi Arabia, and an airport in Kuwait.
Objectives and Tactics
Iran has invested heavily in offensive cyber capabilities, often leveraging proxy groups to achieve strategic goals without direct attribution. These actors aim to disrupt U.S. operations, strain energy resources, and damage businesses connected to the defense sector.
Kevin Mandia, founder of cybersecurity firms Mandiant and Armadin, warned: “Something is going to happen because the gloves are off.”
Groups such as Handala, which has claimed responsibility for disrupting Stryker systems, focus primarily on data destruction rather than financial gain. Handala portrays itself as pro-Palestinian, but cybersecurity analysts widely consider it a front for Iranian state-sponsored operations.
Polish authorities are also investigating a cyberattack on a nuclear research facility, which may be linked to Iranian actors, although attribution remains uncertain.
Rising Threat to U.S. Infrastructure
Experts predict that U.S. defense contractors, government vendors, and companies working with Israel are likely targets. Critical infrastructure—including hospitals, ports, water facilities, power stations, and railways—remains especially vulnerable.
Pro-Iranian hackers openly discuss their plans on platforms such as Telegram, sometimes sharing specific objectives, including attacks on data centers hosting U.S. military communications and targeting systems.
“The datacenters need to be taken out,” one user reportedly posted, according to researchers at SITE Intelligence Group.
Targeting Weak Links
While Iranian cyber operations are not always highly sophisticated, even basic attacks can be effective against organizations with outdated cybersecurity measures. Small utilities and healthcare providers, often lacking advanced security resources, are particularly at risk. Common attack methods include denial-of-service (DoS) attacks, website defacements, and hack-and-leak operations.
Shaun Williams, a former FBI and CIA officer now at SentinelOne, emphasized the importance of cyber hygiene: “Patch your systems. Ensure your firewalls and security solutions are up to date. Remove stale accounts. Prepare for disruption.”
Iran’s Role as a “Chaos Agent”
While Russia and China represent major cyber threats, Iran has distinguished itself through creative, disruptive campaigns. In the past, Iranian-linked hackers impersonated American activists to influence protests, established fake news sites to spread disinformation, and attempted to breach political campaign email accounts.
Experts are also monitoring whether Russia, China, or affiliated hacking groups may collaborate with Iranian actors to expand attacks. There are early signs of pro-Iranian hackers in Russia conducting operations against U.S. networks.
Adam Meyers, head of counter-adversary operations at CrowdStrike, stressed: “Western organizations should continue to remain on high alert.”