Security experts warned that the escalating U.S./Israel conflict with Iran could spill into increased cyber activity by Iranian sympathizers, proxies, and hacktivist groups, with healthcare highlighted as a particularly exposed target due to its operational sensitivity and historically weaker security posture. Expected activity includes DDoS, ransomware, wiper/destructive malware, and data theft, with the risk extending beyond Iran’s own connectivity because many hacktivist operations rely on globally distributed infrastructure.
A separate critical-infrastructure-focused advisory tied the heightened risk to the outbreak of open conflict and referenced Operation Lion’s Roar strikes on Iranian military and nuclear sites, warning that Iranian state-affiliated APTs may increase espionage and disruptive attacks against foreign networks and industrial control systems (ICS/OT) as part of a broader hybrid campaign. The guidance emphasized that defenders should plan for both opportunistic and state-directed activity affecting civilian infrastructure (e.g., energy and transportation) and prioritize resilience measures appropriate for critical infrastructure environments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
On 2026-03-11, the Iran-linked Handala persona reportedly claimed responsibility for a cyberattack on medical technology company Stryker. The incident was cited as a driver of elevated concern for U.S. healthcare, including risks to hospitals, medtech firms, and supply-chain partners.
On March 2, 2026, Nozomi Networks published recommendations for customers and critical infrastructure owners in response to the Iran-Israel-U.S. escalation. The guidance called for heightened monitoring, threat intelligence updates, patching and credential changes, and stronger IT/OT segmentation and OT baselining.
On March 2, 2026, security experts and Health-ISAC warned that escalating U.S. and Israeli strikes on Iran could drive increased cyberattacks against U.S. healthcare and other healthcare targets globally. They highlighted likely threats including DDoS, defacement, ransomware, wipers, data theft, and exploitation of internet-exposed systems, and urged organizations to harden defenses and rehearse downtime procedures.
By early March 2026, Nozomi Networks said it had observed a systematic increase over the prior two weeks in detections associated with Iran-linked APT activity. Its telemetry indicated Manufacturing and Transportation were the most targeted sectors, with activity consistent with scanning, brute force, and credential abuse.
In late February 2026, the Iran-linked group Handala reportedly claimed it targeted Clalit, Israel’s largest healthcare network, and stole patient data. The claim was cited as an example of healthcare becoming a cyber target amid the regional conflict.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
blog.polyswarm.io
Open sourceblog.polyswarm.io
Open sourcegovinfosecurity.com
Open sourcenozominetworks.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.