
Cybersecurity 101 - Iran Cyber Attacks

Michael DeNapoli
March 12, 2026

No cyber threat activity, imminent or ongoing, is ever good news, but the recent cyber attacks against American companies in light of the military action in Iran and the surrounding area have many Pondurance customers (and lots of other people) especially worried. That worry is not without reason, and so in a special edition of Cybersecurity 101 we'll take a deeper look into what is happening and what your organization can do to protect itself. Note that this article is not answering one specific reader question, but rather addresses numerous questions that we've received in the last several days, and so the format is a bit different from our usual here at Cyber101.


"How likely is a cyber attack from Iran?"

Unfortunately, extremely likely. One such attack has already happened that we're aware of, and it's likely many others have happened but not made the news. Iran is a known state sponsor of cyber threat activity, and the country as a whole has been performing cyber attacks against other countries and companies in those countries for many years now. The recent military action has seen a ramping up of outgoing cyber attacks, so we should expect to see more. 


"What attacks have happened so far?"

One major cyber attack tied directly to the ongoing military action in Iran has been discovered, and more are likely to come to light in upcoming weeks. Stryker, a multi-national manufacturer of medical equipment, was rendered nearly entirely offline by a devastating cyber attack in the early morning hours of Tuesday, March 11, 2026. Few hard details are known, but here is what we do know at this time:

  • Around 2-3AM US Eastern Time on March 11, the majority of Stryker's Windows desktops, laptops, and servers along with mobile devices and tablets were "wiped." This means that all data, settings, and other information on those devices was destroyed. The process appears to have occurred over a very short period of time - within about six hours. It is suspected that data was also stolen from the organization.

  • Handala, a known "hacktivist" group aligned with Iran and pro-Palestinian causes, claimed responsibility for the attack. They stated that the attack was performed in retaliation for a US bombing mission that had taken place two days before the cyber attack itself. 

  • Handala is a known threat actor group, responsible for many attacks against US and Israeli government organizations and private companies in the last few years. They tend to favor spearphishing tactics, targeting specific individuals within an organization to attempt to gain access to accounts, data, and systems. Once in, they favor data theft followed by the destruction of local data (a.k.a. "wiper" attacks). In many cases they will later leak the data they steal. This threat actor is not financially motivated, but rather politically driven, and as such requests for a ransom are rarely seen. Their goal is major disruption, defacing of public-facing systems, and leaking data to embarrass/hinder their victims' operations. 

What we do not yet know:

  • While Handala is a known threat actor group tied to Iran, there is no official confirmation that they were the group that performed the attack against Stryker. In the past, threat actor groups have fraudulently claimed responsibility for attacks they did not perform. 

  • The exact method of attack is not known. Handala (if they were indeed the attackers) does favor wiper-type attacks, but does not traditionally target mobile devices and tablets due to the additional attack complexity required to perform such an action. If this is Handala, then this represents an escalation in their attack technique toolkit. 

  • No details of what data was stolen, or of whether that data will be publicly released, have yet been confirmed.


"What can I do to prevent an Iranian attack?"

This question is easier to answer. First, ensure you have patched and updated as many known vulnerabilities within your organization's systems, applications, and platforms as you possibly can. If this requires downtime, take it. If this requires reboots, do them. Now is not the time for organizations to allow users to refuse to reboot their laptops to apply an update. Many threat actor groups, including those from Iran, specifically target vulnerabilities in public-facing systems like email platforms, VPN solutions, firewalls, and other systems, so this step is crucial to protect the organization.


Refresh user Security Awareness Training with a quick email to all staff. We've attached a template for such an email below that you can use and edit as you see fit. 


Monitor all security controls and logs for any evidence of suspicious activity. Pondurance customers can rely on us to handle that for you, as we're always monitoring any systems that we can see. If you're not a Pondurance customer (or a customer of another Managed Detection and Response company), then be highly aware of any alerts or tickets created by your endpoint anti-malware, firewalls, VPN solution, Office365/Google Workspace, etc. Attack methodologies that have been witnessed in previous Iranian cyber attacks have been detectable, and usually quickly enough to prevent significant damage to the organization. 
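The wiper pattern described above (most of a fleet destroyed within a few hours) is detectable in endpoint telemetry if you look for it. As an added example that is not from the article or from any Pondurance tooling, the script below runs over constructed endpoint event lines and flags hosts with a burst of destructive events, then raises a fleet-wide verdict when many hosts burst together; the event names, thresholds and sample data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event types an EDR might emit for wiper behaviour (constructed names).
DESTRUCTIVE = {"file_delete", "volume_overwrite", "shadow_copy_delete", "mbr_write"}


def parse_events(text):
    """Parse 'ISO-timestamp host event_type' lines into sorted (time, host, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, event = line.split()
            events.append((datetime.fromisoformat(ts), host, event))
    return sorted(events)


def hosts_with_bursts(events, threshold=50, window=timedelta(minutes=10)):
    """Return hosts that logged at least `threshold` destructive events inside any `window`."""
    per_host = defaultdict(list)
    for ts, host, event in events:
        if event in DESTRUCTIVE:
            per_host[host].append(ts)          # already time-ordered from parse_events
    flagged = set()
    for host, times in per_host.items():
        start = 0
        for end, ts in enumerate(times):        # sliding window over this host's events
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(host)
                break
    return flagged


def assess_fleet(events, fleet_fraction=0.25, **kwargs):
    """One bursting host may be a clean-up job; many at once is the wiper signature."""
    all_hosts = {host for _, host, _ in events}
    flagged = hosts_with_bursts(events, **kwargs)
    fleet_wide = bool(all_hosts) and len(flagged) / len(all_hosts) >= fleet_fraction
    return {"flagged_hosts": sorted(flagged), "fleet_wide": fleet_wide}


def build_sample():
    """Constructed telemetry (not real logs): 20 hosts with routine deletes, then 12 of them wiped."""
    lines, base, burst = [], datetime(2026, 3, 11, 1, 0), datetime(2026, 3, 11, 2, 10)
    for i in range(20):
        lines += [f"{(base + timedelta(minutes=3 * k)).isoformat()} ws-{i:02d} file_delete" for k in range(5)]
    for i in range(12):
        lines += [f"{(burst + timedelta(seconds=5 * k)).isoformat()} ws-{i:02d} file_delete" for k in range(60)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(assess_fleet(parse_events(build_sample())))
```

Tune the threshold and window against a baseline of your own hosts' normal deletion rates before wiring this into alerting.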

Prepare an Incident Response Plan. Bring together all contact information (email, phone, Messenger/WhatsApp/Signal info) for all persons you need during an emergency. Remember this is not only technical team members. Senior leadership, legal counsel, marketing/PR team members and others will also need to be part of this plan. Set up alternate communication paths outside of the organization's usual email/Teams/Slack/etc. in case those systems are rendered unusable. Get agreement ahead of time on when/if taking the company offline is acceptable in light of potential total compromise, what recovery plans are and how long they will take to run through, how to involve insurance and other third parties, how you will alert customers and partners, etc.


Finally, don't ignore warning signs. If something looks suspicious, it must be investigated. Better to confirm more false positives during times of military action than risk a total compromise of the organization. 


A final note: Don't panic.

Whenever a major global event happens, it is normal for everyone to be on-edge, nervous, and prone to panic. You must ensure that does not happen. The threat is real, but can be dealt with by a prepared organization. Panic leads to mistakes that can create situations where none exist, or make an existing situation extraordinarily worse and more difficult to deal with. No matter what, stay calm. Deal with any suspicious activity following your current protocols. Isolate systems which are acting oddly. Deny requests for the addition of new add-ons, applications, etc. until the current situation passes. Do this rationally, carefully, and calmly to prevent accidentally making a situation worse, or creating a brand new situation to deal with. 


Email Template for End Users:

To all employees: 

As you are all no doubt aware, the recent military actions in Iran and the surrounding region have led to an increase in cybersecurity threat activity and attacks. We are asking you to take extra caution while this action is happening to protect the organization, our data, our customers, our partners, and yourselves. This extra caution doesn't require you to be better with technology or become cybersecurity experts; just to remain calm and be aware that threat activity can occur.


If you receive an email or text message with an attachment or link that you are not directly expecting, confirm with the sender that they sent you that message before you interact with it. Do this by manually sending an email directly to your contact at the sender's company or by phone. Always remember that major companies, including those that do business with us, don't require that you click a link to perform an action. You can open your browser, go to the page of the company/government agency/application in question, log in, and find the information or forms you need on the site.


If you receive a phone call from IT, our customers, our partners, or anyone else that is unexpected or not a normal part of your job, politely let them know that you will call back and then hang up. Call the customer, partner, etc. using the officially available contact information. This ensures that the person on the other end of the line is who you believe they are, and not a threat actor. Note that IT will never require you to tell them your password or require you to give them a One-Time Passcode or other Multi-Factor Authentication information. This also holds true for company messaging systems like Teams/Slack/Zoom/etc. - IT will not require you to give them your passwords or tokens via messaging chat or voice/video call. Whenever you're in doubt, politely let the person know you will call them back and then end the voice/video call or text chat session. Reach out to the person or group through official information sources like our internal directory, so that you know you are speaking with the person you believe you are.


If you see unusual activity in any company communication system - email, Slack/Teams, Messenger apps, etc. - report it to IT immediately. We'd rather deal with false alarms than miss a potential threat action against the company. Suspicious activity may include a user asking for login information, for access to systems or applications, for you to install an add-on or extension to an application or browser, etc.; but use your best judgment. 


The IT and Cybersecurity teams are working diligently to protect our organization, and are taking additional steps to defend our systems and applications - and you as well. You may see evidence of these measures, such as the inability to log into a system for short periods, and we'll apologize in advance if that happens. Reach out to IT with any questions, or if you lose access to a system or application you usually work with, and we'll get it corrected quickly for you. Please be especially aware that our IT team will be applying updates and patches to many systems and applications. Because of this, some systems may be temporarily unavailable, or your laptop or desktop may need to reboot to allow the process to happen. We will alert you before such events so that you know they will happen, but it is required and necessary for them to happen. When your apps need to be restarted or your laptop rebooted, please do so as quickly as possible. Do not wait until end of business day, but finish up your current call or meeting, then restart/reboot. 


Stay safe, protect yourselves and your families from cyber threat actors, and help protect this organization, our customers, and our partners as well.

About the Author:


Michael DeNapoli is a seasoned Senior Solutions Architect with more than 25 years of experience in cybersecurity, solution architecture, and enterprise systems design. Throughout his career, he has led technical strategy, security architecture, and advanced solution development for organizations ranging from emerging security vendors to global enterprises. Michael’s expertise spans cybersecurity operations, cloud architecture, technical sales leadership, security posture management, and identity protection, with a proven track record of guiding clients through complex technology challenges. Today, he brings his deep industry knowledge to Pondurance as a Senior Solutions Architect, helping organizations strengthen their security foundations with clarity and confidence.
