Euronews
Anna Desmarais

How cyberattacks are being used as weapons in the Iran war

American medical technology company Stryker confirmed on March 11 that a cyberattack had disrupted its global network. Employees across the company's offices found the logo of Handala, an Iran-linked hacking group, displayed on their login pages, the Wall Street Journal reported.

The attack targeted Stryker's Microsoft environment, though the full scope of damage and a timeline for restoration remain unclear.

Handala claimed responsibility for the attack and said it had exploited Microsoft's cloud management platform, Intune, to remotely wipe more than 200,000 devices across 79 countries, according to cyber intelligence platform SOCRadar. Euronews Next has contacted Microsoft to verify the claim.

The group said the operation was retaliation for a missile strike on a girls' school in Minab, Iran, which killed more than 160 people.

The breach is part of a broader wave of cyber operations by state-linked and hacktivist groups targeting the United States and Israel in response to Operation Epic Fury.

Which state actors are involved?

A report from cybersecurity company CloudSek said several long-standing Iranian state-connected groups are acting against American critical infrastructure.

Groups backed by Iran’s Islamic Revolutionary Guard Corps (IRGC), including the CyberAv3ngers, APT33, and APT55, have launched attacks on American industrial control systems, the computers that run physical infrastructure such as water treatment plants, power grids and manufacturing lines.

CyberAv3nger hackers are logging into industrial machines with default passwords and are installing malware that potentially controls those systems, the report found.

APT33 uses various common passwords to gain access to multiple accounts at US energy companies. Then, it attempts to bring down safety systems by installing malware into their computer systems, it continued.

In APT55’s case, the group conducts cyber-espionage against people connected to the American energy and defence sectors to gather information for Iranian intelligence targeting, CloudSek said.

Iran’s Ministry of Intelligence and Security (MOIS) is also working with groups such as MuddyWater, APT34 and Handala against Israel and the United States.

MuddyWater’s role has been to target telecommunications, oil and gas, and government organisations. They do this as an initial access broker, which means they collect passwords by breaking into a network and pass them along to other attackers.

Handala has claimed other attacks in addition to Stryker, such as wiping more than 40 terabytes (TB) of data from servers at the Hebrew University of Jerusalem, and a breach of Verifone, an American telecommunications company, in Israel, according to SOCRadar.

However, American media reports that Verifone refuted the breach, claiming there was no evidence of any compromise or service disruption.

American efforts ‘disrupt’ communications networks, officials say

The United States and Israel are also conducting cyber attacks.

General Dan Caine, America’s highest-ranked military officer, said in remarks on March 2 that the US Cyber Command was one of the “first movers” in Operation Epic Fury.

The division disrupted communications and sensor networks, which left Iran “without the ability to see, coordinate, or respond effectively,” he said.

Caine did not offer any additional information about US cyber operations in Iran.

A separate statement on March 13 from Pete Hegseth, US Secretary of Defence, confirmed that the US is using artificial intelligence (AI) and cyber tools as part of its war in Iran.

Israeli spies also reportedly used information from hacked traffic cameras across Tehran to assist in their plans to take down Ayatollah Ali Khamenei, according to the Financial Times.

A coordinated hacktivist ‘operations room’

Over 60 hacktivist groups were mobilised in the first hours of Operation Epic Fury and formed a coalition called the Cyber Islamic Resistance, according to CloudSek.

The pro-Iranian collective organises its attacks in an “Electronic Operations Room,” on Telegram, the report found. Their group “operates on ideological initiative rather than central state direction,” which makes it difficult to track their movements, the CloudSek report reads.

“These actors are less disciplined than state-directed groups, potentially more reckless, and have no political constraint on civilian impact,” it added. The actors within this collective are also the most likely to be using AI “to compensate for the technical depth that they lack”.

In the first two weeks of the war, the Cyber Islamic Resistance claimed responsibility for over 600 distinct attacks in over 100 Telegram channels, according to cyber intelligence platform SOCRadar.

The group has taken credit for an operation on Israeli defence company Rafael’s air defence systems, an attack on a drone detection service called VigilAir and for coordinating an attack on the electricity and water systems at a hotel in Tel Aviv.

The same group claimed to have hacked Iran’s BadeSaba Calendar, a popular religious app with over five million downloads on the Google Play store, during the first weekend of the conflict.

Users received notifications that said “Help is on the way!” and “It’s time for reckoning,” according to screenshots circulating on social media.

Russian, Syrian, Iraqi actors join the fray

SOCRadar notes that there are fewer hacktivists located in Iran involved in the conflict due to ongoing internet restrictions across the country, which it claims are disrupting Telegram-based coordination.

As the conflict continues, the platform said it sees actions from pro-Iranian groups in Southeast Asia, Pakistan and elsewhere in the Middle East.

The Islamic Cyber Resistance in Iraq, known as 313 Team, is a pro-Iranian cell that claimed responsibility for targeting the websites of various Kuwaiti government ministries, including the Armed Forces and the Ministry of Defence, according to cybersecurity firm Unit 42. The group has also targeted Romanian and Bahraini sites.

DieNet, a pro-Iran hacktivist group with roots throughout the Middle East, has also claimed responsibility for cyber attacks on airports in Bahrain, Saudi Arabia and the United Arab Emirates, Unit 42 wrote in a threat briefing.

There are also pro-Iranian groups of Russian hackers, such as NoName057(16), a group that has conducted multiple attacks on Ukraine, according to SOCRadar.

NoName057(16) has launched a wave of distributed denial-of-service (DDoS) attacks to overwhelm the websites of Israeli municipal, political, telecom, and defence-related entities, including defence contractor Elbit Systems, according to the threat intelligence platform FalconFeeds.

They also have an alliance with a North Africa-based group, Hider-Nex, which claims to have targeted the domains of several Kuwaiti government websites during the war in Iran, according to SOCRadar.

There are some pro-Israeli active groups, such as Anonymous Syria Hackers, who recently claimed to have breached an Iranian tech firm and leaked the credentials, emails and passwords of PayPal accounts.

SOCRadar said that Israel’s cyber attacks are conducted mostly by the state itself, which makes independent groups “largely redundant”.

The pro-Israeli groups that do exist are largely under-documented, since they do not generate alerts from the US’s Cybersecurity and Infrastructure Security Agency (CISA).
