Iran’s Cyber War Is Now America’s Problem, Including Yours

War doesn’t just play out on battlefields anymore. The conflict between the United States, Israel, and Iran, which escalated sharply with military strikes beginning February 28, 2026, has opened a second front that could reach right into your office, your inbox, and your network.
On March 11, 2026, Iranian-linked hackers from a group called Handala attacked Stryker, a $25 billion U.S. medical technology giant. They didn’t ask for ransom. They didn’t steal data to sell. They wiped it. Employees’ phones and laptops were factory-reset remotely. Work stopped. And according to the experts watching this unfold, more is coming.
If you run a small business (a medical practice, an accounting firm, a contractor, a retailer), you might be thinking: “That’s a big company problem.” It isn’t. Here’s what you need to know.
Why Small Businesses Are in the Crosshairs
Iran’s cyber strategy has always been asymmetric. They can’t match the U.S. military head-to-head, so they attack where defenses are weakest, and that’s often small and mid-sized organizations.
There are three reasons small businesses are vulnerable right now:
- You’re in the supply chain. If you’re a vendor, supplier, or subcontractor to a larger company (especially in defense, healthcare, energy, or financial services), you are a path into that larger target. Attackers know that big companies have hardened their perimeters. They come in through the side door: you.
- You share the same internet. DDoS attacks and broad campaigns don’t discriminate by company size. If you’re using the same hosting provider, payment processor, or cloud service that gets hit, you feel it too.
- Destruction, not theft, is the goal. Historically, ransomware at least gave you the option to pay and recover. The current wave of Iranian attacks uses what security researchers call “wiper” malware, which destroys data permanently. A small business typically can’t survive that.
What the Government Is Saying (In Plain English)
CISA, the FBI, and the NSA have all issued formal warnings in the past 90 days. The Department of Homeland Security issued a critical incident note after the killing of Iran’s Supreme Leader, Ayatollah Khamenei, warning of fatwas calling for retaliation against U.S. targets.
A separate DHS bulletin to private companies specifically warned that the U.S. financial sector is a priority target. An FBI/NSA notice to defense contractors flagged that companies with ties to Israeli research and defense firms are at elevated risk.
A retired brigadier general and former Pentagon homeland defense official, speaking about the Stryker attack, identified four sectors most likely to face future targeting: healthcare, banking, agriculture, and energy. If your business touches any of these, read on carefully.
The Specific Threats Targeting U.S. Networks
Security researchers have identified several active Iranian-linked campaigns:
- Handala Team: The group behind the Stryker attack. Linked to Iran’s Intelligence Ministry. Uses device management tools (like Microsoft Intune) to remotely wipe corporate devices at scale.
- MuddyWater (APT34): A state-backed group that was actively pre-positioning on U.S. networks in the weeks before the military strikes began. Think of them as advance scouts leaving back doors open.
- Hydro Kitten: An IRGC-linked group that has publicly announced intent to target the U.S. financial sector.
- Sicarii Ransomware: Unlike typical ransomware where you can pay and recover, Sicarii has a fundamental flaw that permanently destroys data regardless of whether ransom is paid. The group has signaled plans to dramatically increase targeting volume.
- HydraC2 & Hacktivist Coalitions: High-volume DDoS botnets coordinating with pro-Russian groups (like NoName057(16)) to amplify impact. Their Telegram channels openly discuss targeting U.S. data centers and communications infrastructure.
What You Should Do Right Now
You don’t need a six-figure security budget to take meaningful action. The basics go a long way, and right now is the time to make sure you’re doing them.
1. Back Up Everything And Test Your Backups
Wiper malware is lethal specifically because people don’t have recent, working backups. Follow the 3-2-1 rule: 3 copies of your data, on 2 different types of media, with 1 copy offsite or in the cloud. And actually test that you can restore from those backups. A backup you’ve never tested is just hope.
2. Patch and Update Everything
Iranian actors exploit known, unpatched vulnerabilities. This isn’t sophisticated zero-day stuff; it’s the digital equivalent of leaving a window open. Update your operating systems, applications, and firmware on routers and firewalls. If you’re running end-of-life software (Windows 10 support ended in October 2025), plan to upgrade.
3. Enable Multi-Factor Authentication (MFA)
The Stryker attack reportedly leveraged compromised access to Microsoft Intune, their device management platform. MFA on all administrative accounts and cloud services is non-negotiable right now. Use an authenticator app rather than SMS when possible, as SMS-based MFA can be bypassed.
4. Train Your Team on Phishing
Most successful attacks start with an email. Tell your employees now: be suspicious of unexpected emails asking them to click links or open attachments, even from people they recognize. Iranian actors use spear-phishing: targeted emails crafted to look legitimate. When in doubt, pick up the phone and verify.
5. Harden Your Microsoft Environment
If your business runs on Microsoft 365, review who has administrative privileges. Remove accounts that don’t need them. Check what devices are enrolled in Intune or your MDM solution. Enable conditional access policies. If this sounds complex, it’s worth a conversation with your IT provider or a cybersecurity consultant.
6. Have an Incident Response Plan
If something does happen, what do you do? Who do you call? How do you communicate with employees and customers if your email is down? Having even a one-page plan written down and shared with key staff dramatically improves your ability to recover. Don’t be the business that figures this out in the middle of a crisis.
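The Stryker attack described above turned a legitimate MDM feature (remote wipe) into the weapon, so the thing to watch for is not malware but an unusual pattern of wipe commands. The following is an added illustration, not code from the original post or from any vendor: it runs two simple checks over constructed audit events (a burst of wipes from one account, and a wipe from an account outside your approved list). Field names and the approved-admin list are assumptions; map them to your tenant’s actual audit export.

```python
"""Flag mass or unauthorized device wipes in MDM audit events.

Wiper-style attacks that abuse Intune (or any MDM) issue many remote-wipe
commands in a short window, often from one compromised account. These two
checks surface that pattern. The event field names below (time, actor,
action, device) are an assumption, not Intune's exact schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real tenant data).
SAMPLE_EVENTS = [
    {"time": "2026-03-11T01:58:40Z", "actor": "helpdesk@example.com", "action": "Wipe ManagedDevice", "device": "LT-0142"},
    {"time": "2026-03-11T02:00:05Z", "actor": "svc-mdm@example.com", "action": "Wipe ManagedDevice", "device": "LT-0201"},
    {"time": "2026-03-11T02:00:09Z", "actor": "svc-mdm@example.com", "action": "Wipe ManagedDevice", "device": "LT-0202"},
    {"time": "2026-03-11T02:00:14Z", "actor": "svc-mdm@example.com", "action": "Wipe ManagedDevice", "device": "LT-0203"},
    {"time": "2026-03-11T02:00:21Z", "actor": "svc-mdm@example.com", "action": "Wipe ManagedDevice", "device": "LT-0204"},
    {"time": "2026-03-11T02:00:30Z", "actor": "svc-mdm@example.com", "action": "Wipe ManagedDevice", "device": "LT-0205"},
    {"time": "2026-03-11T02:00:44Z", "actor": "svc-mdm@example.com", "action": "Wipe ManagedDevice", "device": "LT-0206"},
    {"time": "2026-03-11T02:01:10Z", "actor": "contractor@example.com", "action": "Wipe ManagedDevice", "device": "PH-0077"},
    {"time": "2026-03-11T09:15:00Z", "actor": "helpdesk@example.com", "action": "Retire ManagedDevice", "device": "PH-0033"},
    {"time": "2026-03-11T09:20:00Z", "actor": "helpdesk@example.com", "action": "Create DeviceConfiguration", "device": ""},
]

# Assumption: accounts your organization has approved to wipe or retire devices.
APPROVED_WIPE_ADMINS = {"helpdesk@example.com", "svc-mdm@example.com"}
WIPE_ACTIONS = {"Wipe ManagedDevice", "Retire ManagedDevice"}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: sorted devices} for any actor who issued at least
    `threshold` wipe/retire commands inside one sliding time window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in WIPE_ACTIONS:
            by_actor[e["actor"]].append((parse_time(e["time"]), e["device"]))
    alerts = {}
    for actor, items in by_actor.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # shrink window
                start += 1
            if end - start + 1 >= threshold:
                alerts.setdefault(actor, set()).update(d for _, d in items[start:end + 1])
    return {actor: sorted(devs) for actor, devs in alerts.items()}


def detect_unapproved_wipes(events, approved=APPROVED_WIPE_ADMINS):
    """Return wipe/retire events issued by accounts not on the approved list."""
    return [e for e in events if e["action"] in WIPE_ACTIONS and e["actor"] not in approved]
```

Running both checks over the sample flags the service account for six wipes in under a minute and the contractor account for a single wipe it was never approved to issue; tune the threshold and window to your normal helpdesk volume.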
The Bottom Line
Kevin Mandia, founder of cybersecurity firm Mandiant, put it bluntly in the days after the Stryker attack: “Something is going to happen because the gloves are off.”
The geopolitical environment we’re in right now is unlike anything U.S. businesses have faced before. Iran has 15+ years of experience using cyber operations as a pressure valve: a way to punch back without starting a conventional war. And right now, every U.S. business is a potential pressure point.
The good news: the fundamentals of cyber hygiene really do work. Patching, backups, MFA, and awareness aren’t glamorous, but they stop the vast majority of attacks. Do the basics and do them now.
If you’d like help assessing your current risk posture or want to know where to start, we’re here. That’s what We Know Cyber is for.
Ready to strengthen your defenses? Contact We Know Cyber at weknowcyber.com for a free initial consultation.
Sources
CISA: Iranian Cyber Actors May Target Vulnerable US Networks (cisa.gov, Jan 2026)
CNN: US Intelligence Ramps Up Warnings of Possible Retaliatory Attacks by Iran (Mar 10, 2026)
NBC News: Iran Appears to Have Conducted Significant Cyberattack Against a U.S. Company (Mar 12, 2026)
Axios: Iranian Cyber Attacks: What to Know About US, Israel’s Cyberwarfare (Mar 11, 2026)
Halcyon: Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates (halcyon.ai)
Cybersecurity Dive: US Entities Face Heightened Cyber Risk Related to Iran War (Oct 2025)
