CODY KELLER

The conflict between the United States and Iran that began on February 28, 2026 moved into the cyber domain almost immediately. If you’ve been watching it as a geopolitical story and not a security operations story, it’s time to adjust your perspective.

This isn’t abstract nation-state activity happening at the edges of critical infrastructure. On March 11, an Iran-linked hacking group claimed responsibility for a cyberattack on Stryker Corporation, a Michigan-based medical device company, disrupting its Microsoft environment and forcing tens of thousands of employees offline globally (NBC News). Security analysts called it the first destructive cyberattack to hit a major US corporation during the Iran conflict, and warned it was just the beginning (The Register).

Here’s what that means for your program.

The Threat Is Not Contained to Critical Infrastructure

The instinct is to assume that nation-state attacks target government agencies and defense contractors. That assumption has always been partially wrong, and it’s getting worse.

Retired US Army Lt. Gen. Ross Coffman said it plainly: “The NSA is really, really good at defensive operations. I don’t see the attacks going against government assets — I see them going after civilian assets.” (The Register)

As of early March 2026, security researchers were tracking over 60 active threat groups aligned with the conflict, 53 of them operating on the pro-Iranian side (Kennedys Law LLP). These aren’t coordinated military units executing precision strikes. They’re a mix of state-sponsored actors, hacktivists, and opportunistic criminal groups with varying levels of capability and targeting discipline. That mix is what makes the threat hard to manage: sophisticated actors lay groundwork quietly, hacktivists swing at targets of opportunity, and you may not know which one found you until the damage is done.

Since the war began, hackers supporting Iran have launched thousands of cyberattacks on companies and organizations in both the US and Israel, seeking to undermine the war effort and critical supply chains (The Washington Post). Healthcare, energy, financial services, and defense supply chain companies are at elevated risk, but elevated risk doesn’t mean exclusive risk.

What Iran’s Playbook Actually Looks Like

Understanding the tactics in use matters more than tracking headlines.

The current campaign includes AI-enhanced spear-phishing that materially improves attack velocity and credibility, smishing campaigns using spoofed government alert apps to harvest credentials, and physical attacks on digital infrastructure, including drone strikes on cloud data centers in the UAE and Bahrain that caused structural damage and service disruptions (Kennedys Law LLP).

That last point deserves a pause. The boundary between cyber and physical attack has collapsed. If your business continuity plan assumes a cloud region only fails for technical reasons, it needs to account for the physical loss of a data center as well; that is not a scenario most plans modeled three years ago.

Researchers at Symantec and Carbon Black found evidence that Iranian hackers installed backdoors on the networks of several US companies in late February (Axios), before the Stryker attack made headlines. Pre-positioning is a signature Iranian tactic. They don’t always attack when they gain access. Sometimes they wait.

Unit 42 identified 7,381 conflict-themed phishing URLs spanning 1,881 unique hostnames (Palo Alto Networks), all active and all designed to exploit the news cycle. Your users are being targeted with lures that reference the war, and those lures are more convincing than the average phishing attempt.

The Compliance Dimension Nobody Is Talking About

There’s a legal exposure here that doesn’t get enough attention in operational security conversations.

Iranian APT groups use infrastructure (servers, domains, payment accounts) that may be controlled by sanctioned entities. Paying a ransom, or making any transfer of value that ultimately benefits a sanctioned party, could constitute a sanctions violation even where the organization is itself the victim. Under US law, civil fines can reach up to $311,562 per violation under IEEPA, with criminal prosecution possible for management (Kennedys Law LLP).

If your incident response plan doesn’t have a sanctions screening step before any ransom payment decision, add one now. That’s not a theoretical edge case anymore.

CIRCIA requires covered critical infrastructure entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours, with CISA set to finalize mandatory reporting regulations by May 2026 (Foley). If you haven’t mapped your reporting obligations under CIRCIA, the finalization deadline is closer than most teams realize.

What to Do Right Now

This isn’t a call to panic. It’s a call to verify that your fundamentals are working under elevated threat conditions.

  • Run your phishing simulations with conflict-themed lures. Generic simulations don’t reflect the current threat. Your users are seeing Iran-themed credential harvesting campaigns right now.
  • Review your incident response plan for two specific gaps: sanctions screening before ransom payment, and CIRCIA reporting timelines if you’re in a covered sector.
  • Check your third-party exposure. If any of your critical vendors have operations in the Middle East or significant exposure to affected sectors, ask them directly about their current security posture and confirm you know what happens to your operations if they go offline for days.
  • Verify your backup and recovery position. Iran has a documented history of wiper attacks, malware designed to destroy data rather than encrypt it. Ransomware playbooks don’t fully apply: there is no decryptor to negotiate for, and a wiper that can reach your backups destroys them too, so at least one copy needs to be offline or immutable. If your recovery capability hasn’t been tested recently, test it.
  • Brief your leadership. Geopolitical cyber risk is a board-level conversation now. If your executives don’t understand the current threat environment, they can’t make informed decisions about risk appetite and response authorization.
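One concrete form of that recovery test, added here as an illustration and not taken from the article or from any vendor’s tooling: a restore drill that records a size and SHA-256 manifest at backup time, then checks a restored tree against it and classifies each failure the way a wiper would cause it (deleted, truncated to zero bytes, or overwritten). The file names and contents are constructed for the demonstration.

```python
# Added example, not from the original article: a minimal backup restore drill.
# At backup time build_manifest() records size and SHA-256 per file; at drill time
# verify_restore() compares a restored tree against that manifest and classifies
# each file that did not come back intact. The sample files are constructed.
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's relative path to its size and hash at backup time."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
            }
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Return {relative path: finding} for every manifest entry that is not intact.

    The three findings mirror what wipers do: delete files, truncate them to zero
    bytes, or overwrite their contents. An encrypted copy left by ransomware also
    shows up as 'corrupted', so one drill covers both playbooks.
    """
    findings = {}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            findings[rel] = "missing"
        elif expected["size"] > 0 and p.stat().st_size == 0:
            findings[rel] = "truncated"
        elif sha256_of(p) != expected["sha256"]:
            findings[rel] = "corrupted"
    return findings


def drill_verdict(findings: dict, manifest: dict) -> str:
    """A restore is either complete or it is not; partial recovery is a failed objective."""
    if not findings:
        return "PASS"
    return f"FAIL ({len(findings)}/{len(manifest)} files not intact)"


def run_drill() -> tuple:
    """Constructed scenario: back up three files, then verify a clean restore and a wiped one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "db").mkdir(parents=True)
        (src / "docs").mkdir()
        (src / "db" / "accounts.db").write_bytes(b"SQLite format 3\x00" + b"A" * 4096)
        (src / "docs" / "contract.txt").write_text("Master services agreement, v3\n")
        (src / "docs" / "notes.txt").write_text("recovery contacts: on-call rotation\n")
        manifest = build_manifest(src)

        # Restore 1: a faithful copy, as a healthy drill should produce.
        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        clean = verify_restore(good, manifest)

        # Restore 2: the same copy after a simulated wiper ran over it.
        wiped = Path(tmp) / "restore_wiped"
        shutil.copytree(src, wiped)
        (wiped / "db" / "accounts.db").write_bytes(b"")               # truncated to zero bytes
        (wiped / "docs" / "contract.txt").write_bytes(b"\xff" * 29)   # overwritten with junk
        (wiped / "docs" / "notes.txt").unlink()                       # deleted outright
        damaged = verify_restore(wiped, manifest)
    return manifest, clean, damaged


if __name__ == "__main__":
    manifest, clean, damaged = run_drill()
    print("clean restore:", drill_verdict(clean, manifest))
    print("wiped restore:", drill_verdict(damaged, manifest), damaged)
```

The drill is only meaningful when the restore comes from a copy the attacker could not reach (offline or immutable media), and it should run on a schedule rather than once. Treat any non-empty finding set as a failed recovery objective, not a partial success: a backup that returns two of three files is still a backup you cannot rebuild the business from.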

The Stryker attack was a signal, not an isolated event. The conflict is ongoing, the threat actor ecosystem is active, and the targeting is opportunistic enough that sector and size don’t provide the protection organizations assume they do.


Discussion Questions

  1. Does your current incident response plan include a sanctions screening step before any ransom payment decision? If not, what would it take to add one?
  2. If your organization is covered under CIRCIA, are your reporting timelines and escalation paths documented and tested?
  3. When was the last time you tested recovery from a wiper-style attack scenario — not ransomware recovery, but full data destruction?
