The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

Iran Conflict Cyber Risks: What Organizations Should Expect (and How to Prepare)

Uriah Robins

Senior Manager


The Iran conflict is no longer just a regional security story. It has moved into cyberspace, and the risks are becoming harder for business leaders to dismiss. Public reporting since February 28, 2026, points to destructive attacks, hack-and-leak activity, intimidation campaigns, disruption of regional digital infrastructure, and warnings from U.S. authorities about increased risk to critical infrastructure and enterprise environments.

What makes this moment stand out is not simply the rise in cyber activity but also the widening scope of its impact. This is no longer limited to espionage or website defacements. Public reporting now points to disruptive activity affecting a major U.S. medical technology company, doxxing and threats involving Israeli-affiliated individuals, cyber-enabled intimidation of dissidents, and even physical disruption to Gulf cloud infrastructure after drone strikes damaged Amazon Web Services facilities in the United Arab Emirates and Bahrain.

For enterprise leaders, the message is straightforward: This is no longer a distant geopolitical issue to monitor passively. It is a fast-moving risk environment that shows how quickly regional conflict can create operational, cyber, third-party and infrastructure exposure for organizations well beyond the immediate conflict zone. The recent incidents reported so far help show what that looks like in practice.

What recent incidents suggest

The March 11 attack on Stryker remains the clearest U.S.-linked cyber incident reported so far, and its relevance extends well beyond the health care sector. Reuters reported disruptions to order processing, manufacturing and shipments, along with impacts to devices connected to the company’s Microsoft environment. Stryker said patient-related services and connected medical products were not affected, but the recovery effort was still significant. Handala, a group widely linked in public reporting to Iran, claimed responsibility.

For business leaders, the broader takeaway is that this was not just a technical cyber event. It appears to have affected core parts of the business, including:

  • Production
  • Fulfillment
  • Workforce productivity
  • Recovery capacity

That is the real issue — not simply whether an attack occurs, but whether the business can keep operating, support customers and maintain trust while recovery is underway.

The U.S. government has since added to that picture. On March 20, the Department of Justice said domains tied to Iran’s Ministry of Intelligence and Security were used in a broader campaign involving destructive attacks, leak operations and psychological operations. It also said one of those domains was used to claim credit for the March 2026 destructive malware attack on a U.S.-based multinational medical technologies firm, a description that aligns with the Stryker incident.

That same action also pointed to a wider campaign involving:

  • Publication of personally identifiable information
  • Additional claimed leaks
  • Death threats targeting dissidents and journalists

The FBI described this as a shared playbook that combines destructive cyberattacks with so-called faketivist psychological operations.

What matters here is how cyber risk is now showing up inside the enterprise. It is no longer limited to unauthorized access or stolen data. Organizations may now have to manage disruption that is:

  • Technical
  • Operational
  • Public
  • Reputational
  • Personal

There are also signs of spillover beyond the initial target. Public reporting citing FBI materials indicated that a related cyberattack disrupted hospital systems, leading providers to suspend connections to tools used to analyze patient data and vital signs. In parallel, drone strikes damaged AWS data centers in the United Arab Emirates and Bahrain, causing structural damage, power disruption, fire-suppression activity and prolonged service recovery.

Taken together, these incidents show that cyber risk tied to geopolitical conflict is spilling into operations, third-party dependencies and critical infrastructure in ways business leaders can no longer afford to view as theoretical.

Why this matters for organizations

These developments show that geopolitical cyber risk is now an operational resiliency issue. This is not limited to one sector or one attack method. The current threat environment spans destructive attacks, hack-and-leak activity, infrastructure disruption, intimidation and opportunistic targeting of business systems that can create real operational fallout. Organizations do not need to be direct geopolitical actors to feel the impact. Supply chains, cloud tenants, managed service customers and regional business units may all experience downstream effects.

What also stands out is the way these campaigns are being carried out. Iranian-linked actors have long mixed espionage, disruption and influence, but this cycle appears to go further by combining technical compromise with public pressure, stealing data, leaking it selectively, threatening individuals and amplifying the impact through coordinated messaging.

From a defense standpoint, much of the tradecraft is familiar: phishing, password spraying, multifactor-authentication (MFA) fatigue, cloud-account compromise, credential theft, and abuse of remote access and administrative tools. But the bigger concern now is the disruptive intent behind it. When attackers gain access to identity systems, end-point-management tools or remote administration platforms, they may be able to turn a routine intrusion into fast-moving enterprise-wide disruption.

What to do next

For business and security leaders, the priority is not prediction. It is resilience — making the organization harder to disrupt and better equipped to recover. Iranian-linked cyber activity should be viewed as both an operational risk and a reputational one, with the potential to interrupt business processes, affect critical devices and systems, expose sensitive data, and increase pressure through public claims or intimidation tactics.

That calls for a more integrated response across security, operations, technology and leadership teams. A few actions should move to the top of the list:

  • Harden identity and access controls by strengthening MFA, reviewing privileged access and reducing opportunities for attackers to use compromised credentials to move quickly across the environment.
  • Reduce unnecessary exposure by reassessing externally exposed remote access, end-point-management platforms and administrative tools that could be used to create broader disruption.
  • Pressure-test incident-response plans so they account not only for technical containment and recovery but also for public claims, selective leaks and intimidation tactics that can raise the stakes quickly.
  • Review third-party and concentration risk across cloud providers, managed services and other critical dependencies that could create downstream operational impact.
  • Align leadership teams in advance so security, legal, communications, operations and executive stakeholders are prepared to make coordinated decisions under pressure.
  • Communicate proactively with employees to raise vigilance, reinforce what suspicious activity may look like, and remind them how and where to escalate concerns quickly.

The larger point is straightforward: The cyber dimension of the Iran conflict is no longer theoretical. Organizations do not need perfect clarity on what happens next, but they do need to be ready for the possibility that geopolitical events can create immediate business consequences. The companies that act now to strengthen core controls, reduce response friction and improve resilience across the enterprise will be in a much stronger position if this threat environment continues to intensify.

Uriah Robins is a senior manager in Protiviti’s IT Consulting practice, specializing in information security and data...
