Iran’s Cyber War Is Inside Your ICS and Nobody’s Screaming

I wrote about the Handala wiper attack on Stryker Corporation two weeks ago — a $100 billion Fortune 500 medical device maker, data wiped across 60+ countries, login screens replaced with the Handala logo, stock down 4.5% inside a trading session, Ireland’s NCSC scrambling — and I remember thinking: okay, that’s the clearest evidence yet that this conflict isn’t staying in the Middle East. And then I look at my feed this week and the picture is so much worse than one wiper attack on one company.

Let me tell you what’s actually happening, because mainstream coverage of Operation Epic Fury is entirely focused on oil prices, Trump’s power plant ultimatum, and whether Hormuz reopens before chip prices spike. What almost nobody is writing about is the cyber war running in parallel — a hybrid conflict with the largest documented cyberattack in history on one side, and sixty-plus hacktivist groups plus IRGC-linked actors systematically probing Western industrial control systems on the other. Including yours.

What Happened — The Cyber Timeline

On February 28, 2026, the US and Israel launched Operation Epic Fury. Per Security Boulevard and AttackIQ’s detailed post-strike analysis, US Cyber Command was designated the “first mover” — cyber operations began before a single kinetic weapon was deployed. What happened next, per Israeli sources confirmed by Western intelligence, was described as “the largest cyberattack in history.” Israel’s cyber offensive collapsed Iran’s internet connectivity to between one and four percent of normal levels within hours, through simultaneous multi-layered attacks on BGP routing infrastructure, DNS, and SCADA/ICS systems. The IRNA state news agency went offline. Tasnim — the IRGC’s media arm — was hacked and displayed anti-Khamenei messaging. The BadeSaba prayer app, with five million downloads, was compromised to deliver defection messages to military personnel. Western intelligence sources confirmed the IRGC’s command-and-control communications were specifically targeted to prevent coordination of counterattacks during the opening hours of the campaign.

That part of the story everyone has broadly covered. Here’s the part that’s getting buried.

By March 2, 60 hacktivist groups had been activated outside Iran, per Unit 42’s March 2026 Threat Brief. Many are Iran-aligned. Some are explicitly Russian — pro-Russian collectives including NoName057(16) and Z-Pentest formally joined the coalition, which means Russia gets free proxy cover to hit Western infrastructure under the banner of this conflict while the world watches the Gulf. SOCRadar recorded over 600 distinct cyberattack claims across 100-plus Telegram channels within fifteen days. That’s the background noise. The signal is what’s underneath.

Per the Flashpoint intelligence timeline: Z-Pentest was logging claims of compromise against US ICS and SCADA systems — water utilities, energy sector, financial services, airports — as early as the first 48 hours. FAD Team, the Fatimiyoun Cyber Team, claimed SCADA and PLC access in Israel and other countries. DieNet was driving around 70% of hacktivist DDoS volume alongside Keymous+, hitting Middle East airports and banks and a US port. Poland announced it foiled a cyberattack on its national nuclear center with possible Iranian links under investigation. As I wrote in my full breakdown of the Iran cyber-kinetic war and its implications for AWS and cloud providers, the Tasnim target list explicitly named Amazon, Google, Microsoft, Palantir, IBM, Nvidia, and Oracle as legitimate targets in an infrastructure war. The IRGC’s media arm published that list. This is not posturing. It is pre-operational targeting communications.

And the detail that should make every water utility, energy company, and manufacturing plant in the English-speaking world stop and re-read their threat model: CyberAv3ngers, the IRGC-linked group, was documented accessing US industrial control systems at water treatment facilities. Using default passwords. Default. Passwords. In 2026. On systems that control the treatment of drinking water.

Why It Matters — This War Has No Front Line

Here’s what the oil price coverage misses entirely. The Strait of Hormuz closure is a supply chain disruption that affects everyone in an economy dependent on energy. But the cyber dimension of this war has no geographic constraint. A hacktivist collective operating in Iraq, coordinating on Telegram, with tools supplied by a Russian DDoS kit provider, can hit a water authority in Ohio. And they have been trying. The Electronic Operations Room — a unified command structure established by Iranian-aligned hacktivist groups on February 28, the same day strikes began — is a centralised coordination platform directing attacks across Gulf, Israeli, European, and US targets. It is still active.

The targets being hit are not random. Iranian APT groups have spent years mapping Western critical infrastructure. MuddyWater’s new MuddyViper backdoor, discovered by ESET in December 2025, was targeting Israeli and Egyptian critical infrastructure before the kinetic war started. Operation Olalampo, a February 2026 campaign by Iranian actors, deployed AI-assisted backdoors against MENA energy and marine sectors. The pattern is clear: pre-positioned access, waiting for the moment it’s needed.

What’s happening now — as Iran’s domestic internet slowly recovers from the 4% disruption floor — is that the sophisticated state-sponsored actors who were temporarily hampered by the connectivity collapse are getting back online. Unit 42’s assessment is blunt: “more destructive wiper attacks will materialize once the operation stabilises.” Handala’s attack on Stryker used Microsoft Intune — a legitimate cloud management platform — as the attack vector. They didn’t break in through a firewall. They abused the cloud management tools Stryker already had deployed.

As I’ve been tracking through my analysis of Handala wiping Stryker offline via cloud administration tools, the tactical shift from DDoS and defacement to destructive wiper deployment represents a qualitative escalation that the March 11 Stryker incident confirmed. Handala has since claimed breach of Verifone payment systems and Saudi Aramco’s facilities. Some of these claims are exaggerated. Not all of them.

What Went Wrong — Systemic Failures on Display

Let me pick apart the specific failure modes, because “Iranian hackers are scary” is not actionable and “default passwords on ICS” absolutely is.

The default password problem on industrial control systems is not new. CISA has been issuing advisories about this for years. The specific instance of CyberAv3ngers accessing US water infrastructure using default credentials is a scandal that should have been impossible in 2026. These are systems that control chemical dosing in public water supplies. They are internet-connected — because someone at some point decided remote monitoring was convenient — and they are running with the same credentials they shipped with.

The cloud administration vector used in the Stryker attack is a different failure, and in some ways a more troubling one. Legitimate cloud management tools — Microsoft Intune, in this case — were used to push wiper malware to endpoints across 60+ countries. This is the supply chain and cloud management problem transposed to a geopolitical conflict: if an attacker can authenticate to your cloud management plane, they own everything that management plane manages. The same failure mode I covered in my post on VMware Aria landing on CISA’s KEV list with an actively exploited admin console bypass — management infrastructure is the highest-value target and the most consistently under-defended asset in enterprise environments.

The pro-Russian hacktivist coalition joining this conflict is a strategic manoeuvre worth understanding clearly. Russia has plausible deniability. Russian state actors are technically not involved — it’s “hacktivists” operating “independently.” But the targeting priorities of NoName057(16), Z-Pentest, and their affiliated groups align precisely with Russian strategic interests: NATO-adjacent infrastructure, Western financial systems, US transportation and logistics. This is 2022 all over again, where the Ukraine conflict activated a Russian hacktivist ecosystem that has never fully stood down. The Iran conflict just gave it a new operational mandate.

The Fix — Fixer’s Advice

I’m going to be very specific here, because the threat is specific. This isn’t “improve your security posture generally.” These are the exact attack vectors being used right now, against organisations that look like yours.

Step one: Audit every ICS and OT device for default credentials. Today. This is not a quarterly project. Get a list of every internet-connected or network-adjacent operational technology device in your environment — PLCs, HMIs, RTUs, SCADA servers, building management systems, water treatment controllers, anything — and check whether it’s running factory default credentials. If you don’t know how to get that list, your first problem is that you don’t have an OT asset inventory. Build one. Then change every default credential you find. This is the specific attack vector CyberAv3ngers used on US water infrastructure. It should not be a viable attack vector. Make it not viable.

Step two: Network-segment your OT environments from corporate IT and the internet. The Purdue model is not dead; it is just ignored. OT networks — industrial control systems, building management, utility SCADA — should not have direct paths to the internet. They should not have direct paths to corporate IT networks. They should be on isolated network segments with monitored, audited crossing points for the traffic that legitimately needs to cross. If your OT environment has any kind of internet-reachable interface — including cloud-based remote monitoring — assess whether that exposure is necessary and reduce it to the absolute minimum.

Step three: Audit your cloud management plane access. Specifically. The Stryker attack vector was Intune. If you’re running Microsoft Intune, Jamf, SCCM, or any other mobile device or endpoint management platform, pull an audit of every identity that has administrative access to that platform. Privileged cloud management accounts should have phishing-resistant MFA — hardware keys or passkeys, not TOTP codes. Conditional access policies should restrict administrative access to known, managed devices from defined IP ranges. If Handala can authenticate to your Intune tenant, they can push wiper malware to every managed endpoint in your organisation simultaneously. Treat cloud management admin accounts like the skeleton keys they are.

Step four: Monitor for Iranian and pro-Russian IOCs. The threat intelligence community has been publishing extensive IOC lists for this conflict. SOCRadar’s live dashboard, Flashpoint’s tracking, Unit 42’s threat brief, AttackIQ’s Iranian adversary assessment template — the IOCs are available. Get them into your SIEM. Monitor for the malware families associated with Iranian APTs: Shamoon, ZeroCleare, Dustman, POWERSTATS, QUADAGENT, RustyWater, WezRAT, MuddyViper. Set up detection for DDoS amplification patterns consistent with Keymous+ and DieNet tooling.

Step five: Apply phishing-resistant MFA everywhere, especially engineering and OT accounts. The Handala methodology — and broader Iranian APT methodology — relies heavily on credential theft and phishing as initial access vectors. The RedAlert APK malware campaign documented by Unit 42 is an SMS phishing campaign delivering Android malware designed to steal credentials. Engineering and OT staff have not historically been the focus of phishing defences, but they are now explicit targets. Get phishing-resistant MFA on every account. SMS OTP is not sufficient.

Step six: Table-top an OT disruption scenario now. When was the last time your incident response plan was tested against a scenario where your SCADA systems stopped responding or your building management system was wiped? If the answer is “never” or “years ago,” schedule a tabletop exercise in the next two weeks. The Flashpoint analysis recommends: “Conduct tabletop exercises assuming loss of visibility or control in critical systems.” Do this before the actual incident makes the exercise irrelevant.
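To make step three concrete, here is an added example (my own illustration, not code from Microsoft, Stryker, or any vendor named above) that audits constructed cloud-management sign-in records and flags admin sessions without phishing-resistant MFA, from an unmanaged device, or from outside the permitted egress ranges. The record field names, role names, and the allowed IP range are assumptions, loosely modelled on an Entra ID sign-in export rather than its exact schema.

```python
import ipaddress
import json

# Constructed sample sign-in records, loosely modelled on an Entra ID sign-in
# log export; field names are assumptions, not the vendor's exact schema.
SAMPLE_SIGNINS = """\
{"user": "ot-admin@example.test", "app": "Microsoft Intune", "role": "Intune Administrator", "ip": "203.0.113.10", "managed_device": true, "auth_methods": ["Password", "FIDO2 security key"]}
{"user": "helpdesk@example.test", "app": "Microsoft Intune", "role": "Intune Administrator", "ip": "198.51.100.77", "managed_device": false, "auth_methods": ["Password", "Text message"]}
{"user": "svc-deploy@example.test", "app": "Microsoft Intune", "role": "Global Administrator", "ip": "203.0.113.22", "managed_device": true, "auth_methods": ["Password"]}
{"user": "analyst@example.test", "app": "Microsoft Intune", "role": "Help Desk Operator", "ip": "203.0.113.30", "managed_device": true, "auth_methods": ["Password", "Authenticator app TOTP"]}
"""

ADMIN_ROLES = {"Intune Administrator", "Global Administrator"}
# Methods that count as phishing-resistant: hardware-bound keys and passkeys,
# not SMS or TOTP codes (assumed label strings).
PHISHING_RESISTANT = {"FIDO2 security key", "Passkey", "Windows Hello for Business", "Certificate-based authentication"}
# Assumed corporate egress range from which admin-plane access is permitted.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def audit_signin(rec):
    """Return the list of policy violations for one admin-plane sign-in record."""
    if rec["role"] not in ADMIN_ROLES:
        return []  # non-admin sessions are out of scope for this check
    problems = []
    if not set(rec["auth_methods"]) & PHISHING_RESISTANT:
        problems.append("no phishing-resistant MFA")
    if not rec["managed_device"]:
        problems.append("unmanaged device")
    ip = ipaddress.ip_address(rec["ip"])
    if not any(ip in net for net in ALLOWED_RANGES):
        problems.append(f"source {rec['ip']} outside allowed ranges")
    return problems

def audit_log(text):
    """Parse newline-delimited JSON sign-ins; map each failing admin to its violations."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        problems = audit_signin(rec)
        if problems:
            findings.setdefault(rec["user"], []).extend(problems)
    return findings

if __name__ == "__main__":
    for user, problems in audit_log(SAMPLE_SIGNINS).items():
        print(f"{user}: {', '.join(problems)}")
```

Run it against a real export by swapping the constructed records for your tenant's sign-in data and adjusting the role labels and egress ranges to match your environment.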

My research on why a Cyber 9/11 scenario remains a near-term risk was written before this conflict began. The conditions it describes — pre-positioned access in critical infrastructure, coordinated hacktivist ecosystems with state backing, exploitation of default credentials in ICS environments — are all present and active right now. And my analysis of global terrorism’s digital financing covers exactly why these proxy groups are so hard to attribute and contain once activated: the operational infrastructure is decentralised, the funding is crypto-denominated, and the actors are operating across multiple jurisdictions simultaneously.

Final Word

The mainstream media is focused on oil prices and whether Trump bombs Iranian power plants. The cyber war doesn’t care about those headlines. It’s running in the background, against water utilities and cloud management platforms and payment systems, and it will keep running after the kinetic phase ends. Get your OT credentials changed. Get your cloud management plane locked down. Get your incident response plan tested.