On March 11, twelve days into Operation Epic Fury, a medical device company in Michigan called Stryker woke up to find its global network down.
Defibrillators. Ambulance cots. Surgical equipment. All of it made by a company whose computers had just been hit by a group called Handala, an Iranian-linked hacktivist collective, in retaliation for a US missile strike on an elementary school in Minab, Iran that killed roughly 175 people, over 100 of them children. Nearly a week later, Stryker’s online ordering system was still offline.
That wasn’t an isolated incident. It was the opening move of something broader.
What Iran Has Actually Launched
Within hours of the February 28 strikes, Iran’s available internet connectivity dropped to between 1 and 4%; the US had effectively cut the country off. But Iran had prepared for that.
Over 60 hacktivist groups mobilized in the first hours of the war, forming a coalition called the Cyber Islamic Resistance. Some are directly IRGC-linked. Some are ideologically motivated opportunists. Some are criminal proxies. Collectively, they’ve been hitting targets across the US, Israel, the Gulf states, and Europe every single day since.
Amazon’s data centers in the UAE took drone strikes (physical, not digital) that caused structural damage and disrupted power delivery to AWS infrastructure in two countries.
Iran’s IRGC-linked Tasnim News Agency then published a hit list: Amazon, Microsoft, Palantir, Oracle. The caption read: “Enemy’s technological infrastructure: Iran’s new goals in the region.” It wasn’t a threat. It was a schedule.
On the cyber side, IRGC-linked groups including CyberAv3ngers, APT33, and APT55 have been targeting American industrial control systems, the computers that run water treatment plants, power grids, and manufacturing lines.
CyberAv3ngers have been found logging into industrial machines using default passwords and installing malware capable of controlling those systems remotely. A nuclear research facility in Poland was hit in what authorities believe may be an Iranian operation.
Jordan’s fuel systems were compromised. Kuwait’s government websites were taken down. In one week alone, Israel was the most targeted country, followed by Kuwait and Jordan. The most hit industries: national government, aerospace and defense, and technology.
Why Iran Is Unusually Good at This
Most people think of Iran’s cyber capabilities as a second-tier threat, below Russia, below China, certainly below the US. That’s mostly right, but it misses something important. What makes Iran dangerous isn’t sophistication; it’s unpredictability and preparation.
Iranian cyber actors are known for laying groundwork months or years before a conflict actually erupts. They plant access. They wait. When the war starts, they activate what they already built.
Tehran also learned from watching what was done to it. John Cohen, former Under-Secretary for Intelligence under Obama, put the principle plainly: “If you want to understand what Iran is going to do, look at what’s been done to it.”
The US targeted Iranian government officials, petrochemical facilities, and military infrastructure. The US used cyberattacks in the opening hours of the offensive: US Cyber Command confirmed it was one of the “first movers” in Operation Epic Fury, disrupting Iranian communications and sensor networks so completely that Iran was left “without the ability to see, coordinate, or respond effectively.”
Iran is now doing the same thing back. Government officials. Energy infrastructure. Communication systems. Water supplies: Iranian hackers have threatened water treatment plants in the US on multiple occasions in the past.
And like Russia, Tehran uses proxies: hacktivists and ransomware gangs who are ideologically aligned but organizationally separate, which means governments can’t easily respond with sanctions or indictments. You can’t sanction a group that doesn’t officially exist.
The Part That Should Concern Businesses Most
Here’s what former FBI and CIA officer Shaun Williams told the Insurance Journal this week, and it’s worth reading twice: “Cyber operations don’t require much infrastructure. A laptop and an internet connection can be enough to reach out and wreak havoc.”
He’s not being dramatic. The Stryker attack didn’t require state-level resources. It required a motivated group, an unpatched vulnerability, and time. Stryker is a major medical device manufacturer with a serious security budget. Its network still went down for a week.
The organizations most at risk right now, according to every agency that has issued a warning in the past two weeks (and there have been many), are defense contractors, companies with Israeli business relationships, hospitals, ports, water utilities, power stations, and railways.
Not because they’re the flashiest targets, but because they’re the ones where disruption causes the most pain with the least effort. A hospital that can’t access its systems doesn’t just lose data. People can die.
The FBI and NSA issued a joint advisory warning that “Iranian-affiliated cyber actors may target US devices and networks for near-term cyber operations.” A consortium of critical infrastructure sector groups issued its own advisory. CISA has been publishing threat bulletins. The warnings are serious, consistent, and coming from every corner of the intelligence community simultaneously.
The AI Wrinkle Nobody Saw Coming
Pete Hegseth confirmed on March 13 that the US is using AI tools as part of its war in Iran. The Wall Street Journal reported that the DoD used Anthropic’s Claude in the opening hours of the offensive, hours after the government had publicly announced it would stop using that technology.
Israel reportedly used data from hacked traffic cameras across Tehran, processed through AI systems, to help locate and plan the strike that killed Khamenei.
Iran has responded in kind. Trump accused Iran, without evidence, of using AI as a “disinformation weapon.” A New York Times investigation found over 110 unique AI-generated images and videos about the war circulating on social media in two weeks.
Real footage mixed with generated footage, real quotes mixed with fabricated ones, real grief mixed with manufactured outrage. At scale. Automatically. In real time.
This is what the first major AI-era war actually looks like from the inside. Not just drones and missiles, but algorithms, agents, generated content, and hacked industrial controllers, all running simultaneously, around the clock, with no clear front line and no obvious off switch.
