Under Attack and Still Standing: Building Cyber Resilience in a Geopolitical Crisis

In March 2026, employees at Stryker, one of the world's largest medical device companies, arrived at work to find their computers wiped. The Iranian-linked hacking group Handala had remotely destroyed thousands of employee devices using the company's own security tools, triggering a global network disruption. Stryker serves more than 150 million patients through its health equipment. It makes defibrillators, surgical instruments, ambulance cots. None of that had anything to do with the conflict. But it was enough to make it a target.

The Stryker attack was not an isolated incident. By April 2026, Iranian-affiliated advanced persistent threat actors had disrupted industrial control systems at water utilities, oil and gas facilities and energy plants across the United States, manipulating the operational technology that keeps those systems running safely. The FBI, CISA, the NSA and the Department of Energy issued a joint advisory warning critical infrastructure operators to act immediately. Some victims had suffered financial losses. Others had been forced to shut down automated processes and revert to manual operation. Meanwhile, Iranian-linked hackers leaked partial contents from FBI Director Kash Patel's private email account, and the Justice Department moved to seize four domains linked to Iranian Ministry of Intelligence psychological operations running in parallel with the physical attacks.

This is what geopolitical conflict looks like in 2026. Not only airstrikes and diplomacy, but a parallel offensive running through every internet-connected system a determined adversary can reach. And the target list is far wider than most security teams have planned for.

Morey Haber, Chief Security Advisor at BeyondTrust, describes the three forces that converge whenever geopolitical tensions spike. Nation-states pursue strategic objectives, targeting infrastructure to degrade an adversary's ability to function. Activist groups, acting on ideology, move opportunistically against anyone they can frame as the enemy. Criminal syndicates exploit the chaos and distraction that conflict creates. In the current crisis, all three are active simultaneously. "What we are seeing now," Haber says, "is that information about how a system may have been breached, previously kept quiet for silent espionage, is being deliberately made public as a form of humiliation. The goal is to show weakness, to create social discord, to demonstrate that even senior officials cannot protect themselves. The breach becomes the message."

The Expanding Target List

Eliad Kimhy, Senior Security Researcher at Acronis, has tracked the evolution of these campaigns across multiple conflicts. He describes how objectives shift as a crisis deepens: early attacks are precise, aimed at degrading specific capabilities. As conflict intensifies, the scope widens to critical infrastructure. Then a third phase emerges. "The battlefield expands to include public opinion," he says. "Groups attack a company not because it has direct military value, but because it shapes the narrative. It demonstrates strength to supporters and embarrasses adversaries. Any organisation whose breach generates headlines becomes useful. The question is no longer whether you are a military asset. It is whether attacking you tells a useful story."

The 2026 Iranian campaign illustrates all three phases running concurrently. Handala's attack on Stryker was claimed online as retaliation for a specific strike, serving a clear narrative function. The disruption of water and energy utilities targeted systems that keep civilian life functioning. The Patel email leak was designed for maximum public humiliation. One adversary, three simultaneous objectives.

This also means that organisations that consider themselves peripheral to any conflict (a regional logistics firm, a mid-sized financial services provider, a healthcare supplier) can no longer rely on obscurity as a defence. In a campaign designed to generate disruption and headlines, any organisation with operational significance or public visibility is a potential instrument. The calculus has shifted from targeting what is strategically valuable to targeting what is most likely to be vulnerable and most likely to hurt.

Vibin Shaju, Vice President of EMEA Solutions Engineering at Trellix, adds important context. These groups did not emerge in February 2026. "These threat actors have been operating and refining their techniques for a decade or more," he says. "What a geopolitical crisis does is activate them and give them a mandate. The conflict changes the context. The capability was already there, and it has been growing the entire time." Trellix had been tracking and documenting Iranian cyber group activity long before the current escalation brought it to mainstream attention.

Crisis Reveals What Was Already Broken

Every surge in geopolitically driven attacks reveals the same uncomfortable truth: most exploited vulnerabilities were not created by the crisis. They were already there. The CISA advisory published in April 2026 made this plain. The programmable logic controllers compromised at US water and energy facilities had been left exposed to the open internet, despite Rockwell Automation having issued guidance years earlier specifically warning customers to disconnect them. The vulnerability was not new. The attack exploiting it was.

Shaju describes the structural conditions that leave organisations exposed when a crisis hits. "The one thing that gets left behind during periods of rapid transformation is resilience," he says. "Organisations hand responsibility to cloud providers, assume the contract covers them, and do not ask hard enough questions about what happens when something goes wrong outside their control. When disruptions hit, they discover they have no grip on their own continuity. The contract said one thing. The reality said another." In a geopolitical threat environment, resilience cannot be contracted away. Organisations need genuine control over the systems that cannot go dark, and they need to establish which systems those are before a crisis makes the question urgent.

Haber traces the evolving attack surface across three generations of security thinking: software vulnerabilities and patching, then identity and access management, and now AI as an offensive weapon. "AI can probe systems at speeds and scales no human attacker could match, identify subtle vulnerabilities that traditional tools miss, and operate without the human bottleneck that used to limit how many organisations an adversary could pursue simultaneously," he says. "The defensive posture that matches this capability does not yet exist at most organisations. In a geopolitical crisis, when those tools are being directed with strategic intent, that gap is acutely dangerous." Looking further ahead, he flags quantum computing as the next horizon, with Google predicting that by 2029 quantum computers will be able to break current encryption standards. Nation-states are already investing. Organisations that wait until the AI problem feels solved to start thinking about quantum will find themselves years behind.

Building Resilience When the Ground Is Shifting

The CISA advisory gave organisations a concrete starting point: keep operational technology off the public internet, implement multi-factor authentication, monitor for unusual traffic, keep devices updated. These are not sophisticated recommendations. They are fundamentals. The fact that they needed to be issued as an urgent federal warning, pointing to systems compromised by years-old, unaddressed guidance, tells its own story about how wide the gap between advice and practice remains.

Kimhy is direct about what preparation actually requires. "In preparing for a cyber attack during a conflict situation, you should not be thinking about anything you would not be thinking about anyway," he says. "The techniques being used are not new. Phishing, social engineering, credential theft, wiper malware: these have been in use for years. What changes during a geopolitical crisis is the volume, the intent, and the likelihood that your organisation is in scope. The response is to do the things you should already be doing, properly and without delay."

Shaju argues for treating resilience as a continuous discipline, not a crisis response. The organisations best positioned to absorb the current wave of Iranian-linked attacks are not those scrambling to act on April's CISA advisories. They are those that had already hardened their environments, tested their continuity plans, and built relationships for sharing threat intelligence before an incident forced it. "In the UAE, we are starting to see that collective approach develop," he says. "Vendors, regulators and enterprises coming together before incidents happen, not just comparing notes afterwards. That kind of preparedness is one of the most valuable investments any organisation can make."

On immediate priorities, Haber is unequivocal. Identity is the most urgent surface to harden. State-aligned attackers, criminal groups and activists all know the fastest path into most organisations runs through compromised credentials, stolen access keys or exploited machine identities. "Any single-factor authentication, any persistent keys, any standing privileges in your environment right now: that is your most urgent problem," he says. "If I can steal a username and password, or find an API key, I am inside without deploying malware. I can operate entirely using tools your own systems provide. In a geopolitical crisis, with a resourced and motivated adversary looking for exactly that entry point, you cannot afford to leave it open."

The Organisations That Will Be Ready

The US-Iran conflict has tested US cyber defences in ways that are still unfolding. Iranian-linked actors have disrupted industrial control systems, wiped devices at a major medical technology company, leaked private communications of a senior law enforcement official and run influence operations at scale. The picture is of a sustained, multi-vector campaign with no near-term end in sight. And it is a picture that any organisation operating in a region touched by geopolitical tension should study carefully, because the same playbook has been deployed in every major conflict of the past decade, and there is no reason to expect it to stop now.

For any organisation trying to understand its position in this landscape, the message from all three experts is consistent: the question is not whether the threat will reach you. Given the breadth of the current campaign and the AI-assisted scale at which it is being prosecuted, the question is whether you will be standing when it does.

Shaju frames the goal plainly. "There is nothing that is 100% secure. The objective is not to make your organisation impenetrable. It is to ensure that when something happens, the impact is contained, recovery is fast, and the business can continue to function. That is what resilience means in a geopolitical crisis. Not the absence of attacks. The ability to absorb them and keep going."

The organisations that achieve that standard are not waiting for the world to calm down. They understand that geopolitical instability is not a temporary condition to manage around. It is the environment they operate in. And they are building accordingly.
