Monitoring Cyberattacks Directly Linked to the US-Israel-Iran Military Conflict

March 24, 2026

This brief catalogues confirmed and credibly reported cyber operations directly linked to the escalating US-Israel-Iran military conflict spanning June 2025 through March 2026. The conflict has generated one of the most intensive periods of state-linked cyber warfare since the Russia-Ukraine war, with operations conducted by both sides across multiple domains including critical infrastructure, financial systems, communications networks, and social media platforms.

We will continue to update this timeline with the most recent information as the situation develops.

Key Findings – Updated March 24, 2026

Stryker SEC 8-K filing confirms incident contained; Palo Alto Networks Unit 42 identifies malicious file used to execute commands while hiding attacker activity; Stryker filed an 8-K with the SEC on March 23 confirming the March 11 cyberattack is contained. Unit 42 forensic analysis identified a malicious file that allowed the attackers to run commands while concealing their presence. Unit 42 found no evidence of active unauthorized access. Manufacturing is ramping as critical lines come back online. Stryker entered Day 14 of restoration on March 24.

SecurityWeek, March 24; Cybersecurity Dive, March 23; MassDevice, March 23

FBI publishes FLASH alert on MOIS malware campaign using Telegram bots as command-and-control against dissidents worldwide; The FBI released FLASH-20260320-001 detailing a malware campaign conducted by MOIS cyber actors using Telegram bots as C2 infrastructure. Malware samples masquerade as legitimate applications including Pictory, KeePass, and Telegram. Stage 2 implants enable remote control, screenshot capture, Zoom call recording, and file exfiltration. TechCrunch reported the alert on March 23.

FBI IC3, March 20; TechCrunch, March 23

State Department formally launches Bureau of Emerging Threats with five divisions targeting Iranian and adversary cyber operations; The State Department notified Congress on March 21 and formally launched the Bureau of Emerging Threats on March 23. The bureau includes the Office of Cybersecurity, Office of Critical Infrastructure Security, Office of Disruptive Technology, Office of Space Security, and Office of Threat Assessment. Senior Bureau Official Anny Vu held her first external meeting on March 24.

ABC News, March 23; JNS, March 23; State Department, March 24

Iran internet blackout enters 25th day; 552+ consecutive hours offline; NetBlocks calls it the most severe nationwide shutdown on record; NetBlocks confirmed on March 23 that the blackout has been in place for more than 552 hours. The organization described it as the most severe government-imposed nationwide internet shutdown on record. Connectivity remains at approximately 1% of normal levels. The blackout continues to have no measurable impact on externally based proxy groups.

Daily Post Nigeria, March 23; NetBlocks, March 23; Middle East Eye, March 19

Pro-Iran hacktivist ‘APT Iran’ claims alleged breach of Lockheed Martin; demands $400 million; claims 375TB of data including F-35 blueprints; Cybersecurity Dive reported on March 23 that a pro-Iran hacktivist collective tracked as APT Iran claims to have stolen 375 terabytes of data from Lockheed Martin, including blueprints of F-35 aircraft. The group posted demands of more than $400 million on Telegram. Flashpoint, Check Point Software, and Halcyon confirmed awareness of the claims. Lockheed Martin stated it is aware of the reports and remains confident in the integrity of its systems. The claims have not been independently verified.

Cybersecurity Dive, March 23; Flashpoint; Halcyon

Intoxalock confirms systems restored on March 22 following cyberattack that disrupted ignition interlock devices across 46 states for eight days; Intoxalock posted a status update on March 22 confirming systems have resumed and installations, calibrations, and service center support are available. The cyberattack, which began March 14, disrupted calibration services for court-ordered ignition interlock devices used by DUI offenders across 46 states. Connecticut Public and CBS13 reported on March 23 that normal operations have resumed. No attribution has been confirmed.

CT Mirror, March 23; WGME, March 23; Intoxalock status page, March 22

For customers seeking further details, please reach out to your Customer Success Manager, and for non-customers please reach out here.

US-Israel-Iran Conflict Timeline & Cyber Context

The cyber operations documented in this brief are responses to three major kinetic escalations:

Date; Kinetic Event; Cyber Response Pattern

June 13–25, 2025
Kinetic event: Israel launches surprise attack on Iranian nuclear/military facilities; US strikes three nuclear sites on June 22
Cyber response pattern: Immediate hacktivist surge with 120+ groups active; DDoS, wiper malware, financial theft, and website defacement

January 20–26, 2026
Kinetic event: Pre-conflict escalation; large-scale scanning and credential harvesting reported by intelligence monitors
Cyber response pattern: Attacks on Iranian ports, power substations; Shamoon 4.0 variant strikes Saudi infrastructure

February 28, 2026
Kinetic event: US-Israel Operation Epic Fury/Roar of the Lion targeting IRGC, missile sites, and leadership
Cyber response pattern: Largest cyberattack in conflict history; near-total Iranian internet blackout; retaliatory cyber operations active and escalating

Confirmed & Credibly Reported Cyber Attacks

We are updating this section to include only the newest incidents. For customers seeking further details of past incidents, please reach out to your Customer Success Manager, and for non-customers please reach out here.

Stryker SEC 8-K Confirms Incident Contained; Palo Alto Networks Unit 42 Identifies Malicious File Used by Attackers (March 23-24, 2026)

  • Threat actor: Handala Hack (Iran MOIS / Void Manticore)
  • Target: Stryker Corporation (continued, Day 14)
  • Attack type: Continued investigation and recovery from identity-based wiper attack via Microsoft Intune

Stryker filed a Form 8-K with the SEC on March 23 confirming the March 11 cyberattack is contained and restoration is progressing. The filing included an assessment letter from Palo Alto Networks Unit 42, which identified a malicious file that allowed the attackers to execute commands while hiding their activity within the Stryker environment. Unit 42 stated the file was not capable of spreading inside or outside the environment. Forensic analysis found no evidence of active, uncontained, persistent unauthorized access. All known indicators of compromise have been identified and addressed. Stryker is rebuilding impacted systems and restoring from backups predating the compromise window. Isolated systems not yet rebuilt remain offline. Manufacturing capability is ramping as critical lines and plants come back online. Stryker confirmed it is working with the White House National Cyber Director, FBI, CISA, DHA, HHS, and H-ISAC. SecurityWeek reported on March 24 that the FBI also published a separate alert describing malware used by Iranian government hackers; because Stryker maintains that no malware was deployed in its environment, the malware described in the FBI alert is unlikely to be related to the Stryker incident.

Sources: SecurityWeek (March 24, 2026); Cybersecurity Dive (March 23); MassDevice (March 23); GovInfoSecurity (March 23); Stryker SEC 8-K filing (March 23)

FBI Publishes FLASH Alert on MOIS Malware Campaign Using Telegram Bots as C2 Against Dissidents Worldwide (March 20-23, 2026)

  • Threat actor: Iran MOIS cyber actors (linked to Handala / Homeland Justice)
  • Target: Iranian dissidents, journalists, and opposition groups worldwide
  • Attack type: Social engineering delivery of masquerading malware with Telegram-based C2

The FBI released FLASH-20260320-001 on March 20 detailing a malware campaign conducted by MOIS cyber actors targeting Iranian dissidents, journalists, and opposition groups around the world. The campaign uses social engineering to deliver stage 1 malware masquerading as legitimate applications including Pictory, KeePass, and Telegram. Stage 2 persistent implants establish command-and-control via Telegram bots, enabling bidirectional communication through api.telegram.org. Capabilities include remote device control, file exfiltration, screenshot capture, and Zoom call recording. The FBI noted that actors performed target reconnaissance before engaging victims to increase download likelihood. TechCrunch reported on March 23 that the FBI confirmed Handala and Homeland Justice are linked and controlled by the MOIS. Telegram stated its moderators routinely remove accounts
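The Bot API traffic pattern described above (tasking pulled via getUpdates, data pushed out via send* methods over api.telegram.org) is something a proxy or EDR log can surface. The following is an added example, not code from Flare or from the FBI alert: it runs a small detection over constructed proxy log lines, groups Bot API calls per host, process and bot token, and flags bidirectional use or a process name matching the applications the alert says the malware masquerades as. The log format, the executable names and the bot tokens are all assumptions made up for this example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry): "timestamp host process url"
SAMPLE_PROXY_LOG = """\
2026-03-21T09:14:02Z WS-0412 keepass.exe https://api.telegram.org/bot1234567890:AAConstructedTokenForExampleOnly00/getUpdates
2026-03-21T09:14:05Z WS-0412 keepass.exe https://api.telegram.org/bot1234567890:AAConstructedTokenForExampleOnly00/sendDocument
2026-03-21T09:15:10Z WS-0077 pictory.exe https://api.telegram.org/bot9876543210:BBAnotherConstructedTokenValue1111/getUpdates
2026-03-21T09:16:00Z WS-0099 outlook.exe https://outlook.office365.com/owa/
2026-03-21T09:17:21Z WS-0412 keepass.exe https://www.keepass.info/
"""

# Bot API URL shape: https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")
# Methods an implant polls for tasking (inbound) vs. methods it uses to push data out (outbound)
INBOUND_METHODS = {"getUpdates"}
OUTBOUND_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}
# Assumed executable names for the applications the FLASH alert says the malware imitates
MASQUERADE_NAMES = {"keepass.exe", "pictory.exe", "telegram.exe"}


def redact_token(token):
    """Keep the bot id and a 4-char prefix of the secret so analysts can correlate without leaking it."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}..." if secret else token


def detect_bot_api_c2(log_text):
    """Group Bot API calls per (host, process, token) and score each group."""
    seen = defaultdict(lambda: {"methods": set(), "first": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        ts, host, proc, url = parts
        m = BOT_API_RE.match(url)
        if not m:
            continue
        key = (host, proc.lower(), m["token"])
        seen[key]["methods"].add(m["method"])
        seen[key]["first"] = seen[key]["first"] or ts

    findings = []
    for (host, proc, token), info in seen.items():
        inbound = bool(info["methods"] & INBOUND_METHODS)
        outbound = bool(info["methods"] & OUTBOUND_METHODS)
        masquerade = proc in MASQUERADE_NAMES
        findings.append({
            "host": host,
            "process": proc,
            "bot": redact_token(token),
            "first_seen": info["first"],
            "methods": sorted(info["methods"]),
            "bidirectional": inbound and outbound,   # tasking pulled and data pushed: C2 loop
            "masquerade": masquerade,
            "severity": "high" if (inbound and outbound) or masquerade else "medium",
        })
    return sorted(findings, key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for f in detect_bot_api_c2(SAMPLE_PROXY_LOG):
        print(f)
```

Whether any legitimate software in your estate calls the Bot API endpoint is an assumption to validate before alerting on every hit; the grouping above keeps one alert per implant rather than one per request.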

Sources: FBI IC3 FLASH-20260320-001 (March 20, 2026); TechCrunch (March 23); SecurityWeek (March 24)

State Department Formally Launches Bureau of Emerging Threats With Five Divisions (March 23, 2026)

  • Target: Institutional response to Iranian and adversary cyber operations
  • Attack type: Government advisory and structural reorganization

The State Department formally launched the Bureau of Emerging Threats on March 23, having notified Congress on March 21. The bureau includes five divisions: Office of Cybersecurity, Office of Critical Infrastructure Security, Office of Disruptive Technology, Office of Space Security, and Office of Threat Assessment. Deputy Spokesperson Tommy Pigott stated the bureau will address threats in cyberspace, outer space, critical infrastructure, and the misuse of AI and quantum technology. Senior Bureau Official Anny Vu, who recently served as chargé d’affaires at the US Embassy in Beijing, held her first meeting with the French Ambassador for Digital Affairs on March 24. ABC News reported the bureau was created with Iran, China, Russia, North Korea, and foreign terrorist organizations identified as particular areas of focus. CrowdStrike was cited confirming an uptick in activity from pro-Iranian actors since the February 28 strikes.

Sources: ABC News (March 23, 2026); JNS (March 23); US State Department Public Schedule (March 24); PYMNTS (March 23)

Iran Internet Blackout Enters 25th Day; 552+ Consecutive Hours Offline; War Enters Fourth Week (March 23-24, 2026)

  • Target: Iranian civilian population (90+ million)
  • Attack type: State-imposed internet shutdown; National Information Network whitelist enforcement

NetBlocks confirmed on March 23 that the internet blackout entered its 24th day with more than 552 consecutive hours of restricted connectivity. As of March 24, the blackout has entered its 25th day. NetBlocks described the outage as the most severe government-imposed nationwide shutdown on record, surpassing the January 2026 protest shutdown. Connectivity remains at approximately 1% of normal levels. Middle East Eye reported on March 19 that only Sudan and Myanmar have experienced longer shutdowns, both in the context of military coups. Limited allowlisted IPv4 routes confirm authorities continue to preserve connectivity for officials and state media. Telecoms continue to threaten legal action against users who attempt to connect to the global internet. The blackout continues to have no measurable impact on the operational tempo of externally based proxy groups.

Sources: Daily Post Nigeria (March 23, 2026); NetBlocks (March 23); Middle East Eye (March 19); Iran International; Cloudflare Radar

Pro-Iran Hacktivist ‘APT Iran’ Claims Alleged Breach of Lockheed Martin; Demands $400 Million (March 23, 2026)

  • Threat actor: APT Iran (pro-Iranian hacktivist collective)
  • Target: Lockheed Martin Corporation
  • Attack type: Alleged data exfiltration and extortion (UNCONFIRMED)

Cybersecurity Dive reported on March 23 that a pro-Iran hacktivist collective tracked as APT Iran claims to have stolen 375 terabytes of data from Lockheed Martin, including blueprints of F-35 fighter aircraft and other corporate information. The claims were posted on Telegram. Multiple security researchers including Flashpoint and Check Point Software confirmed awareness of the claims. Halcyon reported the group subsequently posted demands of more than $400 million in exchange for not selling the data to US adversaries. APT Iran previously claimed credit for attacks against critical infrastructure in Jordan, according to Palo Alto Networks. A Lockheed Martin spokesperson told Cybersecurity Dive the company is aware of the reports and stated: ‘We remain confident in the integrity of our robust, multilayered information systems and data security.’ The claims have not been independently verified. Lockheed Martin manufactures the F-35 jets used in Operation Epic Fury and was previously listed on Handala’s RedWanted targeting site.

Sources: Cybersecurity Dive (March 23, 2026); Flashpoint; Check Point Software; Halcyon; Palo Alto Networks

Intoxalock Confirms Systems Restored Following Eight-Day Cyberattack Disrupting Ignition Interlock Devices Across 46 States (March 22-23, 2026)

  • Target: Intoxalock (Consumer Safety Technology, Iowa)
  • Attack type: DDoS-style cyberattack disrupting operational technology and recalibration systems (restoration confirmed)

Intoxalock posted a status update on March 22 confirming that systems have resumed and installations, calibrations, and service center support are now available. The cyberattack began March 14 and disrupted calibration systems for court-ordered ignition interlock devices used by DUI offenders across 46 states. The company described the incident as a DDoS-style attack that overwhelmed its servers. During the outage, drivers due for calibration were unable to start their vehicles. Intoxalock developed a new system app that was pushed to all calibration devices while coordinating with state regulators. The company offered 10-day calibration extensions and committed to covering costs caused by the disruption. Connecticut Public reported on March 23 that normal operations have resumed. CBS13 in Maine confirmed a local driver was able to start his vehicle as of March 21. Intoxalock stated it will provide more information about the incident as the review continues. No attribution has been publicly confirmed.

Sources: CT Mirror (March 23, 2026); WGME (March 23); Intoxalock status page (March 22); Cybernews (March 20); CEOutlook (March 23)

Key Threat Actor Summaries

Actor Tracker – March 24, 2026

Handala Hack
Affiliation: Iran MOIS / Void Manticore
Primary TTPs: Intune MDM wipe abuse; malicious file for command execution; infostealer credential harvesting; data exfiltration (claimed); Telegram-based C2 malware
Key targets: Stryker (confirmed, Day 14); IDF personnel (doxxed); Iranian dissidents; journalists
Confirmation: DOJ; FBI FLASH; Unit 42; Check Point Research; SecurityWeek; Cybersecurity Dive

MOIS Telegram malware campaign
Affiliation: Iran MOIS
Primary TTPs: Social engineering; masquerading malware (Pictory, KeePass, Telegram); Telegram bot C2; screenshot capture; Zoom recording; file exfiltration
Key targets: Iranian dissidents; journalists; opposition groups worldwide
Confirmation: FBI IC3 FLASH-20260320-001; TechCrunch

APT Iran
Affiliation: Pro-Iranian hacktivist collective
Primary TTPs: Alleged data exfiltration; extortion; Telegram-based claims and demands
Key targets: Lockheed Martin (unconfirmed); Jordanian critical infrastructure (prior)
Confirmation: Cybersecurity Dive; Flashpoint; Check Point; Halcyon

Pro-Iranian hacktivist ecosystem (60+ groups)
Affiliation: Mixed; Iran-aligned and pro-Russian
Primary TTPs: DDoS; defacement; hack-and-leak; credential harvesting; camera penetration
Key targets: US infrastructure; Middle East governments; Israeli defense; Gulf states; NATO allies
Confirmation: Unit 42; CrowdStrike; Akamai; Intel 471

Relevant Government Advisories

New advisories issued since previous report (March 23rd):

Government Advisories – Iran Cyber Threats (date; issuing agency; advisory summary)

March 24th, 2026

SecurityWeek / Palo Alto Networks Unit 42

Stryker SEC 8-K filing confirms incident contained; Unit 42 identifies malicious file used by attackers to execute commands while hiding activity; no evidence of active unauthorized access; all known IOCs addressed.

March 23rd, 2026

Cybersecurity Dive / Flashpoint / Check Point

Pro-Iran hacktivist APT Iran claims alleged breach of Lockheed Martin with 375TB of data including F-35 blueprints; demands $400 million. Claims unverified. Lockheed Martin states confidence in system integrity.

March 23rd, 2026

US State Department

Bureau of Emerging Threats formally launched with five divisions covering cybersecurity, critical infrastructure, disruptive technology, space security, and threat assessment. Iran identified as primary focus alongside China, Russia, and North Korea.

March 23rd, 2026

FBI IC3 / TechCrunch

FBI FLASH-20260320-001 details MOIS malware campaign using Telegram bots as C2 against Iranian dissidents and journalists. Masquerading malware mimics Pictory, KeePass, and Telegram. FBI confirms Handala and Homeland Justice are linked and controlled by MOIS.

March 23rd, 2026

NetBlocks

Iran internet blackout enters 24th day; 552+ consecutive hours offline; described as the most severe government-imposed nationwide shutdown on record.

March 22–23, 2026

Intoxalock / CT Mirror / WGME

Intoxalock confirms systems restored March 22 following eight-day cyberattack that disrupted ignition interlock calibration services across 46 states. Normal operations resumed.

For historical advisories, please reach out to your Customer Success Manager if you are a customer, and reach out here if you are not a customer.

Assessment & Outlook

The conflict has entered its 25th day. As of March 24, the following assessment reflects developments from the previous 24 hours.

Near-Term Threat (1-4 weeks): CRITICAL & DETERIORATING

Stryker entered Day 14 of restoration on March 24. The SEC 8-K filing and accompanying Palo Alto Networks Unit 42 assessment confirm the incident is contained, with no evidence of active unauthorized access. The identification of a malicious file used for command execution while hiding attacker activity provides new forensic detail on the intrusion method. Manufacturing is ramping but full restoration has not been declared. The scale of the attack (200,000+ wiped devices across 79 countries) continues to demonstrate the destructive potential of identity-based attack paths through cloud management platforms.

The FBI FLASH alert published March 20 and reported by TechCrunch on March 23 reveals an active MOIS malware campaign using Telegram bots as C2 infrastructure to target Iranian dissidents, journalists, and opposition groups worldwide. The malware masquerades as legitimate applications and enables remote control, screenshot capture, and Zoom call recording. This campaign confirms MOIS actors maintain operational capability despite the domestic internet blackout and kinetic disruption to leadership structures.

The State Department launch of the Bureau of Emerging Threats on March 23 signals institutional recognition that Iranian cyber operations require a dedicated foreign policy response. The bureau’s five-division structure covering cybersecurity, critical infrastructure, disruptive technology, space, and threat assessment represents a long-term structural change in how the US government approaches adversary cyber threats.

On the kinetic front, Trump announced a five-day pause on strikes against Iranian power infrastructure on March 24, claiming productive conversations with Iran. Tehran denied any negotiations. If the pause holds, the probability of escalatory cyber retaliation targeting US energy and financial sectors may decrease temporarily. If the pause collapses, the IRGC’s previous threats to hit Israeli power plants and those supplying US bases indicate a high probability of retaliatory cyber operations against energy infrastructure.

Cybersecurity Dive reported on March 23 that a pro-Iran hacktivist collective tracked as APT Iran claims to have stolen 375 terabytes of data from Lockheed Martin, including F-35 blueprints, and is demanding $400 million. The claims have not been verified. Lockheed Martin stated confidence in its system integrity. If legitimate, this would represent a significant escalation in targeting of the US defense industrial base. Defense contractors listed on Handala’s RedWanted targeting site should treat this as an indicator of heightened threat activity.

Priority Targets (Updated March 24)

  • Organizations using Microsoft Intune or equivalent endpoint management platforms (CRITICAL): Stryker SEC 8-K and Unit 42 analysis confirm attackers used a malicious file to execute commands while hiding activity. Multi-Admin Approval for wipe commands remains the primary mitigation.
  • US and Israeli financial institutions and energy infrastructure (CRITICAL, UPDATED): Diplomatic uncertainty around the five-day pause on power plant strikes creates volatile conditions. Iran has previously declared all US financial institutions in the Middle East as justified targets. If the pause collapses, retaliatory cyber operations against energy infrastructure are highly probable.
  • US defense industrial base (CRITICAL, NEW): APT Iran claims against Lockheed Martin, if verified, represent targeting of the defense sector. Defense contractors listed on Handala’s RedWanted targeting site should assume pre-positioning activity and conduct threat hunts.
  • Iranian dissidents, journalists, and opposition groups worldwide (CRITICAL, NEW): FBI FLASH confirms active MOIS Telegram-based malware campaign targeting these populations. Organizations supporting Iranian diaspora communities should distribute IOCs and mitigation guidance from the FBI alert.
  • US multinational corporations with operations in allied countries (CRITICAL): Irish intelligence assessment from March 23 confirms Handala is actively scanning for targets among US companies with European operations.
  • Medical technology and healthcare (ELEVATED): Stryker restoration ongoing Day 14 with manufacturing ramping. Hospitals dependent on Stryker equipment face continued supply chain risk until full restoration is declared.
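Multi-Admin Approval prevents a single compromised identity from issuing wipes, but a burst of wipe actions from one account is also the signal to hunt for in MDM audit logs. The following is an added example, not Flare's code or Stryker telemetry: it runs a sliding-window detection over constructed, simplified Intune-style audit records and raises one alert per actor who wiped at least a threshold number of distinct devices within a window. The record field names, account names, device names and thresholds are this example's own assumptions, not the Microsoft Graph audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified audit records (not real telemetry; field names are
# this example's own, not the Graph auditEvents schema).
SAMPLE_AUDIT = [
    {"time": "2026-03-11T02:00:05Z", "actor": "svc-mdm@example.test", "action": "Wipe", "device": "LT-0001"},
    {"time": "2026-03-11T02:00:07Z", "actor": "svc-mdm@example.test", "action": "Wipe", "device": "LT-0002"},
    {"time": "2026-03-11T02:00:09Z", "actor": "svc-mdm@example.test", "action": "Wipe", "device": "LT-0003"},
    {"time": "2026-03-11T02:00:12Z", "actor": "svc-mdm@example.test", "action": "Wipe", "device": "LT-0004"},
    {"time": "2026-03-11T02:00:15Z", "actor": "svc-mdm@example.test", "action": "Wipe", "device": "LT-0005"},
    {"time": "2026-03-11T02:00:18Z", "actor": "svc-mdm@example.test", "action": "Wipe", "device": "LT-0006"},
    {"time": "2026-03-11T09:30:00Z", "actor": "jdoe@example.test", "action": "Wipe", "device": "LT-0420"},
    {"time": "2026-03-11T09:45:00Z", "actor": "jdoe@example.test", "action": "Retire", "device": "LT-0421"},
]

WINDOW = timedelta(minutes=10)   # sliding window length (assumed tuning value)
THRESHOLD = 5                    # distinct devices wiped in one window that triggers an alert


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_wipe_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per actor who wiped >= threshold distinct devices inside any window."""
    per_actor = defaultdict(list)
    for r in records:
        if r["action"].lower() == "wipe":   # only remote wipes count; Retire/Sync are ignored
            per_actor[r["actor"]].append((parse_ts(r["time"]), r["device"]))

    alerts = []
    for actor, events in per_actor.items():
        events.sort()
        worst = None
        start = 0
        for end in range(len(events)):
            # advance the window start until every event in [start, end] lies within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            devices = sorted({d for _, d in events[start:end + 1]})
            if len(devices) >= threshold and (worst is None or len(devices) > len(worst["devices"])):
                worst = {
                    "actor": actor,
                    "window_start": events[start][0].isoformat(),
                    "devices": devices,
                }
        if worst:
            alerts.append(worst)   # report the densest window seen for this actor
    return alerts


if __name__ == "__main__":
    for a in find_wipe_bursts(SAMPLE_AUDIT):
        print(a["actor"], "wiped", len(a["devices"]), "devices from", a["window_start"])
```

A single administrator wiping one lost laptop stays below the threshold; a service account wiping six devices in thirteen seconds does not, which is the shape of the identity-based attack path this brief describes.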

At Flare, we will continue to monitor this conflict and update this article as we learn more information. 
