Iran Geopolitical Update — March 2026
TLP:CLEAR | Period: March 2026 | Published: 2026-03-15
Executive Summary
The U.S.-Israeli strikes of February 28, 2026, killed Supreme Leader Khamenei and decimated senior IRGC leadership, including the physical headquarters of Iran's cyber and electronic command [18]. Iran's new Supreme Leader, Mojtaba Khamenei, has publicly declared that retaliation is "not complete" [11], and Iranian-aligned cyber actors have already demonstrated capability through confirmed pre-positioned access in U.S. banking, aviation, and defense supply chain networks [5], a disruptive attack on medical device maker Stryker [3], and hacktivist coordination with Russian groups [15]. This is occurring at the exact moment the primary U.S. federal cyber defense agency, CISA, has lost roughly a third of its workforce and is operating without permanent leadership [8].
1. Operation Epic Fury Destroys Iranian Military and Cyber Command Infrastructure
- What happened: On February 28, 2026, the United States and Israel launched coordinated strikes (Operation Epic Fury and Operation Roaring Lion) targeting Iranian military infrastructure, the nuclear and ballistic missile program, and IRGC command structures. The IDF confirmed that the IRGC's cyber and electronic headquarters and its Intelligence Directorate were among the military targets struck. Supreme Leader Khamenei, the Defense Minister, the IRGC commander, and the army chief of staff were all reported killed [18].
- Cyber implications: The physical destruction of Iran's cyber command center almost certainly disrupts state-directed coordination of offensive cyber operations in the near term. However, this does not eliminate the threat. Pre-positioned access in foreign networks persists independently of command infrastructure in Tehran [7].
- Sectors at risk: Government, defense, critical infrastructure broadly
- Confidence: High
- Sources: [17], [18], [22]
2. MuddyWater Confirmed Pre-Positioned in U.S. Banking, Aviation, and Defense Networks
- What happened: Security researchers confirmed that MuddyWater (Seedworm), operating under Iran's Ministry of Intelligence and Security (MOIS), deployed previously unknown backdoors inside a U.S. airport, a U.S. bank, and a software supplier connected to the defense and aerospace industry [5]. The activity began in early February 2026, before the strikes, indicating deliberate pre-positioning. TTPs included a new backdoor called Dindoor (using the Deno JavaScript runtime), a Python backdoor called Fakeset, Ethereum-based C2 resolution, exploitation of over a dozen CVEs, and multiple exfiltration channels [5][6].
- Cyber implications: This is the most operationally significant finding for defenders this month. These implants represent latent destructive capability. Analysts at The Register and ExtraHop both assessed that groups like Seedworm could pivot from espionage to disruption in response to the war [7]. The breadth of TTPs, including novel C2 methods like Ethereum-based resolution, complicates detection.
- Sectors at risk: Aviation, banking and financial services, defense and aerospace supply chain
- Confidence: Moderate
- Sources: [5], [6], [7]
3. Handala Attacks U.S. Medical Device Maker Stryker, Claims Retaliatory Motive
- What happened: The Iran-linked hacktivist group Handala claimed responsibility for a cyberattack on Stryker, a major U.S. medical device company, causing what Stryker confirmed was a "global network disruption" to its Microsoft environment [3]. Handala framed the attack as retaliation for strikes on a school in Minab. The group also claimed an attack on payments company Verifone, though Verifone denied disruption. Federal agencies including HHS were assessing downstream impact on patient care [3].
- Cyber implications: This attack establishes a wartime precedent for Iranian-aligned groups targeting U.S. healthcare sector entities. Handala maintained operational autonomy during Iran's internet blackout by routing C2 through Starlink satellite IP ranges [1], meaning this group can operate regardless of conditions inside Iran.
- Sectors at risk: Healthcare, medical devices, payments, hospital operations
- Confidence: Moderate (the network disruption is confirmed by Stryker; attribution to Handala rests on the group's own claim)
- Sources: [1], [3]
4. Russian-Iranian Hacktivist Cooperation and the 60-Group "Electronic Operations Room"
- What happened: Unit 42 estimated approximately 60 hacktivist groups were active as of early March, including pro-Russian groups coordinating with Iranian-aligned collectives under an "Electronic Operations Room" formed on February 28, 2026 [1]. Pro-Russian group NoName057(16) teamed up with Iranian hacktivists to target Israeli defense and municipal organizations, including Elbit Systems [15]. CrowdStrike separately confirmed a surge of Russian hacker activity in support of Tehran [16].
- Cyber implications: The convergence of Russian and Iranian hacktivist ecosystems creates a force multiplier. Russian groups bring established DDoS infrastructure and operational experience, while Iranian groups bring targeting knowledge and retaliatory motivation. Israel is the primary target, but U.S. and Gulf Cooperation Council (GCC) nations are firmly in scope [15][16].
- Sectors at risk: Government, aerospace and defense, technology, municipal services, financial services
- Confidence: Moderate
- Sources: [1], [15], [16]
5. Mojtaba Khamenei Appointed Supreme Leader, Signals Continuity of Hardline Posture
- What happened: The Assembly of Experts appointed Mojtaba Khamenei, 56, as Iran's new Supreme Leader on March 8, 2026 [10]. He is widely assessed as a hardliner with deep ties to the Revolutionary Guard [10]. Leaked IRGC reports from 2023 indicated he effectively controlled the Basij and held significant influence over Iran's intelligence apparatus [19]. In a statement attributed to him, Iran vowed that retaliation against U.S.-Israeli strikes was "not complete" [11].
- Cyber implications: Mojtaba Khamenei's documented control over IRGC intelligence structures [19] and explicit vow of continued retaliation [11] almost certainly mean cyber operations will remain a priority tool for asymmetric response. The leadership transition may initially cause some operational friction, but reporting indicates his pre-existing influence over the security apparatus will likely accelerate, not delay, coordinated state-directed cyber activity [7].
- Sectors at risk: All sectors previously targeted by IRGC-linked operations: government, financial services, energy, defense
- Confidence: High (appointment confirmed); Moderate (assessment of cyber operational continuity)
- Sources: [10], [11], [19], [7]
Strategic Context
- National strategy: Iran's asymmetric doctrine has long positioned cyber operations as a primary tool for projecting power against conventionally superior adversaries. The kinetic destruction of Iran's conventional military assets and IRGC command infrastructure during Operation Epic Fury [18] has, if anything, increased the relative importance of cyber as a retaliatory vector. Iran's new leadership has explicitly framed retaliation as ongoing [11]. Sanctions pressure from the U.S. [12][13], EU, and contested UN mechanisms [14] continues to squeeze Iran's economy, which historically correlates with increased cyber-enabled financial crime. Treasury identified UK-registered crypto exchanges processing over $94 billion in transactions linked to sanctioned Iranian entities, including IRGC-connected wallets [12].
- Key actors and mandates: Iran's cyber operations are split between two principal organizations. MOIS (Ministry of Intelligence and Security) oversees groups like MuddyWater/Seedworm, which conduct espionage and pre-positioning operations against critical infrastructure [5]. The IRGC Cyber-Electronic Command (IRGC-CEC) oversees more aggressive disruptive and influence operations, though its physical headquarters was struck during Operation Epic Fury. The current status of IRGC-CEC's operational capability is uncertain. Proxy groups like Handala and hacktivist collectives operate with significant autonomy, as demonstrated by Handala's Starlink-based C2 during the internet blackout [1]. Multiple APT groups (APT34, APT35, APT39, APT42) remain active and are targeting population-scale data sets to identify regime dissidents.
- Ongoing strategic objectives: Iran is pursuing three objectives through cyber operations right now. First, retaliation: demonstrating capability and imposing costs on the U.S. and Israel [11]. Second, regime survival: tracking and suppressing dissidents through data collection campaigns targeting ISPs, medical systems, and telecom providers, and countering Israeli influence operations like the hijacking of Iranian prayer apps and state media. Third, sanctions evasion: funding operations through crypto exchanges and financially motivated cybercrime that blurs the line between state and criminal activity [2][12]. The Sicarii ransomware tool, which permanently destroys data due to flawed key handling, exemplifies how destructive intent is masked behind criminal tradecraft [2].
Sources: [1], [2], [5], [11], [12], [13], [14], [18]
Outlook
The next 30 to 60 days represent the period of highest risk for destructive Iranian cyber operations against U.S. and allied infrastructure. Three specific scenario branches warrant monitoring:
Escalation trigger 1: Activation of pre-positioned access. MuddyWater's confirmed presence in U.S. banking, aviation, and defense supply chain networks [5] represents latent destructive capability. If the new leadership issues orders to pivot from espionage to disruption, the initial compromise phase is already complete. Defenders should assume this pivot is a matter of political decision, not technical capability [7].
Escalation trigger 2: Proxy group autonomy fills the coordination gap. Iran's internet blackout (now past 240 hours at sub-1% connectivity [9]) severely constrains state-directed coordination from within Iran. But groups like Handala have already demonstrated they don't need connectivity to Tehran to operate [1]. If the blackout persists, we assess proxy groups will likely conduct opportunistic attacks against soft targets (healthcare, payments, municipal services) with limited strategic coordination, making their target selection harder to predict.
Escalation trigger 3: Russian-Iranian cooperation deepens. The UN Security Council dispute over snapback sanctions [14] and Russia's overt hacktivist support for Iran [15][16] point toward a deepening operational relationship. If Russian threat actors share infrastructure or tooling with Iranian groups, the technical sophistication of Iranian-aligned attacks could increase materially. Watch for Iranian groups appearing on previously Russian-associated infrastructure.
De-escalation indicator: A ceasefire or sustained diplomatic engagement, particularly if Iran's internet connectivity is restored, would likely reduce the tempo of proxy hacktivist operations. However, pre-positioned state-sponsored access would persist regardless of diplomatic developments.
Sources: [1], [5], [7], [9], [11], [14], [15], [16]
Red Sheep Assessment
Assessment (Moderate confidence): The collective source material points to a structural problem that no single source articulates: Iran's cyber threat has actually become more dangerous because of the decapitation of its leadership, not despite it.
Here's the logic. Before Operation Epic Fury, Iran's cyber operations followed a relatively predictable command hierarchy. State-directed groups operated under MOIS or IRGC-CEC with strategic objectives and political guardrails. The destruction of IRGC-CEC headquarters and the killing of senior leadership [18] has fractured this hierarchy. The replacement is a diffuse network of autonomous proxy groups, geographically dispersed operators, and pre-positioned implants that persist without active command [1][7].
This is worse for defenders, not better. A centrally controlled adversary can be deterred. A fragmented network of motivated proxies with pre-existing access and minimal coordination cannot. The Stryker attack [3] may be the template: a proxy group, reaching its C2 over satellite internet independent of Iran's domestic connectivity [1], hitting a target of opportunity with a retaliatory framing that does not require approval from Tehran.
The contrarian view holds that Iran's degraded state means diminished capability. There's some truth to this for sophisticated, multi-stage operations requiring sustained command and control from Iranian soil. But the most likely attacks in the near term don't require sophistication. They require access that already exists [5] and a political trigger that has already been pulled [11].
CISA's degraded capacity [8] amplifies this risk. The agency best positioned to coordinate national-level defense against exactly this type of distributed threat is operating at roughly two-thirds strength without permanent leadership, during what the source material consistently describes as an exceptional period of Iranian cyber threat to U.S. infrastructure.
---
Defender's Checklist
- [ ] Hunt for Dindoor and Fakeset backdoors. Prioritize detection of the Deno JavaScript runtime (deno.exe) executing in unexpected contexts and of Python-based backdoors with network callbacks. Check for Deno binaries in non-development environments, and query EDR for deno.exe process creation events across the fleet, filtering out hosts with a known development role [5][6].
- [ ] Monitor for Ethereum-based C2 resolution. MuddyWater operations used the Ethereum blockchain to resolve C2 addresses [6], which means the implant has to reach an Ethereum node or hosted gateway to read that data. Hunt for DNS queries or HTTP requests to public Ethereum RPC endpoints (e.g., Infura, Alchemy, or direct node queries) from non-crypto-related systems, and for JSON-RPC calls such as eth_call in proxy logs. Flag any endpoint communicating with Ethereum smart contracts outside of known business use.
- [ ] Alert on Starlink IP ranges at the perimeter if not business-required. Handala routed C2 through Starlink satellite IP ranges [1]. If your organization has no legitimate Starlink traffic, alert on connections to or from the SpaceX/Starlink ASNs (AS14593, AS45700), after confirming the current prefixes against routing data; prefer alerting to outright blocking, because Starlink address space is shared by many unrelated subscribers and a block is coarse and easy to misfire. If Starlink is in use (field sites, travel, backup links), baseline normal patterns and alert on anomalies.
- [ ] Audit LOLBin activity for Iranian TTP signatures. Iranian groups prioritize living-off-the-land techniques. Create or tune detections for sequential execution of whoami, ipconfig, and systeminfo from the same parent process within a short time window, and correlate with PowerShell and cmd.exe execution chains that match staging behavior. Expect legitimate admin scripts to trigger this as well; tune on parent process and user context rather than suppressing the rule.
- [ ] Brief healthcare and financial services SOC teams on elevated targeting. Share indicators from the Stryker incident [3] and the financial sector warnings [4] with sector-specific teams. Ensure incident response playbooks account for pseudo-ransomware that cannot decrypt (Sicarii) [2], where paying the ransom is not a recovery option.
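The deno.exe, Ethereum RPC and recon-sequence items above can be run as a first-pass hunt over exported EDR and DNS telemetry. The script below is an added example written for this brief, not tooling from any of the cited vendors or a detection the sources publish; the event field names (ts, host, pid, ppid, image, cmdline, query), the host allowlists and every sample event are constructed for illustration, and the RPC gateway domains are public Ethereum providers that should be extended with whatever appears in your own telemetry.

```python
"""Added example: first-pass hunts for three checklist items over exported EDR and DNS events.
All sample events, field names and allowlists below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in a flat EDR-export shape (field names are assumptions).
PROCESS_EVENTS = [
    {"ts": "2026-03-09T10:00:00", "host": "FIN-WS-0421", "pid": 4410, "ppid": 3300,
     "image": r"C:\Users\jdoe\AppData\Local\deno\deno.exe", "cmdline": "deno.exe run -A update.ts"},
    {"ts": "2026-03-09T10:00:05", "host": "FIN-WS-0421", "pid": 4412, "ppid": 4410,
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"ts": "2026-03-09T10:00:07", "host": "FIN-WS-0421", "pid": 4413, "ppid": 4410,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2026-03-09T10:00:09", "host": "FIN-WS-0421", "pid": 4414, "ppid": 4410,
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    # A developer build box legitimately running Deno: must not fire.
    {"ts": "2026-03-09T11:30:00", "host": "DEV-BUILD-07", "pid": 800, "ppid": 700,
     "image": r"C:\tools\deno\deno.exe", "cmdline": "deno test"},
    # Only two of the three recon tools, 45 minutes apart: must not fire.
    {"ts": "2026-03-09T12:00:00", "host": "IT-WS-0007", "pid": 900, "ppid": 850,
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"ts": "2026-03-09T12:45:00", "host": "IT-WS-0007", "pid": 901, "ppid": 850,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig"},
]

# Constructed DNS query events (resolver logs or EDR DNS telemetry).
DNS_EVENTS = [
    {"ts": "2026-03-09T10:00:12", "host": "FIN-WS-0421", "query": "mainnet.infura.io"},
    {"ts": "2026-03-09T10:05:00", "host": "TREASURY-01", "query": "eth-mainnet.g.alchemy.com"},
    {"ts": "2026-03-09T10:06:00", "host": "HR-WS-0012", "query": "login.microsoftonline.com"},
]

DEV_HOSTS = {"DEV-BUILD-07"}      # assumption: hosts where Deno is expected
CRYPTO_HOSTS = {"TREASURY-01"}    # assumption: hosts with a business reason to reach Ethereum RPC
# Public Ethereum JSON-RPC gateway domains; extend with whatever your own telemetry shows.
ETH_RPC_SUFFIXES = ("infura.io", "alchemy.com", "ankr.com", "cloudflare-eth.com")
RECON_TOOLS = ("whoami.exe", "ipconfig.exe", "systeminfo.exe")


def _basename(image):
    """Lower-cased file name from a Windows or POSIX path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_unexpected_deno(events, dev_hosts):
    """deno.exe executions on hosts that have no development role."""
    return [(e["host"], e["cmdline"]) for e in events
            if _basename(e["image"]) == "deno.exe" and e["host"] not in dev_hosts]


def find_eth_rpc_lookups(dns_events, crypto_hosts):
    """DNS lookups of public Ethereum RPC gateways from hosts with no crypto business use."""
    hits = []
    for e in dns_events:
        if e["host"] in crypto_hosts:
            continue
        q = e["query"].lower().rstrip(".")
        if any(q == s or q.endswith("." + s) for s in ETH_RPC_SUFFIXES):
            hits.append((e["host"], q))
    return hits


def find_recon_bursts(events, window_seconds=60):
    """All three recon tools spawned by the same parent on the same host within the window."""
    by_parent = defaultdict(list)
    for e in events:
        name = _basename(e["image"])
        if name in RECON_TOOLS:
            by_parent[(e["host"], e["ppid"])].append((datetime.fromisoformat(e["ts"]), name))
    window = timedelta(seconds=window_seconds)
    hits = []
    for (host, ppid), seq in by_parent.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):          # slide the window over the sorted sequence
            seen = {name for t, name in seq[i:] if t - t0 <= window}
            if seen >= set(RECON_TOOLS):
                hits.append({"host": host, "ppid": ppid, "first_seen": t0.isoformat()})
                break                              # one alert per parent process is enough
    return hits


def run_hunts():
    """Run all three hunts over the constructed sample telemetry."""
    return {
        "deno_outside_dev": find_unexpected_deno(PROCESS_EVENTS, DEV_HOSTS),
        "eth_rpc_lookups": find_eth_rpc_lookups(DNS_EVENTS, CRYPTO_HOSTS),
        "recon_bursts": find_recon_bursts(PROCESS_EVENTS),
    }


if __name__ == "__main__":
    for name, hits in run_hunts().items():
        print(f"{name}: {hits}")
```

To use it against real data, map the columns of an EDR or resolver export onto the same keys and feed the rows to the three functions; tune `window_seconds` and the two allowlists to your environment, since admin scripts also run these three recon commands back to back, and the recon rule is grouped by parent process precisely so that a single interactive session does not drown out a scripted burst from an unexpected parent.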
---
Sources
- [1] "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran" - Unit 42 / Palo Alto Networks, https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
- [2] "Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates" - Halcyon, https://www.halcyon.ai/ransomware-alerts/iranian-use-of-cybercriminal-tactics-in-destructive-cyber-attacks-2026-updates
- [3] "Stryker: Pro-Iran hackers claim cyberattack on major US medical device maker" - CNN, https://www.cnn.com/2026/03/11/politics/pro-iran-hackers-cyberattack-medical-device-maker
- [4] "US intelligence community ramps up warnings of possible retaliatory attacks by Iran" - CNN, https://www.cnn.com/2026/03/10/politics/us-intel-warning-retaliatory-attacks-iran
- [5] "Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor" - The Hacker News, https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html
- [6] "Iran-linked APT targets US critical sectors with new backdoors" - Help Net Security, https://www.helpnetsecurity.com/2026/03/06/seedworm-muddywater-backdoors-victims/
- [7] "The Digital Front of Iranian Cyber Offensive and Defensive Response" - ExtraHop, https://www.extrahop.com/blog/the-digital-front-of-iranian-cyber-offensive-and-defensive-response
- [8] "The lead U.S. cyber agency is stretched thin as Iran hacking threat escalates" - CNBC, https://www.cnbc.com/2026/03/03/iran-cisa-cybersecurity-war-threat.html
- [9] "Iran's Internet Blackout Surpasses 10 Days as Traffic Flatlines Below 1% of Normal Levels" - Cybersecurity News, https://cybersecuritynews.com/iran-internet-blackout/amp/
- [10] "Mojtaba Khamenei, son of ayatollah killed in U.S.-Israeli strikes, named Iran's new supreme leader" - NBC News, https://www.nbcnews.com/world/iran/iran-supreme-leader-mojtaba-khamenei-rcna261645
- [11] "Iran Vows to Keep Fighting" - Council on Foreign Relations, https://www.cfr.org/articles/iran-vows-to-keep-fighting
- [12] "Treasury Sanctions Iranian Regime Officials for Violent Repression and Corruption" - U.S. Department of the Treasury, https://home.treasury.gov/news/press-releases/sb0375
- [13] "Treasury Targets Iran's Shadow Fleet, Networks Supplying Ballistic Missile and ACW Programs" - U.S. Department of the Treasury, https://home.treasury.gov/news/press-releases/sb0405
- [14] "Security Council Debates Iran Nuclear Programme amid Dispute over 'Snapback' Sanctions" - United Nations, https://press.un.org/en/2026/sc16316.doc.htm
- [15] "Cyber retaliation surges after US-Israel strikes on Iran" - Industrial Cyber, https://industrialcyber.co/reports/cyber-retaliation-surges-after-us-israel-strikes-on-iran-as-hacktivists-hit-governments-defense-critical-sectors/
- [16] "Iran-linked hackers take aim at US and other targets" - OPB, https://www.opb.org/article/2026/03/12/iran-linked-hackers-take-aim-at-us-and-other-targets-raising-risk-of-cyberattacks-during-war/
- [17] "How Will Cyber Warfare Shape the U.S.-Israel Conflict with Iran?" - CSIS, https://www.csis.org/analysis/how-will-cyber-warfare-shape-us-israel-conflict-iran
- [18] "Iran in 2026" - UK House of Commons Library, https://commonslibrary.parliament.uk/iran-in-2026/
- [19] "Mojtaba Khamenei" - Wikipedia, https://en.wikipedia.org/wiki/Mojtaba_Khamenei
- [20] "Iranian APT Activity During Geopolitical Escalation" - Nozomi Networks, https://www.nozominetworks.com/blog/iranian-apt-activity-during-geopolitical-escalation-recommendations-for-nozomi-customers-and-critical-infrastructure-owners
- [21] "Intelligence firms watch for uptick in Iran cyber activity after US, Israel strikes" - Nextgov/FCW, https://www.nextgov.com/cybersecurity/2026/03/intelligence-firms-watch-uptick-iran-cyber-activity-after-us-israel-strikes/411802/
- [22] "Situation Report: Middle East Escalation" - CloudSEK, https://www.cloudsek.com/blog/middle-east-escalation-israel-iran-us-cyber-war-2026