Executive Summary
April 2026 marks a period of open cyber conflict between Iran and the United States, running in parallel with kinetic military operations under Operation Epic Fury and a fragile ceasefire now approaching expiration [8][9]. Iranian-affiliated actors are actively exploiting programmable logic controllers (PLCs) across US water, power, and government systems [2], while destructive wiper operations and GPS spoofing campaigns have expanded the target set to healthcare, maritime, and energy sectors [4][5]. The ceasefire's uncertain future, combined with Iran's ongoing nationwide internet blackout, now past 1,000 hours [7], means defenders should adopt a wartime posture with no clear de-escalation timeline.
What Changed Since March 2026
- Iranian-Affiliated Cyber Actors Exploit Programmable Logic ...
- Iran claims US exploited networking equipment backdoors during strikes — says devices from Cisco and others failed despite blackout in attack that 'indicates deep sabotage'
- Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
- Stryker Cyberattack: Handala Iran Hack Wiped 200K Devices
- 2026 Internet blackout in Iran
- Iran's forced nationwide internet blackout becomes second-longest on record as it passes 1,000 hours offline — possessing Starlink terminals punishable by death, country using 'military-grade jamming' against service
- Peace Through Strength: Operation Epic Fury Crushes Iranian Threat as Ceasefire Takes Hold
- Pakistan races against time to get Iran back to US talks as truce end nears
- Cyberwarfare during the 2026 Iran war
- Iran War: Kinetic, Cyber, Electronic and Psychological Warfare Convergence
- GPS spoofing threatens oil and gas amid Iran conflict
1. Active Exploitation of PLCs Across US Critical Infrastructure
- What happened: CISA published a joint advisory (AA26-097A) in April 2026 warning that Iranian-affiliated cyber actors are actively exploiting programmable logic controllers in US water, power, and government facilities [2]. The advisory describes observed exploitation, not theoretical risk. Unit 42 corroborated the heightened threat level in an updated assessment published April 17 [1].
- Cyber implications: OT and ICS environments in the named sectors should assume they are being targeted now. The focus on PLCs signals intent to cause physical disruption, not just data theft. The most immediate exposure is a PLC reachable from the internet or from the IT network while still running vendor default credentials: Modbus/TCP and most legacy PLC protocols carry no authentication of their own, so network reachability is the control that matters.
- Sectors at risk: Water utilities, electric power generation and distribution, government facilities with industrial control systems
- Confidence: Moderate
- Sources: [1], [2]
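The exposure check implied by the PLC item above, and by the first checklist item later in this brief, is mechanical enough to script: walk the asset inventory, evaluate the firewall rule base from representative source addresses in each external zone, and flag PLCs that are reachable or still on default credentials. The following is an added example and not code from CISA, Unit 42 or this brief's authors; the inventory, rule set, zone probe addresses and port table are constructed for illustration, and the ports are the usual defaults for those protocols rather than anything the advisory states.

```python
"""PLC exposure audit: cross-check an asset inventory against a first-match
firewall rule base and flag PLCs reachable from the internet or the IT network,
or still using default credentials.

Added example. Inventory, rules, probe addresses and port table are constructed
for illustration and are not taken from CISA AA26-097A.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Usual listener ports for common PLC protocols (assumed defaults; confirm
# against your own vendors' documentation).
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20256: "Unitronics PCOM", 44818: "EtherNet/IP"}

# One representative probe address per external zone (assumption; adapt to your
# address plan). 203.0.113.0/24 is a documentation range standing in for the internet.
ZONE_PROBES = {"internet": "203.0.113.7", "it": "10.10.5.23"}


@dataclass
class Device:
    name: str
    ip: str
    kind: str            # "plc", "hmi", ...
    port: int            # port the device's control protocol listens on
    default_credentials: bool = False


@dataclass
class Rule:
    src: str             # CIDR
    dst: str             # CIDR
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Evaluate a first-match-wins rule base; anything unmatched is implicitly denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.port is None or rule.port == port)):
            return rule.action
    return "deny"


def audit(devices: List[Device], rules: List[Rule]) -> Dict[str, List[str]]:
    """Return {plc_name: sorted findings}; PLCs with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for dev in devices:
        if dev.kind != "plc":
            continue
        issues = []
        if dev.default_credentials:
            issues.append("default_credentials")
        for zone, probe in ZONE_PROBES.items():
            if first_match(rules, probe, dev.ip, dev.port) == "allow":
                issues.append(f"reachable_from_{zone}")
        if issues:
            findings[dev.name] = sorted(issues)
    return findings


# Constructed sample inventory and rule base.
DEVICES = [
    Device("plc-water-01", "10.50.1.10", "plc", 502, default_credentials=True),
    Device("plc-pump-02", "10.50.1.11", "plc", 20256),
    Device("plc-sub-03", "10.50.1.12", "plc", 44818),
    Device("hmi-01", "10.50.2.5", "hmi", 443),
]
RULES = [
    Rule("10.10.0.0/16", "10.50.1.10/32", 502, "allow"),    # IT engineering VLAN -> Modbus
    Rule("0.0.0.0/0", "10.50.1.11/32", 20256, "allow"),     # forgotten port-forward for a remote vendor
    Rule("10.50.0.0/16", "10.50.0.0/16", None, "allow"),    # intra-OT traffic
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    for dev in DEVICES:
        proto = ICS_PORTS.get(dev.port, "unknown protocol")
        issues = audit([dev], RULES).get(dev.name)
        if issues:
            print(f"{dev.name} ({proto}): {', '.join(issues)}")
```

The check runs against the rule base, not a network diagram, which is the point: the exposed pump PLC above is "in the OT zone" on paper and still reachable from anywhere because of a leftover allow rule ahead of the catch-all deny.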
2. Handala Wiper Destroys 200,000 Devices at Stryker
- What happened: The Iranian-affiliated Handala group claimed responsibility for a wiper attack against medical technology firm Stryker, reportedly destroying approximately 200,000 devices [4][5]. The attackers targeted mobile device management (MDM) systems to amplify the destruction across the corporate fleet [5]. The attack occurred in March but its operational impact continued into April.
- Cyber implications: This operation demonstrates a willingness to conduct large-scale destructive attacks against Western private sector targets, treating healthcare and medtech as acceptable targets. MDM abuse as a distribution vector for wipers transfers to any organization that relies on centralized device management: a wipe issued through the MDM platform is that platform's legitimate function, so endpoint controls will not stop it, and the effective control points are MDM administrative access and alerting on bulk actions.
- Sectors at risk: Healthcare, medical devices, any organization with centralized MDM infrastructure
- Confidence: Moderate (attribution based on group self-claim; scale figures from lower-tier sources)
- Sources: [4], [5]
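Because an MDM wipe is a legitimate command, the detection opportunity is in the MDM audit trail rather than on the endpoint: a burst of wipe commands from one actor, especially outside working hours, is the signal. The following is an added example and not code from the brief's authors or from any MDM vendor; the log format, field names, action names, sample lines and thresholds are all constructed, and real products log wipe and retire actions under their own names.

```python
"""Detect bursts of device-wipe commands in an MDM audit log.

Added example. The key=value line format, action names, sample lines, the
5-in-10-minutes threshold and the 07:00-19:00 working window are assumptions
to adapt to your MDM product and fleet.
"""
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

WIPE_ACTIONS = {"DeviceWipe", "FactoryReset"}   # assumed action names


def parse_line(line: str) -> Dict[str, str]:
    """'<iso-timestamp> key=value key=value ...' -> dict (timestamp under 'ts')."""
    fields = line.split()
    rec = {"ts": fields[0]}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_wipe_bursts(lines: List[str], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Raise one alert per actor per burst, at the moment `threshold` wipe
    commands from that actor fall inside `window`. Lines must be time-ordered."""
    recent: Dict[str, Deque[datetime]] = {}
    armed: Dict[str, bool] = {}
    alerts: List[Dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") not in WIPE_ACTIONS:
            continue
        actor = rec["actor"]
        ts = datetime.fromisoformat(rec["ts"])
        q = recent.setdefault(actor, deque())
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) < threshold:
            armed[actor] = True              # below threshold: (re)arm for the next burst
        elif armed.get(actor, True):
            armed[actor] = False             # fire once per burst, not once per wipe
            alerts.append({
                "actor": actor,
                "src": rec.get("src", "?"),
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
                "off_hours": not 7 <= ts.hour < 19,   # assumed working window
            })
    return alerts


# Constructed sample audit log: a service account wiping six laptops at 02:14,
# a policy change in between, and a single daytime helpdesk wipe that should not alert.
SAMPLE_LOG = """\
2026-04-03T02:14:07 actor=svc-mdm-admin src=198.51.100.4 action=DeviceWipe target=LAPTOP-0001
2026-04-03T02:14:09 actor=svc-mdm-admin src=198.51.100.4 action=DeviceWipe target=LAPTOP-0002
2026-04-03T02:14:12 actor=svc-mdm-admin src=198.51.100.4 action=DeviceWipe target=LAPTOP-0003
2026-04-03T02:15:01 actor=svc-mdm-admin src=198.51.100.4 action=PolicyUpdate target=AllDevices
2026-04-03T02:15:40 actor=svc-mdm-admin src=198.51.100.4 action=DeviceWipe target=LAPTOP-0004
2026-04-03T02:16:05 actor=svc-mdm-admin src=198.51.100.4 action=DeviceWipe target=LAPTOP-0005
2026-04-03T02:16:30 actor=svc-mdm-admin src=198.51.100.4 action=DeviceWipe target=LAPTOP-0006
2026-04-03T09:30:00 actor=helpdesk src=10.20.3.8 action=DeviceWipe target=PHONE-0212
""".splitlines()

if __name__ == "__main__":
    for alert in detect_wipe_bursts(SAMPLE_LOG):
        print(alert)
```

Tune the threshold to what a normal offboarding day looks like in your fleet, and feed the rule from the MDM's API-side audit log as well as the console log: service principals and API tokens with wipe rights do not pass through console MFA.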
3. GPS Spoofing Targeting Oil, Gas, and Maritime Operations
- What happened: Reporting from March into April indicates GPS spoofing operations attributed to Iranian actors are threatening oil and gas infrastructure, with navigation and timing systems at particular risk. GPS clock manipulation can affect SCADA timing, vessel navigation, and pipeline operations simultaneously.
- Cyber implications: GPS spoofing is a lower-profile attack vector that many organizations have not hardened against. Civil GPS signals carry no authentication, so a receiver cannot on its own tell a spoofed signal from a genuine one; detection depends on cross-checking against independent references. Energy and maritime firms operating in or near the Persian Gulf face the most direct risk, but spoofing effects can propagate through supply chains and timing-dependent systems globally.
- Sectors at risk: Oil and gas, maritime shipping, energy infrastructure, any GPS-timing-dependent systems
- Confidence: Low
- Sources:
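The cross-check just described, and the timing item in the checklist later in this brief, come down to the same test: compare the GPS-disciplined clock against at least two independent network references and flag whichever source walks away from the consensus, whether by a step or by a slow pull. The following is an added example and not code from the brief's authors or from any timing product; the offset series (milliseconds relative to the local system clock, one reading per minute) is constructed to show a GPS reference being drawn away gradually, and the thresholds are assumptions.

```python
"""Cross-check a GPS-disciplined clock against two independent network time
references and flag the source that diverges from the median.

Added example. The sample offsets are constructed (GPS pulled away slowly
from minute 5 onward) and the thresholds are assumptions to tune per site.
"""
from statistics import median
from typing import Dict, List, Sequence

MAX_OFFSET_MS = 5.0          # a source this far from the consensus is an outlier
MAX_RATE_MS_PER_MIN = 2.0    # consensus-relative drift this fast is a step/spoof indicator


def check_timing(samples: List[Dict[str, float]],
                 sources: Sequence[str] = ("gps", "ntp_a", "ntp_b")) -> List[Dict]:
    """Each sample holds a minute index 't' and one offset (ms) per source.
    Consensus is the median across sources, so a single bad source cannot move it.
    Returns one alert per (t, source) with the reasons that fired."""
    alerts: List[Dict] = []
    prev_dev: Dict[str, float] = {}
    prev_t = None
    for s in samples:
        consensus = median(s[src] for src in sources)
        for src in sources:
            dev = s[src] - consensus
            reasons = []
            if abs(dev) > MAX_OFFSET_MS:
                reasons.append("offset")
            if prev_t is not None and src in prev_dev:
                rate = abs(dev - prev_dev[src]) / (s["t"] - prev_t)
                if rate > MAX_RATE_MS_PER_MIN:
                    reasons.append("rate")
            prev_dev[src] = dev
            if reasons:
                alerts.append({"t": s["t"], "source": src,
                               "deviation_ms": round(dev, 2), "reasons": reasons})
        prev_t = s["t"]
    return alerts


# Constructed readings: ten minutes, GPS is steady for five then drifts ~7 ms/min.
T = list(range(10))
GPS = [0.1, -0.2, 0.3, 0.0, 0.2, 6.4, 13.1, 20.2, 27.0, 34.5]
NTP_A = [0.0, 0.1, -0.1, 0.2, 0.1, 0.0, 0.3, 0.1, -0.2, 0.2]
NTP_B = [0.2, 0.0, 0.1, -0.1, 0.3, 0.2, 0.0, 0.2, 0.1, 0.0]
SAMPLES = [{"t": t, "gps": g, "ntp_a": a, "ntp_b": b}
           for t, g, a, b in zip(T, GPS, NTP_A, NTP_B)]

if __name__ == "__main__":
    for alert in check_timing(SAMPLES):
        print(alert)
```

Three sources are the minimum for a median to isolate one liar; with only GPS and one NTP server you can see that they disagree but not which one to trust. The network references should be authenticated (chrony, for example, supports Network Time Security on its `server` lines) so that the cross-check is not itself spoofable on the wire.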
4. Iran's 1,000-Hour Internet Blackout and Information Control
- What happened: Iran's nationwide internet blackout has exceeded 1,000 hours, making it the second-longest on record [7]. The Iranian government has criminalized possession of Starlink terminals (reportedly punishable by death) and deployed military-grade jamming against satellite internet services [6][7]. Iran has also claimed that US forces exploited backdoors in Cisco and other networking equipment during strikes, describing the incidents as "deep sabotage" [3].
- Cyber implications: The blackout complicates threat intelligence collection from inside Iran. Iran's claims about networking equipment backdoors, while unverified, will almost certainly be used to justify further domestic network isolation and could motivate retaliatory targeting of Western networking vendors and their supply chains. Defenders should take the claims as a prompt to verify the firmware and configuration integrity of their own edge and core network devices and to monitor those devices for anomalous behavior.
- Sectors at risk: Telecommunications, satellite communications, networking equipment vendors
- Confidence: Moderate (blackout confirmed by multiple sources; Iran's backdoor claims are unverified)
- Sources: [3], [6], [7]
5. Ceasefire Approaching Expiration with No Resolution
- What happened: The US conducted Operation Epic Fury targeting Iranian military capabilities, after which a ceasefire was established [8]. Pakistan is now mediating between the US and Iran, but the truce is approaching its expiration date with uncertainty about whether Iran will return to talks [9]. The diplomatic window is narrowing.
- Cyber implications: If the ceasefire collapses, we assess with high confidence that Iranian cyber operations will escalate in both tempo and destructiveness. Historical patterns show Iran treats cyber operations as a primary asymmetric response to kinetic military pressure. A ceasefire collapse would likely trigger retaliatory operations against US government, defense, and critical infrastructure targets within days.
- Sectors at risk: Defense, government, critical infrastructure (all sectors)
- Confidence: Moderate
- Sources: [8], [9]
National Strategy
Iran is operating under a wartime posture in April 2026 following US military strikes under Operation Epic Fury [8]. The government's strategy combines conventional military defense with aggressive information control (the internet blackout) and offensive cyber operations against Western targets [6][10][11]. Iran's doctrine treats cyber capabilities as an asymmetric equalizer against conventionally superior adversaries. The multi-domain convergence of kinetic, cyber, electronic, and psychological operations reported during this conflict reflects deliberate strategic integration rather than opportunistic hacking [11].
Key Actors and Mandates
Iran's cyber operations are conducted through two primary institutional channels: the IRGC Cyber-Electronic Command (IRGC-CEC) and the Ministry of Intelligence and Security (MOIS). The IRGC-CEC focuses on offensive operations aligned with military objectives, while MOIS handles espionage and strategic intelligence collection. Additionally, proxy hacking groups like Handala operate with varying degrees of state direction, providing deniability for destructive operations such as the Stryker wiper attack [4][5]. The CISA advisory on PLC exploitation indicates that at least some Iranian-affiliated actors possess operational technology expertise sufficient to target industrial control systems directly [2].
Ongoing Strategic Objectives
Iran's immediate cyber objectives during this conflict period are threefold: impose costs on the United States and its allies through disruptive attacks on critical infrastructure [2], demonstrate retaliatory capability to deter further kinetic strikes [10], and maintain information control domestically through the internet blackout [6][7]. GPS spoofing operations against maritime and energy targets likely serve both military objectives (disrupting adversary logistics) and economic warfare goals (threatening global energy supply chains). Iran's longer-term objective of sanctions evasion continues to drive financially motivated cyber operations, though the current conflict has shifted the operational balance toward destructive and disruptive activity.
Sources: [2], [4], [5], [6], [7], [8], [10], [11]
Outlook
The next 30 days hinge on whether Pakistan-mediated talks produce a renewed ceasefire or diplomatic framework before the current truce expires [9]. Three scenario branches warrant monitoring:
Scenario 1: Ceasefire renewal or extension. If talks succeed and a new truce holds, Iranian cyber operations will likely decrease in tempo but won't stop. Espionage collection against US government and defense targets would continue. Destructive operations would likely pause but proxy groups like Handala may still conduct opportunistic attacks with plausible deniability. This is the most optimistic case, and we assess it as possible but not probable given current reporting.
Scenario 2: Ceasefire expires with no agreement, but no kinetic escalation. This is a gray zone where neither side resumes strikes but no formal peace exists. In this scenario, Iranian cyber operations would almost certainly intensify against US critical infrastructure, likely expanding PLC targeting beyond water and power to include natural gas and transportation systems. Proxy group activity would increase. GPS spoofing operations would probably expand geographically. Defenders should treat this scenario as the baseline expectation.
Scenario 3: Ceasefire collapses and kinetic operations resume. If military strikes restart, we assess with high confidence that Iran would launch its most destructive cyber operations, potentially including wiper campaigns against multiple US private sector targets simultaneously, attacks on financial sector infrastructure, and expanded OT targeting. The Stryker attack's scale (200,000 devices) [5] provides a preview of the destruction Iranian-affiliated groups are willing to inflict. This scenario would also likely trigger Hezbollah and other proxy-affiliated cyber actors to open additional fronts against US allies.
Defenders should monitor diplomatic reporting closely. Any breakdown in Pakistan's mediation effort [9] is a leading indicator for cyber escalation.
Sources: [1], [2], [5], [8], [9]
Red Sheep Assessment
Assessment (Moderate Confidence): The sources collectively point to something that isn't being stated explicitly: Iran's cyber operations during this conflict have demonstrated a level of OT capability and destructive scale that exceeds pre-war estimates. The combination of PLC exploitation across multiple critical infrastructure sectors [2], a 200,000-device wiper operation [5], and GPS spoofing against energy infrastructure suggests either significant pre-positioning that occurred well before hostilities began, or access to capabilities (possibly through third-party cooperation) that weren't previously attributed to Iranian actors.
Iran's public claims about US-exploited backdoors in Cisco equipment [3], while self-serving and unverified, also warrant attention from a different angle. If Iran genuinely believes its networking infrastructure was compromised through vendor backdoors, this perception (regardless of accuracy) will almost certainly drive future Iranian targeting of Western networking and telecommunications supply chains as both retaliation and intelligence collection.
A contrarian reading: the internet blackout [6][7] may not be purely about domestic information control. It could also serve an operational security function, reducing the attack surface available to US cyber operators and limiting exfiltration channels. If that's the case, lifting the blackout post-ceasefire would paradoxically increase Iran's vulnerability, creating a perverse incentive to maintain it even during peacetime. Defenders should watch for whether Iran's internet connectivity restoration (if it happens) is accompanied by aggressive network scanning and probing from Iranian IP space as their operators re-establish situational awareness.
Defender's Checklist
- [ ] Review all PLC-facing network segments immediately. Cross-reference CISA advisory AA26-097A [2] against your asset inventory. Prioritize Unitronics and any other PLC models identified in the advisory. Ensure default credentials are changed and PLCs are not reachable from the internet or from general IT segments; verify this against the firewall rule base rather than a network diagram.
- [ ] Audit MDM infrastructure for unauthorized configuration changes. The Handala group's abuse of MDM to wipe 200,000 Stryker devices [5] makes your MDM platform a high-value target. Verify admin access controls, enable MFA on MDM consoles, review API tokens and service accounts that hold wipe rights (they bypass console MFA), and alert on bursts of device wipe commands.
- [ ] Validate GPS and NTP timing sources for OT environments. If your SCADA or industrial systems rely on GPS timing, add independent secondary sources (authenticated NTP, PTP) and alert when the GPS-derived time diverges from them or drifts faster than your tolerance. Maritime and energy sector teams should prioritize this.
- [ ] Hunt for Iranian infrastructure IOCs from Unit 42 and CISA reporting. Pull the latest IOC feeds from the Unit 42 threat brief [1] and CISA advisory [2]. Run retroactive searches across DNS logs, proxy logs, and endpoint telemetry for the past 90 days, matching subdomains of listed domains and addresses inside listed ranges rather than exact strings only.
- [ ] Establish a diplomatic monitoring trigger. Assign one analyst to track the Pakistan-mediated ceasefire status [9]. If talks collapse or the truce expires without renewal, immediately elevate your organization's threat condition and brief leadership on expected cyber escalation.
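The retroactive IOC hunt in the checklist fails quietly when done with plain string matching: a domain indicator should also catch its subdomains, an address indicator given as a range should catch every address in it, and a substring match on a domain produces false positives on unrelated names that happen to end the same way. The following is an added example and not code from Unit 42, CISA or the brief's authors; the indicator list uses reserved documentation ranges and example domains, and the DNS and proxy log formats and lines are constructed.

```python
"""Retroactive IOC hunt over DNS and proxy logs with label-aware domain matching
and CIDR-aware address matching.

Added example. Indicators (documentation ranges, reserved example domains),
the two log line formats and the sample lines are all constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple


def load_iocs(raw: List[str]) -> Tuple[Set[str], list]:
    """Split an indicator list into domain names and IP networks (a bare IP becomes a /32)."""
    domains: Set[str] = set()
    nets = []
    for line in raw:
        item = line.split("#", 1)[0].strip().lower()
        if not item:
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            domains.add(item.rstrip("."))
    return domains, nets


def domain_hit(host: str, domains: Set[str]) -> Optional[str]:
    """Label-aware suffix match: cdn.c2-host.example matches c2-host.example,
    notc2-host.example does not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def ip_hit(text: str, nets: list) -> Optional[str]:
    """Return the matching indicator network for an IP literal, else None."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    for net in nets:
        if addr in net:
            return str(net)
    return None


def host_of(url: str) -> str:
    """Host part of a URL or CONNECT target, without scheme, path or port."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I).split("/")[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def hunt(lines: List[str], domains: Set[str], nets: list) -> List[Dict[str, str]]:
    """Constructed formats: '<ts> dns <qname> <client>' and
    '<ts> proxy <client> <user> <method> <url> <status>'."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        f = line.split()
        if len(f) >= 4 and f[1] == "dns":
            observed, src = f[2], f[3]
        elif len(f) >= 7 and f[1] == "proxy":
            observed, src = host_of(f[5]), f[2]
        else:
            continue
        indicator = domain_hit(observed, domains) or ip_hit(observed, nets)
        if indicator:
            hits.append({"ts": f[0], "src": src, "observed": observed, "indicator": indicator})
    return hits


# Constructed indicator list and logs.
IOC_FEED = [
    "c2-host.example          # constructed domain indicator",
    "198.51.100.0/24          # TEST-NET-2 standing in for an attacker range",
    "203.0.113.250",
]
LOG_LINES = """\
2026-04-02T11:02:12 dns cdn.c2-host.example 10.20.3.41
2026-04-02T11:02:13 proxy 10.20.3.41 jsmith GET http://cdn.c2-host.example/update.bin 200
2026-04-02T11:05:00 proxy 10.20.3.41 jsmith CONNECT 198.51.100.77:443 200
2026-04-02T11:06:00 dns notc2-host.example 10.20.3.9
2026-04-02T11:07:00 proxy 10.20.3.9 akhan GET https://www.example.com/ 200
2026-04-02T11:08:00 dns c2-host.example. 10.20.4.2
""".splitlines()

if __name__ == "__main__":
    doms, nets = load_iocs(IOC_FEED)
    for hit in hunt(LOG_LINES, doms, nets):
        print(hit)
```

The fourth line is the trap a grep would fall into: `notc2-host.example` contains the indicator as a substring but is a different registered name, and the label-by-label match correctly ignores it while still catching the trailing-dot form on the last line.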
Sources
- [1] "Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)" - Palo Alto Networks Unit 42, https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
- [2] "Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure" - CISA, https://www.cisa.gov/sites/default/files/2026-04/AA26-097A-Iranian-Affiliated-Cyber-Actors-Exploit-Programmable-Logic-Controllers-Across-US-Critical-Infrastructure_508c.pdf
- [3] "Iran claims US exploited networking equipment backdoors during strikes" - Tom's Hardware, https://www.tomshardware.com/tech-industry/cyber-security/iran-claims-us-exploited-networking-equipment-backdoors-during-strikes
- [4] "Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker" - KrebsOnSecurity, https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
- [5] "Stryker Cyberattack: Handala Iran Hack Wiped 200K Devices" - Tech Insider, https://tech-insider.org/stryker-cyberattack-handala-iran-mdm-wipe-2026/
- [6] "2026 Internet blackout in Iran" - Wikipedia, https://en.wikipedia.org/wiki/2026_Internet_blackout_in_Iran
- [7] "Iran's forced nationwide internet blackout becomes second-longest on record as it passes 1,000 hours offline" - Tom's Hardware, https://www.tomshardware.com/tech-industry/iran-passes-1000-hours-offline
- [8] "Peace Through Strength: Operation Epic Fury Crushes Iranian Threat as Ceasefire Takes Hold" - The White House, https://www.whitehouse.gov/releases/2026/04/peace-through-strength-operation-epic-fury-crushes-iranian-threat-as-ceasefire-takes-hold/
- [9] "Pakistan races against time to get Iran back to US talks as truce end nears" - Al Jazeera, https://www.aljazeera.com/news/2026/4/21/pakistan-races-against-time-to-get-iran-back-to-us-talks-as-truce-end-nears
- [10] "Cyberwarfare during the 2026 Iran war" - Wikipedia, https://en.wikipedia.org/wiki/Cyberwarfare_during_the_2026_Iran_war
- [11] "Iran War: Kinetic, Cyber, Electronic and Psychological Warfare Convergence" - Resecurity, https://www.resecurity.com/blog/article/iran-war-kinetic-cyber-electronic-and-psychological-warfare-convergence