Geopolitics · · 9 min read

Iran’s cyber war targets hospitals as asymmetric weapon

Nearly 5,800 cyberattacks since February offensive reveal strategic shift toward medical infrastructure degradation while U.S. defences operate at 40% capacity.

Iran-aligned cyber groups have launched nearly 5,800 documented attacks against U.S. and Israeli critical infrastructure since the February 28 Operation Epic Fury offensive began, with hospitals and medical device manufacturers emerging as primary targets in what security analysts describe as a deliberate campaign to degrade civilian healthcare capacity rather than conduct traditional espionage.

The scale and coordination mark a fundamental shift in hybrid warfare doctrine. Iran’s decentralised network of proxy groups — numbering at least 50 distinct entities tracked by DigiCert — has moved from opportunistic financial targeting to synchronised infrastructure attacks timed with kinetic strikes. During Iranian missile barrages on March 10, Israelis fleeing to bomb shelters received SMS messages offering a fake civil defence app that installed spyware granting access to device cameras, locations, and communications. “This was sent to people while they were running to shelters to defend themselves,” Gil Messing, chief of staff at Check Point Research, told the Associated Press. “The fact it’s synced and at the same minute is a first.”

Iran Cyber Campaign by Numbers
Total documented attacks (as of March 29): 5,800
Distinct proxy groups tracked: 50+
Stryker devices wiped: 200,000+
Data exfiltrated from Stryker: 50 TB
CISA operational capacity: 40%

Medical infrastructure as strategic vulnerability

The March 11 attack on Stryker, a $25 billion medical device manufacturer serving 150 million patients annually across 61 countries, demonstrated the operational impact of targeting healthcare supply chains. Iran-linked group Handala compromised a Microsoft Intune account and used the platform's own device-management functions to remotely wipe more than 200,000 devices and exfiltrate 50 terabytes of data, according to CNN reporting. Emergency medical services in Maryland lost access to equipment documentation, while hospitals paused surgeries pending security reviews. U.S. officials subsequently described the incident as likely the most significant wartime cyberattack against American infrastructure in history, according to The Soufan Center.
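The Stryker incident turns a routine administrative capability, the Intune remote wipe, into a weapon, and the practitioner's question is how early a burst of wipes from one account could have been noticed. The script below is an added example for this article, not code from the article, from Stryker or from Microsoft. It follows the field layout of the Microsoft Graph deviceManagement/auditEvents resource (activityType, activityDateTime, actor, resources) as exported from a tenant, but the activityType strings, the actor names and every event in SAMPLE_EVENTS are constructed assumptions for illustration and must be checked against a real export before use.

```python
"""Flag bulk remote-wipe activity in Microsoft Intune audit events.

Added example; not code from the article, from Stryker or from Microsoft.
The record layout mirrors the Microsoft Graph `deviceManagement/auditEvents`
resource, but activityType values, actor names and all sample events are
constructed assumptions, not real tenant data.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample export (assumption): one account wipes five devices in
# under a minute, another wipes a single device (a normal offboarding), and
# one unrelated configuration change is mixed in to show filtering.
SAMPLE_EVENTS = [
    {"activityType": "wipeManagedDevice ManagedDevice",
     "activityDateTime": "2026-03-11T03:00:00Z",
     "actor": {"userPrincipalName": "helpdesk-admin@contoso.example"},
     "resources": [{"displayName": "LAPTOP-0001", "type": "ManagedDevice"}]},
    {"activityType": "wipeManagedDevice ManagedDevice",
     "activityDateTime": "2026-03-11T03:00:10Z",
     "actor": {"userPrincipalName": "helpdesk-admin@contoso.example"},
     "resources": [{"displayName": "LAPTOP-0002", "type": "ManagedDevice"}]},
    {"activityType": "createDeviceConfiguration DeviceConfiguration",
     "activityDateTime": "2026-03-11T03:00:15Z",
     "actor": {"userPrincipalName": "it-lead@contoso.example"},
     "resources": [{"displayName": "Baseline-WiFi", "type": "DeviceConfiguration"}]},
    {"activityType": "wipeManagedDevice ManagedDevice",
     "activityDateTime": "2026-03-11T03:00:20Z",
     "actor": {"userPrincipalName": "helpdesk-admin@contoso.example"},
     "resources": [{"displayName": "LAPTOP-0003", "type": "ManagedDevice"}]},
    {"activityType": "wipeManagedDevice ManagedDevice",
     "activityDateTime": "2026-03-11T03:00:30Z",
     "actor": {"userPrincipalName": "helpdesk-admin@contoso.example"},
     "resources": [{"displayName": "LAPTOP-0004", "type": "ManagedDevice"}]},
    {"activityType": "wipeManagedDevice ManagedDevice",
     "activityDateTime": "2026-03-11T03:00:40Z",
     "actor": {"userPrincipalName": "helpdesk-admin@contoso.example"},
     "resources": [{"displayName": "LAPTOP-0005", "type": "ManagedDevice"}]},
    {"activityType": "wipeManagedDevice ManagedDevice",
     "activityDateTime": "2026-03-11T09:15:00Z",
     "actor": {"userPrincipalName": "it-lead@contoso.example"},
     "resources": [{"displayName": "LAPTOP-0099", "type": "ManagedDevice"}]},
]


def _parse_time(value):
    """Parse the ISO 8601 timestamp Graph emits (trailing 'Z' for UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_wipe_event(event):
    """True if the audit activity is a device wipe (substring match, case-insensitive)."""
    return "wipe" in event.get("activityType", "").lower()


def detect_bulk_wipes(events, max_wipes=3, window=timedelta(minutes=10)):
    """Return one alert per actor whose wipe count inside any sliding
    time window of length `window` exceeds `max_wipes`.

    The window is per actor so that a fleet retirement spread over a day
    does not trip the rule, while a burst from a single account does."""
    by_actor = {}
    for ev in sorted(filter(is_wipe_event, events),
                     key=lambda e: _parse_time(e["activityDateTime"])):
        actor = ev.get("actor", {})
        name = (actor.get("userPrincipalName")
                or actor.get("applicationDisplayName") or "unknown")
        by_actor.setdefault(name, []).append(ev)

    alerts = []
    for name, evs in by_actor.items():
        recent = deque()      # timestamps of wipes inside the current window
        peak = 0              # largest window count seen for this actor
        devices = set()       # every device this actor wiped in the export
        for ev in evs:
            t = _parse_time(ev["activityDateTime"])
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
            for res in ev.get("resources", []):
                devices.add(res.get("displayName") or res.get("resourceId", "?"))
        if peak > max_wipes:
            alerts.append({"actor": name,
                           "peak_wipes_in_window": peak,
                           "devices": sorted(devices)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_wipes(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately small here; set them from the tenant's own baseline of legitimate wipes. The rule only has value if audit events reach a system the same admin account cannot silence, and it catches the first burst rather than the two-hundred-thousandth wipe, which is the point: a remote wipe is irreversible, so the alert has to fire on the first handful.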

A second healthcare provider — identity not publicly disclosed — suffered a Pay2Key ransomware attack in late February that encrypted systems within three hours, Axios reported on March 24. Critically, attackers made no ransom demand, signalling disruption rather than financial motive. “This suggests a deliberate focus on the medical sector rather than targets of opportunity,” Cynthia Kaiser, senior vice president at Halcyon, told The Republic News. “As this conflict continues, we should expect that targeting to intensify.”

Context

Handala claimed the Stryker attack as retaliation for a March 3 U.S. missile strike on an elementary school in Minab that killed at least 160 children. The group, assessed by Western intelligence as a persona operated by Iran’s Ministry of Intelligence (MOIS) under the codename Void Manticore, explicitly framed the cyber operation as reciprocal targeting of civilian infrastructure. While no evidence links U.S. forces to the school strike — which occurred during a chaotic early phase of Operation Epic Fury with extensive collateral damage — the attribution demonstrates Iran’s narrative strategy of justifying escalation through claims of proportionate response.

Technical evolution and AI integration

Iran’s cyber apparatus has adapted rapidly to overcome connectivity constraints. Despite a nationwide internet blackout that reduced Iranian connectivity to 1-4% of normal levels for 27 consecutive days as of March 26, Handala continued operations by routing through Starlink satellite IPs, ExtraHop researchers documented. This autonomous capability — combined with the proliferation of 70+ distinct hacktivist groups in the early conflict phase — suggests a deliberately distributed command structure designed to survive leadership decapitation strikes.

MuddyWater, a long-tracked Iranian APT group, launched Operation Olalampo on January 26 with four new malware families (CHAR, GhostBackDoor, GhostFetch, HTTP_VIP) written in Rust. Rust is a memory-safe language, but what complicates detection is the compiled output rather than the safety guarantees: Rust binaries carry different runtime artefacts and code patterns from the C, C++ and .NET tooling that most signatures and analyst heuristics were built around, so existing detections match poorly and reverse engineering takes longer. Director of National Intelligence Tulsi Gabbard testified to Congress in March that generative AI tools “will increasingly shape cyber operations with both cyber operators and defenders using these tools to improve their speed and effectiveness,” according to The Washington Times. The MuddyWater campaign predated the kinetic offensive by a month, indicating Iran had positioned cyber assets in anticipation of conflict escalation.

26 Jan 2026: MuddyWater launches Operation Olalampo
Iranian APT deploys four new malware families using Rust and AI-assisted development, targeting U.S. and allied networks.

28 Feb 2026: Operation Epic Fury begins
U.S.-Israeli offensive strikes Iranian air defences and command infrastructure; Iran’s internet connectivity collapses to 1-4% of normal.

Late Feb 2026: Pay2Key targets U.S. healthcare provider
Ransomware encrypts systems in under three hours with no ransom demand, a disruption-only operation.

3 Mar 2026: Minab school strike kills 160+ children
Missile strike attributed to U.S. forces by Iran becomes justification for subsequent cyber retaliation.

10 Mar 2026: Synchronised cyber-kinetic attack on Israel
Spyware SMS campaign targets civilians during Iranian missile barrage; timing demonstrates tactical coordination.

11 Mar 2026: Handala wipes 200,000+ Stryker devices
Compromise of a Microsoft Intune account enables remote device wipes across the medical device manufacturer’s global network.

19-20 Mar 2026: FBI seizes Handala websites; group restores within 24 hours
Rapid restoration demonstrates redundancy and autonomous operational capacity despite Iran’s internet isolation.

Defensive capacity crisis

Iran’s cyber escalation coincides with unprecedented constraints on U.S. defensive capabilities. The Cybersecurity and Infrastructure Security Agency (CISA) operated at 40% strength with 60% of its workforce furloughed as of March 25, acting director Nick Andersen testified to Congress, according to the Foundation for Defense of Democracies. The staffing crisis stems from broader federal budget disputes unrelated to the Iran conflict but creates a window of vulnerability that Iranian operators appear calibrated to exploit.

“There are a lot more attacks happening that aren’t being reported,” Michael Smith, field chief technology officer at DigiCert, told the Associated Press. The reporting gap reflects both classification concerns and corporate reluctance to disclose breaches during active conflict. Private sector security firms have assumed expanded intelligence-sharing roles, with Palo Alto Networks’ Unit 42 tracking 7,381 distinct phishing URLs in Iranian campaigns as of March 26, while CISA’s skeleton staff struggles to coordinate cross-sector threat intelligence.

“The digital fight is likely to persist even if a ceasefire is reached, because it’s a lot easier and cheaper than conventional conflict and because it is designed not to kill or conquer, but to spy, steal and frighten.”

Security analysts cited by The Republic News

Economic asymmetry and escalation risk

The first 100 hours of Operation Epic Fury cost approximately $3.7 billion for the U.S., mostly unbudgeted, according to CSIS analysis. Iran’s cyber campaign, by contrast, operates at a fraction of that cost while achieving strategic effects that extend beyond immediate disruption. After the FBI seized multiple Handala-controlled websites on March 19, the group restored all domains within 24 hours and resumed operations, demonstrating a resilience that kinetic strikes struggle to replicate. “It’s an important step, as most of Handala’s work was to publish their work and create the psychological effect of the damage, even if exaggerated,” Messing told NBC News. “So taking out their websites and channels is hitting them where it matters.”

The deliberate targeting of healthcare distinguishes this campaign from historical Iranian operations focused on financial institutions or energy infrastructure. Medical device supply chains create cascading vulnerabilities — a single compromised manufacturer affects hundreds of hospitals simultaneously, while patient safety concerns constrain aggressive defensive responses that might disrupt clinical operations. Iran has effectively identified infrastructure where the cost of defence exceeds the cost of attack, and where retaliation carries higher political costs.