Prepared by: Matt Veall, SOC Lead Victoria | Latest updates: 17 March 2026
Triskele Labs’ Security Operations Centre (SOC) has moved to an elevated monitoring posture following a surge in Iranian-aligned cyber operations linked to the recent escalation in the Middle East. Since the US and Israeli military strikes on Iran on 28 February 2026, threat actors associated with Iranian state interests and hacktivist coalitions have intensified cyber activity against organisations across allied nations, including Australia. Our SOC is actively tracking the campaign, analysing emerging intelligence, and strengthening detection coverage to protect client environments.
Open-source intelligence indicates a sharp increase in cyber operations following the strikes, widely referred to as Operation Epic Fury (US) and Operation Roaring Lion (Israel). Iranian state-aligned groups and affiliated hacktivists have launched retaliatory cyber campaigns targeting organisations in the United States, Israel, Gulf states, and Western allies such as Australia, the United Kingdom, and Canada.
Government agencies across multiple countries have issued warnings urging organisations to adopt a heightened defensive posture.
The US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security, and the UK’s National Cyber Security Centre have all published advisories highlighting increased risk. CISA has confirmed enhanced coordination with federal partners, including the Department of War and the FBI, to identify emerging threats and reduce exposure for critical infrastructure and private sector organisations.
Security researchers estimate that around 60 threat groups are currently active within this campaign. Several pro-Russian hacktivist collectives have reportedly aligned with Iranian actors, forming a loose coalition targeting Israeli and Western organisations.
Heightened media attention surrounding geopolitical events increases the likelihood of opportunistic targeting, particularly phishing, credential theft attempts, website disruption, and ransomware-style intrusion activity. Our existing 24/7 MDR monitoring posture is designed to detect and alert on this type of activity as standard.
In response to the current escalation, our SOC has implemented several proactive measures aligned to the tactics, techniques, and procedures associated with Iranian-aligned threat groups.
Increased detection sensitivity for MFA fatigue attempts, impossible travel events, and password spray campaigns within Microsoft Entra environments. These are the primary initial access techniques observed in Iranian-aligned operations.
Additional monitoring for phishing-driven intrusion attempts, including detection of suspicious email forwarding rules and newly created mailbox rules, which are commonly used by threat actors to maintain persistence in a compromised mailbox.
Increased scrutiny of privileged account behaviour and administrative actions, including anomalous role escalation, bulk device operations, and access to sensitive systems outside established baselines.
Enhanced detection for endpoint activity consistent with lateral movement, data staging, or preparation for destructive payload deployment across managed environments.
Increased monitoring for scanning and exploit attempts against externally facing services, particularly VPN appliances and remote access portals, which Iranian state-sponsored actors have historically targeted for initial access.
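As an added illustration of the first measure above (example code, not Triskele Labs' own detection content), the sketch below applies two of the named rules to constructed Microsoft Entra sign-in records: a password-spray rule keyed on one source IP failing credentials against many distinct accounts, and an MFA-fatigue rule keyed on repeated denied or expired prompts for one account. The thresholds, the flattened field layout (real Entra exports nest the code under status.errorCode) and the sample records are assumptions; the error codes follow Microsoft's published Entra sign-in codes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in error codes driving the two rules (Microsoft's published codes)
INVALID_CREDENTIALS = 50126  # wrong username/password: feeds the spray rule
MFA_DENIED = 500121          # strong-auth prompt denied or timed out: feeds the fatigue rule
WINDOW = timedelta(minutes=10)

def _ts(event):
    """Parse createdDateTime (ISO 8601, trailing Z) into an aware datetime."""
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))

def _burst(items, window, distinct):
    """Largest number of (time, value) items, distinct by value if asked, inside one window."""
    items, best = sorted(items), 0
    for i, (t0, _) in enumerate(items):
        in_win = [v for t, v in items[i:] if t - t0 <= window]
        best = max(best, len(set(in_win)) if distinct else len(in_win))
    return best

def detect_password_spray(events, min_users=5, window=WINDOW):
    """Flag source IPs failing credentials against many distinct accounts in a short window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["errorCode"] == INVALID_CREDENTIALS:
            by_ip[e["ipAddress"]].append((_ts(e), e["userPrincipalName"]))
    counts = {ip: _burst(a, window, distinct=True) for ip, a in by_ip.items()}
    return {ip: n for ip, n in counts.items() if n >= min_users}

def detect_mfa_fatigue(events, min_prompts=3, window=WINDOW):
    """Flag accounts whose MFA prompts are repeatedly denied or expire in a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e["errorCode"] == MFA_DENIED:
            by_user[e["userPrincipalName"]].append((_ts(e), e["ipAddress"]))
    counts = {u: _burst(a, window, distinct=False) for u, a in by_user.items()}
    return {u: n for u, n in counts.items() if n >= min_prompts}

# Constructed sample records (not real telemetry): one IP spraying six accounts,
# then four denied MFA prompts against a single finance user.
SAMPLE_SIGNINS = [
    {"createdDateTime": f"2026-03-10T08:0{i}:00Z", "userPrincipalName": f"user{i}@example.com",
     "ipAddress": "203.0.113.7", "errorCode": INVALID_CREDENTIALS} for i in range(6)
] + [
    {"createdDateTime": f"2026-03-10T09:1{i}:00Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.9", "errorCode": MFA_DENIED} for i in range(4)
]
if __name__ == "__main__":
    print("password spray:", detect_password_spray(SAMPLE_SIGNINS))
    print("mfa fatigue:", detect_mfa_fatigue(SAMPLE_SIGNINS))
```

In production the thresholds should be tuned against the tenant's normal failure rate, and an MFA-fatigue hit followed by a successful sign-in for the same account is the case to escalate first.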
Current status: At this stage, we have not identified any specific confirmed indicators of compromise affecting our managed client environments. However, we agree with the broader intelligence community assessment that this should be treated as a heightened risk period and that organisations should maintain an elevated defensive posture.
While our SOC continues to monitor your environment, we recommend the following preventative steps be prioritised over the coming days to strengthen your defensive posture.
Ensure multi-factor authentication is enforced for all users, with particular attention to privileged accounts.
Confirm that no legacy authentication methods remain enabled, as these bypass MFA entirely. Check Point Research has observed hundreds of brute-force and credential stuffing attempts against organisational VPNs that are linked to Handala-associated infrastructure.
Audit all Global Admin, Domain Admin, and equivalent privileged accounts.
Confirm the principle of least privilege is applied and that no unnecessary standing access exists. According to public reporting, the Stryker attack succeeded when a threat actor leveraged a highly privileged account to remotely wipe over 200,000 devices globally via Microsoft Intune.
Ensure all external-facing services are patched and hardened, particularly:
CISA specifically recommends disabling Remote Desktop Protocol and administrative remote access unless explicitly required.
Remove default or unused accounts, disable unused ports and protocols, and segment critical systems such as ICS/OT environments from general business networks.
Issue a reminder to all staff to remain vigilant for phishing, especially emails relating to:
Donations
Media requests
Urgent payment activity
Account security alerts
During periods of geopolitical tension, threat actors frequently craft phishing lures tied to current events.
Verify backup and recovery capability, including testing restore procedures and ensuring backups are not directly accessible from production networks.
In a destructive wiper scenario like the Stryker attack, offline and immutable backups are the difference between recovery and rebuilding from scratch.
Ensure authentication logs and endpoint logs are being retained and monitored appropriately.
Iranian-aligned actors frequently use living-off-the-land techniques and legitimate administrative tools, making comprehensive logging critical for detection.
Review your Microsoft Entra Conditional Access policies.
At minimum we recommend:
Where licensing permits, risk-based Conditional Access controls (sign-in risk and user risk) should also be enabled.
Most organisations will not be directly targeted by Iranian state actors. However, geopolitical crises routinely trigger a rise in opportunistic cyber activity.
Threat actors exploit heightened media attention and global uncertainty to conduct phishing campaigns, credential harvesting, and disruptive hacktivist operations. Organisations can become collateral targets through supply-chain relationships, managed service providers, or widely used enterprise platforms.
CISA has historically observed Iranian government-sponsored activity targeting the following sectors:
The agency has also warned that Iranian threat actors may collaborate with criminal groups to deploy ransomware or steal sensitive data. In some campaigns, attackers exaggerate the value or scale of stolen information in order to amplify reputational damage during follow-on leak operations.
A series of cyber incidents since the end of February highlights the breadth of activity associated with the campaign. As with many hacktivist operations, some claims remain unverified. However, the scale and volume of reported incidents indicate a clear escalation.
March 2026 – Stryker Corporation (United States)
Attackers reportedly abused Microsoft Intune administrative access to trigger a large-scale device wipe affecting more than 200,000 endpoints across 61 countries. Healthcare supply chains were disrupted and over 5,000 workers in Ireland were sent home.
March 2026 – Israeli energy exploration company
Threat actors claimed a compromise and data exfiltration operation targeting energy sector systems.
March 2026 – Jordan fuel infrastructure
Hacktivists claimed disruption of national fuel station systems. Jordan’s National Cybersecurity Center separately confirmed it prevented an attempted attack on wheat silo management systems.
March 2026 – Gulf state infrastructure
Distributed denial-of-service (DDoS) attacks targeted airports in Bahrain and the UAE, Riyadh Bank in Saudi Arabia, and the Bank of Jordan.
March 2026 – Israeli ICS and OT environments
Threat actors claimed access to drone defence systems and payment infrastructure. Screenshots of water pump human-machine interface (HMI) systems were also published online, allegedly showing operational access.
March 2026 – Pro-Russian coalition activity
Pro-Russian hacktivist groups formally joined the pro-Iranian campaign under the banner #OpIsrael, launching large-scale DDoS attacks against Israeli defence contractors and municipal governments.
January 2026 – Human rights organisations
A phishing campaign targeted NGOs using malicious Microsoft Office documents disguised as protest casualty reports. Command-and-control infrastructure reportedly leveraged GitHub, Google Drive, and Telegram.
The situation continues to evolve rapidly. Our SOC is actively monitoring intelligence from several government and industry sources, including:
Intelligence from these sources is continuously ingested into our SOC detection pipelines, enabling rapid identification of activity associated with emerging campaigns.
The cyber threat environment is likely to remain elevated while geopolitical tensions continue.
Our SOC is actively monitoring developments and analysing alerts through an enhanced threat-awareness lens. If suspicious activity associated with this campaign is detected in client environments, affected organisations will be notified immediately.
If you have concerns about your environment or would like to discuss defensive measures in more detail, please contact your Triskele Labs account manager or reach out directly to our SOC team.
Further updates will be provided as the situation evolves.
Cybersecurity and Infrastructure Security Agency (CISA).
Urges Continued Vigilance Amid Conflict with Iran – advisory on heightened cyber threat activity and defensive guidance for organisations.
https://www.cisa.gov
KrebsOnSecurity.
Coverage of the Stryker cyber incident involving the reported large-scale Microsoft Intune device wipe.
https://krebsonsecurity.com
Palo Alto Networks Unit 42.
Threat intelligence brief on Iranian cyber operations and the estimated 60 active threat groups involved in the campaign.
https://unit42.paloaltonetworks.com
Check Point Research.
Analysis of Iranian cyber capabilities and threat actor profiles including Void Manticore and Handala.
https://research.checkpoint.com
Canadian Centre for Cyber Security.
Government threat bulletin addressing Iranian cyber activity following the February 2026 strikes.
https://cyber.gc.ca
Australian Cyber Security Centre (ACSC) / Australian Signals Directorate (ASD).
Cyber security advisories and defensive guidance for Australian organisations.
https://www.cyber.gov.au
National Cyber Security Centre (NCSC), United Kingdom.
Guidance for organisations strengthening cyber defences during periods of heightened geopolitical threat.
https://www.ncsc.gov.uk