The Iran conflict is no longer a story you follow on the news. It is now a story your security team needs to be ready for. Iranian-backed attackers erased data from 200,000 computers at a single Fortune 500 company spanning 79 countries in early 2026 in a matter of weeks without ever installing malware on a single device. Iranian drones caused physical damage at commercial Amazon and Oracle data centers located in the Middle East, marking the first instance of a nation-state targeting commercial cloud infrastructure in wartime that we’re aware of. Threat actors based in Iran conducted widespread password-spraying attacks against hundreds of organizations utilizing Microsoft 365. And the Department of Defense quietly began taking steps to train artificial intelligence systems on classified military data. These events are connected. Understand how they connect, and what your organization should be doing about it.
Iran Has Officially Declared U.S. Tech Infrastructure a War Target
Iran’s Shahed drones attacked two AWS data centers in the UAE on March 1st this year. Another AWS data center in Bahrain was attacked later that night. This is said to be the first time commercial data centers have been targeted by a country during a war.
Iran didn’t just target AWS data centers at random. The Iranian government published, via state media, a list of American targets that included Microsoft, Google, Apple, Meta, HP, Oracle, Intel, IBM, Cisco, Palantir, Dell, and Nvidia. Most were identified because of their role in supporting AI systems or coordinating cloud services across the region. The financial logic is important context for security leaders. Attacking a traditional industrial target causes significant damage. Attacking an AI data center causes exponentially more. A single Nvidia NVL72 GB300 system can cost six million dollars. A data center housing tens of thousands of advanced processors holds billions in hardware value that cannot be quickly replaced, insured, or rebuilt. By early April, Iran’s Islamic Revolutionary Guard Corps claimed it had struck an Oracle data center in Dubai. Bahrain confirmed a strike on Batelco, the country’s largest telecommunications company and host of Amazon Web Services infrastructure. A Bellingcat investigation found the UAE has a documented pattern of downplaying successful Iranian strikes.
The strategic message from Iran is unambiguous. American technology companies are now considered military targets.
The Stryker Attack: A Masterclass in What Nation-State Wiper Attacks Look Like
While the data center strikes captured international headlines, the attack that should matter most to U.S. security leaders happened inside a Michigan conference room on the morning of March 11, 2026. Stryker employees in offices across numerous countries turned on their computers, and their screens showed a ‘logo of a barefoot boy holding a slingshot’. Personal phones that employees had enrolled in Stryker’s bring-your-own-device program were wiped as well, erasing photos, eSIMs, and the authenticator apps employees used to access their own banks. Company laptops across the U.S., Ireland, India, and dozens of other countries were erased overnight. The responsible group was Handala, a pro-Iranian hacktivist collective associated with Void Manticore. Void Manticore is an Iranian advanced persistent threat group believed to be part of the Iranian Ministry of Intelligence and Security (MOIS). It has been linked to wiper attacks that pair malware with psychological warfare tactics. The attack was framed as retaliation for U.S. and Israeli military strikes on Iran.
What made Stryker remarkable was the method. No malware. No zero-day exploit. Without any advanced or custom tooling, the attackers abused the native wipe cmdlet in Microsoft Intune, Microsoft’s cloud-based endpoint management service, to erase devices. Over 78,000 devices were wiped in under 3 hours. Initial access came from the takeover of an administrator account. Once inside, the attackers created a second account holding the Global Administrator role and full device access permissions.
The business impact was immediate and severe. Stryker’s order processing, manufacturing, and shipping operations went offline globally. Hospital surgical procedures were delayed because Stryker could not deliver patient-specific products. The financial hit reached Stryker’s first-quarter earnings and was disclosed in an amended SEC filing. CISA and the FBI responded within a week. CISA issued a formal advisory directing every organization running Microsoft Intune to harden its environment immediately, calling for least-privilege access on administrator roles, phishing-resistant multi-factor authentication, and multi-admin approval for destructive actions like device wipes.
The core lesson is not technical. It is organizational. A single compromised administrator account gave an Iranian threat actor the ability to erase every managed device in a global enterprise in three hours. The attack did not penetrate a firewall. It walked through a governance gap.
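The sequence described above (an administrator account is compromised, a new account receives the Global Administrator role, and that account then issues device wipes at a rate no help desk would) is visible in an audit trail if someone is looking for it. The following detector is an added example written for this article, not code from HALOCK, Stryker, CISA or Microsoft. It runs over a constructed audit trail whose event format (`time`, `actor`, `action`, `role`, `target`) is an assumption for the example and is not the Microsoft Graph or Intune audit schema; the actor names, timestamps and thresholds are likewise constructed. It flags any account whose wipe rate exceeds a threshold in a sliding window and raises the severity when that account received a privileged role shortly before the burst.

```python
"""Added example: detect a privileged-role grant followed by a device-wipe burst.

The event format and all sample data below are constructed for this example;
map real audit-log fields onto them before using the logic in production.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Roles that can trigger destructive endpoint actions (assumption: extend to taste).
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}


def parse_time(stamp: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sample_events():
    """Constructed audit trail: a role grant, a 40-device wipe burst by the
    grantee within the hour, and one routine wipe by a different admin later."""
    base = datetime(2026, 3, 11, 1, 0, tzinfo=timezone.utc)

    def ts(minutes):
        return (base + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")

    events = [{"time": ts(2), "actor": "helpdesk.admin", "action": "AddRoleMember",
               "role": "Global Administrator", "target": "svc-ops2"}]
    for i in range(40):  # one wipe per minute from the newly elevated account
        events.append({"time": ts(10 + i), "actor": "svc-ops2",
                       "action": "WipeDevice", "target": f"LAPTOP-{i:04d}"})
    events.append({"time": ts(8 * 60), "actor": "it.tech",
                   "action": "WipeDevice", "target": "LAPTOP-LOST-01"})
    return events


def find_privileged_grants(events):
    """Every assignment of a role in PRIVILEGED_ROLES, in log order."""
    return [e for e in events
            if e["action"] == "AddRoleMember" and e.get("role") in PRIVILEGED_ROLES]


def find_wipe_bursts(events, window=timedelta(hours=1), threshold=25):
    """Return {actor: peak wipes inside any sliding `window`} for actors whose
    peak reaches `threshold`. Two-pointer scan over each actor's sorted times."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == "WipeDevice":
            per_actor[e["actor"]].append(parse_time(e["time"]))
    bursts = {}
    for actor, times in per_actor.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[actor] = peak
    return bursts


def correlate_grant_then_wipe(events, lookback=timedelta(hours=24), **burst_kwargs):
    """Alert on every wipe burst; mark it critical when the bursting account was
    granted a privileged role within `lookback` before its first wipe."""
    bursts = find_wipe_bursts(events, **burst_kwargs)
    grants = find_privileged_grants(events)
    alerts = []
    for actor, peak in bursts.items():
        first_wipe = min(parse_time(e["time"]) for e in events
                         if e["action"] == "WipeDevice" and e["actor"] == actor)
        recent = [g for g in grants if g["target"] == actor
                  and timedelta(0) <= first_wipe - parse_time(g["time"]) <= lookback]
        alert = {"actor": actor, "peak_wipes_per_window": peak,
                 "severity": "critical" if recent else "high"}
        if recent:
            alert.update(granted_by=recent[0]["actor"], role=recent[0]["role"],
                         granted_at=recent[0]["time"])
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate_grant_then_wipe(build_sample_events()):
        print(alert)
```

The threshold and window are deliberately loose; a real baseline comes from how many wipes your own help desk issues in a normal hour. The correlation step is what turns a volume alert into an incident signal: a fresh Global Administrator grant followed by mass wipes is the Stryker pattern, and multi-admin approval on both the role grant and the wipe action is the CISA control that breaks it.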
Is Your Organization Carrying the Same Gap?
This is the question security and IT leaders need to sit with after reading about Stryker. Not whether Iran would target you specifically, but whether your Microsoft Intune environment, your endpoint management configuration, and your administrator account controls are any better governed than Stryker’s were.
At HALOCK, we see this governance gap across organizations of every size and industry. Endpoint management tools like Intune are powerful. They are also increasingly weaponized precisely because most organizations have not applied the same scrutiny to their administrative control planes that they apply to perimeter defenses. A Compromise Assessment from HALOCK is designed to answer that question honestly and quickly. We look at where your environment has already been exposed or is currently at risk, examine administrator account configurations, review access controls on endpoint management systems, and identify evidence of reconnaissance or unauthorized activity that may already exist in your logs. If Handala ran months of brute-force attempts against Stryker’s VPN before the March 11 attack, the indicators were there. The question is always whether anyone was looking.
If you want to get ahead of that question rather than answer it after an incident, this is where to start.
Identity Is the Common Thread Across Every Attack in This Cluster
The Stryker attack is not an outlier. It is a pattern.
The same period produced an Iran-linked password-spraying campaign targeting more than 300 organizations running Microsoft 365. Hundreds of hacking attempts hit surveillance camera infrastructure across the Middle East in the days following Iran’s missile strikes. These are not exotic technical operations. They are credential-based intrusions that work because organizations have not closed the gap between the tools they run and the governance controls they maintain around those tools.
China, Russia, North Korea, and Iran field advanced persistent threat actors with remarkably similar tradecraft, even though their goals could not be more divergent. From all of these nations, we’ve seen attackers extensively use credential phishing, password spraying, brute forcing of VPN and remote access infrastructure, and abuse of built-in administrative tools. These actors are not sophisticated; they’re just patient and pick targets carefully.
Iran’s current campaign is running on multiple simultaneous tracks: physical strikes on data center infrastructure, destructive wiper operations against enterprise networks, credential attacks against cloud identity systems, and opportunistic intrusions tied to conflict events. For organizations not directly involved in the conflict, the risk is spillover and opportunistic targeting. Handala’s previous victims include IT providers, infrastructure operators, and supply chain companies. Any organization running the same tools and configurations as a named target is a potential next victim.
This is where HALOCK’s Security Engineering services are relevant. We help organizations understand their actual attack surface, including where credential-based access paths exist, where endpoint management controls are insufficient, and where administrative privileges have accumulated beyond what day-to-day operations require. The Risk-Based Threat Assessment and CIS-Based Security Assessment services are built specifically to surface these exposures before they become incidents.
The Q1 Vulnerability Picture: What Is Already Behind You
The Q1 vulnerability backlog adds a third dimension to this story. The Iran-linked campaigns are actively monitoring public vulnerability disclosures and moving to exploit them within hours. Organizations entering 2026 with unpatched edge devices, unmanaged VPN infrastructure, and open credential exposure are presenting Iran, China, and Russia with a menu of options.
The Stryker attack did not begin with a zero-day exploit. Check Point Research documented hundreds of brute-force attempts against Stryker’s VPN infrastructure over months before the March 11 attack. After Iran’s internet shutdown, Handala began routing those attempts through Starlink IP ranges to blend into legitimate satellite traffic. It was slow, methodical, and observable if you were looking at the right things.
The journey from initial credential breach to wiping 80,000 devices was a failure of governance, not technology. Controls on privileged accounts were insufficient. Administrator activity was not adequately monitored. Multi-admin approval for destructive actions did not exist. Handala walked through every open door in sequence.
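The two credential patterns this article describes, password spraying against Microsoft 365 tenants (many accounts, one or two guesses each) and months of brute force against a VPN (one account, many guesses), leave different shapes in authentication logs, and both are visible long before a wipe. The detector below is an added example written for this article, not HALOCK’s or Check Point’s tooling. The log-line format (`<timestamp> src=<ip> user=<name> result=OK|FAIL`) is an assumption for the example, the source addresses come from the reserved documentation ranges, and the thresholds are illustrative rather than recommended values.

```python
"""Added example: classify authentication-log sources as password spray,
brute force, or neither, and note whether the source eventually logged in.

The line format, addresses and thresholds below are constructed for this
example; adapt the regex to your VPN or identity-provider export.
"""
import re
from collections import defaultdict

# Constructed line format; a real export will need its own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log():
    """Constructed log: a spray (30 users, one failure each, then one success),
    a brute-force run (one user, 50 failures), and a benign typo-then-success."""
    lines = [f"2026-02-14T03:{i:02d}:05Z src=203.0.113.7 user=user{i:03d} result=FAIL"
             for i in range(30)]
    lines.append("2026-02-14T03:30:05Z src=203.0.113.7 user=user030 result=OK")
    lines += [f"2026-02-14T04:00:{i:02d}Z src=198.51.100.9 user=vpn.contractor result=FAIL"
              for i in range(50)]
    lines += ["2026-02-14T08:00:00Z src=192.0.2.25 user=alice result=FAIL",
              "2026-02-14T08:00:20Z src=192.0.2.25 user=alice result=FAIL",
              "2026-02-14T08:00:45Z src=192.0.2.25 user=alice result=OK"]
    return lines


def parse_line(line):
    """Return the line's fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def profile_sources(lines):
    """Per source IP: failure count per user and success count per user."""
    prof = defaultdict(lambda: {"fail": defaultdict(int), "ok": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped; count them separately if you care
        bucket = "fail" if rec["result"] == "FAIL" else "ok"
        prof[rec["ip"]][bucket][rec["user"]] += 1
    return prof


def classify_sources(lines, spray_min_users=10, spray_max_per_user=3,
                     brute_min_attempts=20):
    """Spray: many distinct users with few failures each from one source.
    Brute force: one user with many failures from one source.
    A success from a flagged source is the signal that a credential landed."""
    findings = {}
    for ip, p in profile_sources(lines).items():
        fails = p["fail"]
        if not fails:
            continue
        pattern = None
        if len(fails) >= spray_min_users and max(fails.values()) <= spray_max_per_user:
            pattern = "password_spray"
        elif any(n >= brute_min_attempts for n in fails.values()):
            pattern = "brute_force"
        if pattern:
            findings[ip] = {"pattern": pattern,
                            "failed_logins": sum(fails.values()),
                            "distinct_users": len(fails),
                            "successful_users": sorted(p["ok"])}
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(build_sample_log()).items():
        print(ip, finding)
```

The benign source is not flagged because one user with two failures matches neither shape. In practice the spray source is the harder one to see, since per-account lockout thresholds never trigger; grouping failures by source (or by the Starlink-style address ranges mentioned above) instead of by account is what surfaces it, and a success from a source that was just spraying should page someone.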
HALOCK’s External Attack Surface Management (EASM) and Penetration Testing services are designed to show you what attackers see before they use it against you. If your edge devices, VPN infrastructure, and remote access systems are exposed in ways you are not aware of, the time to find that out is now, not during a March 11 moment of your own.
The Pentagon’s AI Move and What It Means for Every Enterprise
Separate from the Iran conflict, but deeply connected to its strategic context, the Pentagon moved this week toward allowing AI companies to train models on classified military data. Models like Anthropic’s Claude are already operating in classified settings, including analyzing targets in Iran. Allowing models to train on that data represents a fundamentally different risk profile.
Training means sensitive intelligence, like surveillance reports, battlefield assessments, and human intelligence, could become embedded into the models themselves. The Pentagon’s plan calls for secure data centers accredited for classified projects, where copies of commercial models would be paired with classified data. The Department of Defense (DoD) would retain data ownership, and AI company personnel would need clearance to access it. The primary risk is not public exposure. It is internal leakage within the Defense Department itself, where a model with access to sensitive human intelligence could surface that information to personnel without the appropriate clearance level.
For private sector leaders, this story has three immediate implications. AI vendors pursuing government contracts will face increasingly stringent data governance requirements that will influence commercial AI security standards across the market. AI governance standards will come due at defense contractors and suppliers as DoD requirements funnel down to vendors in the supply chain. Meanwhile, the governance issues regulators are focused on now, data isolation, access controls, and model security, are the same issues boards and audit committees should be considering for every AI system operating in-house.
HALOCK’s AI Risk Management and Governance services are built to help organizations navigate exactly this terrain. If you’re a defense contractor grappling with new regulatory compliance mandates or an enterprise executive seeking to govern AI adoption in a responsible way, we help you develop programs that are thorough, scalable and defensible in front of regulators and courts.
Questions Your Security & Risk Program Should Be Able to Answer Right Now
Everything in this article points toward the same set of operational questions. We work through versions of these with every client. The organizations that can answer them honestly are better prepared. The ones that cannot are the ones that call us during an incident.
- Can a single compromised administrator account wipe every device in your environment? If you do not know the answer, that is the first problem to solve. CISA’s Intune advisory is a starting point. A Compromise Assessment gives you the full picture of what your administrative control plane actually looks like today.
- Do you have visibility into every AI tool your employees are using? Months of credential reconnaissance preceded the Stryker attack. Employees using unapproved AI platforms with sensitive organizational data expand your exposure in ways that are hard to detect without a structured governance program. HALOCK’s AI Risk Assessment is where that work starts.
- Does your incident response plan cover wiper attacks specifically? The Stryker attack was not ransomware. There was no encryption, no negotiation, and no ransom note. Only erasure. Traditional incident response playbooks built around ransomware do not map to this scenario. Your Incident Response Plan (IRP) needs to account for mass device wipe events, and it needs to be tested against that scenario before it matters.
- Are you monitoring for the indicators that precede attacks like Stryker? Months of brute-force activity against VPN infrastructure preceded March 11. That activity was visible in logs. HALOCK’s Incident Response Readiness as a Service (IRRaaS) program is built to keep your monitoring, detection, and response capabilities current, not just compliant on paper.
The Bottom Line
The Iran conflict has made explicit something security professionals have understood for years: geopolitical events and corporate cybersecurity risk are no longer separate categories. Physical strikes on cloud infrastructure, nation-state wiper attacks on enterprise networks, credential campaigns against Microsoft 365 organizations, and classified AI training programs at the Pentagon are converging into a threat environment that requires deliberate, proportionate, and documented preparation. At HALOCK, we define reasonable security as the right controls for your specific risk environment, defensible to regulators, courts, and executives. That work is guided by the Duty of Care Risk Analysis (DoCRA) framework, which HALOCK co-developed, and is grounded in the practical reality of what threats organizations in your industry actually face.
Reasonable security right now means knowing whether your Intune environment can be turned against you. It means knowing what AI tools your employees are using and what data they are putting into them. It means having an incident response plan that accounts for wiper attacks, not just ransomware. And it means having someone monitoring the indicators that show up months before the attack does. In short, it means your security and risk programs are aligned with your mission, objectives, and obligations.
The organizations that have done that work recover faster, suffer less, and face substantially less legal and regulatory exposure when something happens. The ones that have not are the ones reading about Stryker right now, wondering if their own environment has the same gaps.
Establish reasonable security to safeguard your data as the regulations require. Develop a legally-defensible security strategy in the evolving cyber landscape.
Review Your Incident Readiness and Risk Posture
