Iran's Hackers Are Shifting From Spying to Sabotaging US Infrastructure | IntelFusions

Iran's state-linked hackers are changing what they do on American networks. For years the focus was quiet spying. In 2026 the goal has shifted toward openly breaking things, and the targets are the systems people rely on every day: drinking water, hospitals, and the factories that make medical equipment. US agencies have taken notice. In a 2026 advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and its partners warned that Iranian-affiliated actors are actively attacking the industrial control systems that run American critical infrastructure.

Why this matters

A spy who reads your email is a problem. An attacker who can shut off a water plant or erase a hospital supplier's computers is a crisis. Iran-aligned groups are now crossing that line, and much of the activity is framed as retaliation amid the conflict between Iran, Israel, and the United States. The most exposed victims are often not large companies with security teams but small water utilities and regional operators that lack basic protections, which makes them soft, high-impact targets.

What is being targeted

Two patterns stand out. The first is water and wastewater systems. Since late 2023, an IRGC-linked crew calling itself CyberAv3ngers has hunted for internet-exposed Unitronics programmable logic controllers (PLCs, the small computers that run pumps and valves) and simply logged in using the factory default password; the affected Unitronics models shipped with the password 1111 and listened on TCP port 20256, so an attacker needed nothing more than a scanner and a default-credentials list. In one case the group defaced the control screen at the Municipal Water Authority of Aliquippa in Pennsylvania. CISA, the EPA, the FBI, and the NSA have repeatedly warned the water sector about this exact technique. The second pattern is destructive wiper attacks, malware built not to steal data but to erase it.
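A way to run the same exposure check against your own perimeter, as an added example that is not code from the IntelFusions briefing, from CISA, or from any scanner vendor: it takes Censys-style listener records, skips addresses that are only reachable internally, and flags the two things the advisories single out, industrial protocols and HMI or login pages sitting on the open internet. The port table, the banner keywords, the severity labels and the sample records are this example's own assumptions; the records are constructed and use documentation address ranges.

```python
"""Triage internet-facing listeners for the exposure patterns in the briefing.
Added example, not from the page; the port table, keyword lists, severities and
sample records are assumptions of this example, not an official list."""
import ipaddress
import json
from dataclasses import dataclass
from typing import List, Optional

# Common OT/ICS listener ports (assumption: a practical shortlist, not exhaustive).
OT_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    20256: "Unitronics PCOM",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}
HMI_MARKERS = ("unitronics", "hmi", "scada", "plc")   # page titles that identify a control screen
LOGIN_MARKERS = ("login", "sign in", "password")       # ordinary admin/user login pages
SEVERITY_RANK = {"critical": 0, "high": 1}

# Address space that is not reachable from the internet no matter what listens on it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Finding:
    ip: str
    port: int
    severity: str
    reason: str


def is_internal(ip: str) -> bool:
    """True for RFC1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_record(rec: dict) -> Optional[Finding]:
    """Classify one listener record; None means nothing to act on."""
    ip = rec["ip"]
    if is_internal(ip):
        return None
    port = int(rec["port"])
    # Fold service name, page title and banner into one lowercase haystack.
    text = " ".join(str(rec.get(k, "")) for k in ("service", "title", "banner")).lower()
    if port in OT_PORTS:
        return Finding(ip, port, "critical",
                       f"{OT_PORTS[port]} reachable from the internet; move it behind a VPN")
    if any(m in text for m in HMI_MARKERS):
        return Finding(ip, port, "critical",
                       "PLC/HMI web interface on the open internet; remove exposure, change default credentials")
    if any(m in text for m in LOGIN_MARKERS):
        return Finding(ip, port, "high",
                       "login page on the open web; require VPN and MFA in front of it")
    return None


def triage_jsonl(text: str) -> List[Finding]:
    """Triage newline-delimited JSON records, worst findings first."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = triage_record(json.loads(line))
            if finding is not None:
                findings.append(finding)
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.ip, f.port))
    return findings


# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_RECORDS = """
{"ip": "203.0.113.10", "port": 20256, "service": "pcom"}
{"ip": "203.0.113.10", "port": 80, "service": "http", "title": "Unitronics PLC Web Server"}
{"ip": "198.51.100.7", "port": 443, "service": "http", "title": "Sign in to your account"}
{"ip": "198.51.100.8", "port": 443, "service": "http", "title": "Corporate Home"}
{"ip": "10.0.5.20", "port": 502, "service": "modbus"}
"""

if __name__ == "__main__":
    for f in triage_jsonl(SAMPLE_RECORDS):
        print(f"[{f.severity.upper()}] {f.ip}:{f.port} - {f.reason}")
```

The private-range filter is deliberately explicit rather than relying on a library's notion of "global" addresses, so a Modbus listener on 10.0.5.20 is ignored while the same port on a routable address is flagged. Feed it your external scan export and treat every critical finding as work for this week, not this quarter.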

The Stryker wake-up call

In March 2026 a pro-Iran group known as Handala, which security researchers link to the Iranian government, claimed a wiper attack on Stryker, one of the world's largest medical device makers. According to an analysis by Censys, the attack destroyed Stryker's Windows environment worldwide and halted manufacturing at its Ireland sites. Handala said it acted over Stryker's ties to Israel and a US defense contract. Neither Stryker nor Microsoft has confirmed how the attackers got in, though reporting points to abuse of a cloud device-management platform, the kind of admin tool that, if hijacked, can wipe an entire fleet of company computers at once. Censys also found roughly 2,000 Stryker systems exposed to the internet, more than 150 of them with login pages on the open web.
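One detection a practitioner would want for the fleet-wipe scenario described above, as an added example that is not code from the briefing, from Stryker, from Microsoft or from Censys. Because the platform involved is unconfirmed, it is written against a generic device-management audit log: it flags any actor that issues destructive device commands against many distinct devices within a short window, which is what a hijacked management console looks like from the log side. The field names, action names, threshold, window and sample events are this example's own assumptions; the events are constructed.

```python
"""Flag bulk destructive actions in a device-management audit log.
Added example; the log schema, action names, threshold and sample events are
assumptions of this example, not any vendor's real format."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Actions that destroy or lock a device (assumption: generic names; map them to your platform's).
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "factory_reset"}


def detect_bulk_wipes(jsonl: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Return one alert per actor that hits `threshold` distinct devices within `window`.

    Events are processed in time order so the same loop works as a streaming
    check; a deque per actor holds only the destructive events still inside the window.
    """
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    for ev in events:
        ev["_t"] = datetime.fromisoformat(ev["time"])
    events.sort(key=lambda e: e["_t"])

    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in events:
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        t, actor = ev["_t"], ev["actor"]
        q = recent[actor]
        q.append((t, ev["device"]))
        while q and t - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold and actor not in alerted:
            alerted.add(actor)                 # one alert per actor, raised when the line is crossed
            alerts.append({
                "actor": actor,
                "device_count": len(devices),
                "window_start": q[0][0].isoformat(),
                "window_end": t.isoformat(),
                "source_ip": ev.get("source_ip"),
            })
    return alerts


# Constructed sample log: one service account wipes six devices in under two minutes,
# a helpdesk user retires two devices 38 minutes apart, and a sync event is noise.
SAMPLE_EVENTS = """
{"time": "2026-03-10T01:02:00+00:00", "actor": "helpdesk.jane", "action": "retire", "device": "dev-101", "source_ip": "10.20.0.14"}
{"time": "2026-03-10T02:14:05+00:00", "actor": "svc-mdm-automation", "action": "wipe", "device": "dev-001", "source_ip": "203.0.113.55"}
{"time": "2026-03-10T02:14:20+00:00", "actor": "svc-mdm-automation", "action": "wipe", "device": "dev-002", "source_ip": "203.0.113.55"}
{"time": "2026-03-10T02:14:30+00:00", "actor": "svc-mdm-automation", "action": "sync", "device": "dev-003", "source_ip": "203.0.113.55"}
{"time": "2026-03-10T02:14:41+00:00", "actor": "svc-mdm-automation", "action": "wipe", "device": "dev-003", "source_ip": "203.0.113.55"}
{"time": "2026-03-10T02:15:03+00:00", "actor": "svc-mdm-automation", "action": "wipe", "device": "dev-004", "source_ip": "203.0.113.55"}
{"time": "2026-03-10T02:15:27+00:00", "actor": "svc-mdm-automation", "action": "wipe", "device": "dev-005", "source_ip": "203.0.113.55"}
{"time": "2026-03-10T02:15:50+00:00", "actor": "svc-mdm-automation", "action": "wipe", "device": "dev-006", "source_ip": "203.0.113.55"}
{"time": "2026-03-10T01:40:00+00:00", "actor": "helpdesk.jane", "action": "retire", "device": "dev-102", "source_ip": "10.20.0.14"}
"""

if __name__ == "__main__":
    for alert in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']} wiped {alert['device_count']} devices "
              f"between {alert['window_start']} and {alert['window_end']} from {alert['source_ip']}")
```

The alert fires the moment the fifth distinct device is hit rather than after the fact, so wiring it to a step that suspends the actor's session or revokes its token turns it into a circuit breaker; tune the threshold to what your own helpdesk legitimately does in ten minutes, and consider a lower threshold for service principals and for any actor whose source address is outside your normal admin ranges.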

What you should do

The defenses are unglamorous but effective, and CISA spells them out. Change every default password, and never expose a PLC or its control screen directly to the internet; put it behind a VPN that itself requires multi-factor authentication. Turn on multi-factor authentication for all remote and administrator access, and tightly restrict who can use device-management consoles, since a single hijacked console account can issue destructive commands to an entire fleet. Separate the network that runs physical equipment from the regular office network, so a breach on one side cannot jump to the other. Keep offline, tested backups of both IT systems and PLC logic and configuration, so a wiper or a defaced controller cannot become permanent. Smaller utilities can lean on free CISA resources and their state and sector partners to get started.

The bigger picture

This is the same destructive approach Iran has used before, from the Shamoon wipers against Saudi oil firms to Handala's more recent claims against other targets. What is new is that it is now aimed at everyday American services. For defenders in the United States, the lesson from Iran-linked activity in 2026 is simple: treat exposed industrial gear and powerful admin tools as the front line, because that is exactly where these attacks are landing. CISA's current guidance is in its 2026 advisory and the earlier water-sector advisory.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
