Operation Roaring Lion & Epic Fury: How the Iran–Israel–US Conflict Is Reshaping Global Third-Party Cyber Risk

On March 11, 2026, employees at Stryker offices around the world switched on their computers to find blank screens, each displaying the logo of Handala, an Iran-linked hacking group. In the space of three hours, one of the world’s largest medical technology companies had its entire endpoint environment wiped across six continents. Order processing stopped. Manufacturing lines halted. Hospitals waiting on surgical equipment got silence.

Stryker makes orthopedic implants. It is headquartered in Michigan. It has no direct role in the conflict. None of that mattered.

The attack did not care about Stryker’s geography, its industry, or its intentions. It cared about access. And access, in a globally connected vendor ecosystem, is almost always available if you know where to look.

This is third-party cyber risk in the age of geopolitical conflict. It is not a regional problem. It is not a defense-sector problem. It is a supply chain problem, and it is active right now.

Two Operations, One Global Threat Surface

On February 28, 2026, the United States and Israel launched a significant joint offensive: Operation Epic Fury on the US side, and Operation Roaring Lion on the Israeli side. Targets included Iranian leadership, IRGC facilities, and nuclear infrastructure.

The kinetic strikes were precise and geographically bounded. The cyber response was neither.

Alongside the strikes, Iran was plunged into a near-total digital blackout. NetBlocks confirmed that internet connectivity fell to just 4% of normal levels. State television satellite feeds were replaced with opposition broadcasts. A prayer app with over 30 million installations was hijacked to broadcast messages to soldiers.

With its conventional military capabilities degraded and its communications infrastructure shattered, Iran had one instrument of retaliation left at scale: its cyber proxy network, built over years and pre-positioned in vendor ecosystems, cloud environments, and industrial control systems across the globe.

That network activated immediately, and it did not limit itself to targets in the Middle East.

The Threat Decentralized. It Did Not Disappear.

This is the aspect of the current conflict that most vendor risk programs are not equipped to process: the threat did not diminish when Iran went offline. It redistributed.

Palo Alto Networks Unit 42 assessed that the degradation of Iranian state command structures would hinder coordinated, sophisticated cyberattacks in the near term. But attacks from proxy groups and activists operating outside Iran escalated sharply in the same window.

In March 2026, the Islamic Cyber Resistance, an Iranian-linked hacktivist coalition, announced a recruitment campaign of “cyber experts and resources” for what it described as “the great epic battle.” Over 60 individual groups mobilized, including pro-Russian factions, coordinating via Telegram channels that operate entirely outside Iran’s disrupted infrastructure. More than 150 hacktivist incidents were recorded in the first days of the conflict, with documented spillover into energy, finance, IT, and critical infrastructure sectors across 16 countries.

John Hultquist, Chief Analyst at Google’s Threat Intelligence Group, stated: “We expect Iran to target the US, Israel, and GCC countries with disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure.”

Targets of opportunity. That phrase carries the full weight of what third-party risk teams need to understand. The targeting logic in this conflict is not limited to named adversaries or strategic assets. It follows access, visibility, and whatever is reachable within a vendor’s exposed attack surface.

A Conflict That Has Already Crossed Every Border

The geographic scope of cyber activity tied to this conflict should recalibrate how any organization thinks about its exposure, regardless of where it operates.

In the week following February 28, the most impacted regions by hacktivist activity were Israel, Kuwait, and Jordan. The most targeted industries globally were national government, aerospace and defense, and technology. But the spillover extended well beyond those categories.

Iranian state-sponsored groups, including CyberAv3ngers, APT33, and APT55, ran password-spraying campaigns against US energy companies. MuddyWater, operating under Iran’s Ministry of Intelligence and Security, functioned as an initial access broker: breaching telecommunications, oil and gas, and government networks, harvesting credentials, and passing that access downstream to other actors for exploitation. The Fatimiyoun Electronic Team targeted Western financial and energy firms with the goal of deploying wiper malware.

GPS spoofing and automatic identification system interference affected more than 1,100 ships across the Gulf region, disrupting maritime logistics at scale. Two AWS data centers in the UAE were physically destroyed. Flashpoint identified targeted attacks on industrial control systems across the region, disrupting manufacturing and energy distribution operations.

The conflict produced activity well beyond the Middle East. North America, the Gulf states, the Schengen Area, and the Indo-Pacific all recorded incidents. The common thread across all of it was not geography. It was a connection to industries, vendors, and infrastructure that the attacking groups had either pre-positioned access to, or could reach through a supplier.

The Stryker Case: How Supply Chain Exposure Works in Practice

The Stryker incident is worth examining in detail, not because it is exceptional, but because it makes the supply chain attack mechanism unusually transparent.

Handala did not use a zero-day vulnerability. It did not need one. The group compromised an administrator account, then used Microsoft Intune, a legitimate endpoint management platform used by tens of thousands of organizations globally, to issue a remote wipe to every device enrolled in Stryker’s tenant. The operation ran for approximately three hours before detection. Stryker confirmed the incident in an SEC 8-K filing, reporting disruption across 61 countries. CISA issued an advisory urging organizations to harden their Microsoft Intune and Microsoft Entra ID (formerly Azure AD) environments.

Palo Alto Networks Unit 42 had warned explicitly that “state-sponsored campaigns are likely to target victims’ supply chains, critical infrastructure, vendors, and providers.” The Stryker attack is the documented execution of that playbook.

What the Stryker case makes visible is the general mechanism. An initial access broker compromises a supplier, harvests credentials and maps the environment, then passes that access downstream. A second actor deploys the payload against the downstream victim. The supplier is not the ultimate target; it is the vector.

Every organization in your vendor ecosystem that holds privileged access to shared infrastructure is a potential version of that vector. Most of them are not running continuous monitoring of their own external attack surface. Most of them do not have real-time threat intelligence feeding into their security posture. Most of them completed your vendor questionnaire several months ago.

What Conventional TPRM Cannot See

This conflict exposes three structural gaps in conventional vendor risk management, and they apply to any organization that relies on it.

The first is that static risk scoring does not reflect live targeting. Unit 42 has noted that Iranian state-sponsored capabilities are routinely deployed in destructive and psychological operations, with a documented focus on supply chains and high-value providers. A vendor risk score computed from a questionnaire completed last quarter says nothing about what APT33’s current password-spraying campaign is doing to that vendor’s environment today. The gap between assessment date and threat date is where breaches happen.

The second is that point-in-time assessment misses continuously shifting exposure. The attack surface of any organization changes daily. New cloud assets are spun up. Administrative credentials are reused across systems. VPN gateways go unpatched. These exposures are only visible if someone is continuously looking at them from the outside, across your critical third parties, not just across your own perimeter.

The third is that vendor risk frameworks are not built to incorporate geopolitical context dynamically. A vendor serving an energy company in the Gulf, running a shared SaaS platform used by defense-adjacent clients, or operating infrastructure in a region under active targeting has a risk profile that changes when a conflict erupts. The annual reassessment cycle does not move at the speed of a hacktivist coalition forming on Telegram overnight.

What to Prioritize Right Now

Audit privileged access across vendors using Microsoft cloud infrastructure. The Stryker attack vector is now a documented, replicable playbook. Any vendor using Microsoft Intune or Microsoft Entra ID (formerly Azure AD) should be assessed for phishing-resistant MFA on administrative roles, just-in-time admin access (Entra Privileged Identity Management is the native control), and secondary approval requirements for high-impact commands including mass device wipes. Ask as well whether Intune audit events are forwarded to a SIEM and whether a burst of wipe actions from a single account would raise an alert: the Stryker operation ran for roughly three hours before anyone noticed.
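A detection of that kind, as an added example that is not from the article, CISA or Microsoft: it groups destructive Intune-style audit events per actor and alerts when one account issues a run of wipe or retire actions inside a short window. The event records are constructed, and the field names (activityType, activityDateTime, actor.userPrincipalName, resources[].displayName) are assumptions modelled on Microsoft Graph’s deviceManagement/auditEvents; check them against the live schema before wiring this to a real feed.

```python
"""Burst detection for destructive Intune device actions.

Added example for this article, not code from Stryker, Microsoft or CISA.
The events are constructed; the field names mimic Microsoft Graph
deviceManagement/auditEvents and are assumptions to verify against the
real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Activity names treated as destructive. Assumption: the live feed may use
# different display strings, so keep the mapping in one place.
DESTRUCTIVE_ACTIONS = {"Wipe ManagedDevice", "Retire ManagedDevice",
                       "Delete ManagedDevice"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_event(actor, activity, device, when):
    """Build one audit record in the assumed Graph-like shape."""
    return {"activityType": activity,
            "activityDateTime": when.strftime(TIME_FMT),
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device}]}


# Constructed sample: one service account wipes eight laptops 24 seconds
# apart, plus an unrelated config change and a single helpdesk wipe later.
BASE = datetime(2026, 3, 11, 6, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    make_event("svc-intune-admin@contoso.example", "Wipe ManagedDevice",
               f"LAPTOP-{i:04d}", BASE + timedelta(seconds=24 * i))
    for i in range(8)
] + [
    make_event("svc-intune-admin@contoso.example", "Create DeviceConfiguration",
               "Baseline-Win11", BASE - timedelta(hours=2)),
    make_event("helpdesk.user@contoso.example", "Wipe ManagedDevice",
               "LAPTOP-9001", BASE + timedelta(hours=3)),
]


def normalize(raw):
    """Flatten one raw record to the fields the detector needs."""
    when = datetime.strptime(raw["activityDateTime"], TIME_FMT)
    return {"actor": raw["actor"]["userPrincipalName"],
            "activity": raw["activityType"],
            "device": raw["resources"][0]["displayName"] if raw["resources"] else None,
            "when": when.replace(tzinfo=timezone.utc)}


def _alert(actor, burst):
    return {"actor": actor, "count": len(burst),
            "first": burst[0]["when"], "last": burst[-1]["when"],
            "devices": [e["device"] for e in burst]}


def find_wipe_bursts(events, window_minutes=10, threshold=5):
    """One alert per actor for each run of >= threshold destructive actions
    whose first and last events fall within window_minutes of each other."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["activity"] in DESTRUCTIVE_ACTIONS:
            per_actor[ev["actor"]].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for actor, evs in per_actor.items():
        evs.sort(key=lambda e: e["when"])
        burst = [evs[0]]
        for ev in evs[1:]:
            if ev["when"] - burst[0]["when"] <= window:
                burst.append(ev)
                continue
            if len(burst) >= threshold:
                alerts.append(_alert(actor, burst))
            burst = [ev]          # start a new run anchored at this event
        if len(burst) >= threshold:
            alerts.append(_alert(actor, burst))
    return alerts


def analyze(raw_events, **kw):
    """Normalize raw audit records and run the burst detector."""
    return find_wipe_bursts([normalize(r) for r in raw_events], **kw)


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {a['actor']}: {a['count']} destructive actions in "
              f"{span:.0f}s, first devices {a['devices'][:3]}")
```

The threshold and window are tuning knobs: a helpdesk wiping one lost laptop stays silent, while eight wipes from one account in under three minutes fires. Whatever values you pick, the alert has to reach a human who can revoke the session or disable the account, because the wipe itself is irreversible once issued.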

Map sector and infrastructure exposure across your vendor inventory. Identify which of your third parties operate in energy, telecommunications, defense-adjacent, logistics, or healthcare sectors, and which share cloud or SaaS infrastructure with high-value targets. Concentration risk in shared platforms is real, and this conflict has demonstrated it.

Run continuous attack surface monitoring on your most critical vendors. Initial access almost always begins with something externally visible: an exposed credential, an unpatched VPN gateway, a misconfigured management interface. Continuous ASM across your critical vendor tier closes the detection window before an attacker establishes a foothold. Point-in-time assessments do not.

Integrate live threat intelligence into vendor risk tiers. Your risk scoring needs to reflect what is happening in the threat landscape now, not at your last assessment date. Iranian APT targeting patterns, hacktivist coalition activity, and dark web initial access broker listings need to feed dynamically into how you prioritize vendor oversight.
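One way to make vendor tiers move with the threat picture, covering both the sector and concentration mapping above and the live intelligence point, as an added example that is neither Sling’s scoring model nor anything from the cited reports: it first finds the platforms through which several vendors hold privileged access, then rescores every vendor against an intel record of targeted sectors, regions and platforms and a maximum assessment age. The vendor records, the intel record, the weights and the tier cut-offs are all constructed assumptions; the structure is the point, and it shows a print supplier that a questionnaire would score low rising to an elevated tier once its platform is being targeted and its assessment has gone stale.

```python
"""Re-tier a vendor inventory against live targeting context.

Added example for this article; not Sling's or any vendor's scoring model.
Vendor records, the intel record, weights and tier thresholds are constructed
assumptions to be replaced with your own inventory and feeds.
"""
from collections import defaultdict
from datetime import date

# Constructed vendor inventory (assumed fields exported from a TPRM system).
VENDORS = [
    {"name": "GulfGrid Services", "sector": "energy", "regions": {"AE", "KW"},
     "platforms": {"intune", "entra_id"}, "privileged_access": True,
     "last_assessed": date(2025, 9, 2)},
    {"name": "MedLogix", "sector": "healthcare", "regions": {"US", "DE"},
     "platforms": {"intune", "entra_id", "okta"}, "privileged_access": True,
     "last_assessed": date(2026, 2, 10)},
    {"name": "Harbor Freight Brokers", "sector": "logistics",
     "regions": {"SG", "NL"}, "platforms": {"jamf"}, "privileged_access": False,
     "last_assessed": date(2025, 12, 1)},
    {"name": "PaperClip Print", "sector": "office_supplies", "regions": {"US"},
     "platforms": {"intune"}, "privileged_access": False,
     "last_assessed": date(2025, 6, 15)},
]

# Constructed intel snapshot. In production this is refreshed from your
# threat-intelligence feeds, never edited by hand.
INTEL = {
    "as_of": date(2026, 3, 12),
    "targeted_sectors": {"energy", "telecom", "government", "defense",
                         "finance", "healthcare", "technology"},
    "targeted_regions": {"IL", "KW", "JO", "AE", "SA", "US"},
    "targeted_platforms": {"intune", "entra_id"},
    "max_assessment_age_days": 90,
}


def platform_concentration(vendors, min_vendors=2):
    """Platforms through which at least min_vendors vendors hold privileged access."""
    holders = defaultdict(set)
    for v in vendors:
        if v["privileged_access"]:
            for platform in v["platforms"]:
                holders[platform].add(v["name"])
    return {p: names for p, names in holders.items() if len(names) >= min_vendors}


def score_vendor(vendor, intel, concentrated):
    """Additive score plus the reasons behind it (weights are assumptions)."""
    score, reasons = 0, []
    if vendor["sector"] in intel["targeted_sectors"]:
        score += 2
        reasons.append(f"sector '{vendor['sector']}' under active targeting")
    regions = vendor["regions"] & intel["targeted_regions"]
    if regions:
        score += min(len(regions), 2)
        reasons.append(f"operates in targeted regions {sorted(regions)}")
    hot = vendor["platforms"] & intel["targeted_platforms"]
    if hot:
        score += 2 if vendor["privileged_access"] else 1
        reasons.append(f"uses targeted platforms {sorted(hot)}")
    if vendor["privileged_access"] and vendor["platforms"] & set(concentrated):
        score += 1
        reasons.append("privileged access on a platform shared with other vendors")
    age = (intel["as_of"] - vendor["last_assessed"]).days
    if age > intel["max_assessment_age_days"]:
        score += 1
        reasons.append(f"last assessment is {age} days old")
    return score, reasons


def tier_for(score):
    """Cut-offs are assumptions; tune them to your own tiering scheme."""
    return "critical" if score >= 6 else "elevated" if score >= 3 else "standard"


def retier(vendors, intel):
    """Rescore every vendor and return them highest-risk first."""
    concentrated = platform_concentration(vendors)
    rows = []
    for v in vendors:
        score, reasons = score_vendor(v, intel, concentrated)
        rows.append({"name": v["name"], "score": score,
                     "tier": tier_for(score), "reasons": reasons})
    return sorted(rows, key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in retier(VENDORS, INTEL):
        print(f"{row['tier']:9} {row['score']:2}  {row['name']}: "
              + "; ".join(row['reasons']))
```

The reasons list matters as much as the number: when a vendor jumps a tier overnight, the analyst reviewing it should see that it was the platform and the stale assessment that moved it, not an opaque score, so the follow-up (a fresh assessment, a check on MFA and admin approval settings, or an ASM sweep) is obvious.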

Stress-test your continuity posture for total loss scenarios. Most business continuity plans are not designed for the simultaneous loss of all managed endpoints at a critical vendor. Run a tabletop exercise that assumes a Stryker-style event at one or more vendors simultaneously. Discover your actual recovery posture before an attacker forces you to find out in production.

Calibrate your response to hacktivist claims carefully. Google’s Threat Intelligence Group has noted that “Iran has historically had mixed results with disruptive cyberattacks and frequently fabricates and exaggerates effects in an effort to boost psychological impact.” Claims should neither be accepted at face value nor dismissed as noise. Triage every claim against your own vendor monitoring data and confirmed threat intelligence before acting or communicating to the board.

The Cyber Campaign Will Outlast the Kinetic One

Operation Roaring Lion and Operation Epic Fury have no clear endpoint. The kinetic phase may evolve, pause, or escalate. The cyber campaign will not follow the same arc.

With conventional military options degraded, cyber has become Iran’s primary remaining instrument of asymmetric retaliation. That instrument does not require functioning state command structures to operate. It runs on pre-positioned access, a distributed proxy network, and franchised hacktivist coalitions that were built over years precisely for this scenario.

The broader lesson of this conflict for vendor risk management is that geopolitical events now activate cyber exposure that was already embedded in your supply chain, exposure that existed before the first strike, that no questionnaire surfaced, and that no annual assessment cycle would have caught. The organizations that discover this the hard way will do so through an incident, not a report.

The question for every security and vendor risk leader right now is not whether your own environment is hardened. It is whether you have continuous, intelligence-driven visibility into the exposure your vendors carry, and whether your program moves at the speed the threat does.

Most programs do not. This conflict is a concrete demonstration of what that gap costs.


Sources: Kela Cyber, Palo Alto Networks Unit 42 (March 2026 Threat Brief), Google Threat Intelligence Group, NetBlocks, Flashpoint, CloudSEK, eSentire, CISA, SEC 8-K (Stryker Corporation), Industrial Cyber, Euronews.

Contact Us

Let’s explore how Sling can work for you.