Nation-State Cyberattacks in 2026: What Businesses Must Do to Stay Protected
On February 28, 2026, coordinated military strikes by the United States and Israel targeted locations in Iran, resulting in the confirmed death of Iran’s Supreme Leader. In retaliation, cyber threat activity has been directed at Western businesses, and that wave is still growing.
U.S. officials believe the most significant wartime cyberattack carried out by Iran against American targets so far occurred on March 11, 2026 — when Stryker Corporation, one of the world’s largest medical device companies, had tens of thousands of its employees forced offline, causing global disruption to its operations.
The Michigan-based company, which reported revenues of over $25 billion in 2025 and serves more than 150 million patients across 61 countries, confirmed a global network disruption to its Microsoft environment as a result of the attack.
For a deeper technical breakdown, read our wiper attack analysis.
US Healthcare, Defense, and Government Vendors Targeted
Although the healthcare and life sciences sector faces acute risk right now, the threat posed by Iran-linked actors is not limited to that sector. Going forward, U.S. defense contractors, government vendors, businesses that work with Israel, and critical infrastructure such as hospitals, ports, water plants, power stations, and railways are all likely targets.
The U.S. Department of Homeland Security has warned that “ongoing claims and calls for cyberattacks targeting U.S. entities by Iranian-aligned groups could lead to an increase in malicious activity against the financial services sector,” noting that “historically, the U.S. financial sector has been viewed as a priority target.”
In plain terms: if your organization is American, works with American or Israeli partners, operates in critical industries, or simply has a public-facing digital presence — you are in scope.
What These Attacks Look Like in Practice
- Data Destruction (Wiper Attacks) — Iranian-linked tools are built to permanently erase your data, with no recovery possible and no ransom that can fix it.
- Business Disruption — Systems taken offline, operations halted, and your brand dragged publicly — the goal is damage, not money.
- Psychological Operations — Fake messages from “your CEO,” fabricated emergency alerts, deepfake audio — designed to cause panic inside your workforce before you even know you’re under attack.
You can also explore how modern attack techniques are evolving in our analysis of AI-driven threats.
The Bottom Line on Business Risk
The question right now is simple: Are you prepared, and do you know it?
Leaders should find out what steps have been taken to ensure the business is not at risk, how the company has engaged with partners to detect attacks, and how technology is being used to do so.
This conflict could take many twists and turns and move in a lot of different directions. It is not one we are going to tidily wrap up and move on from in a few days.
What Your Security Team Should be Doing
Your security team should be directed to implement the following protective measures immediately, across the whole environment. Leaders should understand what each enforcement means for the business:
Blocking Connections from Iran and High-Risk Countries - Configuring systems so that no login or access attempt originating from Iran — or other high-risk nations — can reach business applications, email, or internal systems. Think of it as locking a specific door that we have no legitimate reason to leave open.
Ensuring Only Trusted, Known Devices Can Access Our Systems - Tightening the requirement that anyone accessing company systems must be doing so from a company-approved, verified device. Unrecognized or unmanaged devices — even with valid credentials — will be blocked.
Strengthening How Staff Prove Their Identity - Sophisticated attackers can trick standard password-and-code login methods. MFA needs to be enforced for every user.
Monitoring for Unusual Behaviour 24/7 - Activate enhanced monitoring that flags anything out of the ordinary, such as logins from unexpected locations, large file downloads, and access at unusual hours.
Locking Down Administrator-Level Access - The accounts with the highest level of power inside our systems are being placed under stricter controls. No one holds permanent elevated access; it must be actively requested, approved, and it expires automatically.
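As an added example (not the article's or ProArch's own code), the following Python script applies the five controls above to constructed sign-in records and returns the block or alert decision each one implies; the blocked-country list, working-hours window, download threshold and admin-session limit are assumed values a team would tune to its own environment.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the article); tune these to your environment.
BLOCKED_COUNTRIES = {"IR", "KP", "RU"}   # Iran plus other assumed high-risk countries
WORK_HOURS = range(6, 21)                # 06:00-20:59 local time treated as normal
BULK_DOWNLOAD_BYTES = 500 * 1024 * 1024  # 500 MiB in one session counts as a bulk download
ADMIN_MAX_SESSION_HOURS = 4              # just-in-time elevation must expire by then

@dataclass
class SignIn:
    user: str
    country: str           # ISO 3166-1 alpha-2 code taken from the sign-in log
    device_managed: bool   # True only for company-enrolled, verified devices
    mfa_satisfied: bool
    local_hour: int        # hour of day in the user's usual time zone
    bytes_downloaded: int = 0
    admin_session_hours: float = 0.0  # >0 when the session holds an admin role

def evaluate(event: SignIn) -> list[str]:
    """Return the block/alert decisions the five controls imply for one sign-in."""
    findings = []
    if event.country in BLOCKED_COUNTRIES:
        findings.append("BLOCK_GEO")                 # door with no legitimate use
    if not event.device_managed:
        findings.append("BLOCK_UNMANAGED_DEVICE")    # valid credentials are not enough
    if not event.mfa_satisfied:
        findings.append("BLOCK_NO_MFA")
    if event.local_hour not in WORK_HOURS:
        findings.append("ALERT_UNUSUAL_HOUR")
    if event.bytes_downloaded >= BULK_DOWNLOAD_BYTES:
        findings.append("ALERT_BULK_DOWNLOAD")
    if event.admin_session_hours > ADMIN_MAX_SESSION_HOURS:
        findings.append("ALERT_STANDING_ADMIN")      # elevated access that did not expire
    return findings

def triage(events: list[SignIn]) -> list[tuple[str, list[str]]]:
    """Keep only the sign-ins that need action, paired with their findings."""
    return [(e.user, f) for e in events if (f := evaluate(e))]

# Constructed sample sign-ins; not real log data.
SAMPLE = [
    SignIn("alice", "US", True, True, 10),
    SignIn("bob", "IR", True, True, 14),
    SignIn("carol", "US", False, True, 3, bytes_downloaded=2 * 1024**3),
    SignIn("dave", "GB", True, False, 9, admin_session_hours=12),
]

if __name__ == "__main__":
    for user, findings in triage(SAMPLE):
        print(user, findings)
```

In a real deployment the geo, device and MFA decisions belong in the identity provider's access policy, while the hour, download and standing-admin checks feed the monitoring queue.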
Our Requests for You and Your Teams
Technology alone cannot protect us. The human layer matters enormously right now. Please cascade the following to your teams:
- Be sceptical of urgency. Stop and verify any unexpected message, even from a name you recognize, that asks you to click a link, approve a payment, or share credentials.
- Do not ignore security update prompts. If your device is asking you to update, please do so promptly.
- Report anything that feels wrong. Report an unusual email, a login you do not recognize, or a system behaving oddly to the IT security team immediately. Early reporting can be the difference between a minor incident and a major one.
- Be aware of deepfakes and impersonation. If you receive a voice message or video that seems out of character for a colleague or leader, especially one requesting urgent action, treat it with suspicion.
We encourage everyone to actively collaborate with trusted vendors like ProArch to strengthen our security posture. Working closely with knowledgeable partners helps ensure we remain vigilant and resilient against evolving threats. Together, we can protect our organization and maintain a secure environment for all.
Talk to our cybersecurity experts to assess your readiness and reduce risk.
