March 27, 2026 | Policy Brief

Iranian Cyber Operations Take Advantage of Weakened U.S. Defenses

The agency responsible for defending against Iranian cyberattacks is running at less than half strength, so perhaps cyber strikes against two U.S. healthcare companies in two weeks should not be surprising. According to a new report from cybersecurity firms Halcyon and Beazley Security, an Iran-linked ransomware group targeted an unnamed U.S. healthcare provider in late February, encrypting its systems in under three hours. On March 11, separate Iranian hackers wiped more than 200,000 phones, laptops, and other equipment at medical device giant Stryker. The twin attacks reflect a deliberate, long-running campaign against American healthcare infrastructure.

Iranian Hackers Disrupt and Destroy Systems

In late February, an Iranian ransomware gang, which the FBI previously determined is associated with the regime in Iran, compromised a healthcare provider’s network, rapidly encrypting the entire environment. Unlike traditional ransomware operations, the group issued no ransom demand and stole no data. Former FBI Cyber Deputy Director Cynthia Kaiser warned that the operation marked a “significant departure” from the group’s standard behavior, going on to explain, “When a group that usually steals data before encrypting suddenly skips that step, we need to wonder whether disruption — not just leverage — was the goal.”

Weeks later, Iranian hackers known as Handala, working for Iran’s Ministry of Intelligence and Security (MOIS), struck Stryker, using the company’s own device management software to delete data from more than 200,000 employee devices. Federal prosecutors stated the attack “had a direct impact on emergency medical services and hospitals within Maryland,” prompting some hospitals to temporarily suspend connections to the company. Some hospitals reportedly postponed surgeries because Stryker implants were unavailable. Taken together, the two attacks signal that Iranian actors are no longer content to encrypt systems for profit; they are deliberately degrading American healthcare.

Iran’s Long Campaign Against U.S. Healthcare

Since 2011, government-backed and pro-regime hackers have conducted dozens of cyber operations against Americans. Healthcare has been a recurring, deliberate target. In 2021, Iranian hackers linked to the Islamic Revolutionary Guard Corps attempted to steal sensitive information from American medical researchers. That same year, Iranian state-sponsored hackers attempted to breach Boston Children’s Hospital, one of the country’s most prominent pediatric hospitals. Then-FBI Director Christopher Wray called the operation “one of the most despicable cyberattacks I’ve seen.” The Boston attack was foiled only because the FBI warned the hospital in real time.

A year later, the Department of Justice (DOJ) indicted the Iranian operatives responsible for that and hundreds of other attacks on companies, many of which provide critical services to Americans. Last week, DOJ similarly sought to punish Iranian hackers by seizing websites that Handala and other MOIS-backed groups used to conduct their operations. FBI Director Kash Patel pledged “to hunt down every actor behind these cowardly death threats and cyberattacks.” One day after the takedown, however, Handala restored its websites.

Congress Must Protect Our Critical Infrastructure

The attacks happened as the federal government’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA), is in a freefall. Testifying before Congress on March 25, CISA’s acting director, Nick Andersen, warned that roughly 60 percent of the agency’s workforce was furloughed, even as the nation faces “increasing pressure from nation-state and criminal actors targeting our nation’s critical infrastructure.” What has been “scaled back or paused,” Andersen testified, are “the very activities that reduce systemic risk over time” — in other words, the types of warning systems that stopped the Boston Children’s attack.

In light of the shortfalls Andersen described and the agency’s own assessment prior to the department shutdown that it is 40 percent understaffed in “key mission areas,” Congress must not only fund CISA but also demand the agency explain how it is addressing its workforce gaps following a year of cuts. Simultaneously, the DOJ and the Treasury Department should go beyond website takedowns and indictments and sanctions of hackers themselves, to additionally go after the command-and-control infrastructure, financial networks, and cryptocurrency intermediaries that enable and sustain these operations. Iran is hitting harder. Washington cannot afford to act with any less force.

Annie Fixler is the director of the Center on Cyber and Technology Innovation (CCTI) and senior fellow at the Foundation for Defense of Democracies (FDD). Aarushi Garg is a CCTI intern. For more analysis from the authors and CCTI, please subscribe HERE. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.