Cyber Security Report - March 2026
Apr 20 (updated Apr 21)
Research by OSINT Monitoring Team, NTT Security Japan K.K
Original report in Japanese: サイバーセキュリティレポート 2026年03月 | セキュリティナレッジ | NTTセキュリティ・ジャパン株式会社
Page Summary
This report selects and summarizes three topics that are considered particularly important among the various information security-related incidents and events that occurred during March 2026 and the changes in the environment surrounding them. The abstract of each topic is as follows.
Chapter 1: Cyber Attacks on Iran by U.S. and Israeli Forces
The United States and Israel have been hostile to Iran for the past few decades, viewing as threats Iran's nuclear and missile development and its efforts to increase its influence in the Middle East by supporting armed groups such as Hamas.
In March 2026, the United States and Israel launched military action and killed Khamenei. Israel is reported to have been hacking traffic surveillance cameras in Iran for a long time, since peacetime, to track Khamenei's movements. In addition, there has been a series of cyberattacks, such as apps used by many people being compromised and political messages being distributed through them.
This case can be said to highlight once again the reality that activities in cyberspace continue regardless of peacetime or emergency, and that cybersecurity measures taken in peacetime are essential for organizations and nations.
Chapter 2: Iranian Hacktivists Strike Back Against U.S. Companies: Geopolitical Implications in Cyberspace
The hacktivist group "Handala", which has been pointed out to have ties to Iran's Ministry of Information and Security, claimed on its website that it carried out a cyber attack on Stryker, a major US medical device company. As a result of this attack, a large number of terminals were initialized at the company's business bases in Japan and overseas, and major operations were suspended.
Handala views the attack as part of an act of retaliation stemming from geopolitical conflicts and concludes that Stryker is a Zionist-rooted company.
To deal with such a serious situation, it is necessary to review the design of access permissions and take measures against unnecessary authentication, and to strengthen security measures such as hardening the management platform, including the endpoint management system.
Chapter 3: Man Arrested for Disguising a Ransomware Infection and Obstructing Business Operations
A 38-year-old man was arrested on suspicion of obstruction of business by damaging an electronic computer. Six months earlier, the suspect had misused his workplace's server to stage a fake ransomware infection.
The company to which the suspect belonged was forced to suspend operations due to investigation of the cause, etc., and suffered a loss of about 20 million yen due to investigation and data recovery.
This incident, which caused the organization losses in both time and money, shows that the risk of internal crime should not be taken lightly.
1. Cyber attacks on Iran by the US and Israeli forces
1.1. Outline
The United States and Israel launched military attacks on Iran in late February 2026. The airstrikes killed Supreme Leader Ali Khamenei and several government officials, and also caused many civilian casualties. In parallel with these physical means, cyberattacks have also been reportedly carried out in a series of military operations, including breaking into surveillance cameras and mobile app management systems.
1.2. Causes of confrontation and history so far
In the Iranian Revolution of February 1979, the pro-American monarch Mohammad Reza Shah Pahlavi was overthrown, and the anti-American Islamic Republic of Iran (hereinafter referred to as Iran) led by Khomeini was born. In the fall of the same year, Iranian students protested against the U.S. government's admission of the former Shah to the country, occupying the U.S. embassy in Tehran and taking diplomats hostage for more than a year. Diplomatic relations with the United States were severed.[1]
On the other hand, the ruling forces in charge of Iran's Islamist regime are also hostile to Israel, positioning Israel as an occupier of Palestine and denying its existence.[2]
While supporting armed groups such as Hezbollah in Lebanon and Hamas in the Palestinian Gaza Strip, Iran expanded its influence in the Middle East. These organizations act as "proxy forces" that exert influence without Iran's direct involvement.[3]
The United States, Israel's largest supporter, sees Iran's nuclear and missile development and the expansion of its proxy network as a serious security threat, and the US-Israel-Iran conflict has been going on for many years.[4], [5]
In recent years, Israel and Iran have intermittently carried out mutual missile attacks since Israel's invasion of Gaza in 2023. In the "12-day war" that occurred in June 2025, the United States and Israel jointly attacked Iran's defense and nuclear-related facilities, and Iran responded by launching missiles at US military bases in Qatar. [6], [7]
1.3. The attack and its purpose
In this situation, Iranian and U.S. officials held talks in Switzerland on February 26, and Iran demanded the lifting of U.S. economic sanctions in return for restricting nuclear development. Oman's foreign minister, who attended the talks as a mediator, said that significant progress had been made, and that talks between officials were scheduled to take place the following week.[8]
However, on the 28th, the United States and Israel launched a military attack on Iran. At the UN Security Council meeting on the same day, Secretary-General Guterres mentioned the nuclear talks in Switzerland, which showed some bright signs, and criticized the attack by the United States and Israel as "a waste of diplomatic opportunities."[9]
The military operation is named "Epic Fury" in the United States and "Roaring Lion" in Israel. US President Trump has listed military goals such as preventing Iran from acquiring nuclear weapons and destroying missile arsenals and production bases.[10]
On the other hand, there is a view that this military action is a comprehensive operation aimed at the Iranian regime itself, rather than a limited destruction of capabilities.[11]
1.4. Cyber attacks used in military operations
Two days after the start of the attack, General Caine, chairman of the U.S. Joint Chiefs of Staff, said, "[In the early stages of military operations], the focus was on systematically targeting Iranian command and control infrastructure, naval units, ballistic missile bases, and information infrastructure to confuse and upset the enemy," and revealed that this had deprived Iran of the ability to assess and respond to the situation.[12]
This statement is believed to support the fact that cyberattacks are planned and operated as an integral component of military operations, as seen in the following examples.
Using hacked surveillance cameras to kill dignitaries
Some media reported that Israeli intelligence agencies had been hacking almost every traffic surveillance camera in Tehran for years and transmitting footage to their country.[13]
This data was analyzed using algorithms and AI methods, and was used to understand the behavior patterns and movement routes of those involved in the security of dignitaries. An Israeli intelligence official said, "We knew Tehran as we knew Jerusalem."[14]
Meanwhile, U.S. intelligence agencies such as the Central Intelligence Agency (CIA) monitored the actions of Khamenei, political leaders, and senior military officials. On the day of the attack, the CIA conveyed to Israel that those targets would gather in a specific location. Based on this information, the Israeli army killed Khamenei and others during the day instead of the night as originally planned. [15]
Impact on the information and communication environment and app infringement
The military attack has also caused great disruption in the information and communication environment that supports Iran's civilian life.
IRNA (state-run Iranian News Agency) sites, critical infrastructure, and secure communication systems were shut down. Similar events were also observed in some regions in digital services provided by the government and apps for residents. Cyber attacks also occurred one after another. In addition to "DDoS", which generates a large amount of communication from multiple computers and causes the target web service to malfunction, and hacking data systems related to energy and aviation infrastructure, it was reported that "destructive messages" to Khamenei were displayed on the website of the Tasnim news agency, which is connected to the Islamic Revolutionary Guard Corps.[16]
The compromise of the "BadeSaba Calendar" app also attracted attention. It is a mobile app that announces Islamic prayer times and has been downloaded more than 5 million times in Iran. Someone abused the app's notification feature, and immediately after the first bombing of Iran a series of Persian messages with the subject line "Help came" was sent to users. Among them was a call to soldiers: "Don't be afraid of your brothers in Iran, if you protect them, they will protect you."[17]

1.5. Summary
What is noteworthy in this case is that cyber attacks were not limited to supporting combat, but also appear to have influenced the decision of whether to carry out physical attacks and whether those attacks succeeded. According to reports, information obtained from surveillance cameras and other sources provided clues to the whereabouts of the leadership, including Khamenei and senior government and military officials, which may have led to the decision to carry out an initial attack targeting the leadership. This was made possible by intelligence activities that had been going on for several years since peacetime, and it shows that civilian infrastructure such as surveillance cameras and communication networks can also become targets of cyber attacks in an emergency. This case can be said to highlight once again the reality that activities in cyberspace continue regardless of peacetime or emergency, and that cybersecurity measures taken in peacetime are essential for organizations and nations.
References
[1] Source: National Institute for Defense Studies, "History of the Gulf War, Chapter 1: The Outbreak of the Crisis: Iraq's Invasion of Kuwait"
[2] Source: Stimson Center, "What Drives Israel-Iran Hostility? How Might it be Resolved?"
[3] Source: Asahi Shimbun, "The rise and fall of the 'axis of resistance' predicting the whereabouts of the Middle East: The true face of armed organizations between the United States and Iran"
[4] Source: Council on Foreign Relations, "U.S. Aid to Israel in Four Charts"
[5] Source: Task & Purpose, "US, Iran move out of 'shadow war' but threat from proxy militias may remain"
[6] Source: The Economist, "Tracking the Israel-Iran war"
https://www.economist.com/interactive/middle-east-and-africa/2025/06/13/tracking-the-israel-iran-war
[7] Source: BBC News JAPAN, "Looking Back on the '12-Day War': Questions for the Future"
[8] Source: BBC News JAPAN, "Foreign Minister of Oman, an intermediary country, says 'big progress' has been made after U.S.-Iran nuclear talks end"
[9] Source: United Nations, "Iran strikes 'squandered a chance for diplomacy': Guterres"
[10] Source: Center for Strategic & International Studies, "Operation Epic Fury and the Remnants of Iran's Nuclear Program"
[11] Source: Royal United Services Institute, "Rapid Reaction to US-Israeli Joint Strikes on Iran"
[12] Source: TWZ (The War Zone), "War With Iran Now In Its Third Day"
[13] Source: Iran International, "Israel hacked security cameras, phones to track Khamenei - FT"
[14] Source: The Times of Israel, "Report: Israel hacked Tehran traffic cameras to track Khamenei ahead of assassination"
[15] Source: CNN.co.jp, "How the CIA Killed the Extremely Cautious Khamenei"
[16] Source: The Jerusalem Post, "Israel plunges Iran into darkness with largest cyberattack in history during attack against Iran"
[17] Source: WIRED JAPAN, "Is the prayer time app hacked?"
2. Iranian hacktivists fight back against U.S. companies: geopolitical implications in cyberspace
2.1. Outline
On March 11, the hacktivist group "Handala" claimed on its website that it had carried out a cyberattack on Stryker, a major US medical device company. A "hacktivist" is a person who conducts cyberattacks or information manipulation based on political or social claims. The group compromised a legitimate administrator account and abused Microsoft Intune, a device management platform.[18] As a result, a large number of terminals were initialized at the company's business bases in Japan and overseas, and major operations were suspended. [19], [20]

2.2. About Handala's attack
On February 28, a girls' elementary school in Minab, Hormozgan province in southern Iran was hit by a missile attack, killing more than 175 people. The Iranian government claims the attack was carried out by the United States and Israel, and several media outlets have also said that the US military likely accidentally attacked the school. [21]
Handala said it carried out a cyberattack on Stryker in retaliation for the missile attack.
Timeline
March 11
At around 3:30 a.m. EST, Handala performed a mass wipe through Microsoft Intune, a cloud-based service that centrally manages and secures employees' PCs, smartphones, and apps, which was used by Stryker [19]
The group had previously compromised Intune's administrator account, and it is believed that they abused Intune's legitimate features by using the privileges granted to this account. [18]
As a result, at least 200,000 devices (notebook PCs, smartphones, servers, personal terminals, etc.) were initialized almost simultaneously in the 61 countries where Stryker operates. [20]
The Handala logo appeared on the login screen of the employee's terminal, effectively halting Stryker's business activities. [22]
Handala also claimed that the group had stolen about 50 TB of data before performing the mass wipe.[20]
In response to this cyber incident, Stryker filed a current report on Form 8-K with the U.S. Securities and Exchange Commission (SEC), reporting the impact on its business activities. [23]
March 12 onwards
Disruptions to orders, manufacturing, and shipment continued to affect the work of nearly all of Stryker's 56,000 employees worldwide. [20] For example, in Ireland, the largest location outside the United States, more than 5,000 employees were sent home. [19]
March 18
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning directing organizations in the United States to harden their endpoint management systems, including Microsoft Intune. If the management infrastructure is misused as in this case, the impact can be widespread. For this reason, the measures CISA recommended include the "principle of least privilege" (granting administrators only the access rights they really need), enforcement of phishing-resistant multi-factor authentication, and involvement of multiple people in the approval process for critical operations such as device initialization. [24]
March 20
The U.S. Department of Justice said it had seized four domains used by Iran's Ministry of Information and Security (MOIS) as part of a crackdown on hacking and other illegal activities involving MOIS. One of them appeared in the URL of the site where Handala posted its claim of responsibility for the attack on Stryker, revealing that Handala's activities were part of MOIS's cyber operations. [25]
Why Stryker was targeted
Stryker is a global manufacturer of a wide range of medical devices directly involved in the treatment of surgical, orthopedic, neurological, and other departments. [26]
The company's devices are used annually for more than 150 million patients and play a crucial role in clinical practice. [27]
In its claim of responsibility, Handala said that Stryker is a company rooted in Zionism (that is, with strong ties to Israel). A security research firm cites the company's acquisition of Israel's OrthoSpace in 2019 and the $450 million supply contract between the U.S. Department of Defense, which plays a central role in military operations against Iran, and Stryker. [20]
Based on these reasons, Handala chose Stryker as a target not only because it is a large U.S. company, but also because its business activities are related to Israel and the U.S. government, which are at odds with Iran.
2.3. What is Handala?
The name Handala was used in social and political contexts long before it came to refer to an actor in cyberspace.
"Handala" as a symbol
"Handala" is a character in the form of a 10-year-old boy created by Palestinian cartoonist Naji al-Ali in 1969 and is a national symbol of Palestinian resistance. Depicting "Handala" forever at the age of 10 reflects the age at which the artist lost his homeland in 1948 through forced displacement at the founding of Israel, and the figure standing with his back turned represents his rejection of solutions imposed by the outside world. His bare feet and shabby clothing are considered symbols of refugees and poverty, and the figure continues to be used as an "icon of resistance" in protests and murals around the world.[28]
![Figure 3: "Handala" by Naji al-Ali [29]](https://static.wixstatic.com/media/a5aeba_e5bc0ae60f80468c92cd511b123b4c3f~mv2.png/v1/fill/w_285,h_349,al_c,q_85,enc_avif,quality_auto/a5aeba_e5bc0ae60f80468c92cd511b123b4c3f~mv2.png)
A group of hacktivists using the name "Handala"
The hacktivist group Handala, which uses the symbol's name, began its activities at the end of 2023. Multiple threat intelligence firms have analyzed that the group is an online persona posing as a hacktivist and is controlled by MOIS. [30]
Handala's modus operandi is characterized by a combination of various techniques, such as publishing data stolen through hacking, using custom wiper malware, and phishing. [30]
In addition, strongly asserting its own ideology and flaunting the execution of attacks goes beyond mere information dissemination and functions as psychological warfare and influence operations against hostile countries and organizations. Furthermore, the adoption of the group name "Handala" is presumed to be aimed at justifying its actions with a story of "righteous resistance" while making it less conspicuous that the group is a state actor. [25]

2.4. Impact on Business Continuity and Patient Safety
As mentioned above, Stryker's production management operations were disrupted for a while after the incident, but the company repeatedly announced on its website that its products themselves were not affected by the attack and were safe to use.[20] However, although no damage was caused to patients, emergency medical officials in Maryland, USA, reported widespread communication failures in Stryker's electrocardiogram data transmission platform.[31]
It was also reported that some hospitals had disconnected the company's equipment from their networks as a precautionary measure.[32]
The cyberattack caused significant disruption both inside and outside Stryker, but on April 1, the company announced that its global manufacturing network was fully operational, and also said that it had "sufficient inventory on most product lines," indicating that it was not significantly affecting business continuity and supply structure.[33]
2.5. Summary
This incident is an example of how the core business of private companies can be widely affected as geopolitical conflicts spill over into cyberspace. To achieve its goal of disrupting operations rather than extorting money, Handala compromised a legitimate administrator account and seized Stryker's device management infrastructure, forcing the company into a major business shutdown. To deal with such a serious situation, in addition to reviewing the design of access permissions and taking measures against unnecessary authentication, it is necessary to strengthen security measures such as hardening the management platform, including the endpoint management system.[34]
It is also important to separate the environment where privileged operations are possible from general business terminals and to use terminals dedicated to management work.
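As an added illustration of the controls described in the March 18 CISA advisory and in this summary (least privilege, a distinct second approver for device initialization, a dedicated admin terminal, and a brake on mass operations), the following policy gate evaluates wipe requests before they reach a management platform. This is example code written for this report, not Stryker's, Intune's or CISA's own; the role name, workstation names, thresholds and requests are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed policy values (assumptions for this example).
WIPE_ROLE = "DeviceWipeApprover"                # role allowed to request or approve a wipe
PRIVILEGED_WORKSTATIONS = {"PAW-01", "PAW-02"}  # terminals dedicated to admin work
MAX_WIPES_PER_WINDOW = 5                        # approved wipes one actor may issue per window
WINDOW = timedelta(minutes=10)


@dataclass
class WipeRequest:
    actor: str        # account requesting the wipe
    approver: str     # second person approving it
    source_host: str  # workstation the request was issued from
    device_id: str
    ts: datetime


@dataclass
class WipeGate:
    roles: Dict[str, Set[str]]  # account -> roles held
    history: List[Tuple[str, datetime]] = field(default_factory=list)  # approved wipes

    def check(self, req: WipeRequest) -> Tuple[bool, str]:
        """Apply the four controls in order; record the wipe only if all of them pass."""
        if WIPE_ROLE not in self.roles.get(req.actor, set()):
            return False, "actor lacks the wipe role"
        if req.approver == req.actor or WIPE_ROLE not in self.roles.get(req.approver, set()):
            return False, "a distinct second approver holding the wipe role is required"
        if req.source_host not in PRIVILEGED_WORKSTATIONS:
            return False, "request did not come from a privileged admin workstation"
        recent = [t for a, t in self.history if a == req.actor and req.ts - t < WINDOW]
        if len(recent) >= MAX_WIPES_PER_WINDOW:
            return False, "wipe rate limit exceeded; possible mass wipe"
        self.history.append((req.actor, req.ts))
        return True, "approved"


def demo() -> List[Tuple[bool, str]]:
    """Run constructed requests through the gate and return each decision."""
    gate = WipeGate(roles={"alice": {WIPE_ROLE}, "bob": {WIPE_ROLE}, "helpdesk": set()})
    t0 = datetime(2026, 3, 11, 3, 30)  # constructed timestamp
    decisions = []
    # Legitimate single wipe: two approvers, issued from an admin workstation.
    decisions.append(gate.check(WipeRequest("alice", "bob", "PAW-01", "dev-0001", t0)))
    # A hijacked admin account acting alone from an ordinary laptop is refused.
    decisions.append(gate.check(WipeRequest("alice", "alice", "LAPTOP-77", "dev-0002", t0)))
    # An account without the role is refused even with a valid approver.
    decisions.append(gate.check(WipeRequest("helpdesk", "bob", "PAW-01", "dev-0003", t0)))
    # Burst: even when every other control is satisfied, a mass wipe trips the rate limit.
    for i in range(6):
        req = WipeRequest("alice", "bob", "PAW-02", f"dev-1{i:03d}", t0 + timedelta(seconds=i))
        decisions.append(gate.check(req))
    return decisions


if __name__ == "__main__":
    for ok, reason in demo():
        print("ALLOW" if ok else "DENY ", reason)
```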
References
[18] Source: Smarttech247, "Handala Destructive Remote Wipes via Hijacked Intune and Entra"
[19] Source: Krebs on Security, "Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker"
[20] Source: Securonix, "Iran-backed Handala wiper attack devastates Stryker globally"
[21] Source: TIME, "More Than 100 School Children Were Killed in Iran. Evidence Points to a U.S. Missile Strike"
https://time.com/article/2026/03/11/iran-school-strike-minab-tomahawk/
[22] Source: ZERO DAY, "Iranian Hacktivists Strike Medical Device Maker Stryker in 'Severe' Attack that Wiped Systems"
[23] Source: U.S. Securities and Exchange Commission, "FORM 8-K - Stryker Corporation (March 11, 2026)"
[24] Source: CISA, "CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization"
[25] Source: U.S. Department of Justice, "Justice Department Disrupts Iranian Cyber Enabled Psychological Operations"
[26] Source: Stryker, "Our history"
[27] Source: Stryker, "Our Company"
[28] Source: NPR, "Who is Handala, the barefoot, spiky-haired boy who symbolizes Palestinian resistance?"
[29] Source: Egyptian Streets, "How Naji al-Ali's Cartoon 'Handala' Became an Emblem of Palestinian Resistance"
[30] Source: Check Point Software Technologies, "'Handala Hack' – Unveiling Group's Modus Operandi"
[31] Source: State of Surveillance, "Iran-Linked Hackers Wiped 200,000 Stryker Devices in One Night"
[32] Source: FOX 17, "Some health systems take Stryker equipment offline after company targeted in cyberattack"
[33] Source: Stryker, "Customer Updates: Stryker Network Disruption"
[34] Source: BleepingComputer, "How CISOs Can Survive the Era of Geopolitical Cyberattacks"
https://www.bleepingcomputer.com/news/security/how-cisos-can-survive-the-era-of-geopolitical-cyberattacks/
3. Disguised Ransomware Infection: Man Arrested for Obstruction of Business
3.1. Outline
On March 5, a 38-year-old man was arrested on suspicion of obstruction of business by damaging an electronic computer. Six months earlier, the suspect had misused his workplace's server to stage a fake ransomware infection, causing great confusion on site.[35]
3.2. About the incident
Imitation of ransomware attacks
The suspect, who lives in Nagahama City, Shiga Prefecture, worked as an in-house system manager at an IT company in Osaka City.
In August 2025, he used a colleague's ID and password to gain unauthorized access to the company's file server from what was reportedly his work PC. After that, a message beginning "Ooops, your important files are encrypted." appeared on the screens of the company's PCs. Its content and design were similar to what is displayed on a PC infected with the "WannaCry" ransomware. [37]
![Figure 5: Fake ransomware warning screen (released by the Osaka Prefectural Police)[35]](https://static.wixstatic.com/media/a5aeba_90aea80a216c406fb9fca6e735fc3a2f~mv2.png/v1/fill/w_863,h_598,al_c,q_90,enc_avif,quality_auto/a5aeba_90aea80a216c406fb9fca6e735fc3a2f~mv2.png)
In fact, however, this incident was unrelated to any ransomware attack: the suspect had performed some kind of manipulation on the file server to display the fake messages. The suspect also set up a timed program to force the server to shut down three hours after activation, to make the attack more convincing. Regarding these acts, the suspect said at the time of his arrest, "I did it out of dissatisfaction with the president and a desire for revenge." [36]
WannaCry is known for the large-scale attacks of May 2017, when ransomware damage became prominent worldwide. It infected 230,000 computers in 150 countries in a single day, and large companies and public institutions were also affected. [38]
Damages reported
Based on the aforementioned events, the company to which the suspect belonged determined that the server was infected with ransomware. Operations were suspended while the cause was investigated. In addition, the company had to pay at least about 20 million yen for external investigation and data recovery services.
It is thought that the suspect was able to carry out the manipulation that caused this commotion because, as the person in charge of internal systems, he was familiar with the organization's network configuration. It is not clear how he was able to use his colleague's ID for the unauthorized login, but it is speculated that account management was inadequate and that the suspect overheard or observed his colleague's ID.
In addition, whether log monitoring was properly conducted to detect unauthorized manipulation by insiders, and whether security training covering internal fraud was conducted regularly, may have affected the extent of the damage in this case. In fact, the suspect also stated that he wanted to make employees aware of the company's low security awareness.
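As an added example of the kind of log monitoring this section refers to, the following checks file-server logon records for two signals that would have been visible in this case: an account used from a workstation assigned to someone else, and the same account logging on from two different hosts within a short window. This is example code written for this report, not the company's own; the log format, host inventory and log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed inventory: which workstation each account is assigned to (an assumption).
ASSIGNED_HOST: Dict[str, str] = {
    "suzuki": "WS-SUZUKI",
    "tanaka": "WS-TANAKA",
    "admin_sato": "WS-SATO",  # the in-house system administrator's own PC
}

# Constructed file-server log lines in an assumed "key=value" format.
SAMPLE_LOG = """\
2025-08-18T22:41:07 LOGON user=suzuki src=WS-SUZUKI result=success
2025-08-18T23:05:12 LOGON user=tanaka src=WS-SATO result=success
2025-08-18T23:05:40 SHARE user=tanaka src=WS-SATO path=/finance action=write
2025-08-18T23:06:02 LOGON user=tanaka src=WS-TANAKA result=success
2025-08-18T23:20:15 LOGON user=admin_sato src=WS-SATO result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: result=(?P<result>\w+))?"
)


def parse_logons(log: str) -> List[dict]:
    """Return successful LOGON events with a parsed timestamp; other lines are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "LOGON" or m["result"] != "success":
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "src": m["src"]})
    return events


def find_borrowed_credentials(log: str, assigned: Dict[str, str]) -> List[dict]:
    """Flag logons where an account is used from a host assigned to a different person."""
    host_owner = {host: user for user, host in assigned.items()}
    alerts = []
    for ev in parse_logons(log):
        expected = assigned.get(ev["user"])
        if expected and ev["src"] != expected:
            alerts.append({**ev, "host_owner": host_owner.get(ev["src"])})
    return alerts


def find_overlapping_logons(log: str, window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Flag the same account logging on from two different hosts within `window`."""
    by_user: Dict[str, List[dict]] = {}
    for ev in parse_logons(log):
        by_user.setdefault(ev["user"], []).append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= window:
                hits.append((user, a["src"], b["src"]))
    return hits


if __name__ == "__main__":
    for alert in find_borrowed_credentials(SAMPLE_LOG, ASSIGNED_HOST):
        print("credential used from another person's workstation:", alert)
    for hit in find_overlapping_logons(SAMPLE_LOG):
        print("same account on two hosts within window:", hit)
```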
3.3. Summary
This case is a classic example of an "insider cyberattack," in which an employee abused their position and knowledge. Even though no data was encrypted or stolen, the sudden fake warning was enough to instill fear in the organization and make it believe a ransomware infection had occurred.
It is difficult to distinguish such insider fraud from legitimate business activity. Many organizations are attentive to countermeasures that assume external attacks, but they tend to be less vigilant against internal crime. This incident, which caused the organization losses in both time and money, shows that the risk of internal crime should not be taken lightly.
References
[35] Source: Kobe Shimbun NEXT, "Ransom Infection and Suspicion of Business Obstruction: Arrest of Former Employee of IT-related Company"
[36] Source: Sankei Shimbun, "'Dissatisfaction and Vengeance': Arrest of Former IT Office Worker Preparing Forced Shutdown Program at Workplace"
[37] Source: Lenovo, "WannaCry Detection and Preventive Measures"
[38] Source: Akamai, "What is WannaCry Ransomware?"
Disclaimer
Please note that while we do our best to ensure that the content of this article is accurate, we do not guarantee the content and do not compensate for any damages or losses incurred as a result of the use of this article. If you have any inquiries such as typographical errors, content errors, or other points in the article, please contact us at the following address.
Inquiries
NTT Security Japan Corporation
Professional Services OSINT Monitoring Team