Since US and Israeli air strikes across Iran began in late February 2026, cyber retaliation has escalated rapidly. The Iranian hacker group Handala launched a major attack against US medical technology firm Stryker that reportedly disrupted global operations and disabled as many as tens of thousands of computers. In public statements the group framed the operation as retaliation for a missile strike that killed at least 165 civilians and for ongoing cyber operations against Iran. Within roughly two weeks of the conflict’s escalation, Handala publicly claimed responsibility for more than a dozen attacks, most targeting Israeli organizations, indicating a sharp increase in cyber activity linked to the war.
Security researchers widely believe Handala functions as a front linked to Iran’s Ministry of Intelligence (MOIS), representing a hybrid model combining state-sponsored hacking with hacktivist branding. The Handala identity first appeared in late 2023 and promoted its operations through Telegram, X, and public websites. Analysts connect it to a broader state-backed hacking network labeled Void Manticore by Check Point, also known as Red Sandstorm or Cobalt Mystique. That network has been active since at least 2022, when cyberattacks against Albanian government agencies used destructive wiper malware. Its operations combine psychological hack-and-leak campaigns with destructive tools such as Coolwipe, Chillwipe, and Bibiwiper designed to erase data.
Handala’s operational pattern emphasizes rapid opportunistic attacks combined with public messaging. Researchers note its campaigns often lack long-term strategic planning and instead target vulnerable systems that can quickly demonstrate impact. During the current conflict the group, along with two other Iranian hacker teams, attempted to exploit internet-connected security cameras across Bahrain, the United Arab Emirates, Israel, and Cyprus. These intrusion attempts closely aligned with the timing and geography of military strikes, suggesting that compromised cameras may support surveillance or targeting for missile and drone operations. Overall, Iranian cyber operations increasingly rely on proxy groups, deniability structures, and public propaganda to amplify psychological and operational effects during armed conflict.