Three days into Operation Epic Fury, Iran's domestic internet is functionally destroyed. Connectivity sits at 4%. State media is silent. Military communications are crippled. By every conventional measure, Iran's ability to project force has been neutralized.
And yet, on Sunday, the Iranian-affiliated hacktivist group Cyber Islamic Resistance launched DDoS and data-wiping attacks against U.S. and Israeli military logistics providers. CrowdStrike confirmed it is "already observing conduct with Iranian threat actors and hacktivist groups performing reconnaissance and initiating DDoS attacks." Flashpoint tracked the activity in real time.
The assumption that degrading Iran's infrastructure would degrade its cyber capability was always wrong. And the sector most exposed to that miscalculation is healthcare.
The Proxy Problem
I wrote last week about why the strikes on Iran put every American enterprise on the battlefield. The general threat is real and well documented. But what's emerged in the 72 hours since is more specific: healthcare is being explicitly singled out, and the threat actors doing the targeting aren't in Tehran.
Gary Barlet, public sector CTO at Illumio, put it directly to Politico: "It's important to remember this isn't just about the Iranian government acting directly." Proxy and hacktivist groups are not "impacted in the same way by kinetic strikes or domestic disruptions."
This is the detail that should reshape how healthcare security teams think about the current threat. Iran's state-sponsored APT groups, APT42 and APT33, have already begun deploying wiper attacks against Israeli targets, according to Anomali. But the broader ecosystem of proxy groups operating from Lebanon, Iraq, Yemen, and diaspora networks across Europe and Asia functions independently of Iranian domestic infrastructure. Check Point Research warns that these groups receive tools, targeting intelligence, and operational resources directly from IRGC-linked sponsors.
Phil Englert, vice president of medical device security at Health-ISAC, confirmed that Iranian hacktivist groups "may be operating more closely with state entities as Iran explores asymmetric responses to U.S. and Israeli actions."
The scale is staggering. Palo Alto's Unit 42 estimates 60 individual hacktivist groups were active as of March 2, many operating through an "Electronic Operations Room" formed the day of the strikes. Kathryn Raines, a former NSA expert now leading threat intelligence at Flashpoint, described the decentralized reality to Fortune: Iranian cyber retaliation is now "in the hands of a 19-year-old hacker in a Telegram room with really no oversight or direction."
This isn't a loose network of sympathizers with basic tools. This is state-backed hacktivism with state-grade capabilities, distributed across dozens of groups that no single military operation can neutralize.
Why Healthcare Can't "Go Dark"
When a financial services firm detects an active intrusion, it can take systems offline, redirect traffic, and operate in a degraded state while the incident response team works. The business impact is significant but survivable. Customers experience delays, not danger.
Hospitals don't have that option.
When a DDoS attack overwhelms a hospital network, it doesn't just slow down a website. It can take down electronic health records, disable patient monitoring systems, disrupt medication dispensing, and sever communication between emergency departments and trauma teams. A major cyber incident that degrades hospital networks can slow emergency care, delay surgeries, and compromise diagnostics. The New York State Department of Health issued an urgent advisory cautioning hospitals, treatment centers, and healthcare practitioners of a "high likelihood of increased cyberattacks" and urging providers to tighten physical and IT security controls.
Indiana's cybersecurity office issued a parallel advisory identifying elevated risk to healthcare providers, insurers, and third-party vendors.
The attack surface is staggering. CISA identifies healthcare as especially vulnerable because organizations hold vast amounts of sensitive patient data and operate environments where system outages can compromise life-saving care. Their dependence on electronic health records, cloud vendors, and telehealth platforms expands the attack surface available to threat actors.
In my eight years in Navy EOD, the most dangerous scenarios were never the ones where the adversary had one way to hurt you. They were the ones where the operating environment itself constrained your options. You couldn't just back away from the device because civilians were in the blast radius. Healthcare security teams face the same constraint: you can't take the systems offline because patients are in the blast radius.
The Attack Playbook Against Hospitals
Based on the threat intelligence from CrowdStrike, Anomali, Check Point, and Palo Alto's Unit 42, here's what healthcare organizations should expect:
DDoS attacks on patient-facing systems. Hospital websites, patient portals, VPN gateways, and scheduling systems are the most likely initial targets. These attacks serve dual purposes: disrupting operations and testing defensive responses. The Cyber Islamic Resistance's attacks on Sunday against logistics providers followed exactly this pattern.
Wiper malware disguised as ransomware. Iranian groups, particularly Agrius and Cotton Sandstorm, deploy destructive malware that masquerades as criminal ransomware. The goal isn't payment; it's destruction. Anomali's threat briefing catalogs 15+ wiper malware families in Iran's arsenal, including ZeroCleare, Meteor, Dustman, and Apostle. A hospital that assumes it's dealing with a ransomware negotiation when it's actually facing a state-sponsored wiper operation will lose critical time.
Credential harvesting through spearphishing. APT42's primary initial access method remains spearphishing and MFA push bombing. Healthcare workers, already operating under stress during a period of heightened security alerts, are prime targets for urgent-looking emails about security updates, credential resets, or compliance notifications. Check Point identifies WezRat, a custom modular infostealer, as a key tool delivered via these campaigns.
Direct healthcare targeting. This isn't hypothetical. The Iran-linked group Handala claimed it targeted Clalit, Israel's largest healthcare network, stealing patient data. Health-ISAC expects further attacks against both Israeli healthcare providers and U.S. health networks, particularly organizations with affiliations to Israel or Jewish communities.
Medical device and OT targeting. Health-ISAC is specifically monitoring for activity targeting remote access, OT, and IoT environments that support medical devices and critical hospital infrastructure. Iranian operators demonstrated their interest in industrial control systems when they breached Israeli-made Unitronics PLCs in U.S. water treatment facilities in 2023. Medical devices running on hospital networks share the same vulnerability profile: legacy firmware, default credentials, and minimal monitoring.
Supply chain compromise through third-party vendors. Healthcare's vendor ecosystem, from EHR providers to billing services to telehealth platforms, creates cascading attack vectors. A compromised vendor with VPN access to multiple hospital networks gives an attacker a force multiplier that a direct assault on a single hospital doesn't.
What Healthcare Security Teams Need to Do This Week
The HIPAA Security Rule overhaul already mandated many of the controls that would mitigate these specific threats. If your organization treated compliance as a checkbox exercise rather than an operational discipline, the gap between your documentation and your actual security posture is now a direct liability.
Here's what matters right now:
1. Activate your DDoS mitigation plan. If you don't have one, contact your ISP and CDN provider today. Cloudflare, Akamai, and AWS Shield can absorb volumetric DDoS attacks, but only if they're configured before the attack arrives. Cloudflare has stated that roughly 20% of the web runs through its network and its CEO expressed readiness to absorb Iranian DDoS campaigns. Make sure your critical patient-facing systems are behind a protection layer.
2. Enforce MFA on every clinical system. Not just email. VPN access, EHR logins, administrative consoles, telehealth platforms, medical device management interfaces. APT42 specifically targets MFA fatigue through push bombing; switch to phishing-resistant MFA (FIDO2/WebAuthn) where possible.
3. Segment medical devices from the clinical network. Every infusion pump, imaging system, and patient monitor connected to the same network as your EHR is a potential entry point. Network segmentation with strict access controls between IoT/OT segments and clinical systems is the single most effective control against lateral movement from a compromised device.
4. Brief your clinical staff on spearphishing. Not a generic awareness email; a specific, timely briefing explaining that Iranian-linked groups are actively targeting healthcare organizations with credential harvesting campaigns. Provide concrete examples of what these phishing emails look like. Make it clear that clicking a suspicious link during this threat window could directly impact patient care.
5. Verify your backup restoration process. Iranian wiper malware is designed to make systems unrecoverable. Your backups need to be air-gapped (not just offsite), tested under time pressure, and capable of restoring clinical operations within hours, not days. If your last restoration test was more than 90 days ago, you don't actually know whether your backups work.
6. Audit your vendor connections. Identify every third-party VPN connection, API integration, and remote access pathway into your network. The Fortinet SSO bypass demonstrated how a single authentication vulnerability in a perimeter device can give attackers full network access. Your vendors' security posture is now part of your attack surface.
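Item 2 above notes that APT42 targets MFA fatigue through push bombing. The following is an added example, not from the original post, of detection logic a hospital SOC could run over its authentication logs: it flags any user who receives five or more MFA push prompts within ten minutes and records whether the burst ended in an approval, the pattern that distinguishes a worn-down user from a merely noisy one. The log line layout, the user names and the IP addresses are constructed for the example and are not a real product's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # pushes inside one window that count as a burst
WINDOW = timedelta(minutes=10)
# Constructed sample lines in a hypothetical "timestamp key=value ..." layout.
SAMPLE_LOG = """\
2026-03-02T08:00:01 user=nurse.a event=mfa_push result=sent src=203.0.113.7
2026-03-02T08:00:30 user=nurse.a event=mfa_push result=denied src=203.0.113.7
2026-03-02T08:01:05 user=nurse.a event=mfa_push result=denied src=203.0.113.7
2026-03-02T08:01:40 user=nurse.a event=mfa_push result=denied src=203.0.113.7
2026-03-02T08:02:10 user=nurse.a event=mfa_push result=denied src=203.0.113.7
2026-03-02T08:02:55 user=nurse.a event=mfa_push result=approved src=203.0.113.7
2026-03-02T08:03:00 user=dr.b event=mfa_push result=approved src=198.51.100.4
2026-03-02T09:15:00 user=dr.b event=mfa_push result=approved src=198.51.100.4
"""

def parse(line):
    """Turn one log line into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_push_bombing(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: (largest burst size, burst ended in an approval)} for
    every user who received >= threshold MFA pushes within one window."""
    by_user = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        rec = parse(line)
        if rec.get("event") == "mfa_push":
            by_user[rec["user"]].append(rec)
    alerts = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward so the burst spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) >= threshold:
                approved = burst[-1]["result"] == "approved"
                size, seen_ok = alerts.get(user, (0, False))
                alerts[user] = (max(size, len(burst)), seen_ok or approved)
    return alerts

if __name__ == "__main__":
    for user, (n, ok) in find_push_bombing(SAMPLE_LOG).items():
        print(f"ALERT {user}: {n} pushes within {WINDOW}, approval={ok}")
```

A burst that ends in an approval is the case to treat as a probable account compromise and revoke the session; a burst of denials alone still warrants a call to the user.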
The Uncomfortable Reality
Recorded Future's assessment that Iranian cyber operators may currently be in a "defensive posture" due to internet blackouts offers cold comfort. Alexander Leslie noted that the blackouts "amplify their lack of visibility," meaning Iran's own operators may be flying blind domestically. But the proxy networks, the hacktivist cells, and the IRGC-sponsored groups operating from third countries have full internet access, and they've already started.
CrowdStrike's Adam Meyers described the current activity as "a surge in claimed activity from Iran-aligned and sympathetic hacktivist groups," including DDoS operations, defacements, and alleged interference across targets in the U.S. Flashpoint warns that critical infrastructure and financial sector firms "should remain vigilant for follow-on activity that moves beyond nuisance-level disruption into more coordinated or destructive operations."
Healthcare sits at the intersection of all three risk factors: high-value data, life-safety dependencies, and constrained ability to take systems offline. That combination makes it the highest-leverage target for an adversary whose conventional military options have been eliminated.
The strikes destroyed Iran's missile facilities. They didn't destroy Iran's proxy networks. And this week, those networks are pointed at American hospitals.