The month of March 2026 was defined by a single event: the US-Israeli military campaign against Iran and the cyber operations that accompanied, enabled, and followed it. Beyond the conflict, the month also delivered a reminder that the broader threat landscape continues to evolve regardless of geopolitics, with supply chain compromises, ransomware activity across multiple sectors, and Australia crossing a significant regulatory threshold in IoT security.
The Cyber Dimension of the US-Israeli War Against Iran
The US-Israeli campaign against Iran, which opened on 28 February 2026 with the killing of Supreme Leader Khamenei, has a significant and still-evolving cyber dimension spanning intelligence operations, kinetic strikes on digital infrastructure, and a broad wave of state-backed and proxy hacktivist retaliation.
The precise nature of the cyber operations that accompanied the opening strikes is unclear. What has been confirmed is that cyber capabilities played a role. US Chairman of the Joint Chiefs of Staff General Dan Caine confirmed that coordinated space and cyber operations effectively disrupted communications and sensor networks in Iran prior to the main kinetic strikes, with the explicit goal of leaving the adversary "disrupted, disoriented and confused."
There was also widespread reporting that Israel had hacked Tehran's traffic cameras for years, with footage encrypted and transmitted to servers in Israel. Israeli intelligence then used AI tools and algorithms to map a pattern of life for Khamenei and his protection detail, including travel routes, duty hours, and the identities of assigned officials, enabling the precision strike that opened the campaign. (Wikipedia; Iran International; The Jerusalem Post)
Iran's kinetic response against commercial infrastructure
On 1 March, Iranian Shahed drones struck two AWS data centres in the UAE and a third in Bahrain, the first time a country has deliberately targeted commercial data centres during wartime. The strikes took out two of three availability zones in AWS's UAE region.
Iran explicitly cited the facilities' role in hosting US military AI systems, deliberately blurring the line between commercial cloud and military infrastructure. Cascading outages hit major UAE banks, payments platforms, and consumer services across the Gulf.
On 11 March, Israel reportedly conducted a reciprocal strike against a data centre in Tehran, targeting bank services used to pay IRGC members. (Network World; The Conversation; Tech Policy Press)
Hacktivist activity
Iran's state cyber capability was constrained in the opening days of the conflict by a near-total internet blackout, with connectivity dropping to between 1 and 4 percent of normal levels, driving greater tactical autonomy among cells operating outside the country. Despite this, proxy groups have conducted significant attacks across the US, Israel, and allied nations.
Iran's cyber retaliation has played out primarily through proxy hacktivist groups, with Handala the most prominent.
Handala presents publicly as a pro-Palestinian hacktivist group, using the imagery of a defiant child that has become a symbol of Palestinian resistance. In practice, multiple Western threat intelligence firms assess it to be an operational front for Void Manticore, a threat actor linked to Iran's Ministry of Intelligence and Security, giving Tehran plausible deniability for destructive cyber operations. (7ai)
Confirmed attacks by Handala include:
- Stryker Corporation (11 March). Handala obtained administrative access to Microsoft Intune and used its native remote wipe capability to factory reset devices across 79 countries - no custom malware required. The group claimed to have wiped more than 200,000 systems and exfiltrated 50 terabytes of data, framing the attack as retaliation for the US strike on the Minab school and Stryker's Israeli business ties. (SecureWorld; HIPAA Journal)
- FBI Director Kash Patel (27 March). Handala breached Patel's personal Gmail account, publishing photographs and over 300 emails. The FBI confirmed the breach, noting the content was historical and contained no government information. The attack was framed as retaliation for the FBI and Justice Department's seizure of the group's domains the prior week. (CNBC; Axios)
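The Stryker item above turns on a legitimate MDM feature being used at scale, so the detection opportunity is a burst of remote-wipe actions in the Intune audit trail rather than any malware signature. The script below is an added example written for this summary, not code from the newsletter or from Microsoft: it reads events in the Microsoft Graph auditEvent shape and flags any administrator who issues an unusual number of successful wipes inside a sliding window. The "WipeManagedDevice" activity label, the thresholds and all sample events are constructed assumptions.

```python
"""Flag bursts of remote-wipe actions in an Intune-style audit export.
Added example, not from the newsletter or Microsoft. Field names follow the
Microsoft Graph auditEvent shape; the WIPE_TYPE label and sample events are
constructed assumptions, not real tenant data."""
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_TYPE = "WipeManagedDevice"  # assumed label; check your tenant's export

def _ev(ts, actor, device, atype=WIPE_TYPE, result="Success"):
    """Build one constructed audit event in Graph auditEvent shape."""
    return {"activityDateTime": ts, "activityType": atype, "activityResult": result,
            "actor": {"userPrincipalName": actor}, "resources": [{"displayName": device}]}

# Constructed sample: one account wipes six devices in six minutes (the pattern
# to catch); another account does a single routine wipe and one retire.
SAMPLE_EVENTS = [_ev(f"2026-03-11T02:0{i}:00Z", "svc-intune-admin@example.com",
                     f"LAPTOP-{i:03d}") for i in range(6)]
SAMPLE_EVENTS += [_ev("2026-03-11T09:15:00Z", "it-ops@example.com", "LAPTOP-900"),
                  _ev("2026-03-11T02:03:00Z", "it-ops@example.com", "LAPTOP-901",
                      atype="RetireManagedDevice")]

def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor who issued >= threshold successful wipes
    inside any sliding window of length `window` (largest such window wins)."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev.get("activityType") != WIPE_TYPE or ev.get("activityResult") != "Success":
            continue
        when = datetime.strptime(ev["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        device = ev["resources"][0]["displayName"] if ev.get("resources") else "?"
        per_actor[ev["actor"]["userPrincipalName"]].append((when, device))
    alerts = []
    for actor, items in per_actor.items():
        items.sort()
        best, start = None, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # drop events outside window
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (start, count, end)
        if best:
            s, count, last = best
            alerts.append({"actor": actor, "first": items[s][0].isoformat(), "count": count,
                           "devices": sorted(d for _, d in items[s:last + 1])})
    return alerts
```

Tune `threshold` and `window` to the normal wipe rate in your tenant; a second signal worth correlating is a wipe initiated from a newly created or newly privileged administrator account.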
Claimed but unverified or denied operations include:
- Hebrew University of Jerusalem (early-mid March). Handala claimed to have wiped more than 40 terabytes of data from university servers. (Euronews)
- Israeli energy and fuel infrastructure (early March). Handala claimed to have compromised an Israeli energy exploration company and Jordan's fuel systems. (Palo Alto Networks)
- IDF personnel data (early March). The Justice Department alleged Handala posted the names and sensitive data of approximately 190 Israeli Defence Force personnel and government employees. (CBS News)
- Verifone (mid-March). Handala claimed a breach of payments company Verifone, which denied any compromise. (Euronews)
- Lockheed Martin (late March). Handala claimed access to F-35 Block 4 technical documentation and issued physical threats to Lockheed Martin engineers in the Middle East. Lockheed Martin denied any breach. (Flare)
Broader hacktivist action
Handala is not operating alone. As of 2 March, an estimated 60 hacktivist groups had mobilised under a coordinating structure called the Cyber Islamic Resistance, organising operations through a shared channel on Telegram. (Palo Alto Networks)
- Pro-Russian group NoName057(16) joined operations on 2 March, targeting Israeli defence and municipal organisations including defence contractor Elbit Systems. (Axios)
- The 313 Team, an Iraq-based pro-Iranian group, targeted Kuwaiti government websites. DieNet, a pro-Iran group active across the Middle East, claimed attacks on airports in Bahrain, Saudi Arabia, and the UAE. (Palo Alto Networks)
- At the more sophisticated end of the spectrum, IRGC-backed groups CyberAv3ngers, APT33, and APT55 have targeted US industrial control systems, including the computer systems that run physical infrastructure such as power grids and water treatment plants. (Euronews)
- The MuddyWater group, linked to Iranian intelligence, has focused on telecommunications, energy, and government targets, acting as an entry point for other attackers by breaking into networks and passing on access credentials. (Euronews)
Implications for Australian organisations
Australian organisations should be aware that Iranian cyber actors are not a new concern.
In October 2024, well before the current conflict, the Australian Federal Police and ASD's Australian Cyber Security Centre co-signed a joint advisory with the FBI, CISA, NSA, and Canada's Communications Security Establishment, warning critical infrastructure operators of Iranian threat actors using brute force and MFA-based techniques to compromise networks across government, healthcare, energy, and technology sectors. (AFP/ACSC)
While Australian authorities have not yet issued public advisories relating to the current conflict, many other allied governments have issued warnings:
- USA. The FBI has published a FLASH advisory confirming Handala as an Iranian-controlled operation and warning network defenders of continued malicious activity. (FBI FLASH Advisory)
- UK. The UK National Cyber Security Centre has warned that there is "almost certainly a heightened risk of indirect cyber threat" for organisations with a presence or supply chains in the Middle East, and that Iranian state actors retain cyber capability despite the internet blackout inside Iran. (NCSC)
- Canada. The Canadian Centre for Cyber Security has warned critical infrastructure operators that states expressing public support for the campaign should expect to be viewed as legitimate targets for opportunistic disruptive activity. (Canadian Centre for Cyber Security)
The warnings issued by allied governments and the nature of the attacks observed to date suggest that Australian organisations, particularly those in the defence and critical infrastructure sectors and those with supply chain links to US or Israeli entities, should review their exposure and ensure that their cyber controls are in place and operating effectively.
International Cyber Threat Environment
Trivy Supply Chain Attack Turns Security Tool into Threat
Trivy is a widely used open source security tool that helps software development teams scan their code and infrastructure for known vulnerabilities. On 19 March 2026, a threat actor known as TeamPCP compromised Trivy, injecting credential-stealing malware into official releases across GitHub, Docker Hub, and Amazon's container registry simultaneously.
The attack targeted CI/CD pipelines, the automated systems that software teams use to build, test, and deploy code and that typically hold broad access to cloud credentials, keys, and infrastructure. The malicious code was injected into over 10,000 CI/CD workflows globally and ran before the legitimate scan, so pipelines appeared to complete normally while credentials were being stolen in the background. At least 1,000 enterprise SaaS environments are reported to have been affected, and the campaign subsequently expanded to compromise the Checkmarx KICS scanner and LiteLLM Python packages with the same infostealer malware.
The root cause was incomplete remediation of an earlier breach that left residual attacker access in place. Any organisation that ran Trivy between 19 and 23 March 2026 should treat all secrets accessible from those pipelines as compromised and rotate them immediately. (Microsoft; Arctic Wolf; Aqua Security)
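Acting on the rotation advice above starts with knowing which pipelines actually pulled Trivy, and through which reference. The script below is an added example written for this summary, not code from the newsletter or from the Trivy project: it inventories GitHub-Actions-style workflow files for aquasecurity/trivy-action and for aquasec/trivy or ghcr.io/aquasecurity/trivy images, and flags references that float on a mutable tag or branch rather than an immutable commit SHA or image digest. The sample workflow text and digest are constructed.

```python
"""Inventory Trivy references in CI workflow files and flag mutable refs.
Added example, not from the newsletter or the Trivy project. Plain regexes are
used so no YAML library is needed; the sample workflow below is constructed."""
import re
from pathlib import Path
# uses: aquasecurity/trivy-action@<ref>  (ref = tag, branch or 40-hex commit SHA)
ACTION_RE = re.compile(r"uses:\s*['\"]?(aquasecurity/trivy-action)@([^\s'\"#]+)")
# aquasec/trivy or ghcr.io/aquasecurity/trivy, optionally :tag or @sha256:digest
IMAGE_RE = re.compile(r"((?:ghcr\.io/aquasecurity/trivy|aquasec/trivy)(?!-)"
                      r"(?:@sha256:[0-9a-f]{64}|:[\w.\-]+)?)")
SHA40 = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow_text(text, source="<inline>"):
    """Return one finding per Trivy reference: kind, ref, line and pinned flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ACTION_RE.search(line)
        if m:
            findings.append({"source": source, "line": lineno, "kind": "action",
                             "ref": f"{m.group(1)}@{m.group(2)}",
                             "pinned": bool(SHA40.match(m.group(2)))})
        for m in IMAGE_RE.finditer(line):
            findings.append({"source": source, "line": lineno, "kind": "image",
                             "ref": m.group(1), "pinned": "@sha256:" in m.group(1)})
    return findings

def audit_workflow_dir(root):
    """Audit every *.yml / *.yaml file under root (e.g. .github/workflows)."""
    out = []
    for path in sorted(Path(root).glob("**/*.y*ml")):
        out.extend(audit_workflow_text(path.read_text(encoding="utf-8"), str(path)))
    return out

def mutable_refs(findings):
    """Refs resolving to whatever the publisher currently ships: re-pin these first."""
    return sorted({f["ref"] for f in findings if not f["pinned"]})

DIGEST = "0" * 64  # constructed placeholder digest, not a real Trivy image digest
SAMPLE_WORKFLOW = f"""\
jobs:
  scan:
    container:
      image: aquasec/trivy:latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: docker run --rm ghcr.io/aquasecurity/trivy@sha256:{DIGEST} image app:ci
"""
```

A pinned reference still needs checking against the project's published advisory for the affected window; pinning only guarantees that the reference cannot silently change under you in future.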
Notable International Breaches and Incidents
- LexisNexis (early March). LexisNexis Legal and Professional - a global provider of legal, regulatory, and business intelligence used by law firms, governments, and courts in more than 150 countries including Australia - confirmed a breach after a threat actor exploited an unpatched vulnerability to access its AWS infrastructure. The attackers exfiltrated 2GB of structured data and claimed access to around 400,000 cloud user profiles including names, emails, phone numbers, and job functions, with more than 118 accounts belonging to US government employees including federal judges, Department of Justice attorneys, and SEC staff. LexisNexis stated the data was mostly legacy information predating 2020 and did not include financial or identity data. (BleepingComputer; The Register)
- AstraZeneca (late March). AstraZeneca is a British-Swedish multinational pharmaceutical company and one of the world's largest drug makers. The cybercrime group Lapsus$ claimed responsibility for a breach, allegedly stealing around 3GB of data including credentials, access tokens, internal source code, and employee information. AstraZeneca has not confirmed the breach, but if accurate the exposed data could enable follow-on phishing and system targeting. Lapsus$ is linked to around 10 to 12 confirmed major breaches, mostly during its peak activity in 2022, and despite past arrests of several members continues to operate. (SecurityAffairs)
- Mazda (March). The Japanese automotive company reported a breach of a warehouse system in its Thailand operations, exposing 692 employee and partner records. No ransomware or operational disruption occurred, but the exposed names, IDs, and email addresses create phishing risk. Mazda has patched the vulnerability. (Techradar)
- Starbucks (March). A phishing campaign compromised login credentials for the coffee chain's internal staff portal, exposing employee personal and financial data. The incident reinforces the ongoing risk of credential phishing against corporate portals, particularly where MFA is weak or absent. (Maine.gov; CyberSecurityNews)
- French Healthcare - 15 Million Records (2025, reported March 2026). A breach linked to healthcare software provider Cegedim Santé exposed data on approximately 15 million individuals across around 1,500 medical practices in France, including sensitive medical notes for around 169,000 patients. The incident highlights the ongoing risk to healthcare software supply chains. (CyberDaily)
- Aura - 900,000 Records (March). Aura is a US-based identity protection company that helps consumers monitor and protect their personal information online. Despite being in the business of security, the company confirmed a breach affecting around 900,000 records after a ShinyHunters-linked threat actor gained access through a one-hour phone phishing attack on a legacy Salesforce marketing system. Passwords and financial data were not compromised, but the incident illustrates how even brief access to a legacy system can produce significant data exposure. (CyberDaily)
Australian Incidents
March saw Australian organisations continue to feature on ransomware group leak sites, with healthcare remaining a consistent target and two separate organisations pursuing court injunctions to prevent stolen data from being published, an emerging legal response that is gaining traction in Australia.
- Smile Team Orthodontics (March). Ransomware group SafePay listed a NSW orthodontic practice on its dark web leak site on 6 March, publishing stolen data on 10 March. The leaked files included staff personal details, medical certificates, DentiCare patient payment plans, and patient treatment histories. (Rankiteo Blog)
- Hazeldenes (February/March). Hazeldenes is one of Australia's largest poultry producers. The cyberattack, which began on 19 February, caused immediate supply disruption, with pubs and butchers across Victoria reporting shortages of chicken products. The attacker, DragonForce, published a 78.98 gigabyte dataset on its dark web leak site on 11 March, at which point Hazeldenes confirmed that personal data had been accessed. The company obtained a worldwide interim court injunction prohibiting anyone from accessing or publishing the stolen material. (Hazeldenes; Just Food)
- Fairfield City Council (October 2025, ongoing). Fairfield City Council, a Western Sydney local government authority, suffered a ransomware attack in October 2025 in which attackers encrypted council systems and exfiltrated sensitive personal, financial, and employment data before issuing a ransom demand. The council refused to pay and pursued a legal response instead, obtaining a court injunction through the NSW Supreme Court that restrains the attackers and any third party from publishing or disseminating the stolen data. As of March the data had not appeared on the clear or dark web, though an injunction is not a guarantee it never will. (Fairfield City Council; DataBreaches.net)
Australian Policy Developments
4 March 2026 marked the commencement of the Cyber Security (Security Standards for Smart Devices) Rules 2025, established under the Cyber Security Act 2024. The rules introduce mandatory cyber security standards for most smart devices acquired in Australia by a consumer, following a 12-month transition period.
For the first time, baseline IoT security is a legal requirement. Manufacturers must now ensure devices ship without universal default passwords, publish a vulnerability disclosure process, and disclose how long security updates will be provided. The regime applies not only to Australian organisations but to any overseas manufacturer or supplier whose products are sold into the Australian consumer market. The standards align closely with the internationally recognised ETSI EN 303 645 baseline for consumer IoT security, placing Australia alongside the UK, EU, and other jurisdictions moving in the same direction. (Department of Home Affairs)
This is a welcome development. These requirements directly target some of the most persistently exploited weaknesses in consumer IoT - default credentials have long powered large-scale botnets, and opaque update lifecycles leave consumers running devices with known vulnerabilities long after vendors have moved on. By making these obligations enforceable rather than voluntary, and extending them to any vendor seeking access to the Australian market, the rules represent a meaningful uplift in baseline security.
ACSC cyber updates
The ACSC published two notable alerts during March 2026. Australian organisations should review these directly at cyber.gov.au and apply recommended mitigations where relevant.
- INC Ransom – Joint Advisory (6 March). A joint advisory from the ACSC, New Zealand's NCSC, and CERT Tonga warned that INC Ransom affiliates compromised 11 Australian organisations between July 2024 and December 2025, primarily targeting healthcare and professional services, using double-extortion tactics and compromised accounts to move laterally and exfiltrate medical and personal data before deploying ransomware. (ACSC)
- Cisco SD-WAN – Critical Alert (6 March). A critical-rated joint alert co-sealed by the ACSC, NSA, CISA, NCSC-NZ, and NCSC-UK warned of active exploitation of Cisco Catalyst SD-WAN vulnerabilities including CVE-2026-20128 and CVE-2026-20122, with threat actors exploiting an authentication bypass to add rogue peers and establish long-term persistence. (ACSC)