Since the outbreak of the Middle East conflict on 28 February 2026, Akamai has seen a surge of 245% in cyberattacks against key businesses and institutions in North America, Europe, and some Asia-Pacific countries.
One group in particular, Handala (widely believed to have ties to Iranian intelligence), has claimed responsibility for a destructive data-wiping attack on Stryker, the global medical technology firm based in Michigan.
At the same time, geopolitically motivated hacktivists are increasingly routing activity through proxy infrastructure in countries such as Russia and China, generating billions of connection attempts specifically engineered for abuse.
The bulk of this malicious traffic is hitting a familiar set of industries. Banking and financial services, ecommerce, and gaming together account for roughly 80% of targets, with banking and ecommerce alone making up more than half.
On the defensive side, Akamai says its customers have blocked billions of unwanted and potentially malicious packets using the Prolexic Network Cloud Firewall, helping them maintain a strong security posture at the network edge.
With tensions still high, the message is to stay vigilant. Organizations need to take a proactive, end-to-end approach to security to avoid disruption, downtime, or performance issues.
Because if this conflict is proving anything, it’s that modern warfare doesn’t stop at physical borders. Increasingly, the real damage is being done in the digital domain, where attacks can just as easily undermine businesses, critical infrastructure, and public trust.
Assume This Activity Will Persist
Sunil Gottumukkala, CEO of Averlon, said: “The surge in activity following geopolitical tensions is consistent with what we typically see in these environments. Early-stage signals like reconnaissance, credential harvesting, and infrastructure probing tend to increase significantly as attackers look for initial access opportunities.”
He added that enterprises should assume this activity will persist and focus on preparedness. “That means staying on top of attack surface and exposure management to reduce exploitable vulnerabilities and ensure known weaknesses cannot be used to gain initial access. It also means strengthening identity security and monitoring for credential misuse, since many of these campaigns rely on stolen credentials.
“The organizations that fare best are the ones that treat this activity as a precursor to more targeted attacks and invest in visibility into their exposure and rapid remediation of high-risk issues.”
This Isn’t Just Iranian Retaliation
Michael Bell, Founder & CEO of Suzu Labs, commented: “The 245% number is real but the breakdown underneath it matters more than the headline. Only 14% of the malicious traffic Akamai observed originated from Iranian IPs. Russia accounted for 35% and China 28%, which tells you this isn’t just Iranian retaliation. Russia and China are taking a ‘never let a good crisis go to waste’ approach, using the conflict as operational cover to ramp up scanning, credential harvesting, and infrastructure mapping while defenders are focused on the named adversary.”
Bell says the attack mix confirms it. “Botnet discovery traffic up 70% and automated reconnaissance up 65% means most of what Akamai is measuring is the setup phase, not the main event. The actual attacks that follow this reconnaissance, using the access and mapping being built right now, will be worse than the current numbers suggest.”
A ‘Loud vs. Quiet’ Strategic Pivot
Jacob Warner, Director of IT at Xcape Inc, added: “The recent surge in Iranian cyber activity following Operation Epic Fury highlights a sophisticated ‘loud vs. quiet’ strategic pivot. High-profile ‘wiper’ attacks, where large amounts of data are deleted, on entities like Stryker dominate headlines and cause immediate operational paralysis. Meanwhile, state-sponsored actors are simultaneously executing quiet, long-term espionage campaigns.”
He said that for security professionals, the danger lies in the “loud” attacks serving as a massive smoke screen, drawing incident response resources away from deep-seated persistence in critical infrastructure.
“Defenders must look past the immediate carnage of defacements and wipers to hunt for ‘living off the land’ techniques and compromised administrative tools like UEM and MDM platforms. Prioritizing identity security and behavioral analytics is the only way to catch the quiet intruder while the sirens are blaring. In modern conflict, the wiper attack is just a loud invitation to a heist that has been running for months.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


