March 29, 2026

Cyber Operations

Iran-linked cyber campaign reaches 5,800 attacks since start of war. A Washington Post investigation published today details how hacking, disinformation, and AI-generated content have become embedded in the U.S.–Israel–Iran conflict. Investigators at security firm DigiCert have tracked nearly 5,800 cyberattacks by roughly 50 Iran-linked groups since the war began last month, targeting U.S., Israeli, and Gulf state organizations. Iranian hackers and their proxies are targeting supply chains supporting the war effort, as well as critical infrastructure including ports, rail stations, water plants, data centers, and hospitals.

Stryker medical device attack disrupted Maryland hospitals. As part of the broader Iranian cyber campaign, hackers wiped more than 200,000 devices at medical device manufacturer Stryker on March 11, directly impacting emergency medical services and hospitals in Maryland. Some hospitals reportedly postponed surgeries because Stryker implants became unavailable. A separate Iran-linked ransomware group encrypted a U.S. healthcare provider's systems in under three hours in late February.

Iran-linked Handala group claims breach of FBI Director Patel's email. The Handala Hack Team, which the U.S. has linked to Iranian intelligence, claimed responsibility for breaching the personal Gmail account of FBI Director Kash Patel. The group published photographs, a work resume, and personal documents. The FBI stated the information is "historical in nature" from the early 2010s and does not include government information. Handala framed the breach as retaliation for the FBI's seizure of several Handala domains and the announcement of a $10 million reward for information on group members.

FDD analysis finds Iranian cyber operations exploiting weakened U.S. defenses. The Foundation for Defense of Democracies published an assessment noting that the dismantling of the State Department's Global Engagement Center and the FBI's Foreign Malign Influence Task Force under the current administration has reduced the U.S. government's capacity to monitor and counter Iranian cyber and influence operations during the conflict.

Espionage

China-linked APT embeds stealthy backdoors in global telecom infrastructure. Rapid7 Labs disclosed that the Chinese APT group Red Menshen has deployed upgraded BPFdoor backdoor implants inside telecom networks across South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East. The implants operate at the kernel level using Berkeley Packet Filter functionality, activating only when they receive a specially crafted "magic packet." Newer variants monitor SCTP signaling traffic used in 4G and 5G core networks and disguise themselves as legitimate HPE ProLiant or Kubernetes processes. Rapid7 coordinated with national CERTs and released a detection script.

Three charged with smuggling AI-capable Nvidia chips to China. A federal indictment unsealed this week charges three individuals with conspiring to divert high-performance AI server hardware assembled in the United States to China through Super Micro Computer, in violation of U.S. export control laws. Separately, a Chinese national and two U.S. citizens were arrested and charged with attempting to procure millions of dollars' worth of restricted computer chips for export to China.

Information Operations & Foreign Influence

Iran deploys AI-generated deepfakes as part of wartime influence campaign. The Foundation for Defense of Democracies reported that Iranian government-linked networks are producing AI-generated videos and imagery propagated through state-affiliated channels and inauthentic social media accounts. These are then amplified by Russian bot networks and echoed by Chinese state-aligned media accounts, demonstrating the coordinated information alliance among the three states.

Russia, China, and Iran ramp up spending on influence infrastructure. According to a Small Wars Journal analysis, Russia's 2026 budget increased state media and information operations funding by 54 percent (an additional $458 million), Iran's broadcasting budget rose 46 percent year-over-year to approximately $580 million, and China is restructuring its operations into a "Cognitive Domain" framework under its 15th Five-Year Plan.

Sanctions Enforcement

Three sentenced in North Korean IT worker fraud scheme. A federal court sentenced three U.S. nationals — Alexander Paul Travis, Jason Salazar, and Audricus Phagnasay — for conspiracy to commit wire fraud after they allowed North Korean IT workers to use their identities to gain remote employment at U.S. companies. Travis, a former Fort Gordon soldier, received 12 months in prison. The scheme used identity fraud and remote access software to bypass corporate hiring safeguards, with revenue believed to support North Korean weapons programs.