
Iran-linked hackers take aim at US and other targets, raising risk of cyberattacks during war


2026-03-13 01:23 Last Updated At:13:24

WASHINGTON (AP) — Pro-Iranian hackers are targeting sites in the Middle East and starting to stretch into the United States during the war, raising the risk of American defense contractors, power stations and water plants being swept into a wave of digital chaos that could expand if Tehran's allies join the fray.

Hackers supporting Iran claimed responsibility for a significant cyberattack Wednesday against U.S. medical device company Stryker. Since the war began Feb. 28, they also have tried to penetrate cameras in Middle Eastern countries to improve Iran's missile targeting. They have targeted data centers in the region, as well as industrial facilities in Israel, a school in Saudi Arabia and an airport in Kuwait.

A woman gathers belongings from her family's home after it was damaged by a projectile launched from Lebanon, in Haniel, central Israel, Thursday, March 12, 2026. (AP Photo/Baz Ratner)


FILE - Stryker CEO Kevin Lobo is seen at a groundbreaking ceremony for their building in Portage, Mich., July 24, 2017. (Mark Bugnaski/Kalamazoo Gazette-MLive Media Group via AP, File)


FILE - Rescue workers and residents search through the rubble in the aftermath of a strike on a girls' elementary school in Minab, Iran, Feb. 28, 2026. (Abbas Zakeri/Mehr News Agency via AP, file)


FILE - This photo provided by the Municipal Water Authority of Aliquippa shows the screen of a Unitronics device that was hacked in Aliquippa, Pa., Nov. 25, 2023. (Municipal Water Authority of Aliquippa via AP, File)


FILE - The CEO of FireEye Kevin Mandia gives a tour of the cybersecurity company's unused office space in Reston, Va., March 9, 2021. (AP Photo/Nathan Ellgren, file)


Iran has invested heavily in its offensive cyber capabilities while cultivating ties to hacking groups. In recent years, groups working for Tehran have infiltrated the email system of President Donald Trump's campaign, targeted U.S. water plants and tried to breach the networks used by the military and defense contractors.

The goal is to wear down the American war effort, drive up the costs of energy, strain cyber resources and cause as much pain as possible for American companies that depend on the defense industry.

“Something is going to happen because the gloves are off,” said Kevin Mandia, founder of the cybersecurity companies Mandiant and Armadin.

Pro-Iranian, pro-Palestinian hackers claimed credit for disrupting systems at Stryker, a Michigan-based medical technology company. A group known as Handala said the attack was in retaliation for suspected U.S. strikes that killed Iranian schoolchildren.

As with other ideologically motivated hackers, profit is not Handala’s goal, according to Ismael Valenzuela, vice president of threat intelligence at the cybersecurity company Arctic Wolf.

“What distinguishes this group is its clear focus on data destruction rather than financial extortion,” he said in an email.

Polish authorities are investigating a recent cyberattack — on a nuclear research facility — that may have ties to Iran, though they acknowledge that another group could be behind the attack and using the Iran war to mask its identity.

Going forward, U.S. defense contractors, government vendors and businesses that work with Israel are likely targets, as is critical infrastructure such as hospitals, ports, water plants, power stations and railways.

Pro-Iranian hackers openly discuss their plans in Telegram and other online message boards.

“The datacenters need to be taken out,” wrote one user, as uncovered by researchers at U.S.-based SITE Intelligence Group. “They host the brains of USAs military communication and targeting systems.”

Cyber operations also gather intelligence — for example, Iran's effort to hack into cameras in neighboring countries to aid its missile targeting. Infiltrating U.S. networks, meanwhile, would offer a view into military planning or supply chains.

The strikes on Iran's military as well as internet outages may have limited Iran's cyberattacks in the short term. But experts say Iranian hackers and their allies will aim for quick victories by targeting the weakest links in American cybersecurity.

Often, local water plants or health care facilities lack the funds and know-how to install the latest software patches or take other security steps. That has made them a favorite target, both because of the relative ease of penetrating them and because of the panic these disruptions can cause.

This can include denial-of-service attacks, in which hackers try to jam a network so legitimate users cannot use it, and website defacements, which can prevent a company from communicating with customers. Hack-and-leak operations, where hackers threaten to release sensitive stolen material, are another possibility.

The attacks are not that sophisticated, according to Shaun Williams, a former FBI and CIA officer who is now a senior director at the cybersecurity firm SentinelOne. But if a business or government agency has failed to keep up with its cybersecurity, it could pay a steep price, he said.

“Patch your systems. Ensure your firewalls and security solutions are up to date,” Williams said. “Remove your stale accounts. All the cyber hygiene that you should be doing, it’s more critical now than ever. Prepare for disruption.”

Russia and China present the greatest cyber threats to the U.S., while North Korea is a growing concern. But what Iran has lacked in resources it has made up for in ingenuity, experts say.

In recent years, Tehran's digital warriors have impersonated American activists online to covertly encourage protests against Israel on college campuses. They have set up fake news websites and social media accounts primed to spread false and exaggerated claims before big U.S. elections.

In 2024, Iranian hackers infiltrated the email system of the Trump campaign and later tried to disseminate files that the hackers said they stole. Hackers linked to Iran also tried to hack into the WhatsApp accounts of both Trump and his then-Democratic opponent, President Joe Biden.

The activity prompted the Department of Homeland Security to issue a public warning last year about Iranian cyber threats.

“Iran and especially the proxies don’t care how big or smart you are. This is about making an impact, about creating chaos,” said James Turgal, a cybersecurity expert who spent 22 years as an FBI agent and is now a vice president at Optiv, a Denver-based information security firm.

Experts are watching closely to see if Russia, China or hacking groups allied with either country provide hacking assistance to Iran, mounting attacks intended to undermine American operations in Iran and make it harder for the U.S. to sustain its fight.

While China has so far taken a cautious approach, there is evidence that pro-Iranian hackers in Russia are already at work. Researchers at the cybersecurity firm CrowdStrike detected a surge of activity from Russian hackers in support of Tehran since the war began.

One group known as Z-Pentest claimed responsibility for disrupting several U.S. networks, including some involved in closed-circuit video cameras.

The timing of the attack suggests the hackers were targeting U.S. interests because of the war in Iran, according to Adam Meyers, head of counter adversary operations at CrowdStrike.

“Western organizations should continue to remain on high-alert,” Meyers said.


NORFOLK, Va. (AP) — The shooter who opened fire in a classroom at Virginia’s Old Dominion University on Thursday in an attack being investigated as an act of terrorism had a gun with an obliterated serial number, potentially complicating investigators’ efforts to determine how the man with a previous felony conviction obtained a firearm, according to a law enforcement official.

Investigators will have to try to re-surface the number in order to trace the gun, according to the official, who spoke to the Associated Press on condition of anonymity because they were not authorized to discuss the ongoing investigation.

The FBI identified the shooter as Mohamed Bailor Jalloh, a former Army National Guard member who pleaded guilty in 2016 to attempting to aid the Islamic State extremist group.

Jalloh, who yelled “Allahu akbar” before opening fire, was subdued and killed by ROTC students, according to FBI officials who praised the students' bravery for preventing further harm. The shooting killed an ROTC leader who was a professor of military science at ODU, and left two others hurt.

One of them, who was hospitalized in critical condition, has been upgraded to fair condition, according to Sentara Health. The other was treated and released.

Jalloh, who was sentenced to 11 years in prison in the Islamic State group case, was released from federal custody in December 2024. He was on supervised release, which is comparable to probation.

It wasn’t immediately clear why his release from prison was moved up. Inmates can get time off their sentences for a variety of reasons, but it wasn’t immediately clear if that happened in his case.

At a news conference Thursday, a reporter asked the special agent in charge of the FBI’s Norfolk field office, Dominique Evans, if there was a mention of the ongoing war in Iran. “None whatsoever,” she replied. The U.S. and Israel launched a war with Iran with missile strikes on Feb. 28.

The FBI has warned that Iranian operatives may be planning drone attacks on targets in California. Two men brought explosives to a far-right protest outside the New York mayoral mansion on Saturday. Investigators allege they were inspired by the Islamic State group. And on Thursday, a man of Lebanese origin was fatally shot after driving his vehicle into a Detroit-area synagogue in what the FBI called a “targeted act of violence against the Jewish community.”

Old Dominion University Police Chief Garrett Shelton said less than 10 minutes passed between when officers were called about a shooting in the university’s business school building and when responders determined the shooter was dead.

Lt. Col. Jimmy Delongchamp, public information officer for the U.S. Army Cadet Command at Fort Knox, Kentucky, told The Associated Press that two of the people who were shot were part of the Army ROTC at ODU. ROTC is a program where students receive a scholarship to attend college while training to become commissioned officers in the U.S. military.

The victim who died was Lt. Col. Brandon Shah, a 42-year-old from Chesapeake who leaves behind a spouse and a child, the U.S. Army Cadet Command at Old Dominion said in a social media post.

Shah attended ODU as an ROTC student, according to his biography on the university’s website, and had returned in 2022 as a leader for the program. In the Army, Shah piloted helicopters over Iraq, Afghanistan and Eastern Europe.

On Friday morning, in honor of his close friend Shah, Eddie Flack poured out a bottle of Wild Turkey on a lawn where flagpoles stand on campus across from Constant Hall. Flack, also of Chesapeake, said the two became firm friends while enrolled at ODU.

“I love you Brandon. Rest well with the creator. I love you,” Flack said as he poured out the whiskey and looked up at the sky.

“Sorry Brandon. The world needs more love,” Flack said, weeping. “We need to spread more love and not this hatred.”

The shooter also had a background in military service. Jalloh, a naturalized U.S. citizen from Sierra Leone, served as a specialist with the Virginia Army National Guard from 2009 until 2015, when he was honorably discharged.

Durkin Richer reported from Washington. Associated Press reporters Michael Biesecker in Washington; Michael R. Sisak in New York City; Adrian Sainz in Memphis, Tennessee; Jonathan Mattise in Nashville, Tennessee; John Raby in Cross Lanes, West Virginia; and Olivia Diaz in Richmond, Virginia, contributed.

This story has been corrected to show the AP reporter in the byline is Allen G. Breed, not Alan.

A person sits at the front door of Constant Hall, where yesterday's shooting occurred, on Friday, March 13, 2026, at Old Dominion University in Norfolk, Va. (AP Photo/Allen G. Breed).


Police are present at Constant Hall, where yesterday's shooting occurred, on Friday, March 13, 2026, at Old Dominion University in Norfolk, Va. (AP Photo/Allen G. Breed).


This photo provided by the U.S. Army shows Maj. Brandon Shah, Friday, Jan. 14, 2020, in Illesheim, Germany. (Pfc. Savannah Roy/U.S. Army/DVIDS via AP)

