Verticals Targeted: Healthcare
Regions Targeted: US
Executive Summary
Iran-linked cyber threats have elevated risk across the US healthcare sector, driven by the disruptive March 11 attack on Stryker, increased geopolitical tensions, and explicit warning signals from government and industry. A CISA acting director threat brief identifies healthcare as an actively targeted and highly exposed civilian sector, while vendor reporting links recent disruptive activity to MOIS-affiliated actors operating under personas such as Handala. Although widespread direct intrusions into hospitals have not been publicly confirmed, the convergence of supplier disruption, proxy activity, and sector vulnerabilities creates a credible near-term threat environment for healthcare entities and their supporting ecosystem.
Key Takeaways
- Iran-linked group Handala claimed responsibility for the March 11 cyberattack on Stryker, disrupting a major medical technology provider with downstream implications for hospitals and supply chains.
- A CISA acting director threat brief designates healthcare as “ACTIVE – ESCALATING,” identifying hospitals, medtech, and OT-dependent environments as high-risk targets.
- AHA and Health-ISAC have advised healthcare organizations to implement precautionary defensive measures amid heightened geopolitical cyber risk.
- Vendor reporting links Handala activity to Banished Kitten, an MOIS-associated threat cluster with disruptive and psychological operations capabilities.
Overview
Iran-linked cyber operations are increasingly intersecting with the healthcare sector through ecosystem-level targeting rather than direct hospital compromise. The March 11 cyberattack on Stryker provides the clearest operational signal of this shift.
Stryker, a major provider of medical technologies and services used by hospitals globally, experienced system disruptions affecting elements of its IT environment. In response, some healthcare organizations reportedly reviewed or restricted connectivity with Stryker systems to mitigate potential exposure. This reflects a broader reality: disruption of a single upstream provider can create cascading operational risk across multiple healthcare entities.
At the federal level, the threat signal has intensified. A CISA acting director threat brief, which is not available online, explicitly states that Iranian cyber actors are actively targeting the US healthcare sector and identifies it as the most exposed civilian sector in the current threat landscape. The brief highlights increased exposure across rural hospitals, trauma centers, DoD-linked healthcare systems, and medical device manufacturers, particularly those reliant on legacy infrastructure or operational technology. The brief named Refined Kitten, Helix Kitten, and Pioneer Kitten as Iranian threat actor groups that have historically targeted healthcare entities.
The Foundation for Defense of Democracies (FDD) was cited as a source by the CISA acting director. FDD noted similar concerns in a recent policy brief, pointing to Handala’s attack on Stryker and a February ransomware attack on an unnamed US healthcare entity. While public reporting does not confirm widespread Iranian intrusions into hospital networks, both government and industry guidance emphasize heightened preparedness in response to evolving geopolitical dynamics.
Healthcare Targeting Logic
Healthcare represents a strategically valuable target set due to a combination of operational fragility and systemic importance:
- Immediate impact of disruption: interruptions to care delivery can affect patient outcomes and public safety.
- Extensive third-party dependencies: vendors, medtech providers, and remote service connections expand the attack surface.
- Legacy and OT environments: hospitals and device manufacturers frequently rely on systems that are difficult to patch or segment.
- Data value: protected health information and operational data provide both financial and intelligence value.
The Stryker incident reinforces a key analytical shift. Indirect targeting of suppliers and ecosystem nodes can achieve broader disruption than direct attacks on hospitals, while requiring less sustained access to hardened clinical networks.
Threat Actor Activity and TTPs
Recent activity attributed to the Handala persona aligns with operations conducted by Banished Kitten, an Iranian state-linked threat cluster associated with the Ministry of Intelligence and Security.
Observed and reported TTPs include:
- Hands-on-keyboard intrusions with rapid execution timelines
- Destructive activity including data wiping and system disruption
- Data exfiltration followed by public leaks or doxxing
- Use of tunneling tools and remote access mechanisms for persistence
- Abuse of legitimate administrative pathways and remote management infrastructure
This operational model reflects a hybrid approach combining traditional intrusion activity with influence and psychological operations, often amplified through public-facing personas such as Handala.
Defensive Posture and Sector Response
Healthcare sector guidance currently emphasizes proactive risk reduction rather than response to confirmed widespread attacks. The American Hospital Association has stated it is not aware of direct impacts to US hospitals from the Stryker incident but has advised organizations to take precautionary measures given the broader threat environment. Concurrently, CISA has urged organizations to harden endpoint management systems and reduce exposure of centralized administrative infrastructure following the attack.
Key defensive priorities for healthcare entities include:
- Restricting and monitoring third-party and vendor network access
- Hardening identity and privileged access controls
- Segmenting IT and OT environments
- Validating downtime and business continuity procedures
- Monitoring for anomalous administrative activity and lateral movement
These measures are particularly critical given the potential for indirect disruption via supplier compromise.
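The first, second and last priorities above (restricting and monitoring vendor access, hardening privileged access, and watching for anomalous administrative activity and lateral movement) can be turned into a concrete check. The following is an added illustration, not code from PolySwarm or from any of the organizations named in this report. It runs a small vendor-access policy and a lateral-movement heuristic over constructed authentication log lines; the log format, the account, host and network names, the maintenance window and the thresholds are all assumptions made for the example.

```python
"""Flag vendor remote-access events that violate an access policy and
login patterns that look like lateral movement.

Added example. Log format, names, networks and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed policy for one third-party (medtech vendor) service account: where it
# may connect from, which hosts it may touch, and its approved window (UTC hours).
VENDOR_POLICY = {
    "svc-medtech-remote": {
        "allowed_sources": [ipaddress.ip_network("203.0.113.0/24")],  # vendor VPN egress (TEST-NET-3)
        "allowed_hosts": {"or-imaging-01", "or-imaging-02"},
        "window": (1, 5),  # 01:00-05:00 UTC maintenance window
    },
}
LATERAL_HOST_THRESHOLD = 3          # distinct hosts reached by one account ...
LATERAL_WINDOW = timedelta(minutes=10)  # ... within this window triggers an alert

# Constructed sample log: timestamp, account, source IP, target host, action.
SAMPLE_LOG = """\
2024-01-01T02:10:00Z svc-medtech-remote 203.0.113.7 or-imaging-01 login
2024-01-01T02:12:00Z svc-medtech-remote 203.0.113.7 or-imaging-01 service-restart
2024-01-01T14:30:00Z svc-medtech-remote 198.51.100.9 or-imaging-01 login
2024-01-01T14:31:00Z svc-medtech-remote 198.51.100.9 dc-01 login
2024-01-01T14:33:00Z svc-medtech-remote 198.51.100.9 fileserver-03 login
2024-01-01T14:35:00Z svc-medtech-remote 198.51.100.9 ehr-app-02 login
2024-01-01T09:00:00Z nurse.jdoe 10.20.30.40 ehr-app-02 login
"""


def parse_line(line):
    ts, account, src, host, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "src": ipaddress.ip_address(src),
        "host": host,
        "action": action,
    }


def check_vendor_policy(ev):
    """Return the policy violations (possibly none) for a single event."""
    policy = VENDOR_POLICY.get(ev["account"])
    if policy is None:  # not a vendor account covered by the policy
        return []
    reasons = []
    if not any(ev["src"] in net for net in policy["allowed_sources"]):
        reasons.append("source outside vendor allowlist")
    if ev["host"] not in policy["allowed_hosts"]:
        reasons.append("host outside vendor scope")
    start, end = policy["window"]
    if not (start <= ev["ts"].hour < end):
        reasons.append("outside maintenance window")
    return reasons


def detect_lateral_movement(events):
    """One alert per account whose logins reach >= threshold distinct hosts
    inside any LATERAL_WINDOW-sized span."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["action"] == "login":
            by_account[ev["account"]].append(ev)
    alerts = []
    for account, logins in by_account.items():
        logins.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logins):
            hosts = {e["host"] for e in logins[i:]
                     if e["ts"] - first["ts"] <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOST_THRESHOLD:
                alerts.append((first["ts"], account,
                               f"possible lateral movement: {len(hosts)} hosts in {LATERAL_WINDOW}"))
                break
    return alerts


def analyze(log_text):
    """Return (timestamp, account, reason) findings for a whole log."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for ev in events:
        for reason in check_vendor_policy(ev):
            findings.append((ev["ts"], ev["account"], reason))
    findings.extend(detect_lateral_movement(events))
    return findings


if __name__ == "__main__":
    for ts, account, reason in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {account}: {reason}")
```

In the sample, the vendor account's in-window activity from its own network produces nothing, while the afternoon session from an unexpected address that touches a domain controller, a file server and an EHR host is reported both as a policy violation and as a lateral-movement pattern. The policy table is the piece worth maintaining in practice: it encodes exactly what each supplier connection is allowed to do, which is what makes the "restrict and monitor vendor access" priority enforceable.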
Threat Actors to Watch
Banished Kitten
Banished Kitten, also known as Dune, Void Manticore, Red Sandstorm, and Storm-0842, is an Iranian threat actor group active since at least 2008. The group is assessed to operate under or in coordination with the Ministry of Intelligence and Security. The group has evolved from primarily espionage-focused operations into a hybrid actor capable of conducting disruption, data leakage, and influence campaigns.
Banished Kitten represents a hybrid cyber threat actor combining state-backed capability with hacktivist-style execution and messaging. Its use of front personas enables plausible deniability while amplifying psychological and reputational impact. Recent activity linked to Handala indicates a shift toward rapid, disruptive operations aligned with geopolitical events, increasing the relevance of this actor to healthcare and other critical infrastructure sectors.
TTPs
Banished Kitten conducts operations combining intrusion, disruption, and psychological impact. The group:
- Conducts targeted intrusions via spearphishing, credential harvesting, and exploitation of exposed services
- Executes destructive operations including data wiping and system disruption
- Exfiltrates and leaks data to amplify reputational and operational impact
- Operates influence personas such as Handala and Homeland Justice
- Maintains persistence using remote access tools, tunneling, and abuse of legitimate administrative pathways
Targeting
The group targets organizations aligned with Iranian strategic interests, including:
- Government and public sector entities
- Critical infrastructure and industrial environments
- Private sector organizations supporting national resilience, including healthcare and manufacturing
- Media organizations and dissidents
Regions Targeted
Middle East, United States, Europe, and allied nations
Refined Kitten
Refined Kitten, also known as Charming Kitten, APT35, Phosphorus, Mint Sandstorm, and Newscaster, is an Iranian threat actor group active since at least 2014. The group is widely assessed to operate on behalf of or in coordination with the Islamic Revolutionary Guard Corps (IRGC). Refined Kitten is primarily focused on cyber espionage and intelligence collection, with a strong emphasis on social engineering and identity-based targeting. The group is known for targeting individuals rather than just organizations, including researchers, journalists, and government personnel.
TTPs
Refined Kitten conducts operations centered on credential theft, surveillance, and long-term access. The group:
- Conducts highly targeted spearphishing campaigns, often impersonating journalists or researchers
- Builds fake personas and long-term social engineering relationships to gain trust
- Uses credential harvesting pages to capture login information for email and cloud services
- Leverages compromised accounts to expand access and conduct further targeting
- Deploys malware selectively for surveillance and data collection
- Exploits publicly available platforms such as social media and email providers for operational activity
Targeting
The group targets individuals and organizations aligned with Iranian intelligence priorities, including:
- Government officials and diplomats
- Journalists, academics, and policy researchers
- Defense, aerospace, and nuclear-related organizations
- Dissidents and activists
- Technology and telecommunications sectors
Regions Targeted
United States, Europe, Middle East, and global diaspora communities
Helix Kitten
Helix Kitten, also known as APT34, OilRig, Hazel Sandstorm, and IRN2, is an Iranian threat actor group active since at least 2014. The group is assessed to operate on behalf of Iran’s Ministry of Intelligence and Security. Helix Kitten is primarily focused on cyber espionage and long-term network persistence, with a particular emphasis on maintaining access to strategic targets in the Middle East and beyond.
TTPs
Helix Kitten conducts operations focused on persistence, lateral movement, and intelligence collection. The group:
- Uses spearphishing and malicious documents to gain initial access
- Deploys custom malware families and backdoors for persistence
- Conducts credential dumping and lateral movement within compromised environments
- Leverages DNS tunneling and other covert communication channels for command and control
- Maintains long-term access to networks to support intelligence collection
- Exploits known vulnerabilities in enterprise infrastructure
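The DNS tunneling item in the list above is one of the more detectable behaviours from the defender's side, because encoded payloads carried in query names look nothing like ordinary hostnames. The following is an added example, not PolySwarm's code and not derived from any Helix Kitten sample: it scores constructed DNS query log lines on subdomain length and character entropy and reports client/domain pairs that repeatedly issue such queries. The log format, the domain names, the thresholds and the "registered domain is the last two labels" simplification are all assumptions of the example.

```python
"""Heuristic detection of DNS-tunneling-style query patterns.

Added example. Log format, names and thresholds are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: client IP, queried name, query type.
# The evil-c2.example names carry long high-entropy labels, as encoded data would.
SAMPLE_DNS_LOG = """\
10.20.30.40 www.example-hospital.org A
10.20.30.40 mail.example-hospital.org MX
10.20.30.40 cdn.example-vendor.net A
10.20.30.41 3q4b7hx9k2m8v1n5p0a6r3t7z9e2d4f8.k7l2m9n4.evil-c2.example TXT
10.20.30.41 g8h2j5k9l1m4n7p3q6r0s2t5v8w1x4y7.a3b6c9d2.evil-c2.example TXT
10.20.30.41 z2y5x8w1v4u7t0s3r6q9p2o5n8m1l4k7.e1f4g7h0.evil-c2.example TXT
10.20.30.41 b4n8m2k6j0h4g8f2d6s0a4p8o2i6u0y4.j5k8l1m4.evil-c2.example TXT
10.20.30.40 www.example-hospital.org A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (subdomain part, registered domain).

    Assumption: the registered domain is the last two labels. A production
    detector should use the Public Suffix List instead (e.g. for co.uk)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_encoded(subdomain: str, min_len: int = 30, min_entropy: float = 3.0) -> bool:
    """True when the subdomain is long and has high character entropy."""
    payload = subdomain.replace(".", "")
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy


def detect_dns_tunneling(log_text: str, min_unique: int = 3):
    """Report (client, registered domain) pairs with >= min_unique distinct
    encoded-looking subdomains. Returns a list of finding dicts."""
    seen = defaultdict(lambda: {"subdomains": set(), "qtypes": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        sub, domain = split_name(qname)
        if looks_encoded(sub):
            entry = seen[(client, domain)]
            entry["subdomains"].add(sub)
            entry["qtypes"].add(qtype)
    findings = []
    for (client, domain), entry in seen.items():
        if len(entry["subdomains"]) >= min_unique:
            findings.append({
                "client": client,
                "domain": domain,
                "suspicious_queries": len(entry["subdomains"]),
                "qtypes": sorted(entry["qtypes"]),  # kept for analyst context
            })
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print(f)
```

Requiring several distinct encoded-looking subdomains to the same parent domain from one client is what keeps the false-positive rate tolerable: a single long label is common (CDN and anti-spam records, for instance), whereas a stream of unique ones to one domain is the signature of data being moved through the resolver.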
Targeting
The group targets organizations aligned with Iranian intelligence and geopolitical interests, including:
- Government and public sector entities
- Energy, oil, and gas sectors
- Telecommunications and infrastructure providers
- Financial services organizations
- Regional and international businesses operating in strategic industries
Regions Targeted
Middle East (particularly Gulf countries), United States, Europe, and Asia
Pioneer Kitten
Pioneer Kitten, also known as UNC757, Lemon Sandstorm, Parisite, and RUBIDIUM, is an Iranian threat actor group active since at least 2017. The group is assessed to operate in alignment with Iranian state interests, with activity overlapping financially motivated cyber operations and state-directed campaigns. Pioneer Kitten is known for exploiting exposed infrastructure and enabling ransomware and disruptive operations.
TTPs
Pioneer Kitten conducts operations focused on opportunistic access and rapid exploitation. The group:
- Exploits externally exposed services such as VPNs, web servers, and remote access platforms
- Conducts password spraying, credential harvesting, and brute-force attacks
- Uses valid accounts to establish persistence and move laterally
- Deploys ransomware or facilitates access for ransomware affiliates
- Abuses legitimate administrative tools and remote management software
- Targets unpatched vulnerabilities in internet-facing systems
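Password spraying and brute forcing against exposed remote-access services, as listed above, leave distinct shapes in authentication logs: spraying is one source trying many usernames a few times each, brute forcing is one source hammering one username. The following is an added example (not PolySwarm's code and not tied to any Pioneer Kitten activity) that separates the two over constructed VPN and webmail authentication lines and notes when a spray is followed by a success from the same source. The log format, names, addresses and thresholds are assumptions of the example.

```python
"""Detect password-spray and brute-force patterns in authentication logs.

Added example. Log format, names, addresses and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, service, username, result.
SAMPLE_AUTH_LOG = """\
2024-01-01T03:00:01Z 198.51.100.23 vpn alice FAIL
2024-01-01T03:00:03Z 198.51.100.23 vpn bob FAIL
2024-01-01T03:00:05Z 198.51.100.23 vpn carol FAIL
2024-01-01T03:00:07Z 198.51.100.23 vpn dave FAIL
2024-01-01T03:00:09Z 198.51.100.23 vpn erin FAIL
2024-01-01T03:00:11Z 198.51.100.23 vpn frank SUCCESS
2024-01-01T08:15:00Z 10.20.30.50 vpn alice FAIL
2024-01-01T08:15:20Z 10.20.30.50 vpn alice SUCCESS
2024-01-01T09:00:00Z 203.0.113.77 owa admin FAIL
2024-01-01T09:00:02Z 203.0.113.77 owa admin FAIL
2024-01-01T09:00:04Z 203.0.113.77 owa admin FAIL
2024-01-01T09:00:06Z 203.0.113.77 owa admin FAIL
2024-01-01T09:00:08Z 203.0.113.77 owa admin FAIL
2024-01-01T09:00:10Z 203.0.113.77 owa admin FAIL
"""


def parse_auth_line(line):
    ts, src, service, user, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "service": service,
        "user": user,
        "result": result,
    }


def detect_credential_attacks(log_text, window=timedelta(minutes=10),
                              spray_min_users=5, brute_min_failures=5):
    """Return findings per (source, service).

    password_spray: >= spray_min_users distinct users fail inside one window.
    brute_force:    one user fails >= brute_min_failures times inside one window.
    """
    events = [parse_auth_line(l) for l in log_text.splitlines() if l.strip()]
    grouped = defaultdict(list)
    for ev in events:
        grouped[(ev["src"], ev["service"])].append(ev)

    findings = []
    for (src, service), evs in grouped.items():
        evs.sort(key=lambda e: e["ts"])
        spray_reported = False
        brute_users = set()
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            fails = Counter(e["user"] for e in win if e["result"] == "FAIL")
            if not spray_reported and len(fails) >= spray_min_users:
                findings.append({
                    "src": src, "service": service, "kind": "password_spray",
                    "users": len(fails),
                    # a success from the same source right after a spray is the
                    # event that needs an immediate response
                    "success_after": any(e["result"] == "SUCCESS" for e in win),
                })
                spray_reported = True
            for user, n in fails.items():
                if n >= brute_min_failures and user not in brute_users:
                    findings.append({
                        "src": src, "service": service, "kind": "brute_force",
                        "user": user, "failures": n,
                    })
                    brute_users.add(user)
    return findings


if __name__ == "__main__":
    for f in detect_credential_attacks(SAMPLE_AUTH_LOG):
        print(f)
```

Keying on the source and service rather than on the username is what makes the spray visible: per-user lockout thresholds never fire because each account sees only one or two failures. The legitimate user who mistypes once and then logs in (10.20.30.50) produces no finding.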
Targeting
The group targets a broad range of organizations, often based on accessibility rather than strict strategic alignment, including:
- Critical infrastructure sectors such as healthcare and energy
- Government and public sector organizations
- Private sector enterprises with exposed remote access services
- Organizations with weak identity security or patch management practices
Regions Targeted
United States, Europe, Middle East, and globally exposed organizations
Analyst Commentary
In our threat bulletin Cyber Strategy Under Fire: Iranian APT and Proxy Retaliation Risks, our analysts previously predicted Handala would become active in retaliation for US and Israeli military operations in Iran and provided a list of hashes of malware samples known to be associated with the group. We later reported on Handala’s activity targeting healthcare entity Stryker in our threat bulletin entitled Footholds, Live Feeds, and Lifelines: Iranian Cyber Operations Surviving, Not Thriving.
We concur with US government entity and vendor assessments that current evidence supports a heightened and credible risk to healthcare, driven by the convergence of:
- A real-world disruptive incident affecting a major healthcare supplier
- Government and industry warning signals elevating healthcare as a priority target
- Known Iranian TTPs aligned with disruption and psychological impact
- The ongoing nature of the conflict between the US/Israel and Iran
While direct, large-scale Iranian attacks on US hospitals have not been publicly confirmed, the threat environment indicates that healthcare entities and their supporting ecosystem are increasingly viable targets for disruptive and opportunistic activity.
IOCs
PolySwarm has multiple samples associated with the Iranian APT groups mentioned in this report. Below is a selection of hashes for those samples.
Banished Kitten
0a5cf97e699c8bfacee7f89ebfaa851ff03dd004a58ffde9c609fcc2cd27f250
6b8a220272382f5481e1900c1c603f67ec9d5fb45ad78bf7788dece1f20dddcd
7d78a59e1310187b8dafd99b8aa6b6f0fabcbdc92456ed51fa7a4869161da227
0c1c553d3542f7cc80b26361d4604c9bda5037e522c664a7e482cc72411bb239
48c7ee7363adced693d46b68142bc749984f668ad5ab84ac44b1775fafd57aca
444e3daa46e7f7055daa221771290ec68eafee6b8d53170d599db8622e3726f1
08ade0872d3f2edecf934c901ceaef3311db73f38b1e7229e54e995d51ff8520
6c0d1268177ebc1ad7b8f34f04b3d38c74cf4b43e18259677759c0ef91615e24
c9110f7bcf8ac8ec9977f97f953291d73d7daaa1ad7ea5f36ad17207a727f1e6
9f0ac7fa30e86b4015de6f77fe219cced164f317799fdc3faaf35af730a48700
bdea2ff578a6fee90f931f1d2e67ab74f84a12b6b54ebc1b8b38ce75204e5533
a7a24435f047ff38310200a058094a903cfccd2f1d2774d7056da349b7f76d98
e8d048f9055f011d17945f630804de45df930a932fed69056d22d6f56f228442
2417738503887374dae9891d26ea7033eb7b44656a14b84f15d4e8fa63e4e830
5be78ca82c9d36d67dce3b8962f96909075356c4b47f39d1f0a36e6450637748
90db84c7e6278cb4e54895e9661b78bde52dc8ec636d739aff6e28d17caf62ef
6b4f59a9d123eac7f8a5830a8e4f7a8f5d32bd73065959bc51c2bfe1ca8fb140
ed3d5cafc7515e51edb90df7abf0953e261c77ebe18f2cb692fb0d41fb8b61b1
ff5f7d414c6e701be02ec546c56fac589902896fe29fa0ef1e3a96d904a65134
227190b7494490ef98c5c18f0a06b2a0e390d060909d5fb99f977391d9461292
fde0baf775c276d9fb51b7448b84edaed46c2add1f0d05b0c183168c208580f1
b243c27378dd334e37c1c2e7421a1f2fc5cc0f8b4792d888bcb62c7e999ad763
Refined Kitten
e7bea41981fbfa81186eba50b182e656bed66acb1103df1b85324b5a40567dae
84b24f76f9fafcda438d8971ebbe68354e3f83f871faa5d20e896b9ac66198b0
e0927806ab5820d9cf1f11d3d45ba7ddef51b91a474da7d9a47c327e1241367d
0f1d2eebcd34d77a6e4938578c7ab6b95c243e87dd20f09adedf40b8ed258e70
ea463dd003087dded83ab8483d43a6062bda20f934bd0291ee0ead0ff5c0f479
561d5036a1ecb3f12f2a0e9a439106b794993273f5775fe801717cd13ceb7631
5782bce800d721b1380f87727da4d767c31c70b981a936b0ab2106219a91165e
55a72b15f478b8c3092a454b3664424b765b469a4340621b5593411d76d4fe88
21e3dba05111c86468bd060a51e6884c0954940d7b2d8f0ca3f72687e2d5fbac
6d39974e149162e28e9df6bf6e3c5c9ba75e6bcdcd0a681c774e6075616ce98c
5288353d7946566a1247f78239a98b2c859071c1547ce3f6db88ebae43db5f40
e1763c22d4a4bad7987552d0327c83c850358f207c7b22d3af67a6af887a9870
220aaec1aece8a619ea3798e047310b0e19832a7af7ee5378df9c8202c68e5f1
3b39884710c182ebffa7e351f84ceabb248ccb79fb1b0fbb610bd4c1927f759d
2cccf76afa98629ec5b4cc7c765c6d2bce22a40b94ce4191f3acd50e55866d60
1aa5785d58eb5aacd449d13a5d59eb23185d2c026f673379c92e28cd802dc8a7
31e65330c019b85bd1027196788c02885273afa41872c8e4fad857456ca1b92f
7540bed5efd55f75271bb4b5a5afb28f343ebe64a816f74f0edba8527dc5e181
8ca9ab59c2e2bf4e77a9c3315903c03a2f2d0a6c6aec5b54dcbebcb924857005
4afee09e1dc80b17e05d3f664e3ce19dbb5e2e6ec6bfbfa3d5554ba552b6e176
fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f
ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4
711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350
7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198
1f17e5a510e0fdd981b2fa38adb3d2fbd8a5415716f2e89441a20e1e0044cdd8
4145e792c9e9f3c4e80ca0e290bd7568ebcef678affd68d9b505f02c6acaab12
6bea9a7c9ded41afbebb72a11a1868345026d8e46d08b89577f30b50f4929e85
Helix Kitten
fbd3502ae51ab7d70fd2908e218588adc3818752cf3150bbd75fd1623ad18aa5
868ddffb91ca901aa746658fcf378a0170adefb665ea01ddaa7af11205dd4e63
0dc06bf6bbae9a893b63042ef71cc3c4860acbe575ebf71754b4192bca1f465f
86bcf8a52d3ffd819c2a8c07e5142ebee6d618bfb8505c371abbcd0c4d0568bc
e1b79b6e98a3e1ef1b8c20ba05a8e860cbaf1b7b4404527566df5f8f62ed6875
4efe96d7cddcecdd779e7d86bb5ef6442fd6e5ded0390e688818338074afd68c
45bea9458d6c3d61a29898a996c30a2e5f2d7f7c8996b4484b1f8af942c5f9b2
827366355c6429a7fe12d111e240c5bcec3ed61e717fb84ea8b771672dd1f88e
c1c6b9313110d64830bcdb9789b875c9a4c31db7247c041a906584d005034a2e
b15f1c970891e3875aa5174b7046a1b4da047f79ac5b62146ec72bd5cc2ac082
5592cf16b8a67f859396ed81af5e46c471f3e6909b11e63398e84c0ed142e4a4
b17049a34c3fc181c4b56dd2949891a1c4d7da3564c4804caf81d25f6740caff
8cb80ac1f955bac9ccf67e843ddc15322b4aa70e8c98269a8a98a02df4cbd8b7
d4dcbfbab036132eb6c40c56a44c0d3b4b681b19841b81fc4f8e1d62ea5b211d
0ca0febadb1024b0a8961f21edbf3f6df731ca4dd82702de3793e757687aefbc
dd57e9ff5471438491fa106a9216a229cfd98b6c5166d62b2794496629c822b5
022909ebb9ddf9fcb30a07c20cd86361ff46a00ea1e75663fd8d97959b81eaf2
5daf543ae64b38ffba894a9c013e5ab95ec0273733df42b47ddb242dacb34abb
028d3de0f0709a18c9928526519e761a08f6766d1eca386e908588f995f44e7f
93610bd68bb92745760af28c2a05eb8d84493e4100ee92e1477a04cca14bcb12
61458241868915200aa516bd533c6964a0c9de3d43fdddbc116fbcb406ce4256
e624deafc5e24e89ccd45e5363c4d7b652ef619bdf8452c83976bfe18edcd2ff
3a66d4b40cc0fa1e447f19cfd6af08d265397be2256535b6c50a3901bae616f0
7ac894f9440d19682bf4bc1a61cbc798cf5ecfa78013a38a3c1c8a6c2a611351
abe333624afc2b4c972f782c88834242e112e909f09ec9774a5cd0e237192edf
6a54537dd0d5df7b0ddeecc33828e7e24d56a28b4f84f34be8d281de2b2ae532
3428620d6b5064f01c3ae6192beee004702ec6419c570c6ee172fdb62d54a31c
163f1e63c99221ef5eb211b667b1e32f3b2b173da7caf16a843efb652adea440
ccd06fd7e51e1949dcc622e7a0e6f66ee9dd2b02c15a246fda3680b1b86084d9
3ae9355fcc6beccb0485123bea15031e88f512afd2a0978fc58e9f8b2dd762c9
d216ca676e5bb7430650e696bbbf2879aa29a782c9377a8ddcc80380751d9537
0495d4e2b908e273c573f56a345660fcef4333673018888b3fc615eaa5237e07
2a432edfba8a28854b9e3e34be513e96e1dc3426b1bd0976cda71ecfc5a2427c
472fcd0a61269c35b4cf929a03c71fbfd9f558a978dce2fefb8b6d5c26e972ed
4d79c56c25ecd90b039d647141ac6d4fbbbdf5ab83f086587092fe1ce34a8d47
ecc0394987d76be119b8fbd8cdd61e6dcdb5a2290dff38e744b15e406b87024f
042f7b9cb1409f9016e91166b19e29f5e40052ddd804a8dc83b9c2f623adaeff
4a9a5077834bd31783d4fab070c65c8d28555b93ecea2e36c5096985854ebba3
b585c00ebd3cf4f837cad454325c3ed042e495dfe8d7bba3929612a25a386c73
ddf01ac805c163ff195a156cde88e0e42ddb91db6d4b5636ac056111a1866b02
ff2aee8b401a770815ec4a9b76c089f45c5df0c649c57e4b105da46f8b4ab4ec
62ef0611e3eae6f30b6dc829e0cf8ea6d8bac4b3e51b2dbba842e5be76c901ea
79f55e1d0ae8ba9f9a0c210578ff2a100f9a9e6839a4e829986c5579162d94b0
Pioneer Kitten
600b3583d995efa22fe191aed81f260785d097db26edfb449c8e02e448fb21f0
2e3b6a63ee11547f570a8ece78dd46443f48bf674da50adef09aedb428db0a95
ad2dc9be0c056ecd96827fa2b3113ac71db6ad015762ef499c2d8190d0328468
bd5fe4f7e69349b153802474a34ff8604c56ddc92bfd85525df5fba1b9f5a72b
940372ebbca3a314455f219b05371cd4d7a30e22904fa38d4e14e8a95e3e4afc
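A practical use of the hash list above is a retrospective sweep of file stores and quarantine folders. The following is an added example, not PolySwarm tooling: it parses an IOC block laid out the way this section is (group heading, then SHA-256 lines), validates each hash, hashes files on disk and reports matches with their group attribution. The embedded block contains a handful of the hashes printed above; the file paths and the observed-hash list used to demonstrate matching are constructed for the example.

```python
"""Match file hashes against a grouped SHA-256 IOC list.

Added example. The IOC_BLOCK entries are copied from the report's IOC section;
file paths and observed hashes used for demonstration are constructed.
"""
import hashlib
import os
import re

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# A selection of the report's hashes, in the report's own layout.
IOC_BLOCK = """\
Banished Kitten
0a5cf97e699c8bfacee7f89ebfaa851ff03dd004a58ffde9c609fcc2cd27f250
6b8a220272382f5481e1900c1c603f67ec9d5fb45ad78bf7788dece1f20dddcd
Refined Kitten
e7bea41981fbfa81186eba50b182e656bed66acb1103df1b85324b5a40567dae
Helix Kitten
fbd3502ae51ab7d70fd2908e218588adc3818752cf3150bbd75fd1623ad18aa5
Pioneer Kitten
600b3583d995efa22fe191aed81f260785d097db26edfb449c8e02e448fb21f0
"""


def parse_ioc_block(text):
    """Return {sha256 (lowercase): group name}. Any non-hash line is a group heading."""
    iocs = {}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SHA256_RE.match(line):
            if group is None:
                raise ValueError("hash appears before any group heading")
            iocs[line.lower()] = group
        else:
            group = line
    return iocs


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large artefacts do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_hashes(observed, iocs):
    """observed: iterable of (label, sha256). Returns [(label, sha256, group)] for hits."""
    hits = []
    for label, digest in observed:
        digest = digest.lower()
        if digest in iocs:
            hits.append((label, digest, iocs[digest]))
    return hits


def scan_directory(root, iocs):
    """Hash every regular file under root and return IOC hits."""
    observed = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                observed.append((path, sha256_file(path)))
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
    return match_hashes(observed, iocs)


if __name__ == "__main__":
    import sys
    iocs = parse_ioc_block(IOC_BLOCK)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, group in scan_directory(root, iocs):
        print(f"MATCH {group}: {path} ({digest})")
```

Hash matching only catches the exact samples listed, so treat a hit as confirmation rather than the absence of hits as clearance; the behavioural checks in the earlier sections are what cover re-compiled or repacked variants.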