Iran Hits Cork. Russia Hits Your Inbox. Europe's Cyber Week of Reckoning.

Threat Intelligence · March 2026 · ~7 min read


The past week produced one of the most significant cybersecurity events to directly affect Irish workers since the HSE attack of 2021. It did not involve ransomware. It did not demand money. It was designed purely to destroy.


Ireland: Stryker Cork Taken Offline by Iranian-Linked Wiper Attack

On Wednesday, 11 March, thousands of employees in Ireland were unable to log into their work devices after Stryker, a US medical technology company, was impacted by a cyberattack (The Irish Times). The company employs more than 5,000 people in Ireland, the majority of them based in Cork, which serves as Stryker's largest hub outside the United States (The Irish Times).

Handala, a pro-Palestinian hacktivist group strongly associated with the Iranian regime, claimed responsibility. The group is known for politically motivated cyberattacks designed to cause economic disruption rather than financial extortion (Dataproof). Unlike traditional ransomware — which encrypts files and demands payment — the attack deployed destructive wiper malware that permanently erases data, rendering it irrecoverable (International Business Times).

Handala claimed the attack as retaliation for a US military strike on a school in Minab, Iran, that reportedly killed around 160 people amid escalating US-Iran tensions (International Business Times). Stryker's previous acquisition of an Israeli medical technology company appears to have made it a target.

In Ireland alone, the sudden outage affected over 5,500 employees, immediately halting product design and engineering activities at major technology hubs (Cyber Security News). Taoiseach Micheál Martin described the attack as "shocking" and said it must act as a wake-up call on the threats facing the Irish economy (Irish Examiner).

Stryker CEO Kevin Lobo confirmed the attack had been fully contained following around-the-clock efforts by IT experts, though the company was continuing a restoration phase before normal operations could resume (Irish Examiner).

The Stryker incident is a reminder that not all attacks come with a ransom note. A wiper attack has one purpose: to cause maximum damage as fast as possible. There is no negotiation, no decryption key. Geopolitical conflict is increasingly fought through the IT systems of companies that happen to be in the wrong sector, the wrong supply chain, or the wrong country's corporate register. Irish-based multinationals with US or Israeli business ties should take note.


Ireland: Defence Forces Warn of Grid Collapse Risk Within Two Hours

A team of engineers and air corps officers told managers of State utilities and engineers working in critical infrastructure that a combined physical and cyberattack on a critical electricity transformer would cause grid collapse within two hours, impact critical services within six hours, and threaten social collapse within 48 hours (Irish Examiner).

The Defence Forces experts said it was "likely" that adversaries have already conducted an intelligence operation identifying vulnerabilities in Ireland's electricity grid and other critical sectors. "They may already have more information about your infrastructure than perhaps your own management board," Lieutenant Kieran White told attendees (Irish Examiner).

Engineering analysis cited at the event suggests there are fewer than a dozen high-value sub-stations in Ireland. An adversary who has mapped this — and the assessment is that they have — knows exactly which ones they are (Irish Examiner).

This is not speculation. It is an evidence-based assessment from the people responsible for defending Irish territory. For business owners: your dependence on grid power, communications, and water supply means a national infrastructure attack is also a business continuity event. Backup power, offline data copies, and tested continuity plans are not optional extras.


Europe: APT28 Exploits Microsoft Office Zero-Day Within Three Days

CVE-2026-21509 is a zero-day vulnerability that allows attackers to exploit unsafe behaviour in Microsoft 365 and Office and execute arbitrary code on affected systems. Microsoft rushed an out-of-cycle patch on 26 January after confirming active zero-day exploitation (Dark Reading).

Russia's APT28 — also known as Fancy Bear, and linked to Russia's GRU military intelligence service — began exploiting the flaw just three days later, as part of a campaign tracked as Operation Neusploit. The attacks rely on specially crafted RTF documents to trigger the vulnerability and deliver different malicious payloads, including MiniDoor, a tool built specifically to steal emails from Microsoft Outlook (Dark Reading).

The campaign targeted Ukraine, Slovakia, and Romania, delivering email-stealing and backdoor malware enabling data theft and remote access. CERT-EU noted this demonstrates APT28's continued focus on Central and Eastern Europe and its rapid adoption of newly disclosed Microsoft Office vulnerabilities (CERT-EU).

Three days from public disclosure to active exploitation in the wild is the new normal for state-linked groups. If your organisation runs Microsoft Office or Microsoft 365 and has not applied the 26 January out-of-cycle patch, this vulnerability is still open. Check with your IT provider today.


Europe: Signal Phishing Campaign Targets Politicians and Journalists

On 6 February, German authorities reported a sophisticated phishing campaign impersonating Signal's support communications, urging targets to re-enter PINs or re-register their devices. The attack, suspected to be state-sponsored, targeted politicians, military personnel, and journalists across Europe (CERT-EU).

The technique exploits Signal's own reputation for security. A message purporting to come from Signal — warning that your account needs urgent attention — is credible precisely because it is the app people trust. That trust is the attack surface.

The rule here is simple: no legitimate platform will ask you to re-enter credentials or re-register your device via an unsolicited message. If you receive one, open the app directly and check your account settings from there. Do not follow any link in the message.


Europe: EU Cybersecurity Regulation Moves Fast — Ireland Still Catching Up

On 20 January 2026, the European Commission proposed a comprehensive new cybersecurity package aimed at strengthening EU cyber resilience, including a revised Cybersecurity Act and targeted amendments to the NIS2 Directive, in response to growing cyber and hybrid threats affecting essential services and democratic institutions across Europe (Mayer Brown).

The package proposes significantly reinforcing ENISA's role, increasing its budget by more than 75%, and requiring Member States to designate liaison officers to facilitate operational cooperation. Member States would also be required to adopt policies for migration to post-quantum cryptography as part of their national cybersecurity strategies (Mayer Brown).

Meanwhile, Ireland has yet to transpose NIS2 — which became legally binding across the EU in October 2024 — into domestic law, and is subject to infringement proceedings from the European Commission. An update on the National Cybersecurity Bill is expected in the first half of 2026. The regulation is coming regardless. Organisations in healthcare, financial services, professional services, and digital infrastructure should be reviewing their obligations now, not when the bill passes.


What This Means for Your Business

The Stryker attack is the most immediately relevant story for Irish organisations this month — not because most businesses will be targeted by Iranian hackers, but because it demonstrates that geopolitical conflict lands on Irish soil through the IT systems of the companies operating here. Stryker employed over 5,000 Irish workers. A wiper attack caused days of disruption and a production halt across a global manufacturing operation.

The pattern across all of this month's stories is the same one we have reported before: attacks are moving faster than organisations are patching, staff remain the most common entry point, and the threat actors targeting European organisations are not slowing down. Ireland's Defence Forces are now publicly warning about grid collapse timelines. The EU is restructuring its entire regulatory framework in response to the threat environment.

The question for any Irish business owner is not whether these threats are real. It is whether your organisation would know if someone was already inside.

Not sure? Our Threat Susceptibility Assessment gives you a scored risk report across eight security domains, delivered to your inbox within 24 hours.
