WASHINGTON (AP) — Hackers backing Tehran say an uncertain ceasefire between Iran and the United States and Israel won't end their retaliatory cyberattacks, a warning that American cybersecurity experts say potential targets in the U.S. and Israel should take seriously.

One leading hacking group known as Handala said after the ceasefire announcement that it was temporarily postponing attacks on the U.S. but would continue to target Israel. It vowed to revive its efforts against America when the time was right — demonstrating again how digital warfare has become ingrained in military conflict. Already, the two-week ceasefire appears at risk of fraying over significant disagreements between the parties, which each are claiming victory in the war.

A pro-Palestinian, pro-Iranian network that operates independently of Tehran, Handala has claimed credit for disrupting the operations of the U.S. medical manufacturer Stryker and hacking into FBI Director Kash Patel's personal email account, among other cyberattacks. The group is just one of several proxy hacking networks allied with Iran.

"We did not begin this war, but we will be the ones to finish it,” Handala wrote on its X account. “And let it be clear: The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.”

U.S. authorities warned on Tuesday that hackers supporting Iran had burrowed into internet-connected computers used to automate and control technology in a variety of important industrial sectors. The computers, known as programmable logic controllers, are used in ports, power plants and water plants — key targets for foreign hackers looking to disrupt everyday life in the U.S.

In a joint advisory from the FBI, National Security Agency and Cybersecurity and Infrastructure Security Agency, officials urged organizations that use the technology to ensure their security precautions were up-to-date. CISA did not immediately respond to questions Wednesday about the impact that the ceasefire would have on cybersecurity.

Cybersecurity experts say the warning should be taken seriously by potential targets regardless of the sides announcing a temporary truce.

Markus Mueller, a cybersecurity executive at Nozomi Networks, said he anticipates an increase in cyberattacks on American organizations following the ceasefire, not a decrease. That’s because any lull in hostilities would allow hackers to shift from regional targets directly involved in the conflict to efforts to infiltrate U.S. organizations that participated in the war effort in some way, a list that includes data centers, tech companies and defense contractors.

He also predicted that some groups based in Iran or Russia may seek to circumvent the truce by launching a significant cyberattack on a U.S. target that is designed to attract the attention of the American public.

“With a ceasefire, we will likely see an expansion of cyber activity both in scale and scope,” Mueller said. “These groups will likely try to execute a high-profile attack such as what we saw with Stryker.”

So far, the attacks attributed to pro-Iranian hackers have been high in volume but low in impact, designed to boost morale among Iran’s supporters while reminding its opponents of continued vulnerabilities despite their military advantages.

Handala claimed responsibility last month for hacking Stryker, a major medical equipment supply company based in Michigan. Handala claimed the hack was in retaliation for strikes that killed Iranian schoolchildren.

The FBI responded by seizing four internet web addresses used by the group to spread its message. Handala then leaked several old photos of Patel after saying it had hacked into the FBI director's personal email account.

Other pro-Iranian hackers have been linked to efforts to install malware on the phones of Israelis, penetrate cameras in Middle Eastern countries to improve Iran’s missile targeting, and target data centers and industrial facilities in Israel, Saudi Arabia and Kuwait.

Copyright 2026 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.