Situation Summary
Within twelve days of the U.S./Israel February 28 attack on Iran, Iranian-linked actors had already disrupted a Fortune 500 medical device company, knocked out cardiac monitoring systems across Maryland, and issued explicit warnings of more to come. This is not theoretical geopolitical risk—it is active, ongoing, and affecting organizations with no direct connection to the conflict.
The attack on Stryker was fast, destructive, and deliberately public. Handala leveraged compromised administrator-level credentials to reach Microsoft management portals and execute a remote wipe at scale—without deploying any novel malware. This is a high-privilege, living-off-the-land technique that defeats signature-based detection. The operational message: U.S. companies are within reach, regardless of whether they have any direct military connection.
Handala—an Iranian proxy group linked to the Ministry of Intelligence—publicly claimed wiping 200,000+ systems across 79 countries and exfiltrating 50TB of data from Stryker, a $25B medical device manufacturer. Stryker’s stock fell by over 3%.
Why Your Organization May Be in Scope
Nation-state cyber operations during armed conflict are not ransomware. The goals are economic disruption, battlefield intelligence, and psychological pressure. Three patterns explain targeting decisions:
- Intelligence collection: Iranian actors compromised Israeli CCTV networks and camera feeds to support military damage assessment—not to cause disruption, but to watch.
- Economic pressure: Disrupting healthcare supply chains, payment processors, and energy systems imposes societal costs without kinetic strikes.
- Perception management: High-visibility attacks on named companies generate headlines and signal reach. Handala’s public statement after Stryker—that “this is only the beginning”—was intentional messaging, not boasting.
Stryker’s prior acquisition of Israeli medical tech firm OrthoSpace likely increased its visibility as a target. Any organization with Israeli business ties, recognizable brand association with U.S. defense, or sufficient size to generate headlines should treat itself as in scope.
Financial services face an additional risk: Iranian APTs have a documented history of selling compromised credentials on criminal forums. Even if you’re not the primary target, you may be the downstream victim of access sold to financially motivated actors.
Who’s Behind the Attacks
Iran’s offensive cyber capability is organized through the IRGC and the Ministry of Intelligence (MOIS), each maintaining affiliated APT groups with distinct targeting priorities:
- IRGC-affiliated: APT33 (Elfin), APT35 (Charming Kitten / Mint Sandstorm)—focused on espionage, credential theft, and long-term access.
- MOIS-affiliated: APT34 (OilRig), MuddyWater—focused on government, energy, and critical infrastructure.
- Proxy hacktivists: Handala (Void Manticore), CyberAv3ngers, Cotton Sandstorm—used for deniable, high-visibility destructive operations.
Iran deliberately blurs the line between APTs and hacktivist proxies. When deniability matters, proxies execute the campaign. When precision targeting is required, APTs engage directly. The broader ecosystem also includes Russian DDoS operators (Killnet) and pro-Palestinian collectives that have signaled ideological alignment with Iranian objectives—expanding the effective threat surface beyond Iranian nationals.
How They Get In: Key TTPs
CISA advisory AA24-290A (updated June 2025 with NSA, FBI, and international partner input) documents the consistent playbook. These actors are opportunistic and methodical—not exclusively sophisticated:
- Initial access: Password spraying, MFA push bombing, default credential exploitation on internet-facing systems.
- Persistence and movement: Lateral movement, credential harvesting, privilege escalation using legitimate enterprise tools (remote management software, built-in OS utilities).
- Execution: Destructive payloads (the Hatef wiper, the Radthief stealer, the Sicarii variant) prioritize destruction over monetization. Sicarii permanently destroys data because of a flaw in its encryption-key handling, so paying any ransom recovers nothing.
- Reconnaissance: OSINT tools like Shodan are used to identify internet-facing OT devices before deploying any malware. Exposure is the initial threat surface.
- AI-assisted phishing: Unit 42 documented Agent Serpens (Charming Kitten) deploying GenAI-generated lures masquerading as RAND Corporation documents. The quality of these phishing lures has improved markedly.
Detection Challenge: Living-off-the-land (LOTL) techniques are central to the Iranian playbook. Attackers use legitimate enterprise management consoles rather than custom malware, which neutralizes signature-based detection. Behavioral analytics and privileged access governance are the primary defensive levers.
Action Items for Security Leaders
Immediate
- Audit privileged access. Identify who has access to enterprise management consoles and remote device management portals. Remove unused admin accounts, eliminate shared credentials, enforce just-in-time access. The Stryker wipe was executed via compromised admin credentials—not novel malware.
- Harden MFA. Upgrade from push-notification MFA to number matching or phishing-resistant FIDO2/hardware keys. Iranian actors have documented success with MFA push bombing. CISA has published specific hardening guidance aligned to this threat.
- Scan your own OT exposure. Run a Shodan-equivalent scan on your own infrastructure. Any internet-facing PLC, HMI, or legacy OT device is a potential entry point. Patch what you can, isolate what you can’t, and verify OT/IT network segmentation is functioning as designed—not just documented.
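The first two immediate items (audit privileged access, harden MFA) reduce to a repeatable check over your identity-provider export. The script below is an added example written for this brief, not code from the brief's sources or from any vendor; it assumes the export has already been normalized into the record layout shown (the field names, the role strings, the MFA method labels, the 90-day staleness threshold and the sample accounts are all this example's own constructed assumptions) and flags privileged accounts that are stale, shared, or protected by something weaker than phishing-resistant MFA.

```python
"""Privileged-access and MFA posture audit over a constructed account inventory.

Added example; not from the original brief or any identity vendor's tooling.
Assumes an identity-provider export normalized into the record layout below.
Real exports (Entra ID, Okta, AD) differ and need a small mapping step first.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. Field names are this example's own assumption.
ACCOUNTS = [
    {"user": "jdoe", "roles": ["Global Administrator"], "mfa": "fido2",
     "last_login": "2026-03-10T08:15:00Z", "shared": False},
    {"user": "svc-intune", "roles": ["Intune Administrator"], "mfa": "push",
     "last_login": "2025-11-02T03:40:00Z", "shared": True},
    {"user": "helpdesk", "roles": ["Helpdesk Administrator"], "mfa": "sms",
     "last_login": "2026-03-11T12:00:00Z", "shared": True},
    {"user": "amartin", "roles": ["User"], "mfa": "push",
     "last_login": "2026-03-11T09:30:00Z", "shared": False},
    {"user": "old-admin", "roles": ["Global Administrator"], "mfa": "none",
     "last_login": "2025-09-01T10:00:00Z", "shared": False},
]

# MFA method labels are constructed; map your provider's values onto them.
PHISHING_RESISTANT = {"fido2", "hardware_key", "certificate"}
NUMBER_MATCHING = {"push_number_match"}
STALE_AFTER = timedelta(days=90)
# Fixed reference time so the audit is reproducible (constructed).
NOW = datetime(2026, 3, 12, tzinfo=timezone.utc)


def is_privileged(account):
    """Any role containing 'Administrator' counts as privileged here."""
    return any("Administrator" in role for role in account["roles"])


def audit_accounts(accounts, now):
    """Return {user: [findings]} for privileged accounts needing action."""
    findings = {}
    for acct in accounts:
        if not is_privileged(acct):
            continue
        issues = []
        last = datetime.fromisoformat(acct["last_login"].replace("Z", "+00:00"))
        if now - last > STALE_AFTER:
            issues.append("stale: no login in >90 days; remove or disable")
        if acct["shared"]:
            issues.append("shared credential; replace with named accounts")
        mfa = acct["mfa"]
        if mfa in PHISHING_RESISTANT:
            pass  # meets the target state for admin accounts
        elif mfa in NUMBER_MATCHING:
            issues.append("push with number matching; plan move to FIDO2")
        elif mfa == "push":
            issues.append("plain push MFA; exposed to push bombing")
        else:
            issues.append(f"weak or no MFA ({mfa}); enforce FIDO2/hardware key")
        if issues:
            findings[acct["user"]] = issues
    return findings


def run_audit():
    """Audit the constructed inventory at the fixed reference time."""
    return audit_accounts(ACCOUNTS, NOW)


if __name__ == "__main__":
    for user, issues in run_audit().items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Accounts with no finding (here the FIDO2-protected, recently used admin) are left out of the report so the output is an action list rather than an inventory; non-privileged users are skipped entirely because the item is about management-console access, not the whole directory.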
Short-Term
- Validate backup integrity. Wiper attacks and destructive ransomware variants make backup restoration the last line of defense. Verify backups are air-gapped or immutable, and test restoration procedures.
- Review third-party exposure. Audit supply chain relationships with organizations in healthcare, defense, financial services, and any entity with Israeli ties. Shared infrastructure with a targeted entity can make you collateral damage.
Ongoing
- Activate behavioral detection. Ensure LOTL technique coverage in your SIEM: anomalous use of enterprise management tools, authentication log anomalies, unusual admin console activity. Signature-based detection alone will not catch this threat.
- Review CISA AA24-290A. The advisory maps directly to active Iranian TTPs and was updated with FBI, NSA, and international partner input through June 2025. Use it to validate detection coverage and identify gaps.
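The initial-access TTPs listed under "How They Get In" (password spraying, MFA push bombing, living-off-the-land use of management consoles) and the "Activate behavioral detection" item above describe the same three detections from two sides. The script below is an added example written for this brief, not a rule set from CISA AA24-290A or any SIEM vendor; it runs the three detections over constructed sign-in events. The JSON field names, the thresholds, the admin source baseline and the sample log lines are all this example's own assumptions and need tuning to your own identity logs.

```python
"""Behavioral detections for spraying, push bombing and admin-console anomalies.

Added example; not from the original brief, CISA AA24-290A or a SIEM vendor.
Assumes sign-in events normalized into the JSON shape below (constructed).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line.
RAW_LOG = """
{"ts":"2026-03-12T02:00:01Z","user":"alice","src":"203.0.113.9","result":"fail","app":"Portal","mfa":"none"}
{"ts":"2026-03-12T02:00:03Z","user":"bob","src":"203.0.113.9","result":"fail","app":"Portal","mfa":"none"}
{"ts":"2026-03-12T02:00:05Z","user":"carol","src":"203.0.113.9","result":"fail","app":"Portal","mfa":"none"}
{"ts":"2026-03-12T02:00:07Z","user":"dave","src":"203.0.113.9","result":"fail","app":"Portal","mfa":"none"}
{"ts":"2026-03-12T02:00:09Z","user":"erin","src":"203.0.113.9","result":"fail","app":"Portal","mfa":"none"}
{"ts":"2026-03-12T02:00:11Z","user":"frank","src":"203.0.113.9","result":"fail","app":"Portal","mfa":"none"}
{"ts":"2026-03-12T09:10:00Z","user":"bob","src":"198.51.100.4","result":"fail","app":"Portal","mfa":"none"}
{"ts":"2026-03-12T09:10:30Z","user":"bob","src":"198.51.100.4","result":"fail","app":"Portal","mfa":"none"}
{"ts":"2026-03-12T09:11:00Z","user":"bob","src":"198.51.100.4","result":"fail","app":"Portal","mfa":"none"}
{"ts":"2026-03-12T10:00:00Z","user":"jdoe","src":"192.0.2.10","result":"success","app":"Intune","mfa":"fido2"}
{"ts":"2026-03-12T22:30:00Z","user":"svc-intune","src":"198.51.100.77","result":"mfa_denied","app":"Intune","mfa":"push"}
{"ts":"2026-03-12T22:30:40Z","user":"svc-intune","src":"198.51.100.77","result":"mfa_timeout","app":"Intune","mfa":"push"}
{"ts":"2026-03-12T22:31:20Z","user":"svc-intune","src":"198.51.100.77","result":"mfa_denied","app":"Intune","mfa":"push"}
{"ts":"2026-03-12T22:32:05Z","user":"svc-intune","src":"198.51.100.77","result":"success","app":"Intune","mfa":"push"}
"""

# Thresholds and baseline are constructed starting points, not vendor defaults.
SPRAY_WINDOW = timedelta(minutes=30)
SPRAY_MIN_USERS = 5       # distinct accounts failing from one source
PUSH_WINDOW = timedelta(minutes=10)
PUSH_MIN_PROMPTS = 3      # rejected/timed-out pushes before an approval
PRIVILEGED_APPS = {"Intune", "AzurePortal", "ExchangeAdmin"}
ADMIN_BASELINE = {"jdoe": {"192.0.2.10"}, "svc-intune": {"192.0.2.20"}}


def parse_log(text):
    """Parse JSON lines into events with aware datetimes, oldest first."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events):
    """One source address failing against many distinct users in a window."""
    alerts, by_src = [], defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        for i, first in enumerate(fails):  # sliding window per source
            users = {f["user"] for f in fails[i:]
                     if f["ts"] - first["ts"] <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append({"type": "password_spray", "src": src,
                               "users": sorted(users)})
                break
    return alerts


def detect_push_bombing(events):
    """Several rejected or timed-out pushes for a user, then an approval."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["mfa"] == "push":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            prior = [p for p in evs[:i]
                     if p["result"] in ("mfa_denied", "mfa_timeout")
                     and e["ts"] - p["ts"] <= PUSH_WINDOW]
            if len(prior) >= PUSH_MIN_PROMPTS:
                alerts.append({"type": "mfa_push_bombing", "user": user,
                               "prompts": len(prior), "src": e["src"]})
    return alerts


def detect_admin_console_anomaly(events):
    """Successful management-portal sign-in from a source not in baseline."""
    alerts = []
    for e in events:
        if (e["app"] in PRIVILEGED_APPS and e["result"] == "success"
                and e["src"] not in ADMIN_BASELINE.get(e["user"], set())):
            alerts.append({"type": "admin_console_new_source",
                           "user": e["user"], "src": e["src"], "app": e["app"]})
    return alerts


def run_detections(text=RAW_LOG):
    """Run all three detections and return the combined alert list."""
    events = parse_log(text)
    return (detect_password_spray(events) + detect_push_bombing(events)
            + detect_admin_console_anomaly(events))


if __name__ == "__main__":
    for alert in run_detections():
        print(json.dumps(alert))
```

On the sample data the spray detector fires for the one source cycling through six accounts but stays quiet for the user who mistypes a password three times from one address, the push detector fires only when the approval follows a burst of rejected prompts, and the console detector fires because the approving session reached Intune from an address that account has never used; the last two alerts land on the same account and source, which is the correlation a SIEM rule should surface rather than three separate tickets.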
The Bottom Line
Tehran’s playbook is documented, repeatable, and actively being executed: proxy hacktivists for deniability, APTs for precision, LOTL techniques for stealth, wipers for maximum disruption. The Stryker attack is a data point, not an anomaly.
The security community has the advantage that Iranian TTPs are well understood and consistent across CISA advisories, Unit 42, Check Point, and Trellix research. The defense is not mysterious—credential hygiene, phishing-resistant MFA, privileged access governance, OT visibility, and behavioral detection. What’s required is urgency, not complexity.
Sources: CISA AA24-290A, Unit 42, Check Point Research, CyberScoop, Trellix 2026 Iranian Cyber Capability Report, CSIS, Optiv GTIC, SecurityScorecard, Middle East Institute