Pro-Iranian hackers are targeting sites in the Middle East and, during the war that began Feb. 28, are starting to reach into the United States, experts said—an expansion that could increase the odds that American defense contractors and operators of critical infrastructure face disruptive cyberattacks. The risk is especially acute because the war environment can raise the value of digital disruption, from outages that interfere with operations to other forms of disruption that can create prolonged chaos.

The new reporting describes an online campaign attributed to Iran-linked groups that includes claims of responsibility for a cyberattack against Stryker, a medical device company based in Michigan. The hackers also have attempted to penetrate cameras in Middle Eastern countries, a move experts said could support Iran’s missile targeting, and they have targeted data centers and industrial facilities in the region, along with a school in Saudi Arabia and an airport in Kuwait.

In the case involving Stryker, the hackers described the attack as retaliation. A group known as Handala said it targeted Stryker in retaliation for suspected U.S. strikes that killed Iranian schoolchildren, according to the reporting. Ismael Valenzuela, vice president of threat intelligence at Arctic Wolf, said the group’s motives differ from purely financial crime, describing a focus on data destruction rather than financial extortion.

The reporting also placed the Stryker incident in a wider pattern of attempts to penetrate networks used by governments, militaries and defense contractors. It cited Iran’s investment in offensive cyber capabilities and its relationships with hacking groups, including past efforts in which groups working for Tehran infiltrated the email system of President Donald Trump’s campaign and targeted U.S. water plants. The U.S. Department of Homeland Security issued a public warning about Iranian cyber threats last year, according to the report.

Experts said the goal of such cyber activity is to wear down the American war effort and impose costs, including by straining U.S. cyber resources. Kevin Mandia, founder of the cybersecurity companies Mandiant and Armadin, warned that cyber disruption may accelerate, saying, “Something is going to happen because the gloves are off.” James Turgal, a vice president at Optiv, described Iran-linked activity as fundamentally aimed at producing disorder, saying, “Iran and especially the proxies don’t care how big or smart you are. This is about making an impact, about creating chaos.”

Researchers also described the types of attacks that could follow as the war continues. Experts said Iranian hackers and their allies would aim for quick victories by targeting weaker links in American cybersecurity, such as local water plants and health care facilities that may lack the funds or expertise to keep systems patched and protected. The reporting said such disruptions could include denial-of-service attacks, website defacements and hack-and-leak operations in which hackers threaten to release sensitive stolen material.

The reporting also said that some of these operations may not require advanced techniques to cause harm. Shaun Williams, a former FBI and CIA officer and now a senior director at SentinelOne, said the attacks are “not that sophisticated,” but he cautioned that a business or government agency that has fallen behind on cybersecurity could still “pay a steep price.” Williams urged organizations to “Patch your systems. Ensure your firewalls and security solutions are up to date,” to “Remove your stale accounts,” and to “Prepare for disruption.”

Beyond Iran-linked operations, experts said they are watching for whether Russia, China or groups allied with them might provide assistance to Iran and mount attacks intended to undermine U.S. operations in the conflict. The reporting cited evidence that pro-Iranian hackers in Russia have been active since the war began, with CrowdStrike researchers describing a surge in activity and one group called Z-Pentest claiming responsibility for disrupting several U.S. networks, including ones involved in closed-circuit video cameras. Adam Meyers, head of counter adversary operations at CrowdStrike, said the timing of that activity suggested it targeted U.S. interests because of the war, adding: “Western organizations should continue to remain on high-alert.”