
Iran's Cyber Playbook: Credential Theft and Narrative Manipulation Over Destructive Attacks

April 24, 2026 20:00 · 5 min read

Bracing for the Wrong Kind of Attack

Following a Cybersecurity and Infrastructure Security Agency (CISA) advisory warning that Iranian-linked cyber actors were seeking to "cause disruptive effects within the United States," much of the public conversation has centered on the possibility of a sweeping, coordinated strike against American critical infrastructure. Yet that framing may be misleading.

Speaking at the Asness Summit on Modern Conflict and Emerging Threats in Nashville on Friday, two prominent voices in the national security and cybersecurity communities pushed back against the shock-and-awe narrative. Tim Haugh, former director of the National Security Agency, and Kevin Mandia, a longtime cyber incident responder and founder of a new AI-focused cybersecurity venture, argued that Iran's approach is far more methodical — and far more ordinary — than many expect.

Criminal Tactics, State Actor Label

Haugh drew a pointed comparison between Iran's cyber operations and the methods used by financially motivated criminal groups.

"I'd probably draw an analogy right now, that Iran and Iran's cyber capability is closer to a criminal actor. They're going to do targeted opportunity [attacks] and then try to tie that to an information operation to make it big."

That two-step formula — gain access through opportunistic means, then amplify the perceived impact through messaging — is what officials say has characterized Iran's most notable recent activity. Rather than deploying zero-day exploits or custom malware, Iranian-linked actors appear to be leveraging the same low-effort entry points that ransomware gangs and data brokers have used for years.

The Stryker Incident: Destructive but Not Sophisticated

The highest-profile example cited was a recent incident involving Stryker, the medical device company. Researchers identified it as the most significant retaliatory cyberattack linked to Iranian actors observed so far. Reports described hackers disabling thousands of devices — a headline-grabbing outcome that suggested a capable, well-resourced adversary.

But Haugh and Mandia offered a more sobering explanation for how the attack actually worked. According to Haugh, the operation did not depend on a previously unknown vulnerability or advanced intrusion tools. Instead, it began with a human target.

"They social-engineered someone and used legitimate credentials to basically cause an effect. They used a legitimate capability associated with that access to just basically delete things that they had permission to delete."

In other words, the attackers didn't break in — they logged in. The destruction was real, but the method was mundane: valid access credentials, obtained through deception, used to erase data the actor had been authorized to touch. The perception of a sophisticated destructive cyberattack, both officials suggested, exceeded the technical reality.

Dark Web Credentials and the Identity Security Gap

Mandia elaborated on the likely acquisition method for those credentials, pointing to a well-established underground economy.

"They bought valid credentials off the dark web."

He outlined what that means practically for security leaders trying to defend their organizations right now. According to Mandia, the attack pattern organizations should anticipate involves systematically testing stolen login details across as many entry points as possible — login pages, APIs, and any externally accessible service. His prescription for defenders was direct:

"If I'm a CISO right now, I'm finding a service that… tries to log into every login page, every API… and make sure I have MFA everywhere. That's how they're gonna break in. It's low and slow."

He added: "I would argue that is like a criminal element." The implication is that organizations treating Iran's cyber threat as categorically different from ransomware or business email compromise may be preparing for the wrong adversary.
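A defender-side check for the "low and slow" pattern Mandia describes, written as an added example (it is not code from the article or from either speaker): it groups authentication events by source address and flags a source that tries many distinct usernames across login pages, APIs and VPN within a long window, which a per-minute lockout rule would not catch, and records whether one of those attempts succeeded. The log format, field names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log lines (assumed format, not from the article):
# "<ISO timestamp> <service> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2026-04-24T01:02:11Z portal FAIL user=alice src=203.0.113.9
2026-04-24T01:19:40Z api FAIL user=bob src=203.0.113.9
2026-04-24T01:41:05Z vpn FAIL user=carol src=203.0.113.9
2026-04-24T02:03:52Z portal FAIL user=dave src=203.0.113.9
2026-04-24T02:27:30Z api OK user=erin src=203.0.113.9
2026-04-24T01:05:00Z portal FAIL user=alice src=198.51.100.4
2026-04-24T01:05:20Z portal FAIL user=alice src=198.51.100.4
2026-04-24T01:05:45Z portal OK user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Return (timestamp, service, result, user, src) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return sorted(events)

def detect_low_and_slow(events, window_hours=6, min_users=4):
    """Flag a source that tries >= min_users *distinct* usernames within the
    window, regardless of how slowly. Three failures on one account from
    198.51.100.4 look like a user's typos and are not flagged."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[4]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            limit = window_hours * 3600
            window = [e for e in evs[i:] if (e[0] - start[0]).total_seconds() <= limit]
            users = {e[3] for e in window}
            if len(users) >= min_users:
                alerts[src] = {
                    "distinct_users": len(users),
                    "services": sorted({e[1] for e in window}),
                    "success_in_window": any(e[2] == "OK" for e in window),
                }
                break
    return alerts
```

A hit with `success_in_window` set is the case the speakers describe: a purchased credential that worked, which is exactly where an MFA gap matters most.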

Timing, Perception, and the Art of the Claim

Beyond the technical methods, both Haugh and Mandia highlighted a psychological dimension to these operations that can make them appear far more precise and potent than the underlying activity warrants. A common tactic is to publicly announce a target the attackers had already compromised earlier, timing the claim so that it creates the impression of near-real-time offensive capability.

In an active conflict environment, Mandia noted, that perception is further inflated by the broader geopolitical context.

"The cyber domain is a bad neighborhood and, to quote 'Spinal Tap,' they just crank the volume up to 11 now because you have a war going on and all the gloves will come off."

That amplification is strategic. Pairing a genuine intrusion — however basic — with a well-timed public claim and an information operation can produce an outsized effect on morale, market confidence, and public perception of a target organization.

Likely Targets: Selective, Not Sweeping

Rather than broad assaults on power grids, water systems, or financial networks, Haugh and Mandia indicated that Iranian actors are more likely to concentrate on specific organizations perceived to have ties to Israel or the United States. Each intrusion would then be paired with a tailored information campaign designed to maximize impact.

Mandia was explicit about what he believes the dominant attack vector will look like going forward:

"I doubt you're gonna see custom web app attacks done. I think it's gonna be logging in. I really do. It's gonna be an identity security issue."

This framing is significant. It means that the most consequential defensive investments are not necessarily in advanced threat detection platforms or sophisticated monitoring infrastructure, but in ensuring that the most basic access controls — multi-factor authentication, credential monitoring, and identity hygiene — are consistently enforced.

A Persistent Baseline Threat

Even if the current geopolitical tensions between the U.S., Israel, and Iran were to de-escalate, neither official expected the underlying threat posture to meaningfully decrease. Mandia offered a characteristically blunt assessment of the attacker's work ethic:

"My opinion is hackers hack, end of story. They show up every day. They do it for eight to 10 hours."

That consistency, rather than any single high-profile operation, is what makes the threat durable. The actors behind these campaigns are not waiting for a political green light to begin their operations — they are already active, already probing, and already buying credentials.

The Defender's Takeaway

For security teams, the message from Nashville was less about preparing for a novel cyber weapon and more about closing the gaps that have always existed. The most consequential vulnerabilities in the current threat landscape are not zero-days — they are unfederated login pages, credential databases circulating on underground forums, and systems where multi-factor authentication has never been deployed.

If Haugh and Mandia are right, the next significant Iran-linked cyber incident will not look like a military-grade digital weapon. It will look like someone logged in with a password they bought for a few dollars, and then told the world they had breached a critical American institution. The technical bar is low. The information operation is the weapon.


Source: The Record
