How Iranian operatives pose a threat to key US facilities

Michigan may be more than 6,000 miles away from the war in Iran, but the distance is, in fact, less than it seems.

An Iran-linked group calling itself Handala claimed responsibility for a cyberattack on Portage, Michigan-based medical device maker Stryker Corp., carried out on March 11, 2026. Handala said the attack was in retaliation for events related to the Iran war.

The cyberattack affected Microsoft’s internal Stryker system, disrupting corporate governance, production and logistics.

As a cyber-conflict researcher, I have found that in times of national tension such as the current US/Israel-Iran war, cyber operations often sit alongside missiles and airstrikes as a tool that government-affiliated groups use to inflict damage on their adversaries, expose weakness and show resolve.

The Stryker case is notable because it shows how a regional conflict can reach organizations far from the battlefield. It also shows the vulnerability of US institutions, including those involved in critical infrastructure.

Modern infrastructure does not only include large, obvious targets such as power plants or water utilities. It also relies on suppliers and service providers that sit one or two links up the chain – such as managed information technology providers, cloud and data center operators and specialty component makers – who keep everything from hospitals to transport systems running.

This is one of the reasons US officials frame infrastructure security as a shared problem, not a government-only issue. The Cybersecurity and Infrastructure Security Agency’s Shields Up guide is written precisely for this reality: a world where geopolitical shocks can threaten organizations that never thought they were part of the battlefield.

Cyber operations are often about options

When people think of cyber warfare, most picture dramatic results. The lights go out. The water becomes poisonous. The trains stop. Those scenarios are real risks. But they are not the only goal, and often not the main one. The real strategic value is access.

Cyber access is like a set of keys. If you can get into a network quietly, sit there and learn how it works, you set up options for later. You can steal information, map the environment and put yourself in a position to cause disruption. You can keep a strike option in your pocket, so that when the stakes rise, you can cause or threaten to cause harm.

That is why US agencies took the hacking activity of the China-linked Volt Typhoon group so seriously. In a joint advisory, US officials described a campaign that compromised the information technology environments of organizations across many critical infrastructure sectors and used so-called living-off-the-land methods – legitimate built-in tools – that could be turned to interfere with normal operations.

This is an important point. Most government-linked cyber activity is not designed to cause immediate, visible disruption. It is designed to build leverage.

Since the start of the war, Iranian operators have been active across the Persian Gulf region – and further afield.

How government-sponsored cyber attacks often work

Most government-sponsored cyber operations, including those conducted by the United States, follow a similar pattern.

First, attackers gain initial access through methods such as phishing, exploiting known vulnerabilities or abusing exposed remote access. Once inside, attackers try to learn where important data and sensitive systems are located. They escalate privileges and move laterally, often using legitimate administrative tools so that their activity blends in.

That blending in is one of the reasons campaigns like Volt Typhoon have raised alarms. Defenders may have difficulty distinguishing an attacker from a normal operator in a busy environment, especially when the attacker is deliberately trying to make their actions look like routine work.

Attackers then establish persistence, which means they can maintain their access. If the target is valuable, the attackers want to survive the cleanup attempts that follow once the victim discovers the intrusion. That could mean planting multiple footholds, changing authentication settings or obtaining access through a third party.
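The pattern just described – an intruder escalating privileges and moving laterally with legitimate administrative tools so that the activity looks like routine work – is exactly what a defender's detection logic has to pick apart. As an added illustration written for this page (not code from the article, from CISA or from any vendor), the Python below scores a handful of constructed Windows-style remote-logon events against a constructed per-account baseline of the hosts each account normally reaches. An account that fans out to several previously unseen hosts inside a short window, using administrative tooling, is flagged for review; the service account doing its usual backup job is not. The event fields, the baseline, the tool list and the thresholds are all assumptions made for the example.

```python
"""Detection sketch: lateral movement that blends in with admin work.

Constructed example for illustration. Events mimic remote-logon telemetry
(timestamp, account, source host, destination host, process seen on the
destination); the baseline lists hosts each account has reached before.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("2026-03-10T09:02:00", "svc_backup", "bkp01", "fs01", "robocopy.exe"),
    ("2026-03-10T09:05:00", "svc_backup", "bkp01", "fs02", "robocopy.exe"),
    ("2026-03-10T22:10:00", "jdoe", "ws117", "fs01", "wmic.exe"),
    ("2026-03-10T22:11:30", "jdoe", "ws117", "hr-db01", "wmic.exe"),
    ("2026-03-10T22:13:00", "jdoe", "ws117", "plc-gw02", "powershell.exe"),
    ("2026-03-10T22:14:10", "jdoe", "ws117", "dc01", "psexec.exe"),
    ("2026-03-11T08:30:00", "jdoe", "ws117", "fs01", "explorer.exe"),
]

# Constructed baseline: hosts each account was seen reaching over a prior period.
BASELINE = {
    "svc_backup": {"fs01", "fs02", "fs03"},
    "jdoe": {"fs01"},
}

# Assumed list of built-in administrative tools that intruders commonly reuse.
ADMIN_TOOLS = {"wmic.exe", "psexec.exe", "powershell.exe", "sc.exe", "net.exe"}


def parse(events):
    """Turn ISO timestamps into datetime objects; leave other fields as-is."""
    return [(datetime.fromisoformat(ts), acct, src, dst, proc)
            for ts, acct, src, dst, proc in events]


def detect_fanout(events, baseline, window=timedelta(minutes=10), threshold=3):
    """Flag accounts that reach >= threshold never-before-seen hosts with admin
    tooling inside one sliding time window. Returns a list of alert dicts."""
    by_account = defaultdict(list)
    for ts, acct, src, dst, proc in parse(events):
        known_hosts = baseline.get(acct, set())
        if proc.lower() in ADMIN_TOOLS and dst not in known_hosts:
            by_account[acct].append((ts, src, dst, proc))

    alerts = []
    for acct, rows in by_account.items():
        rows.sort()  # chronological
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            new_hosts = {r[2] for r in rows[start:end + 1]}
            if len(new_hosts) >= threshold:
                alerts.append({
                    "account": acct,
                    "source": rows[end][1],
                    "hosts": sorted(new_hosts),
                    "tools": sorted({r[3] for r in rows[start:end + 1]}),
                    "first": rows[start][0].isoformat(),
                    "last": rows[end][0].isoformat(),
                })
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

The design choice worth noting is that the rule keys on deviation from each account's own history rather than on the tools alone: wmic, PowerShell and PsExec are legitimate in almost every environment, so alerting on their mere presence drowns analysts in noise, while "this account has never touched these three hosts and reached all of them in four minutes" is the signal the paragraph above is describing.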

Ultimately, they choose the effect they want to have. Consider the “Shamoon” attack in 2012 in Saudi Arabia. After gaining access, the attackers used malware to wipe data from thousands of computers at the oil company Saudi Aramco, disrupting business operations.

But not every intrusion ends in destruction. Sometimes it ends in data theft, where the reward is information rather than downtime. An example is the 2015 breach of the US Office of Personnel Management, where attackers stole sensitive employee information. Sometimes the point is disruption designed to send a message, like the cyberattack on Sony Pictures in 2014, when hackers wanted to prevent the company from releasing the comedy film “The Interview.”

What security does the US have?

The US has a growing cyber defense system, but it is not an impenetrable shield. The Cybersecurity and Infrastructure Security Agency encourages organizations to raise their cybersecurity alertness during times of heightened geopolitical risk. The agency, along with the FBI, the National Security Agency and international partners, also issues advisories and mitigation guidance when they see active campaigns.

Because the most valuable assets are privately owned, federal defense also depends on cooperation. For example, the Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative is designed to support coordinated public and private information sharing and planning on major cyber threats.

Congress has also pushed the private sector to report incidents more quickly. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 sets reporting deadlines that include reporting cyber incidents within 72 hours and ransom payments within 24 hours of payment. The Cybersecurity and Infrastructure Security Agency is implementing these requirements through ongoing rulemaking.

These are meaningful steps, but they do not erase the main obstacles: unequal resources, unequal incentives and the fact that many victims remain outside the direct control of the government.

Lessons from the Stryker hack

The Stryker incident is a reminder that cyber operations have become a standing tool that government-linked actors can use to exert leverage during international crises. They can lead to theft, disruption or signaling. Sometimes they hit government networks, and sometimes they hit private companies that sit in supply chains.

Either way, the effects can be felt far beyond the conflict itself.

In cyber conflict, the quiet part – gaining access, building persistence and readying the option to act – often comes first. Visible disruption gets the headlines, but it is the hidden dimension that sets the stage for offensive cyber activity.

Wars today are not only fought with the missiles and planes you can see in the sky. They are also fought with what you don’t see moving through computer networks.
