No exploit. No payload. No zero-day. Just a compromised Microsoft Intune admin account and the device management console Stryker already had running.

That’s how Handala, an Iran state-linked group, erased more than 200,000 devices across 79 countries last month. Stryker makes surgical systems, defibrillators, hospital beds, and EMS communication platforms. Operations went dark.

Unit 42’s threat brief, updated March 26, documents what Stryker represents in context: not a campaign, but a posture. Iran is running six concurrent operation types right now. Phishing. Hacktivism. Cybercrime. Wiper malware. DDoS. AI-assisted attacks. All at once, during active military conflict.

That last category is confirmed, not hypothetical. Iranian actors are incorporating AI into their workflows. The specific tooling hasn’t been named publicly. The capability is deployed.

The FAD Team separately claims SCADA and PLC access in Israeli industrial targets. AWS infrastructure in UAE and Bahrain is flagged as a potential retaliation vector. The surface area is wide.

One distinction worth making clearly: Tarnished Scorpius, the INC Ransomware group that recently listed an Israeli company with a swastika on its leak site, is not a state actor. It’s a criminal RaaS group with ideological motivation. Conflating them with state-sponsored wipers distorts the picture. Both are real threats. They aren’t the same thing.

And it’s bilateral. Ukrainian-aligned Bearlyfy has been hitting 70-plus Russian firms with custom ransomware since January 2025. Kinetic conflict and cyber operations are running in parallel, on multiple fronts, simultaneously.

The sophistication in the Stryker attack wasn’t the technique. It was target selection. Admin access plus a legitimate management tool, aimed at a company whose products live in operating rooms and ambulances.

The tools were mundane. The targets weren’t.
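The defensive corollary of an abuse like this: a compromised admin in the management console looks like an operator doing bulk work, so the signal is the volume of destructive actions per identity in a short window, not any single command. Below is an added example (mine, not from the post or Unit 42) that runs that check over constructed audit events; the field layout and action labels are assumptions for illustration, not Microsoft's actual Intune audit schema.

```python
"""Flag an admin identity issuing a burst of remote wipe/retire actions.
Added example over constructed sample events; field names and action labels
are assumptions, not the real Intune audit-log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Actions that destroy or detach a device; labels are assumed, not Microsoft's.
DESTRUCTIVE_ACTIONS = {"Wipe ManagedDevice", "Retire ManagedDevice"}


def build_sample_events():
    """Constructed audit events as (timestamp, actor, action, device) tuples."""
    base = datetime(2026, 3, 20, 2, 0, 0)  # constructed date
    events = []
    # 30 wipes in under five minutes from one account: the pattern to flag.
    for i in range(30):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        events.append((ts, "admin.ops@corp.example", "Wipe ManagedDevice", f"dev-{i:04d}"))
    # Routine offboarding: three retires spread across a workday, not a burst.
    for i in range(3):
        ts = (base + timedelta(hours=8 + 3 * i)).strftime(TS_FMT)
        events.append((ts, "helpdesk@corp.example", "Retire ManagedDevice", f"dev-9{i:03d}"))
    # Non-destructive noise from the same admin; must be ignored.
    ts = (base + timedelta(minutes=1)).strftime(TS_FMT)
    events.append((ts, "admin.ops@corp.example", "Sync ManagedDevice", "dev-0500"))
    return events


def find_bursts(events, threshold=10, window=timedelta(minutes=10)):
    """Return {actor: peak_count} for every actor whose destructive actions
    reach `threshold` inside any sliding window of length `window`."""
    by_actor = defaultdict(list)
    for ts, actor, action, _device in events:
        if action in DESTRUCTIVE_ACTIONS:
            by_actor[actor].append(datetime.strptime(ts, TS_FMT))
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    for actor, count in find_bursts(build_sample_events()).items():
        print(f"ALERT: {actor} issued {count} destructive actions within 10 minutes")
```

Tune `threshold` and `window` to the tenant's normal offboarding rate, and treat a hit as a trigger to suspend the identity's session, not just to page someone.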
Unit 42’s full breakdown of Iran’s simultaneous six-front cyber posture