Experts Warn of Opportunistic Iranian Cyber Intrusions Exploiting Basic Security Gaps
While the U.S. braces for major cyberattacks, experts suggest the more likely threat from Iranian-linked actors is 'low and slow' opportunistic intrusions, amplified by information operations. These attacks exploit basic security vulnerabilities rather than relying on sophisticated malware, often using stolen credentials.
After the **Cybersecurity and Infrastructure Security Agency (CISA)** issued an advisory about Iranian-linked cyber actors seeking to cause disruption within the U.S., concerns have risen regarding attacks on critical infrastructure.
However, officials and cybersecurity experts suggest a different, more subtle threat: opportunistic intrusions designed to appear larger than they are.
## The Nature of the Threat
Speaking at the Asness Summit on Modern Conflict and Emerging Threats in Nashville, former **NSA** director **Tim Haugh** and **Kevin Mandia**, founder of a new AI cybersecurity venture, highlighted that Iranian cyber operations often exploit basic security gaps and amplify the results, rather than using novel capabilities.
"I'd probably draw an analogy right now, that Iran and Iran's cyber capability is closer to a criminal actor," Haugh said. "They're going to do targeted opportunity [attacks] and then try to tie that to an information operation to make it big."
This approach focuses on gaining access first, then shaping the narrative later, which has been a recurring pattern.
## The Stryker Incident: A Case Study
The recent incident involving medical device company **Stryker** exemplifies this. Hackers reportedly disabled thousands of devices. However, according to Haugh and Mandia, this operation didn't rely on sophisticated malware or unknown vulnerabilities. Instead, it began with social engineering.
"They social-engineered someone and used legitimate credentials to basically cause an effect," Haugh explained. They used a "legitimate capability associated with that access to just basically delete things that they had permission to delete."
While described as a destructive cyberattack, the incident highlighted a more common issue: attackers using valid credentials to cause damage from within.
## Defense Strategies: Focus on Fundamentals
Mandia emphasized that organizations should expect this pattern of attacks rather than highly tailored exploits. "They bought valid credentials off the dark web," he said. "So if I'm a CISO right now, I'm finding a service that… tries to log into every login page, every API… [and] make sure I have MFA everywhere. That's how they're gonna break in. It's low and slow," he added. "I would argue that is like a criminal element."
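The two defensive checks Mandia describes, an inventory of login surfaces that still accept password-only sign-ins and detection of "low and slow" credential testing that stays under per-hour lockout thresholds, can be run over authentication logs. The script below is an added illustration, not code from the article or from any vendor; the log format, field names and sample events are constructed for this example.

```python
"""Flag MFA-less login surfaces and 'low and slow' valid-credential logins.

Constructed sample log; the fields (ts, user, src, surface, outcome, mfa)
are assumptions for this example, not a real product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: one account is probed a few times over a week from
# rotating addresses, then signs in successfully with password only.
SAMPLE_LOG = """\
2024-01-01T02:10:00 alice 198.51.100.7 vpn fail mfa=no
2024-01-02T03:40:00 alice 203.0.113.9 vpn fail mfa=no
2024-01-03T01:15:00 alice 198.51.100.21 api fail mfa=no
2024-01-05T04:05:00 alice 203.0.113.44 portal fail mfa=no
2024-01-07T02:55:00 alice 198.51.100.88 vpn success mfa=no
2024-01-07T09:00:00 bob 192.0.2.5 portal success mfa=yes
2024-01-07T09:05:00 bob 192.0.2.5 portal fail mfa=yes
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, src, surface, outcome, mfa = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src,
                       "surface": surface, "outcome": outcome, "mfa": mfa == "mfa=yes"})
    return events

def mfa_gaps(events):
    """Login surfaces that accepted a password-only success: the 'MFA everywhere' check."""
    return sorted({e["surface"] for e in events
                   if e["outcome"] == "success" and not e["mfa"]})

def low_and_slow(events, min_days=3, min_srcs=3, window=timedelta(days=14)):
    """Accounts whose success followed failures spread over many days and
    source addresses: volume too low for per-hour lockout rules to notice."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for s in (e for e in evs if e["outcome"] == "success"):
            prior = [e for e in evs if e["outcome"] == "fail"
                     and s["ts"] - window <= e["ts"] < s["ts"]]
            days = {e["ts"].date() for e in prior}
            srcs = {e["src"] for e in prior}
            if len(days) >= min_days and len(srcs) >= min_srcs:
                flagged.append((user, s["ts"].isoformat(), len(prior)))
    return flagged
```

Running both checks over the sample flags the `vpn` surface as MFA-less and alice's sign-in as the end of a week-long, four-source probe, while bob's single same-day failure goes unflagged.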
Attackers often publicly claim a target they have already compromised to create the illusion of speed and precision, especially in conflict situations.
Mandia drew a parallel: "The cyber domain is a bad neighborhood and, to quote '[Spinal Tap](https://www.youtube.com/watch?v=4xgx4k83zzc),' they just crank the volume up to 11 now because you have a war going on and all the gloves will come off."
## Likely Targets and Future Outlook
Instead of large-scale attacks on critical infrastructure, Iran is more likely to target specific organizations with ties to Israel or the U.S., combining intrusions with information campaigns.
"I doubt you're gonna see custom web app attacks done," Mandia said. "I think it's gonna be logging in. I really do. It's gonna be an identity security issue."
Even with easing tensions, this baseline is unlikely to change. "My opinion is hackers hack, end of story," Mandia said. "They show up every day. They do it for eight to 10 hours."
For defenders, the key takeaway is clear: the next phase of cyber conflict may depend less on new tools and tactics, and more on closing the basic security gaps that attackers have long exploited.

