Three weeks after the outbreak of the US-Israel-Iran conflict, the cyber dimension continues to evolve. New reporting has clarified the mechanics of the Stryker breach, revealed additional targets, and confirmed what security professionals have long known: state-sponsored actors adapt their tooling, but they rarely abandon their underlying playbook.
For CISOs, the developments of late March and early April are not a signal to panic. They are a reminder to look closely at mechanisms that may have drifted down the priority list.
What Has Changed
The Stryker Attack: No Malware Required
When Handala - the Iranian-linked group widely assessed as a persona for Void Manticore - claimed the Stryker breach in mid-March, the initial analysis focused on wiper malware. The scale was striking: over 200,000 devices disrupted across 79 countries.
Subsequent reporting from Palo Alto Networks' Unit 42 and others has established a more precise technical picture. The attackers did not deploy compiled wiper malware. Instead, they compromised Global Admin credentials in Stryker's Microsoft environment and used Intune and Entra ID to remotely wipe enrolled devices at scale. There was no malware signature to match and no attacker-supplied code running on the endpoint: the wipe was carried out by each device's own management client in response to a legitimate command. The only thing malicious was who issued it.
This is a tactical evolution, not a revolution. Iranian actors have always followed the path of least resistance. If that path now runs through cloud identity platforms rather than endpoint payloads, the defensive imperative shifts accordingly.
PSK Wind and Defence Supply Chains
On 2 April, Handala claimed a breach of PSK Wind Technologies, an Israeli engineering firm that develops command and control systems for air defence infrastructure. The group alleges it exfiltrated sensitive technical documents and passed them to "Axis of Resistance" missile units.
Whether the operational claim is fully accurate matters less than the targeting pattern. Iranian groups are probing the defence industrial base and its adjacent suppliers with increasing aggression. Organisations that sell into, buy from, or partner with defence contractors should assume their risk profile has risen.
Gulf Infrastructure Under Pressure
Beyond network intrusions, the conflict has reached cloud and regional infrastructure directly. Iranian drone strikes reportedly damaged AWS data centres in the UAE and Bahrain in early March, with further disruption to the Bahrain facility in late March and early April. Airport systems in Kuwait, Bahrain, Saudi Arabia and the UAE have faced disruptive attacks from pro-Iran groups including DieNet and the Islamic Cyber Resistance (313 Team).
For organisations with operations or cloud footprints in the Gulf, these incidents underscore a point that applies to physical security as much as cyber: proximity to conflict zones elevates risk.
What Has Not Changed
The fundamentals of effective security remain the same.
Identity is the perimeter. It always has been. The Stryker breach did not exploit a zero-day vulnerability or a novel protocol flaw. It exploited privileged credentials and the absence of sufficient behavioural controls around administrative tools.
Supply chain risk is your risk. Stryker's 2019 acquisition of Israeli medical technology firm OrthoSpace appears to have contributed to its targeting calculus. PSK Wind sits in the defence supply chain. When threat actors map their target sets, they rarely stop at the prime contractor.
Detection must cover behaviour, not just binaries. A wiper malware binary is comparatively easy to detect: it is a file with a hash, a signature and a recognisable execution profile. A legitimate Intune wipe command issued from a compromised Global Admin account is not, because it is indistinguishable on the endpoint from a wipe issued by the service desk. This has always been true for living-off-the-land techniques. The current conflict simply provides a high-profile reminder.
What CISOs Should Revisit Now
Privileged Identity Governance
The Stryker incident demonstrates that a single compromised Global Admin or Intune Administrator credential can produce organisation-wide destruction; either role is sufficient to issue remote actions against every enrolled device, and a Global Admin can grant itself the Intune role at will. Review your privileged access management with specific attention to:
This is not a new requirement. It is a well-established control that the Stryker breach brings back into sharp focus.
EDR Limitations and Identity Detection
If your detection strategy relies primarily on endpoint telemetry and malware signatures, you have a gap. Native administrative tool abuse generates no malware execution alerts. Conventional EDR cannot tell an Intune wipe issued by an attacker from one issued by IT; both are the same signed management operation, and by the time the endpoint acts on it the damage is done. The signal lives in the management plane: Intune audit events, Entra ID sign-in and audit logs, and privileged role activations.
Consider this a prompt to evaluate:
These investments protect against far more than Iranian actors. They close the same gaps that ransomware groups and business email compromise operators exploit every day.
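As an added example (not code from the article, from Stryker or from Microsoft), here is a small Python detector that runs over Intune audit events and raises an alert when one actor issues many remote wipes inside a short window, the management-plane behaviour that an endpoint-centric EDR does not see. The record shape follows the Microsoft Graph `deviceManagement/auditEvents` resource (`activityDateTime`, `activityType`, `actor.userPrincipalName`, `actor.ipAddress`, `resources`); the records themselves are constructed, and the five-wipes-in-ten-minutes threshold, the account names, device names and IP addresses are all assumptions.

```python
"""Mass remote-wipe detector over Intune audit events (added example).

Field names mirror the Microsoft Graph deviceManagement/auditEvents resource.
Every record in SAMPLE_EVENTS is constructed sample data, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _ev(ts, activity, upn, ip, resource, result="Success"):
    """Build one audit-event record in the Graph auditEvents shape (assumed)."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "activityOperationType": "Action" if "wipe" in activity.lower() else "Patch",
        "activityResult": result,
        "actor": {"userPrincipalName": upn, "ipAddress": ip},
        "resources": [{"displayName": resource}],
    }


# Constructed sample: an admin account issues six wipes in under three minutes
# from a single address, then a harmless policy change; a service-desk account
# issues a single wipe hours later. Names and addresses are invented.
SAMPLE_EVENTS = [
    _ev("2026-03-14T02:10:05Z", "Wipe ManagedDevice", "gadmin@example.com", "203.0.113.10", "LAPTOP-0001"),
    _ev("2026-03-14T02:10:31Z", "Wipe ManagedDevice", "gadmin@example.com", "203.0.113.10", "LAPTOP-0002"),
    _ev("2026-03-14T02:11:02Z", "Wipe ManagedDevice", "gadmin@example.com", "203.0.113.10", "LAPTOP-0003"),
    _ev("2026-03-14T02:11:40Z", "Wipe ManagedDevice", "gadmin@example.com", "203.0.113.10", "LAPTOP-0004"),
    _ev("2026-03-14T02:12:15Z", "Wipe ManagedDevice", "gadmin@example.com", "203.0.113.10", "LAPTOP-0005"),
    _ev("2026-03-14T02:12:50Z", "Wipe ManagedDevice", "gadmin@example.com", "203.0.113.10", "LAPTOP-0006"),
    _ev("2026-03-14T02:13:00Z", "Patch DeviceConfiguration", "gadmin@example.com", "203.0.113.10", "Baseline policy"),
    _ev("2026-03-14T09:30:00Z", "Wipe ManagedDevice", "helpdesk@example.com", "198.51.100.7", "LAPTOP-0042"),
]


def event_time(ev):
    """Parse the Graph timestamp (UTC, second precision) into an aware datetime."""
    return datetime.strptime(ev["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_wipe(ev):
    """Remote wipe actions carry 'Wipe' in the activity type; match case-insensitively."""
    return "wipe" in ev.get("activityType", "").lower()


def actor_of(ev):
    return ev.get("actor", {}).get("userPrincipalName", "<unknown>")


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor whose densest burst of wipes reaches threshold
    within the sliding window. Failed attempts count too: an attacker probing
    permissions is as interesting as one succeeding."""
    per_actor = defaultdict(list)
    for ev in events:
        if is_wipe(ev):
            per_actor[actor_of(ev)].append(ev)

    alerts = []
    for actor, evs in per_actor.items():
        evs.sort(key=event_time)
        recent = deque()   # events inside the current window
        burst = []         # largest window seen so far for this actor
        for ev in evs:
            recent.append(ev)
            while event_time(ev) - event_time(recent[0]) > window:
                recent.popleft()
            if len(recent) >= threshold and len(recent) > len(burst):
                burst = list(recent)
        if burst:
            alerts.append({
                "actor": actor,
                "count": len(burst),
                "window_start": event_time(burst[0]).isoformat(),
                "window_end": event_time(burst[-1]).isoformat(),
                "devices": sorted(r["displayName"] for e in burst for r in e["resources"]),
                "source_ips": sorted({e["actor"].get("ipAddress", "?") for e in burst}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"ALERT mass wipe by {alert['actor']}: {alert['count']} devices "
              f"between {alert['window_start']} and {alert['window_end']} "
              f"from {', '.join(alert['source_ips'])}")
```

In production the records would come from `GET /deviceManagement/auditEvents` in Microsoft Graph, or from the `IntuneAuditLogs` table once Intune diagnostic settings are forwarded to Log Analytics; the same sliding-window logic applies to retire and delete actions. The actor and source address in each alert are the pivot into Entra ID sign-in logs: a wipe burst from an address the account has never used, or from a session with no recent privileged-role activation, is the behavioural signal the paragraph above is asking for.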
Supply Chain Diligence
Review your third-party risk programme with two questions in mind:
If the answer to either question is uncertain, tighten your contractual security requirements, accelerate your supplier security reviews, and monitor for indicators of compromise shared by threat intelligence feeds.
Geographic Risk Assessment
Organisations with infrastructure, personnel, or data centres in the Gulf should treat the current environment as elevated risk. This does not necessarily mean evacuating cloud regions or halting operations. It does mean confirming that your incident response plans, backup strategies, and communication protocols account for regional disruption.
The Bigger Picture
It is tempting to treat every tactical shift by Handala or Void Manticore as a new threat paradigm. It is not. State-sponsored actors have used compromised credentials and native administrative tools for decades. The Stryker breach is a large-scale, well-publicised example of a familiar pattern.
What changes is the urgency of attending to these controls. Conflict creates noise, resource pressure, and distraction. CISOs should use this moment to remind their boards and executive teams that the most consequential security investments are often the least glamorous: identity governance, logging, segmentation, and backup verification.
Iranian cyber actors will continue adapting their tools. Your job is to ensure that your fundamentals are solid enough that the specific mechanism does not matter.
