No missiles or drones: Iran’s invisible army is targeting US critical infrastructure — Explained


The US-Iran war in the Middle East has taken a rather unusual turn: a surge of cyberattacks on companies sitting far from the main battleground. On 11 March, a cyberattack on Portage, Michigan-based medical device maker Stryker shook the company. Days later, a pro-Iranian group calling itself Handala claimed responsibility for the attack, stating that it was in retaliation for the attacks on Iran.

The cyberattack affected the company's internal Microsoft software systems, disrupting its order processing, manufacturing and shipping.

Handala also claimed to have hacked an email account of FBI director Kash Patel and leaked private information, including personal videos.

According to an article on The Conversation, carried by news agency PTI, much state-linked cyber activity is not designed to create immediate, visible chaos. It is designed to build leverage.

The recent cyberattacks have made it clear that wars are no longer fought only in the skies, at sea and on the ground. They have taken a digital turn, where you cannot see what's coming.


How state-backed cyber attacks usually work

Most state-linked cyberattacks, including those launched by the US, follow a common sequence, says William Akoto, Assistant Professor of Global Security at American University School of International Service, who authored the article on The Conversation.

The first step is for the attackers to gain initial access. This can be done through methods like phishing, exploiting known vulnerabilities or abusing weak remote access.

Once inside, the attackers try to locate valuable data and sensitive systems. Often using the same administrative tools that legitimate staff use, so that they blend in, they seek higher privileges and move laterally across the network.

This stealthy manoeuvring makes it hard for defenders to tell an intruder apart from a legitimate administrator, especially when the intruder is deliberately making their actions look like ordinary activity.


The next step is establishing persistence, so that the attackers can keep their access for a prolonged period. If the goal is leverage, they want to survive defenders' cleanup efforts after the intrusion is discovered.

Finally, the attackers choose what effect the operation should have. In Stryker's case, critical operations were halted. Sometimes, however, the goal is data theft rather than downtime, as in the attack that leaked FBI Director Kash Patel's private information.
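The sequence above (an unfamiliar remote logon, admin tooling run to blend in and move laterally, then a persistence mechanism) is exactly what a defender can look for when the individual events each look like routine administration. The following is an added example, not code from the article or from Akoto: a small detector that baselines which source hosts each account normally logs on from, then ties follow-on admin-tool use and persistence events to any logon from a source that account has never used. The log lines, host names, account names and the list of "admin tool" patterns are all constructed for the example.

```python
"""Added example: detect the logon -> admin tooling -> persistence sequence in
constructed log lines. Nothing here is from the article; the tool patterns are
an assumption to tune per environment."""
import re
from datetime import datetime, timedelta

# Administrative / living-off-the-land tooling an intruder can use to look like
# an admin (assumed typical Windows examples; tune to your own environment).
ADMIN_TOOL_RE = re.compile(
    r"(psexec|\bwmic\b|\bnet\s+(use|user|group)\b|powershell[^\n]*-enc|\bschtasks\b|\bsc\s+create\b)",
    re.IGNORECASE,
)
PERSISTENCE_KINDS = {"service_install", "scheduled_task", "run_key"}
WINDOW = timedelta(hours=2)  # how long after the logon follow-on activity is tied to it

# Constructed "known good" history: logons from the hosts these accounts normally use.
BASELINE_LINES = [
    "2026-03-02T09:00:11 FILESRV01 ops.admin logon src=10.0.9.10",
    "2026-03-03T09:02:47 FILESRV01 ops.admin logon src=10.0.9.10",
    "2026-03-03T10:15:00 BUILD01 dev.lee logon src=10.0.12.5",
]

# Constructed events for the day under investigation.
EVENT_LINES = [
    "2026-03-11T02:14:05 FILESRV01 ops.admin logon src=10.0.9.44",
    '2026-03-11T02:16:40 FILESRV01 ops.admin process wmic process call create "cmd /c whoami"',
    r"2026-03-11T02:20:12 FILESRV01 ops.admin process net use \\ERPSRV02\c$ /user:ops.admin",
    r"2026-03-11T02:31:02 FILESRV01 ops.admin service_install Name=WinUpdateSvc Path=C:\Users\Public\svc.exe",
    "2026-03-11T09:02:00 BUILD01 dev.lee logon src=10.0.12.5",
    "2026-03-11T09:05:30 BUILD01 dev.lee process powershell -enc SQBFAFgA",
    "2026-03-12T03:00:00 FILESRV01 ops.admin scheduled_task Name=Cleanup",
]


def parse(line):
    """Parse 'TS HOST USER KIND DETAIL...' into a dict; DETAIL may contain spaces."""
    parts = line.split(maxsplit=4)
    ts, host, user, kind = parts[:4]
    detail = parts[4] if len(parts) > 4 else ""
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "kind": kind, "detail": detail}


def known_sources(baseline_lines):
    """Set of (user, source) pairs seen in the historical logons."""
    pairs = set()
    for e in map(parse, baseline_lines):
        if e["kind"] == "logon":
            pairs.add((e["user"], e["detail"].partition("=")[2]))
    return pairs


def detect(baseline_lines, event_lines):
    """Return sessions that began with a logon from an unfamiliar source and then
    showed admin tooling and/or a persistence mechanism within WINDOW."""
    known = known_sources(baseline_lines)
    events = sorted(map(parse, event_lines), key=lambda e: e["ts"])
    sessions = {}  # (host, user) -> most recent suspicious session on that host
    for e in events:
        key = (e["host"], e["user"])
        if e["kind"] == "logon":
            src = e["detail"].partition("=")[2]
            if (e["user"], src) not in known:
                sessions[key] = {"host": e["host"], "user": e["user"], "src": src,
                                 "start": e["ts"], "admin_tools": [], "persistence": []}
            continue
        s = sessions.get(key)
        if s is None or e["ts"] - s["start"] > WINDOW:
            continue  # no unfamiliar logon to attribute this activity to (or too old)
        if e["kind"] == "process" and ADMIN_TOOL_RE.search(e["detail"]):
            s["admin_tools"].append(e["detail"])
        elif e["kind"] in PERSISTENCE_KINDS:
            s["persistence"].append(e["detail"])

    findings = []
    for s in sessions.values():
        if s["admin_tools"] or s["persistence"]:
            # Tooling plus persistence in one session is the full sequence; rank it higher.
            s["severity"] = "high" if s["admin_tools"] and s["persistence"] else "medium"
            findings.append(s)
    return findings


if __name__ == "__main__":
    for f in detect(BASELINE_LINES, EVENT_LINES):
        print(f["severity"].upper(), f["user"], "on", f["host"], "from", f["src"],
              "| admin tools:", len(f["admin_tools"]), "| persistence:", len(f["persistence"]))
```

Run stand-alone, it flags the ops.admin session on FILESRV01 as high severity and nothing else: dev.lee's encoded PowerShell is ignored because that logon came from the account's usual host, and the next day's scheduled task is too far from the unfamiliar logon to be tied to it. The point is that none of the individual events is alarming on its own; the baseline and the sequence are what separate the intruder from the administrator.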

What is the solution?

On the US side, the country is growing its defence ecosystem, but the picture is more complicated than it looks.

The Cybersecurity and Infrastructure Security Agency encourages organisations to heighten their cybersecurity vigilance during periods of elevated geopolitical risk.

The agency, along with the FBI, the National Security Agency and international partners, also publishes advisories with indicators and recommended mitigations when they see active campaigns.


However, most critical infrastructure is owned by private companies, so federal defence depends on partnerships for tasks like coordinated public-private planning and information sharing around major cyber risks.

The US Congress has also moved to require the private sector to report security incidents more quickly so that information can be shared. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 sets reporting timelines for covered entities: cyber incidents within 72 hours, and ransomware payments within 24 hours of the payment being made.

Key Takeaways
  • Cyberattacks represent a new form of warfare, targeting critical infrastructure without traditional military tactics.

  • The importance of public-private partnerships in cybersecurity is paramount for protecting sensitive data and operations.

  • Organizations must enhance their cybersecurity measures, particularly during periods of heightened geopolitical tensions.
