The Middle East conflict has moved decisively into the digital realm, where cyberattacks sit alongside kinetic strikes as primary instruments of state power. The wiper malware attack on U.S. medical technology giant Stryker Corporation by the Iranian‑aligned Handala hacktivist collective – which resulted in a global disruption to Stryker’s entire Microsoft environment – is not an anomaly, but a visible flashpoint in a much longer, largely unseen cyber confrontation between Iran and its adversaries.
Such cyber warfare has been covertly unfolding for many years, with intrusions and malware implants quietly accumulating inside the systems of oil majors, airlines, logistics hubs, hospitals and government agencies. Only occasionally does this stealth activity surface as an outage, data leak or destructive attack.
The sites being hit now are not new targets. Critical national infrastructure – from energy grids and ports to telecoms and healthcare – has been on the radar of state‑backed actors for years. Many of these networks have already been infiltrated. As such, the Stryker incident should be read less as a fresh breach and more as the activation of access that has likely existed for some time, chosen for its symbolic value and its importance to Western healthcare systems.
But what has changed is the willingness of attackers to move from quiet presence to active disruption. Cyber operations are being planned as integral parts of broader combat campaigns: a missile strike here, a disinformation push there, and a wiper attack against a symbolic corporate target to signal that no part of the opponent’s economy is truly out of reach.
Old Tools, New Levels of Damage
Despite having years to bolster their defenses, companies and governments are still being caught out by well-established attack methodologies. Wiper malware that irreversibly destroys data, credential‑harvesting keyloggers, spear‑phishing emails, and remote‑access trojans are again knocking large organizations offline and putting patient care, flight operations or fuel logistics at risk.
Blackwired’s Jeremy Samide: A methodical path forward.
The persistent vulnerability reflects a deep structural problem that includes aging software, unheeded patches and increasing dependencies. Vendors ship products with exploitable flaws, while buyers bolt new applications onto fragile foundations. Over time, enterprises end up with a hotchpotch of legacy systems and technical debt that is extremely difficult to unpick.
Maintaining – let alone securing – this landscape, while also integrating cloud, mobile and operational technologies, is a daunting, multi‑year effort. In this environment, even “classic” tools – when smartly applied – can have an outsized impact on cyber resilience.
The result is a dangerous combination of complacent defense and an increasingly coordinated offense.
On the attacking side, state‑sponsored units – nominally independent hacker groups and ideologically-motivated volunteers – have started to function as a loose, adaptive ecosystem. They share tools, infrastructure and sometimes targets, probing critical infrastructure and commercial supply chains for weaknesses. Campaigns that may appear chaotic from the outside are often linked by common infrastructure and playbooks, reflecting an underlying strategic intent.
Deeper Significance
Handala’s cyberattack on Stryker, a Fortune 500 company, has a broader significance in this context. Stryker sits at the crossroads of healthcare, high‑tech manufacturing and, through its global footprint, Western economic and political influence.
Attacking such a company sends a message that Iran and aligned actors can touch not only obvious military or government targets, but also the medical supply chains that civilians rely on daily. It demonstrates reach into a sector that citizens assume to be neutral and protected, amplifying psychological and political impact.
Positioning the attack as a retaliation for actions by the U.S. and Israel underscores another reality: In this geopolitical environment, cyber offensives are increasingly framed as proportionate responses. When one side launches a kinetic strike or covert operation, the other may respond by flipping a switch inside a foreign network to disrupt and create chaos. Every long‑lived implant or dormant backdoor becomes a bargaining chip or weapon, ready to be activated when the political timing is right.
Insurance: The Systemic Fault Line
Nowhere is the current systemic fragility more apparent than in insurance.
Cyber insurers are increasingly reluctant to underwrite the type of conflict‑driven, state‑linked risk that Middle East cyber offensives represent. From their perspective, the threat is too fast‑moving, the probability of catastrophic, correlated failure too high, and attribution too contested.
War and state‑actor exclusions have quietly expanded, leaving many organizations to discover only after an incident that the scenario is not covered by their policy.
This matters because insurance is one of the bedrocks on which modern economies rest. It allows companies to take risk, investors to provide capital and complex supply chains to operate with some confidence that tail events will not prove ruinous.
If insurers step back from underwriting large categories of cyber risk, the shock absorber disappears. Risk that was assumed to be transferred is abruptly dumped back onto corporate balance sheets, lenders and, in extremis, taxpayers. An entire layer of risk‑sharing begins to crumble precisely when states are turning up the heat.
Yet this is not unsolvable. New approaches such as direct threat intelligence and evidence‑based direct threat risk management offer a way to get much closer to a particular organization’s real, current exposure. By continuously identifying which adversaries are active against which targets, how far their campaigns have progressed, and where implants or misconfigurations create genuine paths to impact, threat‑led models can turn a vague, correlated “cyber war risk” into something more granular that insurers are able to underwrite.
Threat visualization and live risk scoring, tied to concrete mitigation steps, make it possible to reward better security with better terms, rather than retreating behind ever‑broader exclusions.
Every Company a Potential Target
There is a temptation to see these events as the work of a few rogue states or unusually aggressive groups. In reality, every country with offensive cyber capability is placing “hooks” inside the networks of potential adversaries. The underbelly that no one sees is not limited to a handful of utilities; it runs through the back offices, plants and cloud tenants of thousands of organizations – often uninsured against the very scenarios that now seem most plausible.
For boards and executives, this demands a mindset shift. Cyber risk is no longer just about protecting customer data or avoiding fines. It is about recognizing that your infrastructure may be part of someone else’s playbook in an international conflict, and that conventional risk transfer may not save you when that playbook is executed.
The path forward is methodical: Reduce legacy dependence, enforce disciplined patching, segment critical systems, insist on security‑by‑design, invest in detection and recovery, and work with insurers on more dynamic, intelligence‑led coverage models.
Cyber is the fifth dimension in modern warfare, and private companies are unwittingly in the line of fire. It is time to move from detect and respond to predict, prevent and defeat. Direct threat intelligence provides the means to scale effective prevention, which is a clear path to resilience in these uncertain times.
Jeremy Samide is CEO and co-founder of Blackwired. He is a serial entrepreneur whose advocacy of a disruptive “predict, prevent and defeat” cybersecurity paradigm led him to create Blackwired’s ThirdWatch platform, which leverages AI and machine learning to thwart threat actors before they reach the attack surface. He has worked on clandestine security and intelligence operations with organizations including GCHQ, Interpol, Canadian Security Intelligence Service, U.S. Intelligence and federal defense bodies, and has lectured on cyber warfare at Harvard University and the Military University of Technology in Warsaw, delivering training to NATO forces.