U.S. intelligence and security agencies are warning that Iranian-backed hackers are shifting their focus toward “low-hanging fruit”—vulnerable targets in critical infrastructure, energy and tourism—to sow domestic instability and apply political pressure on the U.S. government.
The shift in strategy comes as the FBI, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Energy issued a joint advisory alerting the private sector that Iran-sponsored actors are specifically targeting water and power plants. While the agencies did not name individual targets, they noted that these operations are designed to cause “disruptive effects” and have already resulted in financial losses and operational failures.
This campaign of disruption is not limited to industrial systems. In late March, the Handala Hack Team, a pro-Palestinian and Iran-linked group, targeted the personal email of FBI Director Kash Patel. The breach released more than 300 messages from 2010 to 2019, along with travel documents and a professional résumé. The attack also leaked personal photos, including images of Patel holding a baby and another with a cigar.
For those of us who have spent years in the trenches of software engineering, these attacks highlight a frustrating reality: the most damaging breaches often aren’t the result of “movie-style” hacking. Instead, they rely on basic security lapses—an open port or an unpatched legacy system—that allow attackers to walk right through the front door.
The Strategy of Collateral Damage
Experts suggest that these cyber operations are not intended to provide a traditional military advantage, but are instead a form of asymmetric warfare. By targeting the services that citizens rely on daily, Iran aims to create friction and uncertainty within the American population, potentially pressuring the government to alter its involvement in regional conflicts.
Nikita Shah, a senior fellow at the Center for Strategic and International Studies and a former U.K. national security official, noted that the goal is to target organizations that appear sophisticated from the outside but possess technical vulnerabilities. Beyond water and energy, Shah identified the tourism industry—specifically the defacement of airline websites—as a likely next target.
The impact of this strategy was felt acutely on March 11, when the Handala Hack Team attacked Stryker, a medical technology company. The breach brought operations to a standstill for the company’s 56,000 employees across 61 countries. Manufacturing, shipping, and order processing were halted, and the company remained partially non-operational for three weeks. In a filing with the SEC, Stryker reported that the event had a material impact on its first-quarter earnings.
Identifying the Targets
The selection of targets is often systematic. In March, Iran’s Islamic Revolutionary Guard Corps (IRGC) published a list of potential infrastructure and office targets in the Middle East operated by U.S. firms. The list included several major technology giants:
- Microsoft
- Palantir
- IBM
- Nvidia
- Oracle
However, Robert Olsen, managing director of Hilco Global Cyber Advisors, warns that the most “personal” attacks may hit closer to home. He argues that attacking local critical infrastructure, such as a municipal water system, is the most effective way to instill terror and uncertainty because it directly affects the daily lives of ordinary citizens.
The technical barrier to entry for these attacks has dropped significantly. Olsen points out that hacks requiring PhD-level expertise a decade ago can now be executed by less skilled actors due to the simplification of development tools. The integration of AI is now accelerating the scale and speed at which these vulnerabilities can be identified and exploited.
| Target | Type of Attack | Reported Impact |
|---|---|---|
| Kash Patel (FBI Director) | Email Breach | Leak of 300+ messages and personal documents |
| Stryker | Operational Shutdown | 3-week disruption; material impact on Q1 earnings |
| U.S. Critical Infrastructure | Joint Agency Advisory | Operational disruption and financial loss |
| U.S. Tech Firms (Middle East) | IRGC Target Listing | Designation of offices as potential targets |
Information Warfare and Projecting Power
This cyber offensive is part of a broader “information warfare” strategy. According to Shah, Iran is increasingly using fake videos and AI-generated content on social media to project power. This digital posturing serves as a substitute for traditional military capabilities that have been significantly degraded.
The scale of this degradation was highlighted this week by Gen. Dan Caine, chairman of the Joint Chiefs of Staff, who stated that the U.S. military has struck more than 13,000 targets and destroyed approximately 80% of Iran’s air defense systems.
Despite these military losses, the cyber threat remains potent. The “collateral damage” caused by hitting private companies and public utilities is, in many ways, the primary objective. As long as the U.S. and its allies participate in the conflict, experts expect the targeting of civilian and corporate entities to continue, depending largely on Iran’s remaining internet and computing capacity.
The immediate next step for the private sector is to align with the guidelines provided in the joint advisory from CISA and the FBI. Organizations managing critical infrastructure are urged to audit their external-facing ports and legacy equipment to ensure they aren’t leaving “open windows” for opportunistic attackers.
We invite readers to share their thoughts on the resilience of U.S. infrastructure in the comments below.
