Three weeks ago, we posted about the Stryker attack — an Iran-linked group called Handala weaponized the company’s own Microsoft Intune platform and wiped over 200,000 devices across 79 offices worldwide. That was just the opening move.
How Fast This Has Escalated
- Late February. Pay2Key, an Iranian-linked ransomware group, hit a U.S. healthcare organization, encrypting its entire environment in under three hours. Disruption, not exfiltration, appeared to be the objective.
- March 11. Handala struck Stryker, wiping 200,000+ devices and claiming 50TB of exfiltrated data. Manufacturing and shipping shut down across 79 countries.
- March 21. The DOJ formally attributed the attack to Iran’s Ministry of Intelligence and Security (MOIS). The FBI seized four Handala domains. Hours later, Handala launched replacement infrastructure and mocked the seizure on Telegram.
- March 24. Stryker filed an 8-K with the SEC confirming containment. Palo Alto Networks Unit 42 identified malicious files that allowed attackers to execute commands while hiding inside the Stryker environment.
- March 27. Handala breached FBI Director Kash Patel’s personal email and published over 300 emails and photos — explicitly calling it retaliation for the domain seizures.
Iranian state-backed operators are demonstrating that takedowns and indictments don’t deter them. And their targeting has shifted from disruption of a single company to direct provocation of U.S. law-enforcement leadership.
Three Questions Every CISO Should Be Asking Right Now
- Do we have visibility into how our own device-management and identity platforms could be weaponized against us?
- Can we detect an adversary living inside legitimate admin tools before they pull the trigger?
- Have we tested our response plan against a wiper scenario and not just ransomware?
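One way to make the second question concrete: a compromised or abused admin identity pushing wipes through a device-management console looks, in the audit trail, like one actor issuing many destructive device actions in a short burst. The following Python is an added example written for this post, not Sphinx tooling or Microsoft's API; the audit-record field names, the action names, and the sample log are constructed and must be mapped to your tenant's real Intune audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Actions that irrecoverably affect an endpoint (names assumed for this example).
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "deleteDevice"}

# Constructed sample audit log (JSON lines), not real Intune output.
SAMPLE_LOG = """\
{"time": "2026-03-11T02:00:05Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "LAP-0001"}
{"time": "2026-03-11T02:00:09Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "LAP-0002"}
{"time": "2026-03-11T02:00:14Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "LAP-0003"}
{"time": "2026-03-11T02:00:31Z", "actor": "svc-intune@example.test", "action": "retire", "device": "LAP-0005"}
{"time": "2026-03-11T02:00:42Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "LAP-0006"}
{"time": "2026-03-11T02:01:00Z", "actor": "svc-intune@example.test", "action": "syncDevice", "device": "LAP-0007"}
{"time": "2026-03-11T09:15:00Z", "actor": "jdoe@example.test", "action": "wipe", "device": "LAP-0100"}
{"time": "2026-03-11T14:40:00Z", "actor": "jdoe@example.test", "action": "wipe", "device": "LAP-0101"}
"""

def parse_events(log_text):
    """Parse JSON-lines audit records, converting 'time' to a tz-aware datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(rec)
    return events

def detect_bulk_destructive_actions(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: peak_count} for actors who issued >= threshold destructive
    actions inside any sliding window. A normal admin retiring a few devices
    stays under the bar; an identity wiping fleets at machine speed does not."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["action"] in DESTRUCTIVE_ACTIONS:
            per_actor[ev["actor"]].append(ev["time"])
    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1  # extend window end while still within the window
            peak = max(peak, j - i)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts
```

Tune the window and threshold to your own baseline of legitimate retire/wipe volume, and pair the alert with a control that requires a second approver for bulk device actions.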
What Sphinx Is Doing About It
Sphinx built the Evolved Security Playbook to answer these questions.
- RECON identifies how your enterprise tools create attack surface — including the same Intune, Entra, and EDR platforms that Handala turned against Stryker.
- RedShift adversary emulations replicate the specific TTPs that Handala and Pay2Key are using right now, including admin-tool weaponization and rapid wiper deployment.
- Helix bolsters your defenses to catch the pre-positioning before it becomes destruction — with detect, protect, and respond offerings tuned to current actor tradecraft.
Sources: DOJ Office of Public Affairs · Palo Alto Networks Unit 42 Threat Brief · Beazley Security / Halcyon Research · Stryker SEC 8-K Filing · Krebs on Security
Contact Sphinx: contact@sphinxsecure.com
Test your defenses against the actors operating right now.
Engage Sphinx for a RECON assessment, RedShift emulation, or Helix managed defense.