Iran’s cyber threat may be less ‘shock and awe’ than ‘low and slow,’ officials say
NASHVILLE — After the Cybersecurity and Infrastructure Security Agency issued an advisory that said Iranian-linked cyber actors were looking to “cause disruptive effects within the United States,” the U.S. has been bracing for a major cyberattack against its critical infrastructure.
But officials and cybersecurity experts told reporters on Friday that the more likely threat is not a digital shock-and-awe campaign, but something quieter: opportunistic intrusions, dressed up to look bigger than they are.
Speaking at the Asness Summit on Modern Conflict and Emerging Threats in Nashville, former NSA director Tim Haugh and Kevin Mandia, a longtime cyber first responder and founder of a new AI cybersecurity venture, said Iran’s cyber operations have tended to rely less on novel capabilities than on exploiting basic security gaps — and then amplifying the results.
“I'd probably draw an analogy right now, that Iran and Iran's cyber capability is closer to a criminal actor,” Haugh said. “They're going to do targeted opportunity [attacks] and then try to tie that to an information operation to make it big.”
That approach — gain access first, shape the narrative later — has defined much of what officials have seen so far.
Consider a recent incident involving the medical device company Stryker, which is the most high-profile retaliatory cyberattack spotted by researchers so far. Hackers reportedly disabled thousands of devices. Haugh and Mandia said that while the operation made lots of headlines, it didn’t hinge on sophisticated malware or a previously unknown vulnerability. Instead, it started with a person.
“They social-engineered someone and used legitimate credentials to basically cause an effect,” Haugh said. They used a “legitimate capability associated with that access to just basically delete things that they had permission to delete.”
The episode was widely described as a destructive cyberattack, but in practice, they said, it reflected a more familiar problem: attackers using valid credentials to do damage from the inside.
Mandia said that pattern — rather than highly tailored exploits — is what organizations should expect. “They bought valid credentials off the dark web,” he said. “So if I'm a CISO right now, I'm finding a service that… tries to log into every login page, every API… [and] make sure I have MFA everywhere. That's how they're gonna break in. It's low and slow,” he added. “I would argue that is like a criminal element.”
Both he and Haugh said there is also a timing element that can make these operations appear more sophisticated than they are. Attackers often publicly claim a target they have already successfully broken into, to give the impression of speed and precision.
And in a conflict setting, that perception can be amplified. “The cyber domain is a bad neighborhood and, to quote ‘Spinal Tap,’ they just crank the volume up to 11 now because you have a war going on and all the gloves will come off,” Mandia said.
The likely targets reflect that pragmatism. Rather than attempting large-scale, disruptive attacks on critical infrastructure, Iran is more likely to focus on specific organizations with ties to Israel or the U.S. — and then pair any intrusion with an information campaign.
“I doubt you're gonna see custom web app attacks done,” Mandia said. “I think it's gonna be logging in. I really do. It's gonna be an identity security issue.”
Even if tensions ease, that baseline is unlikely to shift. “My opinion is hackers hack, end of story,” Mandia said. “They show up every day. They do it for eight to 10 hours.”
For defenders, the implication is straightforward: the next phase of cyber conflict may not hinge on new tools or tactics, but on whether organizations have closed the most basic gaps — the ones attackers have been exploiting all along.
Dina Temple-Raston is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”



