In March, an Iran-linked group calling itself Handala claimed a cyberattack on the medical device maker Stryker, disrupting a company most people would never connect to a conflict in the Middle East. Weeks later, CISA and the FBI reported Iranian-affiliated actors disrupting programmable logic controllers across US water, energy, and government systems.
As Leon Trotsky once famously observed, "You may not be interested in war, but war is interested in you." For your company, this means you can no longer opt out of global conflicts just because you aren't in any way involved in them. Today, cyber operations ride alongside physical missiles and airstrikes, making ordinary commercial networks the new collateral damage. And the organizations caught in the blast radius are rarely the ones expecting it.
That is the ground this first issue covers. Drawing on our conversation with former US diplomat Armand Cucciniello III, we lay out how states turn cyber operations into instruments of statecraft, and the concrete steps security leaders should take before the next escalation reaches them.
Welcome to the first issue of InfoSec Leadership by InfoSec Relations. Each issue carries a careful analysis that cybersecurity leaders and policy professionals can actually use. Let's get started.
Geopolitics Adds New Intensity to an Old Cyber Threat
A former US diplomat on how the Iran war pushed cyber retaliation onto ordinary companies. Here is what that changes for your threat model, and how to respond.
For most of the last two decades, a CISO could treat geopolitics as someone else's problem. And why shouldn't they? Sanctions, diplomatic standoffs, and regional conflict belong to governments, and probably to the companies that sold to them. But that separation collapsed with the escalating Iran war, where US and Israeli strikes have pushed the retaliation onto their allies and the private companies tied to them. The same nation-states that once reserved their cyber capability for government and defense targets now route their operations through ordinary commercial companies. That is where the access and the leverage actually sit.
"The threat model directly determines what a CIO or CISO these days should be prioritizing," said Armand Cucciniello III, former US diplomat, emphasizing that understanding a state actor's playbook is not an academic exercise for security leaders but a practical input into how they set defensive priorities.
The insights in today's issue are drawn from our interview, Cyber Operations as Statecraft, using Iran as the working case to contextualize the wider pattern most clearly.
Your Threat Level Tracks Your Proximity to Washington
The first thing Cucciniello wants leaders to internalize, speaking from his years as a US diplomat in the Middle East, is that their exposure is not a function of their security maturity alone. It is a function of who they are perceived to be connected to. A company's risk level, he argues, is "directly correlated with your proximity to US government contracts, Israeli business ties, energy sector operations, financial services, or any industry that could be publicly perceived as being hostile to Tehran's interests." That perception matters more than the org chart, because an adversary assigning targets works from the outside in and reads a company by its associations rather than its self-image.
The practical consequence is that a great many companies underrate their own threat level. A mid-size firm with no defense contracts and no obvious political profile can still sit one supplier relationship away from a target that an adversary cares about. Leaders who assume distance from the Middle East or the federal government buys them safety are reasoning from the wrong map. The safer default, especially after any period of US or allied military action, is to assume an elevated threat level and resource accordingly, rather than waiting for an incident to reveal the connection an adversary already saw.
Unpatched Edge Devices Are the Front Door
Much of what state actors do at the initial access stage is unglamorous and entirely preventable. Cucciniello points to mass scanning of internet-facing infrastructure as a primary entry vector, highlighting the IRGC-linked exploitation of Palo Alto Networks and GlobalProtect VPN appliances as a recurring example. These are not bespoke, targeted operations against a chosen victim. They are wide sweeps for any exposed system running a known, unpatched vulnerability, and the companies that fall into them are usually the ones that treated patch cadence as a routine IT task rather than a security priority.
The same actors lean on password spraying, multifactor authentication push bombing, and brute force, all of which succeed against organizations that have not closed obvious gaps. None of this requires a sophisticated defense to counter. It requires discipline on the basics, applied consistently to the systems that face the public internet. For security leaders, the takeaway is that the highest-leverage work here is often the least exciting, and that a fast, well-governed patching program does more to shrink the attack surface than any single new tool.
Operate as If You Are Already Inside the Breach
The most uncomfortable piece of his advice is also the most important. Companies should not assume they are safe and clean. Organizations "already may be compromised," he warns, and adversarial state actors have been "weaponizing pre-existing access inside US critical infrastructure for a few years now." Pre-positioned access of this kind is not an attack in progress. It is an option an adversary is holding in reserve, waiting for a moment when using it would serve a larger purpose.
That reframes the defensive job from prevention alone to active hunting. Under an assume-compromise posture, a security team conducts proactive threat hunting for indicators of compromise, audits privileged access, and watches for unusual lateral movement rather than waiting for an alert to fire. Cucciniello also points leaders toward their sector's information sharing and analysis centers, the ISACs, as a way to see what peers in the same industry are detecting. The shift in mindset is the point. Treating a quiet network as a clean network is exactly the assumption a patient adversary is counting on.
Paying a Ransom Breaks the Law Before It Restores the Data
Ransomware is where the geopolitical and the operational collide most sharply, and where the risk extends well past the technical. A significant share of recent ransomware against US organizations, Cucciniello notes, traces back to IRGC-linked actors such as Pioneer Kitten and Lemon Sandstorm, groups that broker network access and blend state intelligence work with financially motivated crime. That blending creates a legal exposure most incident response plans never accounted for, because a company that pays such a group may be sending money to a sanctioned entity without knowing it.
His guidance in our conversation is worth building into policy before an incident forces the question. Screen any ransomware group "against the SDN lists the US Treasury Department manages before paying," referring to the Treasury's Specially Designated Nationals list, and report the incident to the FBI and CISA immediately so the government can advise on sanctions risk. A payment that looks like a fast path back to operations can quietly become a violation of US sanctions law, which means the decision to pay belongs with legal and leadership, not solely with a technical team under pressure to restore service.
Sophisticated Social Engineering Targets Your People
If we trace the most advanced capability in this space, it does not point at malware. History instead points at people. Cucciniello describes the Iranian group Charming Kitten as among "the most sophisticated social engineering actors in the world," which tells security leaders where to concentrate their human-layer defenses. The target is rarely the rank and file. It is executives, government-facing staff, policy researchers, and anyone whose work touches the Middle East or sensitive contracts.
The defenses he recommends are practical and trainable. Teach high-exposure staff to verify the identity of unexpected inbound contacts before engaging, move the organization onto enterprise password managers, and brief executives and board members specifically on geopolitically targeted spear phishing rather than generic awareness content. The distinction matters because a board member who understands they are a named target behaves differently from one who has sat through a standard phishing module. The most capable adversaries spend their effort on the human path, and that is where a leader's attention and training budget should follow.
Keep the Operational Side Walled Off
For organizations that run industrial systems alongside their corporate networks, Cucciniello flags operational technology as a priority target in its own right. State actors have gone after industrial control systems and programmable logic controllers across critical sectors, water and energy among them, and the intrusions that became public have prompted sanctions precisely because they demonstrated reach into physical infrastructure. The risk is not data theft. It is the ability to affect something in the physical world.
The defensive principle is straightforward to state and harder to enforce. Organizations with both IT and OT environments need strict network segmentation between the two, so that a compromise on the corporate side cannot pivot into the systems that run a plant or a utility. Where that segmentation is weak or assumed rather than verified, it is worth treating as a standing project rather than a one-time configuration, because the consequences of a crossover sit in a different category from a conventional data breach.
When News Breaks, Your Risk Amplifies
The final piece of advice ties the rest together and turns headlines into a planning signal. Drawing on his experience advising the Joint Staff and the Defense Information Systems Agency, Cucciniello urges leaders to "assume that geopolitical escalation is going to affect your threat level." When global coverage reports strikes against Iran or a sharp turn in the relationship, the pattern over more than a decade is that Iranian cyber activity surges in response. A company need not have any direct connection to the events to feel the second-order effect, because retaliation in this domain is broad and opportunistic rather than narrowly aimed.
For a security team, that converts the news cycle into an operational input. A period of heightened tension is the moment to raise alert thresholds, accelerate patching on exposed systems, and brief leadership that the threat level has moved. The connection between a kinetic event abroad and a spike in scanning or phishing at home is consistent enough to plan around, and treating it as predictable rather than surprising is what separates a prepared organization from a reactive one.
Assumption to Operate Upon
We asked Cucciniello for a single takeaway for private-sector leaders. He keeps it broad and unsentimental. "If you are in any way affiliated with the United States," he says, whether US-based or US-owned, "there is a potential for your company and your operations to be attacked." And he extends the same logic to Israeli and British firms inside that alliance, formal or informal. The point is not fear. It is posture. Adversarial states, he says, are "not just looking to go tit for tat at the state level or the kinetic level, but also targeting US companies."
That is the assumption to build a program around. The geopolitical and the commercial are no longer separate risk registers, and the companies that absorb that early will be the ones reading their own threat level correctly while the rest are still treating it as someone else's problem.
CISO Action Plan
Geopolitics sets your threat model, but defense happens on the network. Here are five non-negotiable actions to harden your environment against state-linked escalation.
- Screen ransomware groups against the SDN list before any payment. Treasury continues to sanction ransomware actors, and paying anyone on OFAC's Specially Designated Nationals list can trigger strict-liability penalties even if you didn't know. Route every payment decision through legal, screen the group against the list, and report to the FBI and CISA immediately, which OFAC treats as a mitigating factor.
- Patch internet-facing appliances on a security timeline, not an IT one. In June, CISA gave federal agencies three days to patch an actively exploited Check Point VPN zero-day tied to the Qilin ransomware group. Exposed VPN and edge devices are the fastest-growing initial access vector, so close the gap between disclosure and patch as tightly as you can.
- Inventory and retire end-of-support edge devices. CISA, the FBI, and the UK's NCSC jointly warned that nation-state actors are exploiting end-of-support routers, firewalls, and VPN gateways as entry points. Devices that no longer receive vendor patches cannot be defended, so inventory them, update what you can, and decommission the rest.
- Segment IT from OT and verify it. CISA's guidance for critical infrastructure is explicit that OT networks should deny all connections from IT by default unless a specific path is explicitly allowed through a monitored intermediary. State actors targeting industrial systems aim for physical disruption, so segmentation has to be tested, not assumed.
- Hunt under an assume-compromise posture. State-backed actors pre-position quietly, and a clean alert queue is not proof of a clean network. Run proactive threat hunting for indicators of compromise, audit privileged access, watch for unusual lateral movement, and use your sector ISAC to see what peers are detecting.
Thank you for reading the first issue of InfoSec Leadership on cyber operations as statecraft. Issue 02 is coming soon.
If you found this analysis useful, please subscribe to the InfoSec Leadership newsletter so you never miss an update.
Lead with clarity, defend with purpose.
Shant Ebenezer
Technical Contributor and Volunteer Host