There's this idea that floats around—usually in boardrooms and in forums—that advanced threat actors operate like surgeons. They pick a target, they plan it out, they execute. Super deliberate. Undeniably cinematic. It implies that a breach is something that happens to important, specifically chosen organizations, which is genuinely great news for everyone who's convinced they aren't one of those.

It's a comforting bedtime story. It's also very (mostly) wrong.

Stryker is a good example of why, and it's worth slowing down on instead of just pointing at it. Fortune 500 company. $25 billion in revenue. 56,000 employees. Products touching more than 150 million patients across 61 countries. Handala, an Iranian-linked group with documented ties to the Ministry of Intelligence and Security, comes out claiming they wiped 200,000 servers, mobile devices, and systems and forced shutdowns across 79 countries.

Then the speculation machine kicks on: was it the recent OrthoSpace acquisition? The Israeli connections? A supply chain statement? Retaliation for strikes on Iranian soil? Everyone has a theory, and they're all working backwards from the assumption that someone sat in a room and wrote "Stryker" on a whiteboard.

Here's what actually happened: Handala knew exactly what they had and when to use it. Active US-Israeli military operations against Iran were underway. The timing was as good as it was going to get. They didn't stumble into a Fortune 500 company by accident and get surprised when the lights went out. They pulled the trigger on purpose.

What they almost certainly didn't do is decide they wanted Stryker specifically, and then go find a way in.

That's the part that keeps getting glossed over. CyberScoop quoted Check Point Research's Sergey Shykevich saying the attack bore "the hallmarks of an opportunistic one," noting Handala is "known more for seizing advantage of weaknesses they happen upon rather than doggedly pursuing particular targets." IBM's X-Force Exchange describes their operations as focused on generating disruptive and psychological impact, not long-horizon espionage. After the attack, the FBI seized Handala's sites and the Justice Department confirmed they were running psychological operations on behalf of Iranian intelligence—built around fear and perception, not just technical capability.

A group that found access, knew it was good, and used it at the best possible moment. Frankly, that's smart. That's calculated. Just not the same thing as a deliberate targeting decision made from scratch.

Even well-resourced, capable groups can't will their way into any network they want. Capability determines what you do once you're inside—getting in is a separate problem entirely, and access has to come from somewhere. In a lot of cases, it comes from someone who already did the work and is selling it.

That's what Initial Access Brokers do, and if it's not already part of how you explain this stuff to clients, it should be. IABs break into environments and sell that access to whoever wants it. They're not running the ransomware campaign or the wiper attack. They're the people who copied your keys and put them on a dark web auction. The buyer—a nation-state group, a ransomware crew, a hacktivist outfit, whoever—just decides if the listing is worth the price. Usually it is.

This isn't a small-time underground hobby. A recent review of publicly observable IAB activity found listings representing a minimum of $6.3 million in corporate access for sale, and that number only reflects what was visible on monitored forums. The private channel stuff doesn't get counted. Corporate access goes for anywhere from a few hundred dollars for basic VPN or RDP credentials up to $50,000 for domain admin access at a large organization. The average transaction sits around $1,328. For reference, that's cheaper than most business laptops (at least until AI kicked prices up) and a lot cheaper than the incident it enables.

Industrialized cybercrime isn't just a catchy phrase; it's an accurate description.

By the time a sophisticated threat actor is doing anything with your environment, the part where they "got in" may have already been handled by someone they've never met. The access was found, listed, bought, and ready. Everything after that—the wiper, the data pull, the Handala logo showing up on login screens—looks intentional and targeted because the actor absolutely knew what they were doing with the access once they had it. The decision about which access to buy? That was a shopping cart.

The takeaway here isn't that sophisticated actors are out to get you. It's that they don't have to be.

If access to your environment can be found, it can be listed. If it can be listed, it can be bought. And if it can be bought, someone will eventually decide whether it's worth using, whether you were the intended target or not. That changes the question organizations should be asking.

Not "who would want to attack us?" But "what would our access be worth to someone who already has it?" The first question has a flattering assumption buried in it: that hackers have to care about your business specifically. The second one doesn't give you that comfort. And that is the point.

Because in a market where initial access is bought and sold every day, security isn't just about preventing breaches. It's about making sure your environment never ends up on a hacker's shopping list in the first place.

In Part 2, we'll get into what happens when opportunity scales—and why MOVEit, supply chain compromises, and that ancient server nobody wants to touch are all symptoms of the same problem.