Palo Alto Networks Unit 42 (archived Mar 16, 2026)
Insights: Increased Risk of Wiper Attacks
We are observing an increase in wiper attacks by the Iran-linked Handala Hack group (aka Void Manticore) carried out through phishing and misuse of Microsoft Intune.
Unit 42 is tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the US. For the latest intelligence on cyberattacks associated with this conflict, review our Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran.
The primary vector for recent destructive operations from the Handala Hack group (aka Void Manticore, COBALT MYSTIQUE and Storm-1084/Storm-0842) reportedly involves compromising identities through phishing and then abusing administrative access to Microsoft Intune, whose remote wipe and retire actions let a single privileged account destroy data on every enrolled device. Handala Hack first emerged in late 2023. Despite initial hacktivist-aligned messaging, the group is currently assessed by the threat intelligence community to be a state-directed front for Iran’s Ministry of Intelligence and Security (MOIS).
On March 6, Israel’s National Cyber Directorate warned of Iranian cyberattacks targeting Israeli organizations with wipers:
“The National Cyber Command has received reports of several cases in which attackers gained access to corporate networks and deleted servers and workstations, with the aim of disrupting the operations of the attacked organizations. In some cases, the attacker had access data from legitimate corporate users, which was used to gain initial access to the network.”
— Translated from source: Israel’s National Cyber Directorate.
The following recommendations are based on the information reported publicly so far and threat intelligence from Palo Alto Networks Unit 42, specifically addressing the tactics observed by the Iranian-linked threat actor Handala.
Proactive Hardening Recommendations
Eliminate Standing Privileges
Persistent administrative rights are the single greatest risk factor in modern identity attacks. Attackers such as Handala target high-value accounts with "standing" (always-on) permissions to facilitate immediate impact.
Just-in-time (JIT) access: Implement a JIT model for all administrative roles. Accounts should hold no privileged permissions by default and gain elevated rights only through a formal activation process. A cloud infrastructure entitlement management (CIEM) solution can help pinpoint identity risk in cloud resources.
Microsoft Entra Privileged Identity Management (PIM): Use Entra ID PIM to manage eligible role assignments. Require multi-factor authentication (MFA), business justification and, for high-risk roles, manual approval before activation.
CyberArk Privileged Access Management (PAM): For organizations with hybrid or complex multi-cloud environments, use CyberArk to vault administrative credentials and manage session isolation. CyberArk can provide a secure landing zone for administrators, designed to ensure that credentials for platforms like Intune never reside on a potentially compromised endpoint.
Harden Entra ID Administrator Accounts
Limit count: Reduce the number of Global Administrator and Intune Administrator accounts to the fewest possible based on business needs. A tool like the Cortex Identity Security dashboard can help discover which identities hold administrative privileges.
Cloud-native accounts: Use cloud-only accounts (e.g., admin@tenant.onmicrosoft.com) for administrative roles to prevent lateral movement from on-premises Active Directory via synchronized account compromise.
Break-glass accounts: Maintain two emergency-access accounts that are excluded from standard conditional access policies, but protected by hardware-based MFA and monitored with high-severity alerts. Consider allowing mass wipe capabilities only from break-glass accounts.
Enable multi-administrator approval (MAA): MAA requires a second, different administrator to review and approve high-impact actions before they are executed. Create an access policy for actions like wipe or delete.
Enhance Azure-Specific Security Controls
Role-based access control (RBAC): Use the Intune Administrator role specifically, rather than granting Global Administrator rights to device management staff. Inventory Service Principals with permissions for device management such as DeviceManagementManagedDevices.ReadWrite.All.
PIM for Groups: Instead of assigning roles to individuals, use PIM for Groups (formerly Privileged Access Groups). Assign the Intune Administrator role to a security group and make users Eligible for membership in that group. This allows for unified auditing and approval workflows.
Conditional access for elevation: Enforce authentication strength policies during PIM activation. Require FIDO2 hardware keys (e.g., YubiKeys) or Windows Hello for Business to activate roles that have the power to issue wipe commands, and allow sign-ins to those roles only from corporate IP address ranges or other trusted locations.
Privileged access workstations: Require Global Administrators and Intune Administrators to reach the Azure, Entra and Intune portals only from hardened privileged access workstations (PAWs, also called secure administrative workstations or SAWs): dedicated machines used for nothing but administrative and sensitive data handling activities. Enforce device compliance in conditional access so that a sign-in from any other endpoint is refused.
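The inventories that the "Eliminate Standing Privileges", "Harden Entra ID Administrator Accounts" and RBAC items above ask for can be scripted against Microsoft Graph. The following is an added example written for this page, not Unit 42 code: it reports permanent (non-PIM) holders of Global Administrator and Intune Administrator, flags those synchronized from on-premises AD, and lists service principals granted Graph application permissions that can wipe managed devices. The Graph endpoints named in the docstring, the $expand on principal, and the Graph appRoles lookup are assumptions to verify against the Graph reference; the role template IDs are Microsoft's well-known values; all sample records are constructed.

```python
"""Inventory standing privilege that could be used to issue Intune wipes.

Added example (not Unit 42 code). From Microsoft Graph data it reports:
  * permanent (non-PIM) holders of Global Administrator / Intune Administrator,
  * which of those principals are synced from on-premises AD,
  * service principals holding Graph application permissions that can wipe
    managed devices (DeviceManagementManagedDevices.ReadWrite.All and the
    PrivilegedOperations.All permission that the wipe/retire actions require).
The functions take JSON in the shape Graph returns; the sample records at the
bottom are constructed. Assumed live sources:
  GET /v1.0/roleManagement/directory/roleAssignmentSchedules?$expand=principal
  GET /v1.0/servicePrincipals/{graph_sp_id}/appRoleAssignedTo
where graph_sp_id is the tenant's Microsoft Graph service principal
(appId 00000003-0000-0000-c000-000000000000); its appRoles list maps each
permission name to the appRoleId used in the assignments.
"""
import json
from collections import Counter

ROLE_TEMPLATES = {  # well-known Entra role template IDs (same in every tenant)
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "3a2c62db-5318-420d-8d74-23affee5d9d5": "Intune Administrator",
}
WIPE_CAPABLE_PERMISSIONS = {
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
}


def standing_admins(schedules):
    """Return permanent holders of the tracked roles.

    A PIM activation appears as assignmentType 'Activated' with an expiry;
    a standing assignment is 'Assigned' with expiration type 'noExpiration'.
    """
    found = []
    for s in schedules:
        role = ROLE_TEMPLATES.get(s.get("roleDefinitionId"))
        if role is None:
            continue
        expiry = (s.get("scheduleInfo") or {}).get("expiration") or {}
        if s.get("assignmentType") != "Assigned" or expiry.get("type") != "noExpiration":
            continue
        p = s.get("principal") or {}
        found.append({
            "role": role,
            "principal": p.get("userPrincipalName") or p.get("displayName") or s.get("principalId"),
            "type": p.get("@odata.type", "").rsplit(".", 1)[-1],   # user / group / servicePrincipal
            "synced_from_onprem": bool(p.get("onPremisesSyncEnabled")),
        })
    return found


def wipe_capable_app_role_ids(graph_sp):
    """Map appRoleId -> permission name for the wipe-capable Graph app roles."""
    return {r["id"]: r["value"] for r in graph_sp.get("appRoles", [])
            if r.get("value") in WIPE_CAPABLE_PERMISSIONS}


def service_principals_with_wipe_rights(assigned_to, role_ids):
    """assigned_to: items from /servicePrincipals/{graph_sp_id}/appRoleAssignedTo."""
    return [{"principal": a.get("principalDisplayName"), "principalId": a.get("principalId"),
             "permission": role_ids[a["appRoleId"]]}
            for a in assigned_to if a.get("appRoleId") in role_ids]


def report(schedules, graph_sp, assigned_to):
    admins = standing_admins(schedules)
    return {
        "standing_admins": admins,
        "standing_count_by_role": dict(Counter(a["role"] for a in admins)),
        "synced_admins": [a["principal"] for a in admins if a["synced_from_onprem"]],
        "wipe_capable_service_principals":
            service_principals_with_wipe_rights(assigned_to, wipe_capable_app_role_ids(graph_sp)),
    }


# ---- constructed sample data (Graph response shape; every value is invented) ----
SAMPLE_SCHEDULES = [
    {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}},
     "principal": {"@odata.type": "#microsoft.graph.user",
                   "userPrincipalName": "jdoe@corp.example", "onPremisesSyncEnabled": True}},
    {"roleDefinitionId": "3a2c62db-5318-420d-8d74-23affee5d9d5", "assignmentType": "Activated",
     "scheduleInfo": {"expiration": {"type": "afterDateTime", "endDateTime": "2026-03-10T12:00:00Z"}},
     "principal": {"@odata.type": "#microsoft.graph.user",
                   "userPrincipalName": "admin@tenant.onmicrosoft.com", "onPremisesSyncEnabled": None}},
    {"roleDefinitionId": "3a2c62db-5318-420d-8d74-23affee5d9d5", "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}},
     "principal": {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "legacy-mdm-automation"}},
]
SAMPLE_GRAPH_SP = {"appRoles": [  # constructed IDs; read the real ones from the tenant
    {"id": "11111111-1111-1111-1111-111111111111", "value": "DeviceManagementManagedDevices.ReadWrite.All"},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "User.Read.All"},
]}
SAMPLE_ASSIGNED_TO = [
    {"appRoleId": "11111111-1111-1111-1111-111111111111", "principalDisplayName": "helpdesk-bot", "principalId": "sp-1"},
    {"appRoleId": "22222222-2222-2222-2222-222222222222", "principalDisplayName": "hr-sync", "principalId": "sp-2"},
]

if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_SCHEDULES, SAMPLE_GRAPH_SP, SAMPLE_ASSIGNED_TO), indent=2))
```

On the constructed data the report shows one standing Global Administrator that is a synced on-premises account (exactly the lateral-movement path the cloud-only recommendation closes), one standing Intune Administrator that is an automation service principal rather than a person, and one service principal that can wipe devices through Graph without holding any directory role at all. Each of those is a candidate for conversion to a PIM-eligible assignment or removal.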
Session and Token Security
Reduce session lifetimes: Shorten session duration for sensitive administrative portals (e.g., the Intune, Entra and Azure portals) to under one hour. This limits how long a stolen session token remains usable.
Token Protection: Enable Token Protection (in preview for Entra ID at the time of writing) to cryptographically bind session tokens to the device they were issued to, so that a token stolen from one machine cannot be replayed from another. Tools such as the Cortex XDR authentication bypass module can help protect against attacks that attempt to circumvent authentication controls such as tokens.
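The conditional access settings described in this section and in "Conditional access for elevation" above can be expressed as Graph policy objects and, more usefully, audited across a tenant's existing policies. The following is an added example written for this page, not Unit 42 code: build_admin_ca_policies() produces the two policy bodies (a grant policy cannot also block, so trusted-location enforcement is a second policy) and audit_policies() lists which of this section's controls no enabled policy provides. The role template IDs and the built-in "Phishing-resistant MFA" authentication strength ID are Microsoft's; the named-location ID, break-glass user IDs and the secureSignInSession property for Token Protection are assumptions to confirm against the Graph conditionalAccessPolicy reference.

```python
"""Conditional access for privileged roles: phishing-resistant MFA, one-hour
sessions, no persistent browser, trusted networks only.

Added example (not Unit 42 code). build_admin_ca_policies() returns JSON
bodies for POST /v1.0/identity/conditionalAccess/policies; audit_policies()
takes policies exported from GET .../policies and returns the gaps against
the controls this section asks for. IDs other than Microsoft's role template
and authentication-strength IDs are placeholders.
"""
import json

PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"  # built-in authentication strength
ADMIN_ROLES = [
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "3a2c62db-5318-420d-8d74-23affee5d9d5",  # Intune Administrator
]
GAP_STRENGTH = "no enabled policy requires phishing-resistant MFA for Global/Intune Administrator"
GAP_SIF = "no enabled admin policy limits sign-in frequency to 1 hour or less"
GAP_BROWSER = "no enabled admin policy disables persistent browser sessions"
GAP_LOCATION = "no enabled admin policy blocks sign-ins from outside trusted locations"
GAP_TOKEN = "token protection (secureSignInSession) is not enabled in any policy"


def build_admin_ca_policies(trusted_location_id, break_glass_user_ids,
                            state="enabledForReportingButNotEnforced", token_protection=False):
    """Start in report-only mode and switch state to "enabled" once the
    report-only sign-in log shows no unexpected impact. Break-glass accounts
    are excluded so a mis-scoped policy cannot lock the tenant out."""
    users = {"includeRoles": ADMIN_ROLES, "excludeUsers": list(break_glass_user_ids)}
    grant = {
        "displayName": "Admins: phishing-resistant MFA and 1-hour sessions",
        "state": state,
        "conditions": {"users": users, "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
        "sessionControls": {
            "signInFrequency": {"isEnabled": True, "type": "hours", "value": 1,
                                "frequencyInterval": "timeBased"},
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
        },
    }
    if token_protection:
        # Preview feature with a limited set of supported apps and clients; if the
        # service rejects it for "All" applications, put it in a separate policy
        # scoped to the apps Microsoft documents as supported.
        grant["sessionControls"]["secureSignInSession"] = {"isEnabled": True}
    block = {
        "displayName": "Admins: block sign-ins outside trusted locations",
        "state": state,
        "conditions": {"users": users, "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["all"],
                       "locations": {"includeLocations": ["All"],
                                     "excludeLocations": [trusted_location_id]}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    return [grant, block]


def _get(d, *path, default=None):
    """Safe nested lookup: _get(p, "sessionControls", "signInFrequency", "value")."""
    for key in path:
        d = (d or {}).get(key)
    return d if d is not None else default


def audit_policies(policies):
    """Return the list of controls (from this section) that no enabled policy provides."""
    enabled = [p for p in policies if p.get("state") == "enabled"]
    admin = [p for p in enabled
             if set(ADMIN_ROLES) <= set(_get(p, "conditions", "users", "includeRoles", default=[]))]

    def sif_hours(p):
        s = _get(p, "sessionControls", "signInFrequency", default={})
        if not s.get("isEnabled"):
            return None
        hours = s.get("value") or 0          # frequencyInterval "everyTime" has no value: stricter than 1h
        return hours * 24 if s.get("type") == "days" else hours

    gaps = []
    if not any(_get(p, "grantControls", "authenticationStrength", "id") == PHISHING_RESISTANT_MFA for p in admin):
        gaps.append(GAP_STRENGTH)
    if not any(sif_hours(p) is not None and sif_hours(p) <= 1 for p in admin):
        gaps.append(GAP_SIF)
    if not any(_get(p, "sessionControls", "persistentBrowser", "mode") == "never" for p in admin):
        gaps.append(GAP_BROWSER)
    if not any("block" in _get(p, "grantControls", "builtInControls", default=[])
               and _get(p, "conditions", "locations", "includeLocations") == ["All"]
               and _get(p, "conditions", "locations", "excludeLocations") for p in admin):
        gaps.append(GAP_LOCATION)
    if not any(_get(p, "sessionControls", "secureSignInSession", "isEnabled") for p in enabled):
        gaps.append(GAP_TOKEN)
    return gaps


if __name__ == "__main__":
    policies = build_admin_ca_policies("named-location-id", ["break-glass-1", "break-glass-2"])
    print(json.dumps(policies, indent=2))
    print(audit_policies(policies))   # report-only policies count as absent, so every gap is listed
```

Running audit_policies() over the tenant's exported policies is the check to repeat after any conditional access change: a policy that was flipped back to report-only, or one whose sign-in frequency was relaxed to eight hours to quiet complaints, shows up as a named gap rather than disappearing silently.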
Implement Data Governance and Data Protection Programs
Discover and label sensitive data: Use data security posture management (DSPM) capabilities to scan and label sensitive data in the corporate hybrid environment. This classification enables granular segmentation, persistent encryption and automated security controls. Doing so helps ensure the organization’s most critical assets are protected regardless of where they reside.
Leverage data loss prevention (DLP): Implement technologies such as the Palo Alto Networks AI-powered Enterprise DLP to alert and proactively block data exfiltration attempts. If storage accounts send significantly more data outbound than usual, organizations should immediately investigate.
Monitoring and Response Preparedness
Managed detection and response (MDR)/extended detection and response (XDR) integration: Ensure that audit logs from device management tools such as Intune (specifically RemoteWipe and FactoryReset actions) are ingested into your security information and event management (SIEM)/XDR platform. Leverage automation, such as a security orchestration, automation and response (SOAR) platform, to rapidly respond to malicious events. A SOC platform such as Cortex XSIAM can perform these functions within one solution.
Anomalous activity alerts: Configure specific alerts for mass wipe events. If more than a set threshold of devices (e.g., five or 10) is targeted for a wipe within a short window, the system should trigger an immediate automated lockout of the initiating administrator account. Monitor Entra sign-in logs and alert when an administrator signs in from a new location (such as a new country) or from outside approved networks.
Offline backups: Maintain immutable, air-gapped, offline backups of critical data. As the threat actor’s goal is often pure disruption (wiper activity) rather than financial extortion, the ability to restore from an immutable source may be the only guarantee of recovery.
End-user training and tabletop exercises: Perform frequent phishing exercises, conduct staff cybersecurity training and hold tabletop exercises focused on destructive threat actor activities.
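The two detections described under "Anomalous activity alerts" are straightforward to implement as a sliding-window count per initiating account and a baseline-country comparison, and are worth prototyping before trusting a SIEM rule with automated lockout. The following is an added example written for this page, not Unit 42 code. Field names follow the Microsoft Graph auditEvent (Intune audit log) and signIn resources; the activityType strings, the record values, the threshold and the window are constructed, so match the destructive-action filter to the activity names your tenant's audit log actually emits before deploying it.

```python
"""Detection logic for mass wipe activity and anomalous admin sign-ins, run
over constructed sample records. Added example (not Unit 42 code).

mass_wipe_alerts(): per initiating actor, a sliding window over destructive
Intune audit events; once an actor has targeted >= THRESHOLD distinct devices
inside WINDOW, one alert names the account to lock out.
new_country_signins(): flags interactive sign-ins from a country absent from
the user's baseline (countries seen in the user's recent sign-in history).
Field names follow Graph auditEvent / signIn; activity strings are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                       # devices; the page suggests five or 10
WINDOW = timedelta(minutes=10)      # "short window"
DESTRUCTIVE = ("wipe", "retire", "delete")   # substrings of assumed activityType values


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _actor(event):
    a = event.get("actor") or {}
    return a.get("userPrincipalName") or a.get("applicationDisplayName") or a.get("applicationId") or "unknown"


def is_destructive(event):
    activity = (event.get("activityType") or "").lower()
    return any(k in activity for k in DESTRUCTIVE)


def mass_wipe_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per actor, raised the first time their destructive
    actions cover `threshold` distinct devices within `window`."""
    alerts, alerted = [], set()
    recent = defaultdict(deque)     # actor -> deque of (time, deviceId), oldest first
    for e in sorted(events, key=lambda ev: _ts(ev["activityDateTime"])):
        if not is_destructive(e):
            continue
        actor, t = _actor(e), _ts(e["activityDateTime"])
        q = recent[actor]
        for r in e.get("resources") or []:
            q.append((t, r.get("resourceId")))
        while q and t - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        devices = {dev for _, dev in q}
        if len(devices) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "devices": len(devices),
                           "first": q[0][0].isoformat(), "at": t.isoformat(),
                           "response": "disable account, revoke refresh tokens, hold further wipe commands"})
    return alerts


def new_country_signins(signins, baseline):
    """baseline: {userPrincipalName: set of ISO country codes seen in recent history}.
    Non-interactive sign-ins (token refreshes) are skipped to keep noise down."""
    hits = []
    for s in signins:
        upn = s.get("userPrincipalName")
        country = ((s.get("location") or {}).get("countryOrRegion") or "").upper()
        if s.get("isInteractive", True) and country and country not in baseline.get(upn, set()):
            hits.append({"user": upn, "country": country, "ip": s.get("ipAddress"), "at": s.get("createdDateTime")})
    return hits


# ---- constructed sample records (Graph field names; values and activity strings invented) ----
def _event(actor, stamp, activity, device):
    return {"activityDateTime": stamp, "activityType": activity,
            "actor": {"userPrincipalName": actor}, "resources": [{"resourceId": device, "type": "ManagedDevice"}]}

SAMPLE_AUDIT_EVENTS = (
    [_event("helpdesk@corp.example", f"2026-03-09T12:{m:02d}:00Z", "wipeManagedDevice", f"dev-{m}") for m in range(6)]
    + [_event("it-admin@corp.example", "2026-03-09T11:00:00Z", "retireManagedDevice", "dev-old-1"),
       _event("it-admin@corp.example", "2026-03-09T11:50:00Z", "retireManagedDevice", "dev-old-2"),
       _event("helpdesk@corp.example", "2026-03-09T12:02:00Z", "syncDevice", "dev-99")]
)
SAMPLE_BASELINE = {"helpdesk@corp.example": {"IL", "US"}, "it-admin@corp.example": {"IL"}}
SAMPLE_SIGNINS = [
    {"userPrincipalName": "helpdesk@corp.example", "ipAddress": "203.0.113.10", "isInteractive": True,
     "createdDateTime": "2026-03-09T11:55:00Z", "location": {"countryOrRegion": "DE"}},
    {"userPrincipalName": "it-admin@corp.example", "ipAddress": "198.51.100.7", "isInteractive": True,
     "createdDateTime": "2026-03-09T10:40:00Z", "location": {"countryOrRegion": "IL"}},
    {"userPrincipalName": "helpdesk@corp.example", "ipAddress": "203.0.113.10", "isInteractive": False,
     "createdDateTime": "2026-03-09T11:56:00Z", "location": {"countryOrRegion": "DE"}},
]

if __name__ == "__main__":
    print(mass_wipe_alerts(SAMPLE_AUDIT_EVENTS))
    print(new_country_signins(SAMPLE_SIGNINS, SAMPLE_BASELINE))
```

On the sample data the helpdesk account trips the wipe alert on its fifth device at 12:04, while the two retirements spread over fifty minutes by it-admin stay below threshold, and the same helpdesk account's interactive sign-in from a country outside its baseline a few minutes earlier is flagged (its non-interactive refresh is not). Correlating the two signals on the same account is what justifies the automated lockout the section recommends; either alone is more likely to be a help desk clearing old hardware or an administrator travelling.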
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
South Korea: +82.080.467.8774
Updated March 13, 2026, at 1:05 p.m. PT to add links to resources.
TAGS: Hacktivism, Wiper, Threat Research Center
RELATED ARTICLES
Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization
Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran
An AI Based Solution to Detecting the DoubleZero .NET Wiper