Unit 42 is tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the US. For the latest intelligence on cyberattacks associated with this conflict, review our Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran.
The primary vector for recent destructive operations by the Handala Hack group (aka Void Manticore, COBALT MYSTIQUE and Storm-1084/Storm-0842) reportedly involves compromising identities through phishing and abusing administrative access to Microsoft Intune. Handala Hack first emerged in late 2023. Despite initial hacktivist-aligned messaging, the group is currently assessed by the threat intelligence community to be a state-directed front for Iran’s Ministry of Intelligence and Security (MOIS).
On March 6, Israel’s National Cyber Directorate warned of Iranian cyberattacks targeting Israeli organizations with wipers:
“The National Cyber Command has received reports of several cases in which attackers gained access to corporate networks and deleted servers and workstations, with the aim of disrupting the operations of the attacked organizations. In some cases, the attacker had access data from legitimate corporate users, which was used to gain initial access to the network.”
— Translated from source: Israel’s National Cyber Directorate.
The following recommendations are based on the information reported publicly so far and threat intelligence from Palo Alto Networks Unit 42, specifically addressing the tactics observed by the Iranian-linked threat actor Handala.
Proactive Hardening Recommendations
Eliminate Standing Privileges
Persistent administrative rights are the single greatest risk factor in modern identity attacks. Attackers such as Handala target high-value accounts with "standing" (always-on) permissions to facilitate immediate impact.
- Just-in-time (JIT) access: Implement a JIT model for all administrative roles. Credentials should have zero permissions by default and only gain elevated rights through a formal activation process.
- Microsoft Entra Privileged Identity Management (PIM): Use Entra ID PIM to manage Eligible role assignments. Require multi-factor authentication (MFA), business justification and, for high-risk roles, manual approval before activation.
- CyberArk Privileged Access Management (PAM): For organizations with hybrid or complex multi-cloud environments, use CyberArk to vault administrative credentials and manage session isolation. CyberArk can provide a secure landing zone for administrators, designed to ensure that credentials for platforms like Intune never reside on a potentially compromised endpoint.
Harden Entra ID Administrator Accounts
- Limit count: Reduce the number of Global Administrator and Intune Administrator accounts to the fewest possible based on business needs.
- Cloud-native accounts: Use cloud-only accounts (e.g., admin@tenant.onmicrosoft.com) for administrative roles to prevent lateral movement from on-premises Active Directory via synchronized account compromise.
- Break-glass accounts: Maintain two emergency-access accounts that are excluded from standard conditional access policies, but protected by hardware-based MFA and monitored with high-severity alerts. Consider allowing mass wipe capabilities only from break-glass accounts.
- Enable multi-administrator approval (MAA): MAA requires a second, different administrator to review and approve high-impact actions before they are executed. Create an access policy for actions like wipe or delete.
Enhance Azure-Specific Security Controls
- Role-based access control (RBAC): Use the Intune Administrator role specifically, rather than granting Global Administrator rights to device management staff. Inventory Service Principals with permissions for device management such as DeviceManagementManagedDevices.ReadWrite.All.
- PIM for Groups: Instead of assigning roles to individuals, use PIM for Groups (formerly Privileged Access Groups). Assign the Intune Administrator role to a security group and make users Eligible for membership in that group. This allows for unified auditing and approval workflows.
- Conditional access for elevation: Enforce authentication strength policies during PIM activation. Require FIDO2 hardware keys (e.g., YubiKeys) or Windows Hello for Business to activate roles that have the power to issue wipe commands, and allow these sign-ins only from corporate IP address ranges or trusted locations.
- Privileged access workstations: Require Global Administrators to access Azure from hardened privileged access workstations (PAWs), also known as secure administrative workstations (SAWs): dedicated machines used only for administrative and sensitive data-handling activities. Enforce endpoint compliance before access is allowed.
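As an added example (not Unit 42's or Microsoft's code), the following Python script audits Graph-shaped records against the account-hardening and RBAC points above: it counts direct holders of the Global Administrator and Intune Administrator roles, flags holders that are synchronized from on-premises AD rather than cloud-only accounts, and lists service principals whose application permissions allow device-management writes. The role template IDs, the Graph endpoints named in the comments and the permission-to-GUID mapping are assumptions to verify against your tenant; every record is constructed for the demonstration, and fetching live data (for example with `requests` and a bearer token) is left to the caller.

```python
"""Audit privileged Entra ID role holders and device-management service
principals. Added example, not Unit 42 or Microsoft code.

Input shapes mirror Microsoft Graph (assumed; verify against current docs):
  GET /v1.0/roleManagement/directory/roleAssignments?$expand=principal
      (user records here also carry onPremisesSyncEnabled, which a real run
       would add via GET /v1.0/users/{id}?$select=onPremisesSyncEnabled)
  GET /v1.0/servicePrincipals/{id}/appRoleAssignments
  GET /v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
      (the Microsoft Graph service principal, whose appRoles map GUID -> name)
All records below are constructed sample data.
"""
from collections import defaultdict

# Built-in directory role template IDs (assumed; confirm in your tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
INTUNE_ADMIN = "3a2c62db-5318-420d-8d74-23affee5d9d5"
ROLE_NAMES = {GLOBAL_ADMIN: "Global Administrator", INTUNE_ADMIN: "Intune Administrator"}

# Application permissions that let a service principal modify or wipe
# managed devices (the first is the one named in the text).
DEVICE_WRITE_PERMS = {
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
}

USER = "#microsoft.graph.user"

ROLE_ASSIGNMENTS = [  # constructed sample: unifiedRoleAssignment with principal expanded
    {"roleDefinitionId": GLOBAL_ADMIN, "principal": {"@odata.type": USER,
        "userPrincipalName": "ga-admin@tenant.onmicrosoft.com", "onPremisesSyncEnabled": None}},
    {"roleDefinitionId": GLOBAL_ADMIN, "principal": {"@odata.type": USER,
        "userPrincipalName": "jdoe@corp.example", "onPremisesSyncEnabled": True}},
    {"roleDefinitionId": GLOBAL_ADMIN, "principal": {"@odata.type": USER,
        "userPrincipalName": "breakglass-1@tenant.onmicrosoft.com", "onPremisesSyncEnabled": None}},
    {"roleDefinitionId": INTUNE_ADMIN, "principal": {"@odata.type": USER,
        "userPrincipalName": "devops@corp.example", "onPremisesSyncEnabled": True}},
    {"roleDefinitionId": INTUNE_ADMIN, "principal": {"@odata.type": "#microsoft.graph.group",
        "displayName": "PIM-IntuneAdmins"}},
]

GRAPH_APP_ROLES = {  # constructed GUIDs standing in for the Graph SP's appRoles (id -> value)
    "11111111-1111-1111-1111-111111111111": "DeviceManagementManagedDevices.ReadWrite.All",
    "22222222-2222-2222-2222-222222222222": "DeviceManagementManagedDevices.Read.All",
    "33333333-3333-3333-3333-333333333333": "DeviceManagementManagedDevices.PrivilegedOperations.All",
}

APP_ROLE_ASSIGNMENTS = [  # constructed sample: appRoleAssignment records
    {"principalDisplayName": "HelpdeskAutomation", "appRoleId": "11111111-1111-1111-1111-111111111111"},
    {"principalDisplayName": "InventoryReporter", "appRoleId": "22222222-2222-2222-2222-222222222222"},
    {"principalDisplayName": "LegacyMdmSync", "appRoleId": "33333333-3333-3333-3333-333333333333"},
]


def role_holders(assignments):
    """Group principals under each privileged role; other roles are ignored."""
    holders = defaultdict(list)
    for a in assignments:
        if a["roleDefinitionId"] in ROLE_NAMES:
            holders[a["roleDefinitionId"]].append(a["principal"])
    return holders


def audit_roles(assignments, max_per_role):
    """Findings for oversized role membership and synced (non cloud-only) admins."""
    findings = []
    for role_id, principals in role_holders(assignments).items():
        name = ROLE_NAMES[role_id]
        if len(principals) > max_per_role:
            findings.append(f"{name}: {len(principals)} direct holders, limit is {max_per_role}")
        for p in principals:
            if p.get("@odata.type") == USER and p.get("onPremisesSyncEnabled"):
                findings.append(f"{name}: {p['userPrincipalName']} is synced from on-premises AD; "
                                "use a cloud-only account")
    return findings


def audit_service_principals(assignments, app_roles):
    """Findings for service principals that can write to or wipe managed devices."""
    findings = []
    for a in assignments:
        perm = app_roles.get(a["appRoleId"], "<unknown appRoleId>")
        if perm in DEVICE_WRITE_PERMS:
            findings.append(f"service principal {a['principalDisplayName']} holds {perm}")
    return findings


if __name__ == "__main__":
    for line in (audit_roles(ROLE_ASSIGNMENTS, max_per_role=3)
                 + audit_service_principals(APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES)):
        print("FINDING:", line)
```

Run it against the constructed records and it reports the two synced administrators and the two service principals holding device-write permissions; lowering `max_per_role` to 2 adds a finding for the three direct Global Administrator holders, which is the count-reduction check.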
Session and Token Security
- Reduce session lifetimes: Shorten session duration for sensitive administrative portals (e.g., the Intune, Entra and Azure portals) to under 1 hour. This limits how long a stolen session token remains usable.
- Token Protection: Enable Token Protection (currently in preview for Entra ID) to cryptographically bind session tokens to the specific device from which they were issued, to help prevent an attacker from replaying them on a different machine.
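As an added example (not Microsoft's or Unit 42's code), this Python linter reads Conditional Access policies in the JSON shape Microsoft Graph returns from `GET /v1.0/identity/conditionalAccess/policies` and checks the privileged-role scope for the controls recommended in the two sections above: a block on sign-ins outside trusted locations, a phishing-resistant authentication strength, a sign-in frequency of at most one hour, and Token Protection (the `secureSignInSession` session control). The built-in authentication-strength ID, the role template IDs and the property names are assumptions to confirm against current Graph documentation; both policy sets are constructed, one hardened and one weak, and the live fetch is left to the caller.

```python
"""Lint Entra Conditional Access policies for privileged-role sign-ins.
Added example, not Microsoft or Unit 42 code. Policy JSON follows the Graph
conditionalAccessPolicy shape (assumed); all policies below are constructed.
"""

# Directory role template IDs and the built-in "Phishing-resistant MFA"
# authentication strength (assumed values; verify in your tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
INTUNE_ADMIN = "3a2c62db-5318-420d-8d74-23affee5d9d5"
PRIVILEGED_ROLES = {GLOBAL_ADMIN, INTUNE_ADMIN}
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
BREAK_GLASS = ["<break-glass-account-object-id>"]  # placeholder; always exclude these

HARDENED_POLICIES = [  # constructed: block outside trusted locations + strong grant/session controls
    {
        "displayName": "Admins: block sign-in outside trusted locations",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN, INTUNE_ADMIN], "excludeUsers": BREAK_GLASS},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Admins: phishing-resistant MFA, 1h sessions, token protection",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN, INTUNE_ADMIN], "excludeUsers": BREAK_GLASS},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["compliantDevice"],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
        "sessionControls": {
            "signInFrequency": {"isEnabled": True, "frequencyInterval": "timeBased",
                                "type": "hours", "value": 1},
            "secureSignInSession": {"isEnabled": True},  # Token Protection
        },
    },
]

WEAK_POLICIES = [  # constructed: legacy MFA only, week-long sessions, no location scoping
    {
        "displayName": "Admins: require MFA",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "timeBased",
                                                "type": "days", "value": 7}},
    },
]


def scoped_to_privileged_roles(policy):
    roles = set(policy.get("conditions", {}).get("users", {}).get("includeRoles", []))
    return bool(roles & PRIVILEGED_ROLES)


def blocks_untrusted_locations(policy):
    loc = policy.get("conditions", {}).get("locations") or {}
    grant = policy.get("grantControls") or {}
    return (grant.get("builtInControls") == ["block"]
            and "All" in loc.get("includeLocations", [])
            and "AllTrusted" in loc.get("excludeLocations", []))


def requires_phishing_resistant_mfa(policy):
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_MFA


def session_hours(policy):
    """Sign-in frequency in hours: 0 for every-time re-auth, None if not enforced."""
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0
    return sif["value"] * (24 if sif.get("type") == "days" else 1)


def token_protection_on(policy):
    session = policy.get("sessionControls") or {}
    return bool((session.get("secureSignInSession") or {}).get("isEnabled"))


def lint_admin_access(policies, max_session_hours=1):
    """Each finding is a gap that no enabled privileged-role policy closes."""
    live = [p for p in policies if p.get("state") == "enabled" and scoped_to_privileged_roles(p)]
    checks = [
        (blocks_untrusted_locations,
         "no policy blocks privileged sign-ins outside trusted locations"),
        (requires_phishing_resistant_mfa,
         "no policy requires phishing-resistant MFA (FIDO2 / Windows Hello for Business)"),
        (lambda p: session_hours(p) is not None and session_hours(p) <= max_session_hours,
         f"no policy caps admin sessions at {max_session_hours}h; stolen tokens stay valid longer"),
        (token_protection_on,
         "no policy enables Token Protection; tokens can be replayed from another device"),
    ]
    return [message for check, message in checks if not any(check(p) for p in live)]


if __name__ == "__main__":
    for name, policies in (("hardened", HARDENED_POLICIES), ("weak", WEAK_POLICIES)):
        print(name, lint_admin_access(policies) or "no findings")
```

Report-only policies (`state` of `enabledForReportingButNotEnforced`) are deliberately ignored, since they enforce nothing; a tenant that has only staged the hardened set will get the same four findings as the weak set until the policies are switched on.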
Implement Data Governance and Data Protection Programs
- Discover and label sensitive data: Use data security posture management (DSPM) capabilities to scan and label sensitive data in the corporate hybrid environment. This classification enables granular segmentation, persistent encryption and automated security controls. Doing so helps ensure the organization’s most critical assets are protected regardless of where they reside.
- Leverage data loss prevention (DLP): Implement technologies to alert and proactively block data exfiltration attempts. If storage accounts send significantly more data outbound than usual, organizations should immediately investigate.
Monitoring and Response Preparedness
- Managed detection and response (MDR)/extended detection and response (XDR) integration: Ensure audit logs from device management tools such as Intune (specifically RemoteWipe and FactoryReset actions) are ingested into your security information and event management (SIEM)/XDR platform. Use automation, such as a security orchestration, automation and response (SOAR) platform, to respond rapidly to malicious events.
- Anomalous activity alerts: Configure specific alerts for mass wipe events. If more than a set threshold of devices (e.g., five or 10) is targeted for a wipe within a short window, the system should trigger an immediate automated lockout of the initiating administrator account. Monitor Entra sign-in logs so that an administrator signing in from an unusual location or from outside approved networks is detected and alerted on.
- Offline backups: Maintain immutable, air-gapped, offline backups of critical data. As the threat actor’s goal is often pure disruption (wiper activity) rather than financial extortion, the ability to restore from an immutable source may be the only guarantee of recovery.
- End-user training and tabletop exercises: Perform frequent phishing exercises, conduct staff cybersecurity training and hold tabletop exercises focused on destructive threat actor activities.
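As an added example (not Unit 42 tooling), the following Python detector implements the mass-wipe rule from the list above over Intune audit events in the shape Microsoft Graph returns from `GET /beta/deviceManagement/auditEvents` (field names assumed from the Graph schema; the `activityType` strings, IP addresses and timestamps are constructed sample data). It keeps a ten-minute sliding window of distinct devices per administrator, recommends a lockout of the initiating account once the window reaches the threshold, and separately flags wipe actions issued from outside an approved corporate egress range, which applies the off-network check the text describes to the Intune action itself.

```python
"""Mass-wipe detection over Intune audit events. Added example, not Unit 42
tooling. Event shape mirrors Microsoft Graph deviceManagement/auditEvents
(assumed); every event, address and timestamp below is constructed.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Audit activity types counted as destructive (matched case-insensitively
# on the activityType string; adjust to the exact strings your tenant logs).
DESTRUCTIVE_KEYWORDS = ("remotewipe", "factoryreset", "wipe")
WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # the text suggests five or 10 devices in a short window
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corporate egress range


def _event(ts, actor, ip, activity, device_id):
    """Build one constructed audit record in the (assumed) Graph shape."""
    return {"activityDateTime": ts, "activityType": activity,
            "activityOperationType": "Action", "activityResult": "Success",
            "actor": {"userPrincipalName": actor, "ipAddress": ip},
            "resources": [{"auditResourceType": "ManagedDevice", "resourceId": device_id}]}


SAMPLE_EVENTS = [  # constructed: routine helpdesk wipes and a burst from a compromised admin
    _event("2026-03-06T08:30:00Z", "helpdesk@corp.example", "203.0.113.10", "RemoteWipe ManagedDevice", "dev-h1"),
    _event("2026-03-06T09:00:10Z", "itadmin@corp.example", "198.51.100.7", "RemoteWipe ManagedDevice", "dev-a1"),
    _event("2026-03-06T09:00:40Z", "itadmin@corp.example", "198.51.100.7", "RemoteWipe ManagedDevice", "dev-a2"),
    _event("2026-03-06T09:01:15Z", "itadmin@corp.example", "198.51.100.7", "FactoryReset ManagedDevice", "dev-a3"),
    _event("2026-03-06T09:02:00Z", "itadmin@corp.example", "198.51.100.7", "RemoteWipe ManagedDevice", "dev-a4"),
    _event("2026-03-06T09:03:30Z", "itadmin@corp.example", "198.51.100.7", "RemoteWipe ManagedDevice", "dev-a5"),
    _event("2026-03-06T09:04:05Z", "itadmin@corp.example", "198.51.100.7", "RemoteWipe ManagedDevice", "dev-a6"),
    _event("2026-03-06T09:05:00Z", "itadmin@corp.example", "198.51.100.7", "SyncDevice ManagedDevice", "dev-a7"),
    _event("2026-03-06T09:10:00Z", "helpdesk@corp.example", "203.0.113.10", "RemoteWipe ManagedDevice", "dev-h2"),
]


def is_destructive(event):
    activity = event.get("activityType", "").lower()
    return any(keyword in activity for keyword in DESTRUCTIVE_KEYWORDS)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def on_approved_network(ip, approved=APPROVED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in approved)


def detect(events, threshold=THRESHOLD, window=WINDOW, approved=APPROVED_NETWORKS):
    """Return (alerts, accounts_to_lock).

    alerts holds ("off_network_wipe", actor, ip) once per actor/address pair
    seen wiping from outside the approved ranges, and
    ("mass_wipe_lockout", actor, n) when one actor touches >= threshold
    distinct devices inside `window`. Performing the lockout (disable the
    account, revoke its sessions) is the SOAR step the text calls for and is
    outside this detector.
    """
    alerts, to_lock, flagged = [], set(), set()
    recent = defaultdict(deque)  # actor -> (timestamp, device_id) pairs inside the window
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if not is_destructive(ev):
            continue
        actor, ip = ev["actor"]["userPrincipalName"], ev["actor"]["ipAddress"]
        ts = parse_ts(ev["activityDateTime"])
        if not on_approved_network(ip, approved) and (actor, ip) not in flagged:
            flagged.add((actor, ip))
            alerts.append(("off_network_wipe", actor, ip))
        window_events = recent[actor]
        for res in ev.get("resources", []):
            window_events.append((ts, res["resourceId"]))
        while window_events and ts - window_events[0][0] > window:
            window_events.popleft()
        devices = {device for _, device in window_events}
        if len(devices) >= threshold and actor not in to_lock:
            to_lock.add(actor)
            alerts.append(("mass_wipe_lockout", actor, len(devices)))
    return alerts, to_lock


if __name__ == "__main__":
    found, lock = detect(SAMPLE_EVENTS)
    for alert in found:
        print("ALERT:", alert)
    print("lock accounts:", sorted(lock))
```

Counting distinct device IDs rather than raw events keeps a retried wipe of one device from inflating the count, and the window is evaluated on the event's own timestamp so the logic behaves the same on a live stream and on a backfilled SIEM export.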
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
- UK: +44.20.3743.3660
- Europe and Middle East: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 000 800 050 45107
- South Korea: +82.080.467.8774