This month, we start with an update from Unit 42, tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the US.
You’ll also find this month’s CISO Unscripted, where I sit down with Unit 42 Managing Director Chris George to pressure-test what the 2026 IR Report data means for identity-first intrusions, SaaS blast radius, non-human identities, and the browser as an entry point.
Then, Adam Robbie, head of OT threat research, shares what the latest OT telemetry is signaling, why the average “precursor phase” before physical impact matters, and how intelligence-driven defense can help teams disrupt attack chains earlier.
What’s Happening
Unit 42 is tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the US.
The primary vector for recent destructive operations by the Handala Hack group (aka Void Manticore, COBALT MYSTIQUE and Storm-1084/Storm-0842) reportedly involves compromising identities through phishing and then using that access to operate as an administrator in Microsoft Intune.
Handala Hack first emerged in late 2023. Despite initial hacktivist-aligned messaging, the group is currently assessed by the threat intelligence community to be a state-directed front for Iran’s Ministry of Intelligence and Security (MOIS).
On March 6, Israel’s National Cyber Directorate warned of Iranian cyberattacks targeting Israeli organizations with wipers:
“The National Cyber Command has received reports of several cases in which attackers gained access to corporate networks and deleted servers and workstations, with the aim of disrupting the operations of the attacked organizations. In some cases, the attacker had access data from legitimate corporate users, which was used to gain initial access to the network.”
— Translated from source: Israel’s National Cyber Directorate.
What Security Teams Can Do
The following recommendations are based on the information reported publicly so far and threat intelligence from Palo Alto Networks Unit 42, specifically addressing the tactics observed by the Iranian-linked threat actor Handala.
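As an added example (not part of this newsletter and not one of Unit 42's published recommendations): a small Python hunt that flags an account issuing a burst of destructive device actions, the pattern an intruder holding Intune administrative access would leave behind when deleting servers and workstations. The events, actor names, IP addresses and device names below are constructed. Field names follow the shape of Microsoft Graph `deviceManagement/auditEvents` as an assumption, and the `activityType` substrings used to recognise wipe, retire and delete operations are also assumptions to be tuned to what your tenant actually logs.

```python
"""Hunt for bursts of destructive device actions in Intune-style audit events.

Added example, not Unit 42 code. All events below are constructed; field
names mimic Microsoft Graph deviceManagement/auditEvents (assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings that mark an action as destructive to the endpoint. These are
# assumptions about how activityType is rendered; adjust to your tenant.
DESTRUCTIVE_MARKERS = ("wipe", "retire", "delete")

WINDOW = timedelta(minutes=10)   # sliding window per actor
THRESHOLD = 5                    # destructive actions inside WINDOW => alert


def _ev(ts, upn, ip, activity, device):
    """Build one constructed audit event in the assumed Graph shape."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "actor": {"userPrincipalName": upn, "ipAddress": ip},
        "resources": [{"displayName": device}],
    }


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    _ev("2026-03-05T20:58:10Z", "admin.ops@corp.example", "203.0.113.7", "Sync ManagedDevice", "WS-0110"),
    _ev("2026-03-05T21:00:05Z", "admin.ops@corp.example", "203.0.113.7", "Wipe ManagedDevice", "WS-0111"),
    _ev("2026-03-05T21:00:41Z", "admin.ops@corp.example", "203.0.113.7", "Wipe ManagedDevice", "WS-0112"),
    _ev("2026-03-05T21:01:10Z", "admin.ops@corp.example", "203.0.113.7", "Wipe ManagedDevice", "SRV-FILE01"),
    _ev("2026-03-05T21:02:03Z", "admin.ops@corp.example", "203.0.113.7", "Wipe ManagedDevice", "SRV-APP02"),
    _ev("2026-03-05T21:02:55Z", "admin.ops@corp.example", "203.0.113.7", "Wipe ManagedDevice", "WS-0113"),
    _ev("2026-03-05T21:03:30Z", "admin.ops@corp.example", "203.0.113.7", "Delete ManagedDevice", "WS-0114"),
    # Normal helpdesk activity: isolated actions hours apart, no burst.
    _ev("2026-03-05T09:30:00Z", "helpdesk@corp.example", "198.51.100.4", "Wipe ManagedDevice", "WS-0042"),
    _ev("2026-03-05T15:10:00Z", "helpdesk@corp.example", "198.51.100.4", "Retire ManagedDevice", "WS-0043"),
]


def is_destructive(event):
    """True when the activityType names a wipe/retire/delete operation."""
    activity = (event.get("activityType") or "").lower()
    return any(marker in activity for marker in DESTRUCTIVE_MARKERS)


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_wipe_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per actor whose destructive actions within any
    `window` reach `threshold`. The alert reports the densest burst seen."""
    by_actor = defaultdict(list)
    for event in events:
        if is_destructive(event):
            upn = event["actor"]["userPrincipalName"]
            by_actor[upn].append((_parse_ts(event["activityDateTime"]), event))

    alerts = []
    for actor, items in by_actor.items():
        items.sort(key=lambda pair: pair[0])
        start, best = 0, None
        for end in range(len(items)):
            # Advance the window start until it fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                burst = items[start:end + 1]
                best = {
                    "actor": actor,
                    "count": count,
                    "first": burst[0][0].isoformat(),
                    "last": burst[-1][0].isoformat(),
                    "devices": sorted(r["displayName"] for _, e in burst for r in e["resources"]),
                    "source_ips": sorted({e["actor"].get("ipAddress", "") for _, e in burst}),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']} from {alert['source_ips']}")
        print("  targets:", ", ".join(alert["devices"]))
```

To run this against real data, export the tenant's audit events (for example through Graph `deviceManagement/auditEvents`) as JSON and pass the list to `find_wipe_bursts`. Tune the window and threshold to the volume of legitimate retirements in your environment, and pair the hunt with a review of which accounts hold Intune administrative roles and whether they are protected by phishing-resistant MFA, since the page describes initial access via phished credentials rather than an exploit.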
Read the full threat insights blog.
This month for CISO Unscripted, Mitch Mayne sits down with Chris George, Managing Director of Global Customer Support at Unit 42, for a candid executive conversation grounded in the 2026 Unit 42 IR Report. Together, they unpack why attackers aren't "hacking in" so much as logging in, with identity weaknesses implicated in nearly 90% of investigations and a high volume of identity-driven initial access. They also examine how SaaS sprawl expands impact and how much it has grown since 2022 (brace for it: from 6% to 23%); how non-human identities and over-permissioning multiply risk, especially in the cloud; and why the browser is now a consistent entry point in intrusions that frequently span multiple surfaces.
Watch the video to dig into this year’s insights.
Mitch Mayne: Your research highlights a staggering 332% increase in internet-exposed OT devices. For a CEO or board member who believes their industrial environment is “air-gapped” or isolated, how should this data fundamentally change their perception of their company’s digital attack surface?
Adam Robbie: The core takeaway is simple: if you’re assuming “air-gapped” is the default state today, that assumption is increasingly untenable. This 332% increase is year-over-year, and it reflects a broader reality we see across industrial environments: connectivity is expanding, often faster than governance keeps up. Technology convergence is a major driver; OT systems are being integrated with IT and IoT for visibility, efficiency and modernization, and that shift can unintentionally create paths to the internet. The practical message for executives is to replace “we think it’s isolated” with “we have verified it’s isolated.” There are ways to test whether environments are truly segmented, and leaders should insist on that evidence, not the mythology. This isn’t a five-year problem—exposure is expanding now, faster than governance cycles.
MM: You advocate for “Intelligence-Driven Active Defense” and tools like the Attack Chain Estimator (ACE). For an executive looking at a crowded budget, how does moving toward this model actually simplify the security stack or improve the efficiency of their OT-SOC operations?
AR: “Intelligence-driven active defense” is really about reducing waste: fewer guesses, fewer reactive pivots, and more focus on the next most likely adversary move. ACE (Attack Chain Estimator) is a predictive analysis approach developed by Idaho National Labs that uses historical attack-chain knowledge and real-world telemetry to estimate what an attacker is likely to do next. In a SOC, that translates into practical efficiency: instead of treating every alert as equal, teams get a structured way to prioritize actions that stop progression. The OT-SOC framework is designed as a starting point built from real scenarios and pitfalls, offering a clear operating model for shared IT/OT responsibility without collapsing the boundary between them.
MM: Looking toward 2026 and beyond, if a company successfully adopts the OT-SOC framework outlined in this paper, how does that move them from a “defensive crouch” to a position where security becomes a competitive advantage for their uptime and reliability?
AR: When OT security becomes operational, not ad hoc, you move from “hoping nothing happens” to running reliability as a discipline. The OT-SOC framework is aimed at creating repeatable routines: clearer ownership across IT and OT, better prioritization during the precursor window, and response motions that are rehearsed instead of invented mid-incident. Over time, that improves confidence in uptime: fewer surprises, faster containment, and less disruption when something does break through. For executives, that’s where security becomes advantage—not as a marketing claim, but as measurable performance: more predictable operations, reduced downtime risk, and higher resilience in the face of inevitable intrusion attempts.