How CISOs Can Stop Iranian Wiper Attacks in 5 Steps
Published March 13, 2026
A practical containment playbook based on the tactics used by Handala
Iranian wiper attacks are nothing new – I've seen them many times in the past. Wiper attacks always surface the same question for CISOs: when an attacker's entire goal is to destroy your environment, how do you keep the business running?
Iranian wiper attacks are built to destroy data and paralyze critical infrastructure, causing long-term outages and far-reaching, global repercussions. Unlike ransomware groups that need time to monetize an intrusion, destructive operators move fast – their goal is disruption on the largest scale possible, not financial gain. Once they gain access to a network, they move laterally, escalate privileges, and wipe as many systems as possible before defenders understand what is happening.
The scale of these attacks is not theoretical. In March 2026, the Iran-linked group Handala attacked Stryker, a Fortune 500 manufacturer of essential healthcare products whose lifesaving devices are found in operating rooms and hospitals around the globe. Handala wiped more than 200,000 devices across Stryker’s global network, cascading into an operational shutdown across 79 countries. 50 TB of data were exfiltrated and 56,000 employees were affected as manufacturing, order processing, and shipping ground to a halt.
In a recent CyberHub podcast, James Azar framed the consequences for CISOs clearly: “Wiper malware is real... these are going to be questions that are coming from your boardroom, from your executive leadership. When a system goes down, the ripple effects can reach hospitals and medical providers globally.”
In this article, we break down the consistent patterns in wiper attacks and the controls that block malicious lateral movement, and outline 5 steps CISOs can take to defend their networks. A Wiper Defense Checklist for CISOs is included for reference.
Recent Attacks: How They Succeed and the Controls Needed to Block Them
Recent research into the Iranian-linked Handala / Void Manticore threat cluster highlights how these attacks actually unfold. The group relies heavily on manual, hands-on operations inside victim environments, often using common administrative tools and publicly available software rather than highly sophisticated malware (Check Point Research).
These attacks succeed not because the malware is advanced, but because organizations often cannot see or control what attackers are doing once they get inside the network.
Stopping destructive attacks therefore requires two capabilities:
- Knowing what is happening inside the network in real-time
- Controlling how identities and systems can connect to each other
When those controls exist, attackers may still get in. But they cannot move.
The Reality of Modern Iranian Wiper Attacks
Threat intelligence around Handala shows a consistent pattern:
- Initial access through VPN
- Rapid hands-on activity within the environment
- Lateral movement using native administrative protocols such as RDP
- Deployment of multiple wiping methods simultaneously
The attackers frequently combine custom wipers with publicly available deletion tools and scripts, making indicators short-lived and detection difficult.
Researchers have also observed operators tunneling into victim networks using tools such as NetBird, allowing them to maintain stealthy access paths while executing destructive activity.
The implication for defenders:
- Traditional perimeter defenses and malware detection alone will not stop these attacks
- You must control how access is used once inside the environment
The CISO’s Wiper Defense Checklist
The following checklist maps common attacker tactics to defensive controls that stop destructive campaigns before they spread.
| Attacker Tactic | Defensive Control | Result |
|---|---|---|
| VPN Credential Theft | Identity-aware access with MFA enforced at the service or port level | Stolen credentials alone cannot open internal administrative services |
| Lateral Movement via RDP and Admin Tools | Segmentation that keeps administrative ports closed by default and opens them on demand only after the administrator passes strong validation (MFA) | Attackers cannot pivot between systems |
| Privileged Account Abuse | Identity segmentation: standing admin logon rights removed, with narrowly scoped just-in-time (JIT) admin rights provisioned only after strong validation (MFA) | Compromised credentials cannot reach the entire network |
| Network Tunneling and Persistence | Allowlisting of which processes may communicate with the internet, plus continuous monitoring of east-west connection attempts and access paths | Unauthorized tunnels and unusual connections are quickly identified |
| Mass Data Wiping | Automated containment that isolates compromised hosts | Destructive activity is contained before it spreads |
1. Stop Credential Theft From Becoming Network Access
Most destructive attacks begin with compromised credentials.
"The National Cyber Command has received reports of several cases in which attackers gained access to corporate networks and deleted servers and workstations, with the aim of disrupting the operations of the attacked organizations. In some cases, the attacker had access data from legitimate corporate users, which was used to gain initial access to the network."
— Translated by Unit 42 from Israel’s National Cyber Directorate
Iran-linked campaigns frequently rely on phishing, stolen passwords, or access purchased from criminal brokers. Once attackers authenticate successfully, they attempt to reach internal administrative services. Many organizations still grant broad internal network access after VPN authentication. This is exactly what attackers rely on.
What CISOs should implement
- Identity-aware access instead of flat network connectivity
- MFA enforced when accessing administrative services, not just at login
- Continuous visibility into which identities are connecting to which systems
What this changes
Even if attackers authenticate successfully, they cannot connect to sensitive services like RDP, SMB, or administrative shells without additional verification. Credentials alone are no longer enough.
2. Prevent Lateral Movement Through Privileged Ports
Iranian operators typically move laterally using standard administrative tools already present in the environment.
These include:
- RDP
- PowerShell remoting
- WMI
- SMB
- SSH
Because these services are commonly left open for operational convenience, attackers can often move rapidly across the network.
As CyberHub's James Azar put it: "Flat networks don't always hold up as resilient in the event of these types of attacks... Segmentation pays off"
What CISOs should implement
- Default-deny access to administrative ports
- Access that opens only when administrators explicitly authenticate
- Real-time mapping of which systems can communicate with each other
What this changes
Instead of hundreds of open pathways across the network, administrative access becomes temporary, verified, and controlled.
Attackers attempting to pivot encounter closed doors.
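As an added illustration (not code from the original article, nor from any vendor or researcher it cites), the following PowerShell shows what "closed by default, opened on demand" looks like on a single Windows host using the built-in firewall, and also covers the JIT provisioning the checklist's privileged-account row describes. Every profile defaults to inbound deny, one disabled Allow rule exists per administrative service, and a grant function scopes that rule to the validated admin's jump host and schedules its own closure. The port list, rule and task names, the jump-host address and the time limit are placeholders; the MFA check itself belongs in whatever PAM tool or bastion calls Grant-AdminPortAccess, which this script deliberately does not implement.

```powershell
# Added example, not from the original article. Default-deny administrative ports on one
# Windows host and open a single port, to a single source, for a bounded time.
# Run from an elevated PowerShell. Ports, names and addresses are placeholders.

# Administrative services the article lists, mapped to their TCP listeners.
# WMI/DCOM rides on the RPC endpoint mapper (135) plus dynamic ports; the dynamic
# range needs no rule because default-deny covers it.
$AdminPorts = @{
    RDP   = 3389
    WinRM = 5985, 5986     # PowerShell remoting
    SMB   = 445
    RPC   = 135            # WMI / DCOM endpoint mapper
}

function Set-AdminPortDefaultDeny {
    # Profile default Inbound = Block. No explicit Block rules are created on purpose:
    # Windows Firewall evaluates Block rules before Allow rules, so an explicit block
    # would also defeat the on-demand Allow rules below.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    foreach ($service in $AdminPorts.Keys) {
        $ruleName = "JIT-Admin-$service"
        if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) { continue }
        # One Allow rule per service, disabled until an administrator is validated.
        New-NetFirewallRule -DisplayName $ruleName -Group 'JIT-Admin' -Direction Inbound `
            -Protocol TCP -LocalPort $AdminPorts[$service] -Action Allow -Enabled False |
            Out-Null
    }
}

function Grant-AdminPortAccess {
    param(
        [Parameter(Mandatory)][ValidateSet('RDP', 'WinRM', 'SMB', 'RPC')][string]$Service,
        [Parameter(Mandatory)][string]$FromAddress,   # the validated admin's jump host, e.g. 10.10.0.5
        [ValidateRange(1, 480)][int]$Minutes = 30
    )
    # Assumption: the caller (PAM, bastion, ticketing hook) has already enforced MFA.
    # This function only turns that decision into a narrowly scoped, expiring network path.
    $ruleName = "JIT-Admin-$Service"
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $FromAddress -Enabled True

    # Schedule the closure as SYSTEM so a forgotten session cannot become a standing path.
    $closeAt = (Get-Date).AddMinutes($Minutes)
    $command = "Disable-NetFirewallRule -DisplayName '$ruleName'; " +
               "Unregister-ScheduledTask -TaskName 'Close-$ruleName' -Confirm:`$false"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -NonInteractive -Command `"$command`""
    $trigger = New-ScheduledTaskTrigger -Once -At $closeAt
    Register-ScheduledTask -TaskName "Close-$ruleName" -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

    "[{0:s}] {1} open from {2} until {3:s}" -f (Get-Date), $Service, $FromAddress, $closeAt
}

function Revoke-AdminPortAccess {
    param([Parameter(Mandatory)][ValidateSet('RDP', 'WinRM', 'SMB', 'RPC')][string]$Service)
    # Early close: disable the rule and drop the pending timer.
    Disable-NetFirewallRule -DisplayName "JIT-Admin-$Service"
    Unregister-ScheduledTask -TaskName "Close-JIT-Admin-$Service" -Confirm:$false `
        -ErrorAction SilentlyContinue
}

# Usage (placeholders):
#   Set-AdminPortDefaultDeny
#   Grant-AdminPortAccess -Service RDP -FromAddress '10.10.0.5' -Minutes 20
#   Revoke-AdminPortAccess -Service RDP
```

Two caveats a practitioner will hit. First, on hosts whose firewall is managed by Group Policy with local rule merging disabled, local rules are ignored, so the same pattern has to be deployed through the GPO or the endpoint management channel rather than run locally. Second, WinRM is itself one of the ports being closed: if the orchestrator pushes this over PowerShell remoting, the orchestrator's own address must be the source granted on the WinRM rule, or the change cuts off the session that made it.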
3. Restrict Privileged Accounts to the Systems They Actually Manage
Handala campaigns often involve manual operations conducted by attackers interacting directly with compromised systems. If a privileged account is compromised during this phase, the damage can spread rapidly. In many environments, administrators still have access to nearly every system. That is convenient for day-to-day operations but dangerous the moment one of those accounts is in an attacker's hands.
What CISOs should implement
- Segmentation based on identity and role
- Restrictions that bind administrators to specific systems or environments
- Continuous monitoring of privileged access activity
What this changes
Even if attackers compromise an administrator account, they cannot reach the entire environment. The blast radius shrinks dramatically.
4. Detect and Shut Down Unauthorized Access Paths
Recent research shows Iranian operators using network tunneling tools to maintain covert connectivity inside victim environments. These tunnels can bypass traditional perimeter monitoring. Organizations therefore need visibility not just at the edge of the network, but inside it.
What CISOs should implement
- Continuous visibility into east-west network connectivity
- Baselines for normal administrative communication
- Detection of unusual connection paths or tunnels
What this changes
Attackers attempting to establish hidden access channels become visible quickly, allowing defenders to intervene before destructive activity begins.
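The following PowerShell is an added example, not the original article's code and not Check Point's, of the two checks the checklist's tunneling-and-persistence row calls for: east-west connections to administrative ports from any host other than a known bastion, and internet egress by any process not on an allowlist. It runs over records shaped like Sysmon Event ID 3 (network connection) fields. The policy values, the bastion name JUMP01, the process allowlist, the host names, the image paths and the five sample records are all constructed for illustration; the name netbird.exe in the sample merely stands in for a tunneling client and is not a claim about how that tool appears on disk.

```powershell
# Added example, not from the original article or from Check Point's research. Applies the two
# checks from the checklist's tunneling row to network-connection telemetry: (1) east-west hits on
# administrative ports from any host that is not the bastion, and (2) internet egress from any
# process not on the allowlist. Records use Sysmon Event ID 3 field names; everything below the
# policy is constructed sample data, not a real capture.

$Policy = @{
    AdminPorts      = 3389, 5985, 5986, 445, 135, 22     # RDP, WinRM, SMB, RPC/WMI, SSH
    BastionHosts    = @('JUMP01')                        # hypothetical: the only host allowed to start admin sessions
    EgressAllowlist = @('msedge.exe', 'outlook.exe', 'MsMpEng.exe', 'svchost.exe')   # hypothetical allowlist
}

function Test-PrivateAddress {
    param([Parameter(Mandatory)][string]$Ip)
    # RFC 1918 ranges are treated as east-west; anything else is treated as internet-bound.
    return [bool]($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

function Find-SuspiciousConnections {
    param([Parameter(Mandatory)][object[]]$Events, [hashtable]$Rules = $Policy)
    foreach ($e in $Events) {
        if (-not $e.Initiated) { continue }            # outbound from this host's point of view only
        $process  = Split-Path -Leaf $e.Image
        $eastWest = Test-PrivateAddress $e.DestinationIp
        $reasons  = @()
        if ($eastWest -and ($Rules.AdminPorts -contains [int]$e.DestinationPort) -and
            ($Rules.BastionHosts -notcontains $e.Computer)) {
            $reasons += "admin port $($e.DestinationPort) opened from non-bastion host"
        }
        if (-not $eastWest -and ($Rules.EgressAllowlist -notcontains $process)) {
            $reasons += 'internet egress by non-allowlisted process'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                Computer    = $e.Computer
                Process     = $process
                Destination = '{0}:{1}' -f $e.DestinationIp, $e.DestinationPort
                Reason      = $reasons -join '; '
            }
        }
    }
}

# Constructed sample (Sysmon Event ID 3 fields). Host names, paths and addresses are illustrative;
# 203.0.113.0/24 is the documentation range. 'netbird.exe' stands in for a tunneling client.
$Sample = @(
    [pscustomobject]@{ UtcTime = '2026-03-10 02:14:01'; Computer = 'JUMP01';  Image = 'C:\Windows\System32\mstsc.exe';            Initiated = $true; DestinationIp = '10.20.1.15';  DestinationPort = 3389 },
    [pscustomobject]@{ UtcTime = '2026-03-10 02:16:44'; Computer = 'WKS-117'; Image = 'C:\Windows\System32\mstsc.exe';            Initiated = $true; DestinationIp = '10.20.1.15';  DestinationPort = 3389 },
    [pscustomobject]@{ UtcTime = '2026-03-10 02:17:02'; Computer = 'WKS-117'; Image = 'C:\Windows\System32\wbem\wmic.exe';        Initiated = $true; DestinationIp = '10.20.1.16';  DestinationPort = 135 },
    [pscustomobject]@{ UtcTime = '2026-03-10 02:18:30'; Computer = 'WKS-117'; Image = 'C:\Users\j.doe\AppData\Local\netbird.exe'; Initiated = $true; DestinationIp = '203.0.113.7'; DestinationPort = 443 },
    [pscustomobject]@{ UtcTime = '2026-03-10 02:19:00'; Computer = 'WKS-118'; Image = 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'; Initiated = $true; DestinationIp = '203.0.113.9'; DestinationPort = 443 }
)

# Expected: three findings, all on WKS-117 (RDP and RPC to servers, then egress by netbird.exe);
# JUMP01's RDP session and WKS-118's browser traffic pass.
Find-SuspiciousConnections -Events $Sample | Format-Table -AutoSize
```

To run this over real telemetry, pull the events with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3}` and map the event-data fields onto the same property names; note that Sysmon emits `Initiated` as the string `true`/`false`, so convert it before the `-not` test. The flat allowlist and single bastion are stand-ins for what is in practice a per-role baseline, and the point of the egress check is that it does not depend on the tunnel's port or protocol: a tunneling client is caught because of what launched it, not where it connected.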
5. Contain Destructive Activity Before It Spreads
When Iranian wipers execute, they often deploy multiple wiping mechanisms simultaneously to maximize damage.
The speed of these attacks means that response time matters more than detection time: a detection that nobody acts on for hours is worthless against an operator who is already wiping.
The most effective organizations focus on containment.
What CISOs should implement
- Automated isolation of suspicious systems
- Immediate restriction of administrative access paths
- Ability to quickly ring-fence compromised hosts
What this changes
Instead of wiping hundreds of machines, the attack is trapped within a small portion of the network. The organization survives the incident.
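As an added example (not code from the original article), the following PowerShell ring-fences a Windows host with the built-in firewall so that it keeps only the connectivity an investigation needs: both directions default to deny, every existing Allow rule is disabled and recorded, and only the management addresses (EDR relay, SIEM collector, orchestrator) stay reachable. The addresses, rule names and state-file path are placeholders. Where an EDR offers a native isolate-device action, that is the first choice; this is the fallback for hosts where it is unavailable, and the trigger for it is whatever alert your SOAR or EDR raises.

```powershell
# Added example, not from the original article. Ring-fences a Windows host with the built-in
# firewall: default-deny both directions, disable every existing Allow rule, and leave only the
# management paths (EDR, SIEM collector, orchestrator) open. Addresses are placeholders.
# Run elevated on the host or push it over your management channel.

$StatePath = Join-Path $env:ProgramData 'isolation-rules.txt'   # rules we disabled, kept for undo

function Invoke-HostIsolation {
    param(
        [Parameter(Mandatory)][string[]]$ManagementAddress,   # e.g. '10.0.0.10', '10.0.0.11' (placeholders)
        [switch]$KeepDns                                       # only if the EDR agent resolves its endpoint by name
    )
    if (Test-Path $StatePath) { throw 'Host already isolated; run Undo-HostIsolation first.' }

    # 1. Remember and disable every enabled Allow rule, so pre-existing exceptions (file and
    #    printer sharing, RDP, remote management) cannot outlive the isolation.
    $allowRules = Get-NetFirewallRule -Enabled True -Action Allow
    $allowRules.Name | Set-Content -Path $StatePath
    $allowRules | Disable-NetFirewallRule

    # 2. Default-deny both directions on every profile. Block beats Allow in Windows Firewall,
    #    so only the profile default is changed; no explicit block-all rule is added.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # 3. Open only the management paths. Grouping the rules lets Undo remove exactly these.
    New-NetFirewallRule -DisplayName 'ISOLATION-Mgmt-Out' -Group 'ISOLATION' -Direction Outbound `
        -RemoteAddress $ManagementAddress -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'ISOLATION-Mgmt-In' -Group 'ISOLATION' -Direction Inbound `
        -RemoteAddress $ManagementAddress -Action Allow | Out-Null
    if ($KeepDns) {
        New-NetFirewallRule -DisplayName 'ISOLATION-DNS-Out' -Group 'ISOLATION' -Direction Outbound `
            -Protocol UDP -RemotePort 53 -Action Allow | Out-Null
    }
    "[{0:s}] {1} isolated; reachable only from/to {2}" -f (Get-Date), $env:COMPUTERNAME, ($ManagementAddress -join ', ')
}

function Undo-HostIsolation {
    # Reverse the steps: remove the isolation rules, restore the outbound default, and re-enable
    # the rules that were on before. Inbound stays Block, which is the Windows default anyway.
    Remove-NetFirewallRule -Group 'ISOLATION' -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow
    if (Test-Path $StatePath) {
        Get-Content $StatePath | ForEach-Object { Enable-NetFirewallRule -Name $_ -ErrorAction SilentlyContinue }
        Remove-Item $StatePath
    }
}

# Usage (placeholders):
#   Invoke-HostIsolation -ManagementAddress '10.0.0.10', '10.0.0.11' -KeepDns
#   Undo-HostIsolation
```

Three things to build into the runbook around this. The orchestrator's own address must be in the management list, or the remoting session that runs the isolation is the first thing it cuts. The profile change and the disabled rules persist across reboots, so Undo-HostIsolation is part of recovery, not an afterthought. And on hosts whose firewall is Group Policy-managed with local rule merging turned off, local rules are ignored, so the same steps have to be delivered through the GPO or the endpoint management agent.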
The Strategic Lesson for CISOs
Iranian destructive campaigns highlight that attackers do not need sophisticated malware when networks allow unrestricted internal access. The most effective defense is not simply detecting malicious files earlier. It is removing the attacker’s ability to move.
Organizations that consistently stop destructive attacks share three capabilities:
- Visibility into who can access what across the environment
- Control over administrative ports and privileged access
- Automated containment that limits blast radius
When those capabilities exist, attackers may still get in. But they cannot move. And when attackers cannot move, destructive attacks fail.