Handala Expands Destructive Cyber Operations Beyond Israeli Targets

A rising wave of destructive wiper attacks is currently threatening organizations across the United States and Israel, driven by the Iranian-linked threat group known as Handala.

While the group initially masqueraded as an independent hacktivist collective when it emerged in late 2023, security analysts now assess that Handala, also tracked as Void Manticore, COBALT MYSTIQUE, and Storm-1084, is a state-directed front for Iran’s Ministry of Intelligence and Security (MOIS).

On March 6, Israel’s National Cyber Directorate issued a stark warning regarding these tactics, confirming that attackers are successfully gaining access to corporate networks and deleting critical servers and workstations to halt business operations.

According to the latest threat intelligence from Palo Alto Networks Unit 42, Handala has shifted its focus to aggressive data-wiping campaigns aimed at pure operational disruption.

The Attack Vector

Rather than relying on highly sophisticated software vulnerabilities, Handala’s primary attack vector targets human error and administrative oversight.

The group heavily leverages phishing campaigns to steal the login credentials of legitimate corporate users to gain an initial foothold.

Once access is secured, the attackers focus on compromising administrative identities, particularly targeting Microsoft Intune environments.

By taking over high-level administrative accounts, Handala weaponizes legitimate network management tools to issue mass-wipe commands across an organization’s infrastructure.

Because the threat actors use valid corporate identities, their devastating activities often blend in with normal administrative traffic until it is too late.

Proactive Defense and Mitigation Strategies

Defending against state-sponsored wiper attacks requires a zero-trust approach to identity management and strict controls over administrative privileges. Organizations should implement the following targeted mitigations to protect their networks:

  • Eliminate standing privileges: Transition to a Just-In-Time (JIT) access model where administrative credentials have zero default permissions and only gain elevated rights through a formal, approved activation process.
  • Harden administrator accounts: Limit the number of Global and Intune Administrator accounts, use cloud-only accounts to prevent lateral movement from on-premises networks, and secure them with hardware-based multi-factor authentication, such as FIDO2 keys.
  • Require multi-administrator approval: Enforce policies that require a second, distinct administrator to review and approve high-impact actions, such as device wipes or data deletions, before they can be executed.
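
A defender can check the two signals described above, wipes that lack a second distinct approver and bursts of wipes from one administrative identity, against an export of device-management audit events. The sketch below is an added example, not code from Unit 42 or from this article; the record fields (`actor`, `action`, `device`, `approver`), the sample events, and the threshold and window values are constructed assumptions to be mapped onto your own log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. Field names are hypothetical, not a real
# Intune or Graph audit schema; map them from your own log export.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:00", "actor": "helpdesk1", "action": "wipe", "device": "LT-014", "approver": "admin2"},
    {"time": "2025-01-10T09:05:00", "actor": "helpdesk1", "action": "sync", "device": "LT-020", "approver": None},
    {"time": "2025-01-10T13:00:00", "actor": "admin7", "action": "wipe", "device": "SRV-01", "approver": None},
    {"time": "2025-01-10T13:01:00", "actor": "admin7", "action": "wipe", "device": "SRV-02", "approver": "admin7"},
    {"time": "2025-01-10T13:02:00", "actor": "admin7", "action": "wipe", "device": "WS-101", "approver": None},
    {"time": "2025-01-10T13:03:00", "actor": "admin7", "action": "wipe", "device": "WS-102", "approver": None},
]

def review_wipes(events, threshold=3, window=timedelta(minutes=10)):
    """Return (unapproved, bursts).

    unapproved: devices wiped with no approver, or approved by the requester.
    bursts: {actor: max wipes seen inside any sliding window}, kept only
            when that maximum reaches the threshold.
    """
    unapproved, bursts = [], {}
    recent = defaultdict(deque)  # actor -> timestamps of wipes in the window
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        ts = datetime.fromisoformat(ev["time"])
        # Multi-admin approval: approver must exist and differ from the actor.
        if not ev["approver"] or ev["approver"] == ev["actor"]:
            unapproved.append(ev["device"])
        # Sliding window: drop timestamps older than the window.
        q = recent[ev["actor"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            bursts[ev["actor"]] = max(bursts.get(ev["actor"], 0), len(q))
    return unapproved, bursts

if __name__ == "__main__":
    unapproved, bursts = review_wipes(SAMPLE_EVENTS)
    print("wipes lacking a distinct approver:", unapproved)
    print("wipe bursts by actor:", bursts)
```

A self-approved wipe (SRV-02 in the sample) is counted as unapproved, since the mitigation calls for a second, distinct administrator.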

As geopolitical tensions continue to influence the cyber threat landscape, organizations must prioritize hardening their cloud and identity infrastructure.

Stripping attackers of the administrative access they need to deploy wiper malware is the most effective way to neutralize the Handala threat.

The post Handala Expands Destructive Cyber Operations Beyond Israeli Targets appeared first on Cyber Security News.
