Unit 42 is tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple incidents impacting organisations in Israel and the US. The primary threat actor described is the Handala Hack group (aka Void Manticore, COBALT MYSTIQUE and Storm-1084/Storm-0842), whose recent destructive operations are reported to exploit identities via phishing and to gain administrative access through Microsoft Intune.
Handala Hack first emerged in late 2023 and is currently assessed by the threat intelligence community to be a state-directed front for Iran’s MOIS, according to Unit 42. On 6 March, Israel’s National Cyber Directorate warned of Iranian cyberattacks targeting Israeli organisations with wipers, stating that attackers gained access to corporate networks and deleted servers and workstations to disrupt operations.
The Unit 42 article also outlines proactive hardening recommendations, including just-in-time access, MFA, and enhanced controls for Entra ID, Azure, and Intune, aimed at reducing the risk of mass wipe events. For the latest intelligence on cyberattacks linked to this conflict, it directs readers to its Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran.