A five-step playbook to stop Iranian wiper campaigns before they spread

Geopolitical tensions are increasingly spilling into cyberspace. For CISOs, that means preparing for attacks that are not motivated by money but by disruption.

Nation-state actors and politically aligned groups are increasingly deploying destructive malware designed to cripple organizations and critical infrastructure. Unlike ransomware groups that want payment, these attackers want operational chaos.

Iranian wiper campaigns are a clear example of this shift.

These attacks are designed to destroy systems, halt operations, and create cascading real-world consequences. They often target organizations that sit in critical supply chains, healthcare ecosystems, or national infrastructure.

For security leaders, the question is no longer just how to prevent intrusions—it is how to survive them.

Recent incidents highlight the potential scale. In March 2026, the Iran-linked group Handala attacked Stryker, a Fortune 500 manufacturer of medical technologies used in hospitals worldwide.

The attackers reportedly wiped more than tens of thousands of devices across the company’s global network, disrupting operations in 79 countries. Thousands of employees were impacted as manufacturing, order processing, and logistics slowed dramatically.

Events like this reflect a new reality: cybersecurity incidents are increasingly tied to geopolitical conflict.

But despite the headlines, destructive cyber campaigns follow predictable operational patterns. When defenders understand those patterns, they can limit the damage—even when attackers successfully breach the perimeter.

How Iranian wiper attacks typically unfold

Threat intelligence research into the Handala / Void Manticore cluster shows that many Iranian destructive campaigns rely heavily on manual operations rather than advanced malware.

Attackers typically:

• Gain initial access through stolen VPN credentials
• Conduct hands-on activity inside the environment
• Move laterally using administrative tools
• Escalate privileges
• Deploy multiple wiping mechanisms simultaneously

Operators frequently rely on tools already present in enterprise environments, including:

• RDP
• PowerShell remoting
• WMI
• SMB
• SSH

Because these tools are legitimate administrative utilities, attackers can often move across networks without triggering traditional malware detection systems.

Researchers have also observed operators establishing covert access paths using tunneling tools such as NetBird, enabling them to maintain persistent connectivity inside victim environments.

In other words, destructive attacks often succeed not because the malware is sophisticated, but because attackers can move freely inside networks once they gain access.

Stopping these campaigns therefore requires focusing on containment and internal control—not just perimeter defense.

A five-step containment strategy for CISOs

Based on observed tactics in recent campaigns, CISOs can significantly reduce the impact of destructive attacks by implementing several key controls.

1. Stop credential theft from becoming full network access

Most destructive campaigns begin with compromised credentials obtained through phishing, credential reuse, or access brokers.

In many environments, successful VPN authentication grants broad internal network access. This is exactly what attackers rely on.

Organizations should instead implement:

• Identity-aware access controls rather than flat network connectivity
• MFA enforced when accessing administrative services, not just during VPN login
• Continuous visibility into which identities are accessing which systems

Even if attackers authenticate successfully, they should not be able to immediately reach administrative services.

2. Prevent lateral movement through administrative ports

Iranian operators frequently move laterally using standard administrative protocols already present in the environment.

Because these services are often left open for operational convenience, attackers can pivot rapidly between systems.

A more resilient model includes:

• Default-deny policies for administrative ports
• Access that opens only after verified authentication
• Real-time visibility into system-to-system connectivity

This significantly reduces the number of pathways attackers can exploit.

3. Restrict privileged accounts to the systems they actually manage

Many environments still grant administrators broad access across large portions of the network.

That convenience creates risk.

If attackers compromise a privileged account during an intrusion, they can often reach nearly every system in the environment.

Organizations should instead:

• Segment privileged access based on role and environment
• Limit administrators to the specific systems they manage
• Continuously monitor privileged access activity

Reducing the scope of administrative access dramatically limits potential blast radius.

4. Detect unauthorized access paths and tunnels

Recent threat intelligence reports show Iranian operators using tunneling tools to maintain covert connectivity inside victim networks.

These tunnels can bypass traditional perimeter monitoring.

Defenders therefore need visibility inside the network, including:

• Monitoring east-west connectivity
• Establishing baselines for administrative communication
• Detecting unusual connection paths or tunneling behavior

When abnormal connectivity patterns appear, defenders can intervene before destructive activity begins.

5. Contain destructive activity before it spreads

When wiper malware begins executing, attackers often deploy multiple wiping methods simultaneously to maximize damage.

At this stage, speed matters.

Organizations that survive destructive incidents focus on containment.

Key capabilities include:

• Automated isolation of compromised systems
• Immediate restriction of administrative access paths
• Rapid ring-fencing of affected hosts

If containment happens quickly enough, the attack may impact only a limited number of systems instead of spreading across the entire environment.

The strategic lesson for CISOs

Iranian destructive campaigns highlight an uncomfortable truth: attackers do not need sophisticated malware when networks allow unrestricted internal access.

The most effective defense is not simply detecting malicious files earlier.

It is removing the attacker’s ability to move.

Organizations that consistently limit the impact of destructive attacks share three core capabilities:

• Visibility into who can access what across the environment
• Control over administrative services and privileged access
• Automated containment that limits blast radius

Attackers may still get inside the network.

But if they cannot move, they cannot destroy the environment.

And in an era of geopolitical cyber conflict, that capability may determine whether an organization shuts down—or keeps operating.

Sponsored and written by Zero Networks.