
Insights: Increased Risk of Wiper Attacks

ID: b65d5d4b-a866-59f5-9153-c4dbe5c5f794

STIX ID: report--b65d5d4b-a866-59f5-9153-c4dbe5c5f794

Feed Name: Palo Alto Networks Unit 42

Threat Score: 85/100

Date Published: 2026-03-12

Date Updated: 2026-04-28

Author: Andy Piazza, Eric Goldstrom and Steve Elovitz


Unit 42 warns of heightened risk and reported incidents of destructive wiper attacks attributed to the Handala Hack group (aka Void Manticore/COBALT MYSTIQUE), assessed as an Iranian state-directed actor; primary vectors include identity exploitation via phishing and abuse of Microsoft Intune administrative access. The advisory provides practical mitigations and detection controls—JIT/PIM for admin access, limiting Global/Intune admins, break-glass accounts, conditional access and FIDO2, hardened privileged workstations, reduced session lifetimes and token protection, data classification/DLP, ingesting Intune audit logs into SIEM/XDR, immutable offline backups, and tabletop exercises—to reduce impact and enable rapid response.
