Handala, an Iranian-linked threat group, is behind a growing number of destructive wiper attacks threatening businesses in the US and Israel. When the group first appeared in late 2023, it posed as an independent hacktivist collective.

However, security researchers now assess that Handala, also tracked as Void Manticore, COBALT MYSTIQUE, and Storm-1084, is a front for Iran's Ministry of Intelligence and Security (MOIS). On March 6, Israel's National Cyber Directorate issued an explicit warning about these tactics: attackers are gaining access to corporate networks and wiping critical servers and workstations to halt business operations.

Palo Alto Networks Unit 42's latest threat intelligence report says that Handala has shifted its focus to aggressive data-wiping campaigns intended to cause operational disruption.

The Attack Path

Handala's primary attack vector does not depend on sophisticated software vulnerabilities; it exploits human error and administrative oversight. The group relies heavily on phishing to steal the credentials of legitimate corporate users and gain an initial foothold.

Once inside, the attackers work toward administrative accounts, particularly in Microsoft Intune environments. By taking over high-privilege administrative accounts, Handala uses legitimate device-management tooling to issue mass wipe commands across an organization's device fleet. No malware needs to land on the endpoints: the management plane does the destruction.
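Because the wipe is issued through the legitimate management plane, the most useful telemetry is the Intune audit log rather than endpoint alerts. The following detection logic is an added example for this article, not code from Palo Alto Networks, Unit 42 or the article's author. It assumes audit records in a simplified form of the Microsoft Graph deviceManagement/auditEvents shape (activityType, activityDateTime, actor.userPrincipalName, resources[].resourceId); the activity names and all records below are constructed for illustration, not real telemetry. It flags any single admin identity that touches a threshold number of distinct devices with destructive actions inside a sliding time window, which is exactly the pattern a stolen-but-valid identity produces and a per-event rule would miss.

```python
"""Flag a burst of destructive Intune device actions from one admin identity.

Added example for this article; not code from Palo Alto Networks, Unit 42 or
the article's author. Assumed schema: a simplified Microsoft Graph
deviceManagement/auditEvents record (activityType, activityDateTime,
actor.userPrincipalName, resources[].resourceId). Activity names and the
sample records are constructed, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Substrings of activityType treated as destructive device actions.
# Assumed naming: map these to the exact activity names your tenant logs.
DESTRUCTIVE_KEYWORDS = ("wipe", "retire", "delete")


def _event(actor, activity, when, device):
    """Build one constructed audit record in the assumed schema."""
    return {
        "activityType": activity,
        "activityDateTime": when,
        "actor": {"userPrincipalName": actor},
        "resources": [{"resourceId": device}],
    }


# Constructed sample: a compromised admin wipes six devices in under three
# minutes at 02:10 UTC; a helpdesk account wipes two devices hours apart
# (routine). Records are deliberately out of order to exercise the sort.
SAMPLE_EVENTS = [
    _event("it-admin@contoso.example", "Create DeviceConfiguration",
           "2024-03-06T08:00:00Z", "cfg-01"),
    _event("helpdesk@contoso.example", "Wipe ManagedDevice",
           "2024-03-06T09:00:00Z", "dev-10"),
    _event("helpdesk@contoso.example", "Wipe ManagedDevice",
           "2024-03-06T15:30:00Z", "dev-11"),
] + [
    _event("it-admin@contoso.example", "Wipe ManagedDevice",
           f"2024-03-06T02:1{i // 2}:{'30' if i % 2 else '00'}Z",
           f"dev-0{i + 1}")
    for i in range(6)
]


def _parse(ts):
    """ISO-8601 timestamp with trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_destructive(event):
    activity = event["activityType"].lower()
    return any(k in activity for k in DESTRUCTIVE_KEYWORDS)


def find_mass_wipe(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor whose destructive actions reach `threshold`
    distinct devices inside any sliding `window`. The alert is extended,
    not duplicated, while the burst continues."""
    per_actor = defaultdict(list)  # actor -> [(time, device_id), ...]
    for ev in sorted(events, key=lambda e: _parse(e["activityDateTime"])):
        if not is_destructive(ev):
            continue
        when = _parse(ev["activityDateTime"])
        for res in ev["resources"]:
            per_actor[ev["actor"]["userPrincipalName"]].append(
                (when, res["resourceId"]))

    alerts = []
    for actor, actions in per_actor.items():
        recent = deque()  # actions inside the current window
        alert = None
        for when, device in actions:
            recent.append((when, device))
            while when - recent[0][0] > window:
                recent.popleft()
            distinct = {d for _, d in recent}
            if len(distinct) < threshold:
                continue
            if alert is None:
                alert = {"actor": actor, "first": recent[0][0].isoformat(),
                         "last": when.isoformat(), "devices": len(distinct)}
                alerts.append(alert)
            else:
                alert["last"] = when.isoformat()
                alert["devices"] = max(alert["devices"], len(distinct))
    return alerts


if __name__ == "__main__":
    for a in find_mass_wipe(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['devices']} devices wiped "
              f"between {a['first']} and {a['last']}")
```

Tune `window` and `threshold` to the organization's real decommissioning cadence; the point of counting distinct devices per actor rather than raw events is that a retire-and-wipe pair on one laptop stays below the bar while a fleet-wide wipe from one identity does not. Feed the same logic with the tenant's actual audit export and pair it with an automatic session revocation for the actor when it fires, since every minute of delay is more devices.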

Because the threat actors operate under real corporate identities, their destructive actions are hard to distinguish from normal administrative traffic: the wipe is a sanctioned operation issued by a sanctioned account.

Strategies for proactive defense and mitigation

Defending against state-sponsored wiper attacks requires zero-trust identity management and strict control over who can exercise administrative privileges. Organizations should apply the following targeted mitigations:

Eliminate standing privileges: Move to a Just-In-Time (JIT) access model in which administrative accounts hold no privileges by default and can only be elevated through a formal, approved activation process.

Harden administrator accounts: Limit the number of Global Administrator and Intune Administrator accounts, use cloud-only accounts so that a compromise of the on-premises directory cannot move laterally into the cloud tenant, and require hardware-based multi-factor authentication such as FIDO2 security keys, which phishing cannot replay.

Require multi-administrator approval: Ensure that a second, independent administrator reviews and approves high-impact actions, such as wiping devices or deleting data, before they can execute.

Palo Alto Networks says organizations need to harden their cloud and identity infrastructure while geopolitical tensions continue to shape the cyber threat landscape. The most effective way to blunt the Handala threat is to deny attackers the administrative access they need to deploy wiper malware.
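The first two mitigations above reduce to checks an organization can run against its own directory: which privileged accounts hold permanent rather than eligible assignments, which are synced from on-premises AD, and which lack a FIDO2 method. The audit below is an added example for this article, not code from Palo Alto Networks, Unit 42 or the article's author. It assumes a simplified, constructed record shape for role assignments and users (an export from Microsoft Graph would be mapped onto it), a ceiling of five Global Administrators as the assumed threshold, and fictitious accounts; the break-glass allowlist is there because a tenant needs at least one permanently assigned emergency account, and the audit should name it rather than silently excuse it.

```python
"""Audit privileged Entra ID / Intune accounts against three controls:
no standing privilege, cloud-only admin identities, and phishing-resistant
(FIDO2) MFA.

Added example for this article; not code from Palo Alto Networks, Unit 42 or
the article's author. Assumed schema: simplified role-assignment and user
records; accounts and data are constructed, not from any real tenant.
"""

PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}
MAX_GLOBAL_ADMINS = 5  # assumed ceiling for this example

# Constructed sample data in the assumed schema.
ASSIGNMENTS = [
    {"role": "Global Administrator", "principal": "ga-legacy@contoso.example",
     "assignmentType": "permanent"},
    {"role": "Intune Administrator", "principal": "ga-legacy@contoso.example",
     "assignmentType": "permanent"},
    {"role": "Intune Administrator", "principal": "intune-ops@contoso.example",
     "assignmentType": "eligible"},
    {"role": "Global Administrator", "principal": "breakglass@contoso.example",
     "assignmentType": "permanent"},
    {"role": "Helpdesk Administrator", "principal": "helpdesk@contoso.example",
     "assignmentType": "permanent"},
]
USERS = {
    "ga-legacy@contoso.example": {"onPremisesSyncEnabled": True,
                                  "authMethods": ["password", "sms"]},
    "intune-ops@contoso.example": {"onPremisesSyncEnabled": False,
                                   "authMethods": ["password", "fido2"]},
    "breakglass@contoso.example": {"onPremisesSyncEnabled": False,
                                   "authMethods": ["password", "fido2"]},
    "helpdesk@contoso.example": {"onPremisesSyncEnabled": True,
                                 "authMethods": ["password"]},
}


def audit_privileged_accounts(assignments, users, allow_standing=()):
    """Return sorted (principal, finding) tuples for accounts holding a role
    in PRIVILEGED_ROLES. `allow_standing` names accounts (break-glass)
    permitted to keep a permanent assignment."""
    findings = []
    privileged = {}  # principal -> set of privileged roles held

    for a in assignments:
        if a["role"] not in PRIVILEGED_ROLES:
            continue
        principal = a["principal"]
        privileged.setdefault(principal, set()).add(a["role"])
        if a["assignmentType"] == "permanent" and principal not in allow_standing:
            findings.append((principal,
                             f"standing {a['role']} assignment; "
                             "convert to JIT-eligible"))

    for upn in privileged:
        user = users[upn]
        if user["onPremisesSyncEnabled"]:
            findings.append((upn, "privileged account is synced from "
                                  "on-premises AD; use a cloud-only account"))
        if "fido2" not in user["authMethods"]:
            findings.append((upn, "no phishing-resistant MFA method "
                                  "registered (fido2)"))

    global_admins = [u for u, roles in privileged.items()
                     if "Global Administrator" in roles]
    if len(global_admins) > MAX_GLOBAL_ADMINS:
        findings.append(("tenant", f"{len(global_admins)} Global "
                                   f"Administrators exceeds {MAX_GLOBAL_ADMINS}"))
    return sorted(findings)


if __name__ == "__main__":
    for principal, finding in audit_privileged_accounts(
            ASSIGNMENTS, USERS, allow_standing=("breakglass@contoso.example",)):
        print(f"{principal}: {finding}")
```

On the constructed data the only account that fails is the legacy hybrid administrator, which is the profile Handala's phishing is built to harvest: a permanently privileged, on-premises-synced identity protected by SMS. The same structure extends naturally to the third mitigation by treating any wipe or bulk-delete approval policy that is absent from the tenant as a finding, once that configuration is exported alongside the role data.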