How CISOs Can Survive the Era of Geopolitical Cyberattacks

Sponsored by Zero Networks

March 20, 2026
10:01 AM
A five-step playbook to stop Iranian wiper campaigns before they spread
Geopolitical tensions are increasingly spilling into cyberspace. For CISOs, that means preparing for attacks that are not motivated by money but by disruption.
Nation-state actors and politically aligned groups are increasingly deploying destructive malware designed to cripple organizations and critical infrastructure. Unlike ransomware groups that want payment, these attackers want operational chaos.
Iranian wiper campaigns are a clear example of this shift.
These attacks are designed to destroy systems, halt operations, and create cascading real-world consequences. They often target organizations that sit in critical supply chains, healthcare ecosystems, or national infrastructure.
For security leaders, the question is no longer just how to prevent intrusions—it is how to survive them.
Recent incidents highlight the potential scale. In March 2026, the Iran-linked group Handala attacked Stryker, a Fortune 500 manufacturer of medical technologies used in hospitals worldwide.
The attackers reportedly wiped more than tens of thousands of devices across the company’s global network, disrupting operations in 79 countries. Thousands of employees were impacted as manufacturing, order processing, and logistics slowed dramatically.
Events like this reflect a new reality: cybersecurity incidents are increasingly tied to geopolitical conflict.
But despite the headlines, destructive cyber campaigns follow predictable operational patterns. When defenders understand those patterns, they can limit the damage—even when attackers successfully breach the perimeter.
How Iranian wiper attacks typically unfold
Threat intelligence research into the Handala / Void Manticore cluster shows that many Iranian destructive campaigns rely heavily on manual operations rather than advanced malware.
Attackers typically:
Gain initial access through stolen VPN credentials
Conduct hands-on activity inside the environment
Move laterally using administrative tools
Escalate privileges
Deploy multiple wiping mechanisms simultaneously
Operators frequently rely on tools already present in enterprise environments, including:
RDP
PowerShell remoting
WMI
SMB
SSH
Because these tools are legitimate administrative utilities, attackers can often move across networks without triggering traditional malware detection systems.
Researchers have also observed operators establishing covert access paths using tunneling tools such as NetBird, enabling them to maintain persistent connectivity inside victim environments.
In other words, destructive attacks often succeed not because the malware is sophisticated, but because attackers can move freely inside networks once they gain access.
Stopping these campaigns therefore requires focusing on containment and internal control—not just perimeter defense.
A five-step containment strategy for CISOs
Based on observed tactics in recent campaigns, CISOs can significantly reduce the impact of destructive attacks by implementing several key controls.
1. Stop credential theft from becoming full network access
Most destructive campaigns begin with compromised credentials obtained through phishing, credential reuse, or access brokers.
In many environments, successful VPN authentication grants broad internal network access. This is exactly what attackers rely on.
Organizations should instead implement:
Identity-aware access controls rather than flat network connectivity
MFA enforced when accessing administrative services, not just during VPN login
Continuous visibility into which identities are accessing which systems
Even if attackers authenticate successfully, they should not be able to immediately reach administrative services.
2. Prevent lateral movement through administrative ports
Iranian operators frequently move laterally using standard administrative protocols already present in the environment.
Because these services are often left open for operational convenience, attackers can pivot rapidly between systems.
A more resilient model includes:
Default-deny policies for administrative ports
Access that opens only after verified authentication
Real-time visibility into system-to-system connectivity
This significantly reduces the number of pathways attackers can exploit.
3. Restrict privileged accounts to the systems they actually manage
Many environments still grant administrators broad access across large portions of the network.
That convenience creates risk.
If attackers compromise a privileged account during an intrusion, they can often reach nearly every system in the environment.
Organizations should instead:
Segment privileged access based on role and environment
Limit administrators to the specific systems they manage
Continuously monitor privileged access activity
Reducing the scope of administrative access dramatically limits the potential blast radius.
4. Detect unauthorized access paths and tunnels
Recent threat intelligence reports show Iranian operators using tunneling tools to maintain covert connectivity inside victim networks.
These tunnels can bypass traditional perimeter monitoring.
Defenders therefore need visibility inside the network, including:
Monitoring east-west connectivity
Establishing baselines for administrative communication
Detecting unusual connection paths or tunneling behavior
When abnormal connectivity patterns appear, defenders can intervene before destructive activity begins.
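As an added example (not from the article or from Zero Networks), the following Python sketch applies the baseline-and-detect idea behind steps 2 and 4 to east-west flow records: an allow-list of which management hosts may reach which systems on administrative ports, a check for connections outside that baseline, and a fan-out check for one source reaching many hosts on admin ports within a short window. The host names, the port-to-protocol mapping and the flow records are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Administrative protocols the article names as lateral-movement paths (assumed port mapping).
ADMIN_PORTS = {3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS",
               135: "WMI/RPC", 445: "SMB", 22: "SSH"}

# Baseline of approved administrative paths: which management host may reach
# which systems (constructed; in practice derived from step 3's role-based scoping).
BASELINE = {
    "jump01": {"dc01", "file01", "app01"},
    "hr-admin-ws": {"hr-srv01"},
}

# Constructed flow records: (timestamp, src host, dst host, dst port).
FLOWS = [
    ("2026-03-18T02:00:01", "jump01", "dc01", 3389),
    ("2026-03-18T02:00:05", "vpn-user-17", "file01", 445),
    ("2026-03-18T02:00:06", "vpn-user-17", "app01", 5985),
    ("2026-03-18T02:00:07", "vpn-user-17", "hr-srv01", 135),
    ("2026-03-18T02:00:08", "vpn-user-17", "dc01", 22),
    ("2026-03-18T02:30:00", "hr-admin-ws", "hr-srv01", 3389),
]

def unbaselined_admin_paths(flows, baseline=BASELINE):
    """Flows that hit an admin port from a source not approved for that destination."""
    return [(ts, src, dst, ADMIN_PORTS[port]) for ts, src, dst, port in flows
            if port in ADMIN_PORTS and dst not in baseline.get(src, set())]

def admin_fanout(flows, window_s=60, threshold=3):
    """Sources reaching >= threshold distinct hosts on admin ports inside one window,
    the burst shape of hands-on lateral movement. Returns {src: distinct targets}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ADMIN_PORTS:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = {d for t, d in events[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(window) >= threshold:
                alerts[src] = len(window)
                break
    return alerts

if __name__ == "__main__":
    for hit in unbaselined_admin_paths(FLOWS):
        print("unbaselined admin path:", hit)
    print("fan-out sources:", admin_fanout(FLOWS))
```

In a real deployment the baseline would be generated from the scoped privileged-access policy rather than typed by hand, and a hit from either function would feed the automated isolation described in step 5.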
5. Contain destructive activity before it spreads
When wiper malware begins executing, attackers often deploy multiple wiping methods simultaneously to maximize damage.
At this stage, speed matters.
Organizations that survive destructive incidents focus on containment.
Key capabilities include:
Automated isolation of compromised systems
Immediate restriction of administrative access paths
Rapid ring-fencing of affected hosts
If containment happens quickly enough, the attack may impact only a limited number of systems instead of spreading across the entire environment.
The strategic lesson for CISOs
Iranian destructive campaigns highlight an uncomfortable truth: attackers do not need sophisticated malware when networks allow unrestricted internal access.
The most effective defense is not simply detecting malicious files earlier.
It is removing the attacker’s ability to move.
Organizations that consistently limit the impact of destructive attacks share three core capabilities:
Visibility into who can access what across the environment
Control over administrative services and privileged access
Automated containment that limits blast radius
Attackers may still get inside the network.
But if they cannot move, they cannot destroy the environment.
And in an era of geopolitical cyber conflict, that capability may determine whether an organization shuts down—or keeps operating.
Sponsored and written by Zero Networks.

CISO
Cyberattack
Cybersecurity
Iran
Wiper
Zero Networks


**How CISOs Can Survive the Era of Geopolitical Cyberattacks**

The document outlines a five-step playbook for CISOs to effectively respond to and mitigate the growing threat of destructive cyberattacks, particularly those originating from state-sponsored actors like Iran. It moves beyond traditional perimeter defense to emphasize operational resilience and internal control, reflecting a shift in the nature of cyber warfare. The core argument is that attackers, particularly in these geopolitical scenarios, don’t necessarily require highly sophisticated malware; rather, they exploit vulnerabilities in network architecture and operating processes to achieve disruptive goals. The article, sponsored by Zero Networks, provides a practical approach based on observed attack patterns and highlights the importance of proactive containment strategies.

The primary driver for this change in security philosophy is the realization that conventional, reactive cybersecurity measures are insufficient against persistent, well-resourced adversaries like Iran. The attacks aren’t motivated by monetary gain, but by the intentional disruption and degradation of critical infrastructure and organizations. The Stryker incident, where thousands of devices were wiped across a global network, illustrates the potential scale of damage in these operations.

**Key Insights and Operational Patterns**

The document describes Iranian wiper campaigns as relying heavily on manual operations rather than advanced malware, a critical distinction. Attackers typically initiate breaches through stolen VPN credentials, conducting hands-on activity within the compromised environment before moving laterally across the network. They use commonly available enterprise tools—RDP, PowerShell remoting, WMI, SMB, and SSH—which, because they are legitimate administrative utilities, rarely trigger standard malware detection. Furthermore, the use of tunneling tools like NetBird to maintain persistent access paths compounds the problem, allowing attackers to evade traditional perimeter monitoring. The article stresses that the real weakness is not the malware itself, but the attacker's ability to move freely within the network after gaining initial access.

**A Five-Step Containment Strategy**

Zero Networks proposes a five-pronged strategy for CISOs to implement:

1. **Credential Theft Mitigation:** Preventing a stolen credential from becoming full network access by replacing flat VPN connectivity with identity-aware access controls, enforcing MFA on administrative services rather than only at VPN login, and maintaining continuous visibility into which identities are accessing which systems.
2. **Preventing Lateral Movement:** Implementing default-deny policies for administrative ports, restricting access based on verified authentication, and gaining real-time visibility into system-to-system connectivity.
3. **Restricting Privileged Accounts:** Segmenting privileged access based on role and environment, limiting administrator access to only the systems they manage, and continuously monitoring privileged account activity.
4. **Detecting Unauthorized Paths:** Monitoring east-west connectivity, establishing baselines for administrative communication, and detecting unusual connections or tunneling behavior.
5. **Containment of Destructive Activity:** Automating system isolation, restricting administrative access paths, and rapidly ring-fencing affected hosts when wiper malware is detected.

**Strategic Lessons and Core Capabilities**

The strategic lesson is that attackers don't need sophisticated malware if networks allow unrestricted internal access. The most effective defense isn’t simply early malware detection, but removing the attacker’s ability to move laterally. CISOs need to cultivate three core capabilities: visibility into access across the environment, control over administrative services and privileged access, and automated containment to limit the blast radius. Even if attackers gain initial access, effective strategies severely restrict their ability to cause widespread damage.

**Conclusion**

In the context of escalating geopolitical tensions, cybersecurity is no longer solely about protecting networks from intrusion. It’s a strategic imperative for organizations to build operational resilience, focusing on limiting internal movement and containing the damage if an attack does occur. The success of defense depends on a layered approach, combining proactive controls with rapid response capabilities, recognizing the shift towards destructive cyber campaigns driven by state-sponsored actors. Recognizing the vulnerabilities of internal network access protocols and establishing robust containment measures is paramount in this new era of cyber conflict.