Geopolitical Cyberattacks - How CISOs Can Survive Them
In short, CISOs need to protect their organizations from cyberattacks driven by political tensions.
Geopolitical tensions are driving destructive cyberattacks aimed at disruption. Organizations like Stryker have faced severe impacts. CISOs must adapt strategies to limit damage and ensure resilience.
The Threat
Geopolitical tensions are increasingly spilling into cyberspace, creating a new landscape of cyber threats. Nation-state actors and politically aligned groups are deploying destructive malware aimed at causing operational chaos rather than financial gain. A notable example is the Iranian wiper campaigns, which are designed to destroy systems and disrupt critical infrastructure. These attacks can have devastating effects on organizations, as seen in March 2026, when the Iran-linked group Handala targeted Stryker, a Fortune 500 medical technology manufacturer. This incident wiped out tens of thousands of devices across Stryker’s global network, impacting operations in 79 countries.
The shift from financially motivated attacks to those aimed at disruption underscores the need for organizations to rethink their cybersecurity strategies. Cybersecurity incidents are now closely tied to geopolitical conflicts, making it imperative for security leaders to not only focus on preventing breaches but also on surviving them when they occur.
Who's Behind It
The Handala group exemplifies the type of threat actors involved in these destructive campaigns. Their tactics often rely on manual operations, leveraging legitimate administrative tools to navigate through networks without detection. Initial access is typically gained through stolen VPN credentials, followed by lateral movement using tools like RDP, PowerShell, and SSH. This approach allows attackers to operate stealthily, making traditional malware detection methods less effective.
Understanding the operational patterns of these attackers is crucial for defenders. By recognizing how these campaigns unfold, organizations can implement strategies to limit the damage even when breaches occur. The focus must shift from solely perimeter defense to internal containment and control.
Tactics & Techniques
To combat these destructive attacks, CISOs can adopt a five-step containment strategy based on observed tactics in recent campaigns. The first step is to stop credential theft from granting full network access. Implementing identity-aware access controls and multi-factor authentication (MFA) can significantly limit attackers' ability to move laterally once they gain initial access.
Next, preventing lateral movement through administrative ports is crucial. Many organizations leave these ports open for convenience, which attackers exploit. Adopting default-deny policies and ensuring that access is only granted after verified authentication can reduce potential attack pathways. Additionally, restricting privileged accounts to only the systems they manage can help contain the blast radius if an account is compromised.
Defensive Measures
The final steps in the containment strategy involve detecting unauthorized access paths and containing destructive activity before it spreads. Organizations should monitor east-west connectivity and establish baselines for administrative communication to identify unusual patterns. When wiper malware begins executing, speed is essential. Automated isolation of compromised systems and immediate restriction of administrative access can prevent the attack from spreading.
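As an added illustration of the baseline-and-monitor step above (this is not code from the article or from any vendor), the following Python flags east-west connections to administrative ports that fall outside an approved jump-host baseline and highlights sources fanning out to several hosts at once; the flow-record format, host names, user names and baseline are all constructed for the example.

```python
"""Flag east-west admin-port connections outside an approved baseline.
Added illustration; log format, host names and baseline are constructed."""
from collections import defaultdict

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}

# Constructed baseline: (source, destination) pairs allowed to use admin ports,
# i.e. the approved jump host reaching the servers it manages.
BASELINE = {("jump01", "fileserver01"), ("jump01", "dc01"), ("jump01", "app01")}

# Constructed flow records, one per line: "src dst dport user".
SAMPLE_FLOWS = """\
jump01 dc01 3389 admin.ops
jump01 app01 22 admin.ops
ws-042 fileserver01 3389 j.doe
ws-042 dc01 5985 j.doe
ws-042 app01 22 j.doe
ws-017 web01 443 s.lee
"""

def parse_flows(text):
    """Parse flow records into (src, dst, port, user) tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        src, dst, port, user = parts
        flows.append((src, dst, int(port), user))
    return flows

def find_unexpected_admin_paths(flows, baseline=BASELINE, fanout_threshold=2):
    """Return (unexpected, fanout): admin-port flows not in the baseline, and the
    sources reaching >= fanout_threshold distinct admin destinations, which looks
    like lateral movement rather than one-off administration."""
    unexpected = []
    targets = defaultdict(set)
    for src, dst, port, user in flows:
        if port not in ADMIN_PORTS:
            continue  # not an administrative service, out of scope here
        if (src, dst) in baseline:
            continue  # approved jump-host path, part of the baseline
        unexpected.append({"src": src, "dst": dst, "service": ADMIN_PORTS[port], "user": user})
        targets[src].add(dst)
    fanout = sorted(s for s, dsts in targets.items() if len(dsts) >= fanout_threshold)
    return unexpected, fanout

if __name__ == "__main__":
    for f in find_unexpected_admin_paths(parse_flows(SAMPLE_FLOWS))[0]:
        print(f"ALERT {f['src']} -> {f['dst']} via {f['service']} as {f['user']}")
```

In a real deployment the baseline would be generated from an observation window of normal jump-host traffic, and a source appearing in the fan-out list is the signal to trigger the automated isolation the paragraph above describes.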
In summary, the ability to limit lateral movement and contain breaches is vital in the era of geopolitical cyberattacks. Organizations that enhance visibility, control over administrative services, and automated containment capabilities will be better positioned to withstand these threats. As geopolitical tensions continue to rise, the resilience of cybersecurity measures will determine whether organizations can maintain operations or face significant disruptions.
BleepingComputer