Handala-Linked Cyberattack on GCC Critical Infrastructure Marks Dangerous Shift to Destructive Cyber Operations

A two-day destructive cyberattack on GCC critical infrastructure — attributed to Iran-aligned Handala — reportedly wiped 6 PB of data and exfiltrated 149 TB, marking a critical escalation from espionage to deliberate digital destruction.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region4 min read
Visual representation of a destructive cyberattack on GCC critical infrastructure attributed to the Iran-aligned Handala threat group in April 2026.

Visual representation of a destructive cyberattack on GCC critical infrastructure attributed to the Iran-aligned Handala threat group in April 2026.

A severe cyberattack targeting critical infrastructure across the GCC region between April 11–12, 2026 has been attributed to Handala, also tracked as Void Manticore — an Iran-aligned threat group associated with Iran's Ministry of Intelligence and Security (MOIS). The incident, analyzed by threat intelligence firm CyberShelter, represents one of the most destructive cyber operations documented in the region to date.

According to attacker claims, which remain unverified, approximately 149 TB of data was exfiltrated and an estimated 6 PB of infrastructure data was deliberately destroyed. If the figures are confirmed, this would rank among the largest acts of destructive cyber sabotage ever recorded against regional infrastructure.

From Espionage to Destruction: A Fundamental Shift

What distinguishes this incident from conventional data breaches is intent. Handala is not a financially motivated ransomware group — it operates with a geopolitical mandate, prioritizing disruption, psychological impact, and the permanent degradation of target systems. The deliberate targeting of backup environments before primary systems signals a calculated effort to eliminate recovery options entirely.

"This incident marks a clear shift in cyber operations — from data theft to intentional destruction of digital ecosystems," CyberShelter noted in its analysis. "Organizations must now prepare not only for breaches, but for complete operational disruption scenarios."

For GCC security leaders, this framing is significant. The threat model has changed. Incident response planning built around data recovery assumes backups survive. In this attack, they were the first target.

How the Attack Unfolded

CyberShelter's reconstructed timeline reveals a patient, multi-phase operation that began weeks before the destructive payload was triggered:

The initial access phase began in mid-to-late March through phishing campaigns targeting contractor accounts. Stolen credentials were used to exploit vulnerable VPN infrastructure, with three specific vulnerabilities leveraged: CVE-2023-46805 (authentication bypass), CVE-2024-21887 (command injection), and CVE-2025-0282 (remote code execution). All three are publicly documented — and preventable through timely patching.

By March 23–25, attackers were conducting Active Directory exploration and accessing VMware and backup systems — a classic pre-destruction reconnaissance pattern. On March 26, backup failures began and storage manipulation was initiated, with the full destructive execution occurring on April 11, followed by a public claim on April 12.

A particularly alarming technical detail: attackers compromised identity synchronization systems, specifically Azure AD Connect, enabling them to push malicious changes across both cloud and on-premises environments. Multi-factor authentication was bypassed using a Temporary Access Pass (TAP) — a legitimate Microsoft feature that, when abused, can render MFA controls ineffective.

What Was Potentially Exposed

The claimed exfiltrated data includes internal communications and email archives, identity and authentication logs, network architecture and firewall configurations, and operational system data. If accurate, this provides the attacker with a detailed map of the organization's infrastructure — information that could enable follow-on operations against connected entities across the region.

Why This Matters for GCC Enterprises

Several systemic security failures enabled this attack — and they are not unique to the targeted organization. Over-reliance on MFA without phishing-resistant alternatives, unpatched VPN infrastructure, excessive privileges granted to third-party contractors, and backup systems that were not isolated from primary environments all contributed to the severity of the outcome.

These are patterns visible across GCC enterprise environments today. Saudi Arabia's National Cybersecurity Authority (NCA) and the UAE Cybersecurity Council have both issued guidance on identity security and backup resilience — guidance that this incident validates with operational urgency.

Immediate Actions Security Teams Should Take

Based on CyberShelter's analysis, organizations operating critical infrastructure in the region should prioritize the following:

Patch VPN and remote access systems immediately — the three CVEs exploited in this incident have available fixes. Reset all privileged accounts and revoke active sessions. Review and restrict Temporary Access Pass (TAP) configurations in Azure AD environments. Transition from standard MFA to phishing-resistant authentication, specifically FIDO2-based hardware keys. Move backup systems to offline or air-gapped environments and test restoration procedures independently of production. Deploy EDR/XDR and SIEM monitoring with full logging across identity and administrative activity layers.

Contractor account hygiene deserves specific attention. Third-party access is consistently among the most exploited vectors in GCC infrastructure attacks — and it is frequently the least governed.

The Broader Implication

Handala's operational playbook — phishing, identity system compromise, living-off-the-land techniques, backup destruction — is not novel. What is novel is the scale of claimed destruction and the demonstrated willingness to permanently degrade infrastructure rather than simply exfiltrate data. This is a posture shift that demands a corresponding shift in how GCC organizations model, fund, and drill for worst-case scenarios.

Note: Data figures cited in this report — including the 149 TB exfiltration claim and 6 PB destruction claim — are based on attacker statements and have not been independently verified. MENA CyberWire will update this report as further corroboration becomes available.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

GCC Threat IntelligenceCritical Infrastructure Security MENAIdentity & Access SecurityIncident Response GCCNation-State Cyber Operations