Security & Infrastructure Tools
How CISOs Can Survive the Era of Geopolitical Cyberattacks
CISOs must shift from pure prevention to resilience against geopolitically motivated “wiper” attacks that aim to disrupt rather than ransom. Iran’s recent destructive campaigns illustrate a pattern: attackers gain access via stolen VPN credentials, then move laterally through administrative tools (RDP, PowerShell, SMB, SSH), escalating privileges and deploying multiple wiping methods simultaneously. Defenders can mitigate this by limiting credential-based network reach, enforcing MFA on administrative services, default‑deny policies for admin ports, restricting privileged accounts to the systems they manage, detecting tunneling or unusual east‑west traffic, and rapidly containing affected hosts with automated isolation and ring‑fencing. The core lesson is that preventing lateral movement and controlling privileged access—combined with visibility into who can access what—reduces blast radius and enables organizations to survive geopolitical cyber conflicts.

In today’s security landscape, geopolitics and cyberspace are tangled more tightly than ever. Politically motivated attacks seek to disrupt operations, not just extort money. State-aligned groups increasingly deploy destructive malware designed to cripple critical systems and infrastructure, creating cascading effects that ripple through supply chains, healthcare networks, and national grids. For security leaders, this shifts the question from “how do we keep intruders out?” to “how do we survive and limit damage when intrusion is unavoidable?”
A real-world example of this shift is the wave of Iranian wiper campaigns that treat organizations as tactical battlegrounds rather than profit centers. In early 2026, a well-known Iran-linked cluster conducted a high-profile operation against a major medical technology company with a global footprint. Tens of thousands of devices were wiped across a multinational network, disrupting manufacturing, order processing, and logistics across dozens of countries. The impact extended beyond the IT department, slowing hospital workflows and threatening patient care. While headlines focus on the scale, the underlying pattern of these campaigns is remarkably consistent: attackers aim to move freely inside networks and trigger widespread damage with minimal friction, often exploiting legitimate tools that are already part of everyday operations.
How these campaigns typically unfold
Threat researchers have observed that many destructive campaigns rely more on hands-on, human-operated activity than on flashy, novel exploit code. The attackers tend to follow a familiar sequence:
- Initial access is usually gained via stolen VPN credentials or compromised remote access points.
- Once inside, they engage in hands-on activity to map the environment, locate critical assets, and plan the next moves.
- Lateral movement often relies on standard administrative tools and protocols that administrators use every day, such as remote desktop, PowerShell, Windows Management Instrumentation, and common file-sharing services.
- Privilege escalation follows as attackers exploit gaps in identity and access controls to reach higher-value targets.
- Finally, multiple wiping techniques are deployed in tandem to maximize disruption and complicate recovery.
Crucially, these operators frequently leverage tools that already exist within the enterprise, making their movements harder to distinguish from legitimate administration. They may also set up covert access channels using tunneling utilities, preserving a foothold even as perimeter defenses hold steady. The effectiveness of destructive campaigns, therefore, often hinges less on the sophistication of malware and more on the attacker’s ability to move laterally unimpeded once inside.
From theory to practice: building cyber resilience
Reactive security—relying on signatures and perimeter alerts—struggles against attacks that leverage benign tools and ordinary access patterns. The path forward is cyber resilience: a capability set that emphasizes containment, identity-driven control, and rapid isolation of threats before they can spread. The core idea is to shrink the “attack surface” within the network so that even if adversaries gain a foothold, their options to reach critical systems are severely constrained.
A practical, five-step containment strategy for CISOs
Drawing on observed tactics from recent campaigns, organizations can substantially reduce the impact of destructive intrusions by hardening five core areas:
1) Stop credential theft from becoming full network access
Destructive campaigns often begin with compromised credentials used to gain broad internal reach. Give privileged access a new constraint: move beyond flat network reach. Implement identity-aware controls that limit access to what is needed for a given role, enforce multi-factor authentication for administrative services (not just for VPNs), and maintain continuous visibility into which identities are touching which resources. This way, even if credentials are stolen, attackers cannot instantly pivot to sensitive administration.
2) Prevent lateral movement through administrative ports
Attackers use standard admin channels to hop between machines. The defense is to default-deny administrative ports and require verified authentication before access is granted. Real-time visibility into system-to-system connectivity helps identify unusual or unauthorized paths. With fewer legitimate routes available, attackers lose agility and must reveal themselves to proceed.
3) Restrict privileged accounts to the systems they actually manage
Broadly granted privileges create a large blast radius. Privilege boundaries should be tight and role-based, with access limited to the specific systems and functions each administrator genuinely needs. Continuous monitoring of privileged activity, combined with strict segmentation, dramatically reduces the scope an intruder can reach.
4) Detect unauthorized access paths and tunnels
Tunneling tools and covert channels let attackers maintain persistence even when the perimeter appears secure. To counter this, organizations must gain insight into east-west traffic, establish baselines for administrative communications, and look for anomalous connection patterns. Early detection of unfamiliar tunnels or unexpected pathways enables a rapid containment response.
5) Contain destructive activity before it spreads
When wiper malware activates, speed matters. Automated isolation of compromised hosts, immediate restriction of administrative paths, and rapid ring-fencing of affected segments can limit the blast radius. The objective is not perfect prevention but rapid, surgical containment that prevents a single breach from becoming a full-scale outage.
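As an added illustration of steps 2 and 4 (not code from the article or any vendor), the following script baselines known east-west connections on the administrative ports the article names and flags two lateral-movement signals in a later window: admin-port paths never seen before, and a single source fanning out to many hosts. The flow-record format, IP addresses and timestamps are constructed sample data.

```python
"""Flag first-seen and fan-out east-west connections on administrative ports.

Constructed example: each flow record is a "timestamp src dst dport" line.
"""
from collections import defaultdict

# Administrative ports the article lists as lateral-movement channels
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm"}

# Constructed sample: a baseline window of known-good admin traffic
BASELINE_FLOWS = """\
2026-01-05T09:00:00 10.0.1.10 10.0.2.20 3389
2026-01-05T09:05:00 10.0.1.10 10.0.2.21 5985
2026-01-05T10:00:00 10.0.1.11 10.0.2.22 22
"""

# Constructed sample: an observation window with a new host hopping across servers
OBSERVED_FLOWS = """\
2026-02-01T02:10:00 10.0.1.10 10.0.2.20 3389
2026-02-01T02:11:00 10.0.3.50 10.0.2.20 3389
2026-02-01T02:11:30 10.0.3.50 10.0.2.21 445
2026-02-01T02:12:00 10.0.3.50 10.0.2.22 445
2026-02-01T02:12:30 10.0.3.50 10.0.2.23 5985
2026-02-01T02:13:00 10.0.3.50 10.0.4.30 80
"""

def parse_flows(text):
    """Yield (ts, src, dst, dport) per well-formed line, keeping only admin ports."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        dport = int(dport)
        if dport in ADMIN_PORTS:
            yield ts, src, dst, dport

def build_baseline(text):
    """Set of (src, dst, dport) admin paths seen during the baseline window."""
    return {(src, dst, dport) for _, src, dst, dport in parse_flows(text)}

def find_anomalies(observed_text, baseline, fanout_threshold=3):
    """Return (new_paths, fanout): admin paths absent from the baseline, and
    sources reaching at least fanout_threshold distinct hosts on admin ports."""
    new_paths = []
    targets = defaultdict(set)
    for ts, src, dst, dport in parse_flows(observed_text):
        targets[src].add(dst)
        if (src, dst, dport) not in baseline:
            new_paths.append((ts, src, dst, ADMIN_PORTS[dport]))
    fanout = {src: len(d) for src, d in targets.items() if len(d) >= fanout_threshold}
    return new_paths, fanout
```

In the sample, the known workstation's RDP session is silent while the new host 10.0.3.50 produces four first-seen admin paths and a fan-out of four servers; the port-80 flow is ignored as non-administrative.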
Strategic takeaway for CISOs
The most dangerous attribute of contemporary destructive campaigns is not necessarily the malware itself but the ability of attackers to move unhindered within a network. The strongest defense hinges on three capabilities: full visibility of who can access what across the environment, robust control over administrative services and privileged access, and automated containment that can quickly quarantine and isolate threats. Even if an intruder gains entry, restricting their movement can mean the difference between a contained incident and a cascading disaster. In a geopolitical era where cyber conflicts can target critical infrastructure and supply chains, the ability to limit internal movement may determine whether an organization keeps operating or shutters its doors.