
Week 3 Threat Advisory on Iran-Israel-US Conflict: Confirmed Intrusions, Declared Targets, New Attack Vectors

Urgent SISA advisory: Iran-US-Israel cyber conflict escalates. BFSI sector faces confirmed threats including MuddyWater intrusions & MDM hijacks


SISA Sappers Threat Intelligence unit has been continuously tracking the Iran–Israel–US cyber conflict since its escalation. This advisory is a direct follow-up to our Week 1 assessment — Elevated Cyber Risk to the Payments Ecosystem Amid Israel-US-Iran Conflict Escalation (3 March 2026) and should be read in conjunction with that advisory.

In the two weeks since that publication, the threat environment for BFSI organisations has not merely continued — it has materially escalated across three distinct dimensions. What was assessed as high probability in Week 1 is now confirmed and declared. These are not incremental updates — they represent threshold events that demand immediate re-evaluation of your organisation’s defensive posture, regardless of geography or perceived exposure.

1. Banks are now explicitly, formally declared targets — not assessed probability.

On 12 March 2026, Iran’s military command publicly named US- and Israeli-linked banks and economic centres as military targets. This is a state-level declaration, not hacktivist signalling. Simultaneously, Hydro Kitten (IRGC-aligned, new group) announced specific financial sector targeting intent — confirmed by CrowdStrike. The BFSI threat moved from high-probability assessment to confirmed declared intent.

2. MuddyWater is confirmed on a US bank network — direct BFSI intrusion, not indirect exposure.

Symantec/Carbon Black (Broadcom) confirmed on 5–6 March that MuddyWater/Seedworm has active network presence on a US bank, a US airport, US/Canadian NGOs, and the Israeli operations of a US defence software supplier. Two new custom backdoors deployed: Dindoor (Deno-based, signed ‘Amy Cherne’) and Fakeset (Python-based, hosted on Backblaze). Data exfiltration via Rclone to Wasabi cloud storage confirmed. The activity began in early February — the group was pre-positioned before the 28 February strikes. This supersedes our earlier assessment that MuddyWater’s BFSI exposure was only indirect.

3. Handala demonstrated enterprise-scale destructive capability via a new attack vector: MDM/Intune console hijack.

The 11 March Stryker attack wiped 200,000+ devices across 79 countries and sent 5,000+ workers home in Ireland — using Microsoft Intune’s device management console to execute mass remote wipes without deploying traditional malware. A simultaneous attack on Verifone (payments company) was claimed. This is a qualitatively different capability from our earlier characterisation of Handala as a ‘medium-capability hacktivist group.’ Handala is now confirmed capable of enterprise-scale destructive operations using cloud administration platforms as weapons.

SITUATION METRICS — 1 TO 14 MARCH 2026

60+ active hacktivist groups: up from ~15 pre-conflict (Unit 42)

200,000+ Stryker devices wiped: 79 countries · Microsoft Intune vector · Handala

50 TB of data claimed stolen from Stryker: Handala / Void Manticore

5+ MuddyWater confirmed US victims: bank · airport · NGOs · software supplier


New Threat Vectors

The latest wave of activity reflects a clear evolution in attacker behavior. Instead of broad, noisy disruption alone, threat actors are now combining deep enterprise access, low-noise data exfiltration, and human-layer manipulation. These vectors signal a shift toward precision attacks with asymmetric impact.

Vector 1: Microsoft Intune / MDM Console Hijack as Wiper Weapon NEW

What happened: Handala compromised Stryker’s Microsoft Intune console and deployed a device wipe policy to 200,000+ managed endpoints across 79 countries. No malware was deployed to individual endpoints — the attack was entirely executed through the legitimate MDM platform’s administrative capabilities.

Why it matters for BFSI: Microsoft Intune manages endpoints in most large BFSI organisations. A compromised Intune admin account is equivalent to having physical access to every managed device. The attack bypasses endpoint detection, EDR, and traditional malware detection entirely. The only layer of defence is protecting the Intune console itself.

Detection: Anomalous Intune policy deployments; bulk device wipe or configuration commands; Intune admin sign-ins from new ASNs, geographies, or at unusual hours; new admin accounts created in Intune; CA policy changes in Entra ID governing Intune access.

Immediate action: Treat the Intune admin console as Tier-0 / crown-jewel infrastructure. Apply Privileged Identity Management (PIM) for all Intune administrator roles. Enable Intune admin activity audit logging and alert on any device wipe policies. Require phishing-resistant MFA (FIDO2) for all Intune admin access. Review who holds Global Administrator / Intune Administrator roles in your tenant.
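The detection list above can be expressed as a small set of rules run over Intune audit-log and Entra admin sign-in events. The following is an added example (not SISA code and not Microsoft's log schema): the event records, field names, action names such as `wipe` and `updateConditionalAccessPolicy`, the per-actor ASN/country baseline and the business-hours and bulk-wipe thresholds are all constructed assumptions, chosen so that one off-hours session from an unfamiliar network that creates a Global Administrator, edits a Conditional Access policy and issues a burst of wipes trips every rule, while routine daytime activity from the same account trips none.

```python
"""Detection logic for the Intune/MDM console-hijack vector.

Added illustration, not SISA code. The event records below are a constructed,
simplified stand-in for Intune audit-log entries and Entra ID admin sign-ins;
field and action names are assumptions, not Microsoft's schema.
"""
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 local time (assumption)
BULK_WINDOW_MIN = 5                  # wipes by one actor inside this window...
BULK_THRESHOLD = 3                   # ...escalate to a bulk-wipe alert
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "deleteDevice"}       # constructed names
CA_POLICY_ACTIONS = {"addConditionalAccessPolicy",
                     "updateConditionalAccessPolicy",
                     "deleteConditionalAccessPolicy"}           # constructed names
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}

# Per-actor baseline of ASNs and countries seen during a known-good period
# (assumption: built from 30 days of prior sign-in logs).
BASELINE = {
    "ops.admin@bank.example": {"asns": {"AS64500"}, "countries": {"AE"}},
}

# Constructed sample: one admin session that looks like a console hijack,
# followed by routine daytime activity from the same account.
EVENTS = [
    {"ts": "2026-03-11T02:14:00", "kind": "signin", "actor": "ops.admin@bank.example",
     "asn": "AS64512", "country": "NL", "role": "Intune Administrator"},
    {"ts": "2026-03-11T02:20:00", "kind": "audit", "actor": "ops.admin@bank.example",
     "action": "createUser", "target": "ga-svc@bank.example",
     "role_assigned": "Global Administrator"},
    {"ts": "2026-03-11T02:22:00", "kind": "audit", "actor": "ops.admin@bank.example",
     "action": "updateConditionalAccessPolicy", "target": "CA-Require-FIDO2-Admins"},
    {"ts": "2026-03-11T02:30:00", "kind": "audit", "actor": "ops.admin@bank.example",
     "action": "wipe", "target": "device-0001"},
    {"ts": "2026-03-11T02:31:00", "kind": "audit", "actor": "ops.admin@bank.example",
     "action": "wipe", "target": "device-0002"},
    {"ts": "2026-03-11T02:32:00", "kind": "audit", "actor": "ops.admin@bank.example",
     "action": "wipe", "target": "device-0003"},
    {"ts": "2026-03-11T10:00:00", "kind": "signin", "actor": "ops.admin@bank.example",
     "asn": "AS64500", "country": "AE", "role": "Intune Administrator"},
    {"ts": "2026-03-11T10:05:00", "kind": "audit", "actor": "ops.admin@bank.example",
     "action": "assignCompliancePolicy", "target": "Win11-Baseline"},
]


def detect(events, baseline=BASELINE):
    """Return (rule, actor, detail) tuples for every event that matches a rule."""
    alerts = []
    wipe_times = defaultdict(list)   # actor -> timestamps of recent wipes
    bulk_fired = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        actor = e["actor"]
        if e["kind"] == "signin":
            known = baseline.get(actor, {"asns": set(), "countries": set()})
            if e["asn"] not in known["asns"]:
                alerts.append(("NEW_ASN", actor, e["asn"]))
            if e["country"] not in known["countries"]:
                alerts.append(("NEW_GEO", actor, e["country"]))
            if t.hour not in BUSINESS_HOURS:
                alerts.append(("OFF_HOURS_ADMIN_SIGNIN", actor, e["ts"]))
            continue
        action = e["action"]
        if action in DESTRUCTIVE_ACTIONS:
            # Every wipe is alert-worthy on its own; a burst escalates to bulk.
            alerts.append(("DEVICE_WIPE", actor, e["target"]))
            recent = [w for w in wipe_times[actor]
                      if (t - w).total_seconds() <= BULK_WINDOW_MIN * 60]
            recent.append(t)
            wipe_times[actor] = recent
            if len(recent) >= BULK_THRESHOLD and actor not in bulk_fired:
                bulk_fired.add(actor)
                alerts.append(("BULK_WIPE", actor,
                               f"{len(recent)} wipes within {BULK_WINDOW_MIN} min"))
        elif action == "createUser" and e.get("role_assigned") in PRIVILEGED_ROLES:
            alerts.append(("NEW_PRIV_ADMIN", actor, e["target"]))
        elif action in CA_POLICY_ACTIONS:
            alerts.append(("CA_POLICY_CHANGE", actor, e["target"]))
    return alerts


def alert_counts(events, baseline=BASELINE):
    """Counts per rule, the shape a SIEM dashboard or test would consume."""
    return dict(Counter(rule for rule, _, _ in detect(events, baseline)))


if __name__ == "__main__":
    for rule, actor, detail in detect(EVENTS):
        print(f"{rule:24} {actor:26} {detail}")
    print(alert_counts(EVENTS))
```

The sample session produces nine alerts across seven rule types; the two daytime events produce none. In a real deployment the single-wipe rule should page regardless of volume (a legitimate wipe of a lost device is rare enough to review by hand), and the bulk threshold should sit well below whatever your MDM team would ever do in one change window.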

Vector 2: Rclone + Cloud Storage for Silent Data Exfiltration

What happened: MuddyWater used the open-source tool Rclone to exfiltrate data from a targeted software company to a Wasabi cloud storage bucket. The Fakeset backdoor was hosted on Backblaze servers. Both Wasabi and Backblaze are legitimate cloud storage platforms — their traffic is indistinguishable from normal cloud sync activity to most DLP tools.

Why it matters for BFSI: Cloud storage exfiltration via legitimate sync tools evades traditional DLP, proxy filtering, and even many CASB configurations. Financial data, customer records, and transaction data exfiltrated this way may not trigger any security alerts. The use of Rclone specifically is a well-established Iranian APT tradecraft pattern that is now confirmed active in the current campaign.

Detection: Rclone execution on non-administrator hosts; outbound connections to *.wasabisys.com or *.backblaze.com from unexpected hosts; large HTTPS data transfers to cloud storage endpoints outside business hours; process ancestry: cmd.exe / PowerShell → rclone.exe.

Vector 3: Conflict-Opportunistic Vishing — UAE Ministry of Interior Impersonation

What happened: Unit 42 (Palo Alto) documented cybercriminals capitalising on the conflict in UAE by calling residents and businesses, impersonating the UAE Ministry of Interior. The callers claim to be ‘confirming receipt of a national alert’ — then prompt victims for credential input or personal authentication details.

Why it matters for BFSI: Conflict-driven public anxiety creates a highly effective social engineering environment. UAE banking customers are primed to expect government alerts and security notifications. Vishing calls impersonating banks, central banks, or government financial authorities during this period will achieve higher success rates than during peacetime. BFSI customer-facing staff are also targets for social engineering during elevated-anxiety periods.

Immediate action: Issue customer awareness bulletin warning of increased vishing/smishing impersonating government and financial authorities. Brief fraud hotline teams and branch staff on conflict-specific social engineering patterns. Review IVR and authentication flows for susceptibility to caller social engineering. Monitor customer fraud reporting for spike in authority-impersonation calls.

Threat Outlook: Updated Scenarios

The three scenarios outlined in our 3 March advisory remain valid. The following updates reflect confirmed developments since that publication.

Scenario A — Destructive & Disruptive Cyber Campaign: NOW ACTIVE (not forward-looking)

This scenario has materialised. The Stryker attack is a confirmed destructive operation using a novel vector against a US multinational. Iran formally declaring banks as military targets combined with Hydro Kitten’s sector-specific declaration means Scenario A conditions for the BFSI sector are now present, not predicted.

Updated trigger: Scenario A posture should be active now for all BFSI entities with US or Israeli linkage. The decision trigger from our 3 March advisory, ‘if confirmed wiper against a GCC BFSI entity’, has been met at the sector level: Stryker is a US company, and Verifone (payments) was simultaneously targeted.

Scenario B — Sustained Espionage: Confirmed Active, Expanding Scope

MuddyWater’s pre-positioned access on a US bank network since early February confirms Scenario B is active and has been for weeks. The goal appears to be intelligence collection that may pivot to disruptive operations. Pre-positioned access on financial networks is qualitatively different from external reconnaissance — it means the threat actor can act internally when directed.

Updated trigger: If MuddyWater Dindoor/Fakeset indicators are found on your network, escalate immediately to IR and treat as a potential precursor to destructive action — not just espionage.

Scenario C — Hacktivist Surge: Active, Geographically Expanding

The hacktivist coalition has grown to 60+ groups, added a Russian partner (NoName057(16)), and expanded targeting to Europe (Romania). This is no longer a Middle East-contained scenario. Globally connected BFSI institutions should maintain Scenario C posture regardless of their physical location.

Updated trigger: If your institution appears by name in Iranian, Palestinian, or Russian hacktivist Telegram channels with operational language — escalate immediately and activate DDoS runbooks regardless of whether an attack has been confirmed.

Defensive Priorities

The emerging threat vectors signal a shift from broad-based attacks to precision strikes on control planes, data flows, and human trust layers. Defensive strategy must therefore move beyond perimeter security to protect what attackers now target most: control, movement, and authorization.

Treat Microsoft Intune / MDM admin console as Tier-0 infrastructure — DO NOW. Apply Privileged Identity Management (PIM) for Intune Administrator and Global Administrator roles. Enable FIDO2/phishing-resistant MFA for all Intune admin access. Enable Intune audit logging and alert on any device wipe policy creation or deployment. Audit current Intune admin role membership — remove all unnecessary assignments immediately.

Hunt for Dindoor and Fakeset indicators on all networks NOW. Run published IOC sets from Symantec/Carbon Black March 5 report. Search for: certificates signed by ‘Amy Cherne’ or ‘Donald Gay’; Rclone execution outside approved admin hosts; outbound connections to *.wasabisys.com or *.backblaze.com from non-approved hosts; Deno runtime execution on endpoints; Fakeset Python backdoor indicators. If MuddyWater was pre-positioned from February, access may already exist.

Activate DDoS mitigation for all BFSI-facing portals immediately — Hydro Kitten declaration is active. Do not wait for an attack to begin. Confirm CDN/scrubbing centre is engaged and sized for volumetric attacks. Activate traffic baseline monitoring so anomalies are detected within minutes. Validate failover DNS. Contact ISP DDoS mitigation partner to confirm readiness. Based on Operation Ababil precedent, peak attack traffic can reach 140 Gbps against financial portals.

Audit Entra ID / Azure AD for all cloud admin roles and Conditional Access policies. Any organisation using Microsoft cloud services should review: all Global Admin, Intune Admin, and Security Admin role assignments; Conditional Access policies governing admin access; PIM activation logs for anomalous just-in-time elevations; registered authentication methods for admin accounts. The Intune attack vector requires Entra ID compromise first.
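The four review items above (role assignments, Conditional Access, PIM activations, registered authentication methods), together with the PIM and FIDO2 requirements for Intune administrators in the first priority, reduce to a posture audit over a tenant snapshot. The following is an added example, not SISA or Microsoft code: the snapshot is constructed, the field names (`type`, `last_signin_days`, `justification`) are assumptions, and the set of methods treated as phishing-resistant is an assumption to align with your own policy. A real run would fill the same structures from Microsoft Graph role-assignment, authentication-method and PIM audit data.

```python
"""Entra ID admin-role posture audit.

Added illustration, not SISA or Microsoft code. The snapshot below is a
constructed, simplified stand-in for the data a real review would pull from
Microsoft Graph (role assignments and eligibilities, registered
authentication methods, PIM activation audit events); field names are
assumptions.
"""
from collections import Counter

TIER0_ROLES = {"Global Administrator", "Intune Administrator", "Security Administrator"}
# Authentication methods this audit treats as phishing-resistant (assumption).
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "x509Certificate"}
STALE_DAYS = 90

# Constructed snapshot. "type" is "eligible" (activated through PIM) or
# "permanent" (standing access, which the advisory says to remove).
ASSIGNMENTS = [
    {"principal": "ops.admin@bank.example", "role": "Intune Administrator",
     "type": "eligible", "last_signin_days": 0},
    {"principal": "ga-svc@bank.example", "role": "Global Administrator",
     "type": "permanent", "last_signin_days": 1},
    {"principal": "helpdesk@bank.example", "role": "Global Administrator",
     "type": "permanent", "last_signin_days": 3},
    {"principal": "sec.lead@bank.example", "role": "Security Administrator",
     "type": "eligible", "last_signin_days": 2},
    {"principal": "old.contractor@bank.example", "role": "Intune Administrator",
     "type": "permanent", "last_signin_days": 120},
    {"principal": "reader@bank.example", "role": "Global Reader",
     "type": "permanent", "last_signin_days": 5},   # not Tier-0, ignored
]
AUTH_METHODS = {
    "ops.admin@bank.example": {"fido2", "microsoftAuthenticator"},
    "ga-svc@bank.example": {"password"},
    "helpdesk@bank.example": {"microsoftAuthenticator"},
    "sec.lead@bank.example": {"fido2"},
    "old.contractor@bank.example": {"sms"},
    "reader@bank.example": {"password"},
}
PIM_ACTIVATIONS = [   # constructed just-in-time elevation log
    {"principal": "ops.admin@bank.example", "role": "Intune Administrator",
     "ts": "2026-03-11T09:40:00", "justification": "INC-2201 device investigation"},
    {"principal": "helpdesk@bank.example", "role": "Global Administrator",
     "ts": "2026-03-11T02:05:00", "justification": ""},
    {"principal": "sec.lead@bank.example", "role": "Security Administrator",
     "ts": "2026-03-11T11:00:00", "justification": "CHG-1234 CA policy review"},
]


def audit(assignments, auth_methods, activations, stale_days=STALE_DAYS):
    """Return (finding, principal, role) tuples for Tier-0 posture gaps."""
    findings = []
    eligible = set()
    for a in assignments:
        if a["role"] not in TIER0_ROLES:
            continue
        p, role = a["principal"], a["role"]
        if a["type"] == "permanent":
            findings.append(("PERMANENT_TIER0", p, role))   # should be PIM-eligible
        else:
            eligible.add((p, role))
        if not auth_methods.get(p, set()) & PHISHING_RESISTANT:
            findings.append(("NO_PHISHING_RESISTANT_MFA", p, role))
        if a["last_signin_days"] > stale_days:
            findings.append(("STALE_TIER0_ASSIGNMENT", p, role))
    for act in activations:
        key = (act["principal"], act["role"])
        # An activation with no justification, or for a role the principal is
        # not actually eligible for, is the kind of JIT elevation to review.
        if not act["justification"].strip() or key not in eligible:
            findings.append(("ANOMALOUS_PIM_ACTIVATION", act["principal"], act["role"]))
    return findings


def finding_counts(assignments=ASSIGNMENTS, auth_methods=AUTH_METHODS,
                   activations=PIM_ACTIVATIONS):
    """Counts per finding type, for reporting to the Board or a ticket queue."""
    return dict(Counter(f for f, _, _ in audit(assignments, auth_methods, activations)))


if __name__ == "__main__":
    for finding, principal, role in audit(ASSIGNMENTS, AUTH_METHODS, PIM_ACTIVATIONS):
        print(f"{finding:28} {principal:30} {role}")
    print(finding_counts())
```

On the constructed snapshot the audit returns eight findings: three permanent Tier-0 assignments, three Tier-0 holders with no phishing-resistant method registered, one assignment unused for more than 90 days, and one unjustified Global Administrator activation. Each `PERMANENT_TIER0` and `NO_PHISHING_RESISTANT_MFA` finding maps directly to the "apply PIM" and "require FIDO2" actions in the Intune priority above.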

Issue conflict-specific customer fraud alert — vishing and smishing surge expected. Publish a customer-facing advisory warning of increased impersonation of financial authorities, government agencies, and central banks during the current period. Update IVR messaging. Brief fraud operations centre on conflict-specific social engineering patterns. Track customer fraud reports for spike in authority-impersonation vishing — early detection enables rapid customer warnings.

Assess whether your institution matches Iran’s stated target profile. Iran specifically named ‘US- and Israeli-linked banks and economic centres.’ Review: correspondent banking relationships with US banks; technology vendor relationships with US/Israeli companies; US entity ownership or investment; US-based cloud or payment infrastructure usage; Israeli technology partners or subsidiaries. Any of these links places your institution within the declared target scope — communicate this assessment to your Board.

Block or alert on Rclone execution and anomalous cloud storage egress. Add Rclone to application control blocklists on endpoints where it is not authorised. Create SIEM rules for: rclone.exe execution from non-admin hosts; large outbound HTTPS to wasabisys.com or backblaze.com; process chains including PowerShell/cmd → rclone or curl to cloud storage. Review proxy/firewall logs for historical anomalous egress.
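The SIEM rules listed above, and the Vector 2 detection points (Rclone on non-administrator hosts, egress to *.wasabisys.com or *.backblaze.com from unexpected hosts, large off-hours transfers, cmd.exe / PowerShell → rclone.exe ancestry), can be implemented as one correlation pass over process-creation and proxy/firewall events. The following is an added example, not SISA code: the two event shapes, the hostnames, the approved-host list, the 500 MB and 15-minute thresholds and the business-hours window are constructed assumptions, and the only real values are the two domain patterns taken from the advisory.

```python
"""SIEM-style rules for Rclone and cloud-storage egress.

Added illustration, not SISA code. PROCESS_EVENTS and CONNECTION_EVENTS are
constructed, simplified stand-ins for EDR process-creation events and
proxy/firewall connection logs; hostnames, field names and thresholds are
assumptions.
"""
import fnmatch
from collections import Counter
from datetime import datetime

APPROVED_RCLONE_HOSTS = {"backup-01"}              # assumption: sanctioned backup server
WATCHED_DOMAINS = ["*.wasabisys.com", "*.backblaze.com"]   # patterns from the advisory
EXFIL_TOOLS = {"rclone.exe"}                       # add curl.exe etc. as your policy requires
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
LARGE_BYTES = 500 * 1024 ** 2                      # 500 MB per connection (assumption)
BUSINESS_HOURS = range(7, 20)                      # 07:00-19:59 local (assumption)
CORRELATION_WINDOW_MIN = 15                        # tool launch -> egress (assumption)

PROCESS_EVENTS = [   # constructed EDR process-creation records
    {"ts": "2026-03-10T01:12:00", "host": "wks-finance-17", "user": "j.doe",
     "parent": "powershell.exe", "image": "rclone.exe",
     "cmdline": "rclone.exe copy C:\\Finance remote:bucket"},
    {"ts": "2026-03-10T22:00:00", "host": "backup-01", "user": "svc-backup",
     "parent": "services.exe", "image": "rclone.exe",
     "cmdline": "rclone.exe sync D:\\Backups offsite:nightly"},
    {"ts": "2026-03-10T09:30:00", "host": "wks-finance-17", "user": "j.doe",
     "parent": "explorer.exe", "image": "excel.exe", "cmdline": "excel.exe"},
]
CONNECTION_EVENTS = [   # constructed proxy/firewall records; hostnames are made up
    {"ts": "2026-03-10T01:15:00", "host": "wks-finance-17",
     "dst": "s3.region-x.wasabisys.com", "port": 443, "bytes_out": 2_300_000_000},
    {"ts": "2026-03-10T22:05:00", "host": "backup-01",
     "dst": "f001.backblaze.com", "port": 443, "bytes_out": 40_000_000_000},
    {"ts": "2026-03-10T14:00:00", "host": "wks-hr-03",
     "dst": "api.backblaze.com", "port": 443, "bytes_out": 120_000},
]


def matches_watched(dst):
    """True when the destination host falls under one of the watched domains."""
    return any(fnmatch.fnmatch(dst.lower(), pat) for pat in WATCHED_DOMAINS)


def detect(process_events, connection_events, window_min=CORRELATION_WINDOW_MIN):
    """Return (rule, host, detail) tuples; the last rule correlates both sources."""
    alerts = []
    tool_runs = []   # (host, datetime) of exfil-tool launches, for correlation
    for p in process_events:
        image = p["image"].lower()
        if image not in EXFIL_TOOLS:
            continue
        t = datetime.fromisoformat(p["ts"])
        tool_runs.append((p["host"], t))
        if image == "rclone.exe" and p["host"] not in APPROVED_RCLONE_HOSTS:
            alerts.append(("RCLONE_UNAPPROVED_HOST", p["host"], p["cmdline"]))
        if p["parent"].lower() in SHELL_PARENTS:
            alerts.append(("SHELL_SPAWNED_EXFIL_TOOL", p["host"],
                           f'{p["parent"]} -> {p["image"]}'))
    for c in connection_events:
        # Approved backup hosts are exempt here; baseline their volumes separately.
        if c["host"] in APPROVED_RCLONE_HOSTS or not matches_watched(c["dst"]):
            continue
        t = datetime.fromisoformat(c["ts"])
        alerts.append(("CLOUD_EGRESS_UNAPPROVED", c["host"], c["dst"]))
        if c["bytes_out"] >= LARGE_BYTES and t.hour not in BUSINESS_HOURS:
            alerts.append(("LARGE_OFF_HOURS_EGRESS", c["host"],
                           f'{c["bytes_out"]} bytes to {c["dst"]}'))
        for host, run_t in tool_runs:
            if host == c["host"] and 0 <= (t - run_t).total_seconds() <= window_min * 60:
                alerts.append(("CORRELATED_EXFIL", c["host"],
                               f'tool launched {run_t.isoformat()}, egress to {c["dst"]}'))
                break
    return alerts


def alert_counts(process_events, connection_events):
    """Counts per rule, the shape a SIEM dashboard or test would consume."""
    return dict(Counter(r for r, _, _ in detect(process_events, connection_events)))


if __name__ == "__main__":
    for rule, host, detail in detect(PROCESS_EVENTS, CONNECTION_EVENTS):
        print(f"{rule:26} {host:16} {detail}")
    print(alert_counts(PROCESS_EVENTS, CONNECTION_EVENTS))
```

On the constructed data the finance workstation generates five alerts (unapproved Rclone, shell-spawned Rclone, watched-domain egress, a large off-hours transfer, and the correlated launch-then-egress pair), the HR workstation generates one low-volume watched-domain alert, and the sanctioned backup server generates none despite moving 40 GB to Backblaze overnight. The correlated rule is the one worth paging on; the others are better suited to hunting and to populating the application-control blocklist review.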

Sources & References

  1. Symantec / Carbon Black / Broadcom — Seedworm US network intrusion report (5 March 2026)
  2. Halcyon RRC — Iranian cyber-criminal convergence report including Sicarii analysis
  3. Flashpoint — #OpIsrael NoName057(16) coalition analysis
  4. Unit 42 / Palo Alto Networks — March 2026 Iran escalation threat brief
  5. FBI / NSA — defence contractor advisory on Iranian near-term cyber operations
  6. DHS Critical Incident Note — financial sector priority targeting bulletin (reviewed by CNN, 10 March)
  7. Al Jazeera Digital Investigations
  8. American Banker (Hydro Kitten, Iran bank targeting declaration, 12 March)
  9. The Register (MuddyWater / Seedworm Dindoor analysis)
  10. Help Net Security (Seedworm campaign)
