Wiper Attacks in 2026: Why Data Governance Matters

In 2026, there has been a noticeable rise in wiper attacks. In these damaging incidents, threat actors use a fully destructive tactic that causes maximum havoc to their targets. The question is, why are wiper attacks rising, and should your defences focus just on keeping out the bad guys or on the more fundamental practice of solid data governance?

What Wiper Attacks Actually Do

A wiper is designed to destroy data at scale, not to monetise access or maintain persistence. Technically, this can involve using custom-built binaries deployed inside the target environment. Once executed, these programs carry out destructive routines such as:

  • Recursively overwriting files with random or fixed data blocks.
  • Corrupting file system structures to make recovery difficult.
  • Targeting specific directories, drives, or network shares.
  • In some cases, overwriting disk sectors or partition data.

Unlike ransomware, which preserves data for leverage, wipers are engineered to ensure that data cannot be restored through normal means. The objective is to make data unrecoverable or operationally unusable. Systems themselves aren’t the primary target, but once the underlying data is destroyed, those systems often become non-functional in practice.

Wiper attacks have traditionally been associated with nation-state or state-aligned actors. These groups use wiper attacks to disrupt operations, signal intent, or create downstream economic and operational impact, rather than to generate financial return.

Ransomware groups also increasingly incorporate wipers into their playbooks, using them as an escalation mechanism. This comes either as a threat (“pay or we destroy the data”) or as a follow-through when victims refuse to comply. At the same time, more traditional APT groups have deployed wipers as a form of post-access cleanup, deliberately destroying systems and data after exfiltration to remove forensic evidence, hinder incident response, and complicate attribution.

The Real Driver: Geopolitical Escalation in 2026

The current rise in wiper attacks can’t be understood without looking at the broader escalation between the US and Israel on one side and Iran on the other. The recent attack on US medical device company Stryker, which impacted operations in Cork, Ireland, is a clear example.

The Iran-linked Handala group claimed responsibility, stating that the attack was retaliation for US actions in Iran. Devices were wiped, systems disrupted, and operations affected. In fact, as the Irish Examiner reported, many staff at the company’s facilities still weren’t able to work over a week after the attack.

In the context of an asymmetrical conflict, the use of wipers is entirely predictable. Iran can’t match the US or Israel conventionally, so it leans into tactics that create maximum disruption at relatively low cost. We’ve already seen this play out on the physical side, with targeting of LNG and oil infrastructure across GCC nations. The cyber domain follows the same logic: if you can’t match force, you maximise impact.

Wipers fit that model perfectly. They are fast, visible, and difficult to recover from, ideal for signalling capability and creating downstream operational pressure. Iranian-linked actors have used wipers for over a decade, most notably in campaigns like Shamoon targeting energy infrastructure.

Between 2023 and 2025, newer families such as BiBi, Hamsa, and Hatef moved away from low-level disk destruction and toward faster, file-level wiping, recursively overwriting data across both Windows and Linux environments. Campaigns also began to rely more heavily on legitimate enterprise tooling, including remote monitoring and management (RMM) platforms, to distribute payloads at scale.

But the most significant shift we are now seeing in 2026 is that, rather than deploying wiper malware at all, Iranian-linked operations are increasingly targeting the management plane itself by compromising privileged identities and using built-in administrative functions to trigger destruction. Attackers can issue legitimate wipe or reset commands across entire environments, affecting laptops, servers, and mobile devices simultaneously.

Where to Focus: Data Governance Against Wiper Attacks

When wiper attacks are executed through legitimate management systems, it’s tempting to focus on detection through things like identifying suspicious behaviour, tightening monitoring, or improving alerting.

But in these scenarios, detection has a limited role.

If destructive actions are:

  • initiated through valid credentials,
  • executed via trusted platforms, and
  • indistinguishable from legitimate administrative activity,

then by the time anything is flagged, the impact may already be underway. Perhaps a better place to start is to ask what an attacker can actually reach, and what happens if they do.

This is where data governance becomes a more fundamental control layer. Not in the sense of policies or compliance frameworks alone, but in terms of how data is structured, accessed, and protected across your environment.

Because even when an attacker gains control of a management plane, their impact is still constrained by:

  • What data is accessible from that control point.
  • How systems and datasets are segmented.
  • Whether critical data is isolated or widely exposed.
  • How backups are stored, protected, and separated.

In environments with weak data governance, the picture is familiar:

  • Critical data spread across systems with little classification.
  • Broad access permissions.
  • Backups accessible from the same administrative domain.

In that context, a single compromised identity can translate into organisation-wide data destruction. In more controlled environments, the outcome looks different because high-value datasets are identified and segmented, access to them is tightly scoped, backup systems are isolated and immutable, and destructive actions can’t propagate uniformly across all assets.
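The comparison above can be made concrete by modelling the environment as a graph and asking, for each privileged identity, which datasets it could reach together with every mutable backup copy. The following is an added example, not part of the original article; the inventory, the identity and store names, and the `blast_radius` and `critical_exposure` helpers are all hypothetical, and it assumes a copy flagged immutable cannot be deleted even by an identity that reaches its store.

```python
from collections import deque

# Constructed inventory; every name here is hypothetical.
# Edge A -> B: whoever controls A can wipe, reset or delete B.
CONTROLS = {
    "id:helpdesk": ["mdm"],
    "id:domain-admin": ["mdm", "fileserver", "backup-nas"],
    "id:backup-operator": ["backup-vault"],
    "mdm": ["laptops", "phones"],
    "fileserver": ["finance-share", "design-share"],
    "backup-nas": ["nas-snapshots"],
    "backup-vault": ["vault-copies"],
}

# dataset -> (critical?, primary store, [(backup store, immutable?)])
DATASETS = {
    "finance-ledger": (True, "finance-share", [("nas-snapshots", False)]),
    "cad-designs": (True, "design-share",
                    [("nas-snapshots", False), ("vault-copies", True)]),
    "field-notes": (False, "laptops", []),
}

def reachable(start, graph=CONTROLS):
    """Everything a compromise of `start` can issue destructive actions against."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def blast_radius(identity, datasets=DATASETS, graph=CONTROLS):
    """Split reachable datasets into recoverable (disrupted) and unrecoverable."""
    reach = reachable(identity, graph)
    result = {"disrupted": [], "unrecoverable": []}
    for name, (_, primary, backups) in sorted(datasets.items()):
        if primary not in reach:
            continue  # segmentation keeps this dataset out of reach
        # A copy survives if it is immutable or sits outside the reachable set.
        survives = any(immutable or store not in reach for store, immutable in backups)
        result["disrupted" if survives else "unrecoverable"].append(name)
    return result

def critical_exposure(datasets=DATASETS, graph=CONTROLS):
    """Per identity: critical datasets one compromise would destroy for good."""
    return {node: [d for d in blast_radius(node, datasets, graph)["unrecoverable"]
                   if datasets[d][0]]
            for node in graph if node.startswith("id:")}
```

In this constructed inventory, the domain admin can destroy the finance ledger permanently because its only backup sits in the same administrative domain, while the CAD designs are merely disrupted because an immutable copy exists in a separately administered vault.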

The attack may still occur, but its impact is contained. Detection and response still matter, but getting to the heart of the issue means looking at your data assets and their governance. Fundamentally, data governance is about control over where critical data resides, who can access it, whether it needs encryption, and what can happen to it even when something goes wrong.

Understanding Your Data Environment

Wiper attacks expose what happens when that control is weak or unclear. So, how well do you actually understand and control your data environment?

For many organisations, that’s not easy to answer. Data is distributed across systems, access models evolve over time, and responsibilities are often fragmented. Building a clear, enforceable governance structure requires alignment between business priorities, technical controls, and risk management.

This is where structured GRC becomes critical. At DIESEC, our Governance, Risk and Compliance services are designed to help organisations establish that foundation with expert advice.