DNYUZ

How ‘Handala’ Became the Face of Iran’s Hacker Counterattacks

March 12, 2026

Since the United States and Israel first unleashed a broad campaign of air strikes across Iran in late February, the cybersecurity industry has warned that the country’s retaliatory measures would include punishing, disruptive cyberattacks against Western targets. Late Tuesday night, the first of those attacks arrived in the US: a devastating breach of the medical technology firm Stryker that has reportedly disabled as many as tens of thousands of computers and paralyzed much of the company’s global operations—all carried out by an Iranian hacker group that calls itself Handala.

“We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,” read a statement posted to Handala’s website, referencing both the American Tomahawk missile that killed at least 165 civilians at a girls’ school in Iran and numerous hacking operations that the US and Israel have carried out as part of the two countries’ assaults across Iran. “This is only the beginning of a new era of cyber warfare.”

Even among American cybersecurity researchers who closely track state-sponsored hacking groups, Handala—which takes its name from the well-known Handala character in the political cartoons of Palestinian artist Naji al-Ali—has until now hardly achieved much notoriety. But those who have followed the group’s evolution, particularly in Israel’s cybersecurity industry, say the group is now widely believed to be a front for Iran’s Ministry of Intelligence, or MOIS. They’ve seen the hackers become the most prominent player in a wave of Iranian state cyber operators who pose as hacktivists while seeking to inflict noisy, often politically motivated chaos on adversaries. Handala, or the same group operating under earlier names, has launched data-destroying and hack-and-leak operations for years against targets ranging from the Albanian government to Israeli businesses and political officials.

Now, as Iran’s regime faces an existential threat, its hackers—and Handala in particular—have likely been tasked with using every tool they’ve held in reserve and every foothold they’ve quietly gained inside a Western network to fight back against the US and Israel, says Sergey Shykevich, who leads threat intelligence research at the Tel-Aviv-based cybersecurity firm Check Point. “They’re all in,” Shykevich says. “They’re trying to do whatever they can now to carry out destructive activity.”

Within that effort among Iranian state-sponsored hacking agencies to achieve loud, publicly visible digital retribution, Handala has grown into “probably the most dominant group,” says Shykevich. “They are the main face now.”

Although hacking groups are prone to exaggerate or embellish their successes and the impact of their activity, Handala has publicly claimed more than a dozen, mostly Israeli, victims since the start of the war two weeks ago. The group has “combined the noisy, chaotic playbook of a hacktivist group with the destructive capabilities of a nation-state,” says Justin Moore, a threat intelligence researcher at security firm Palo Alto Networks’ Unit 42 group, calling Handala “a primary cyber-retaliatory arm for the Iranian regime.”

Despite the chaos it has unleashed, Handala’s strategic thinking shouldn’t be overestimated, says Rafe Pilling, director of threat intelligence at cybersecurity firm Sophos’ X-Ops group. Handala appears to be attempting to gain access to organizations quickly and do whatever damage it can in the midst of US and Israeli air strikes that have reportedly hit parts of Iran’s cyber operations. “This doesn’t have the hallmarks of a plan,” Pilling says of Handala’s recent hacking campaign. “It’s likely the group is currently thrashing for targets of opportunity that they can hit in Israel or the US, to demonstrate that they are having some kind of retaliatory effect, but not from any kind of strategic perspective.”

Security researchers first spotted the “Handala” brand being used toward the end of 2023, emerging after the October 7 attacks by Hamas on Israel and the country’s subsequent bombardment of Gaza. When Handala first appeared, says Alexander Leslie, a threat intelligence analyst at security firm Recorded Future, it seemed to have the public persona of a “pro-Palestinian hacktivist” group, but its hacking has been aligned with Iranian interests and linked back to the regime. Publicly, Handala has loudly promoted its claimed hacks on Telegram and X accounts, and has run public websites posting updates on the attacks. It has also relied upon Starlink’s satellite internet connectivity to bypass Iran’s draconian internet blackouts, Forbes recently reported.

Over the past couple of years, Leslie says, Handala has engaged in multiple hack-and-leak operations, publishing details from many of its victims in Israel as a “psychological weapon.” But the group has also used destructive wiper malware to delete victim files, impacting their systems deeply and indicating a more sophisticated presence aimed at causing “real operational pain,” as Leslie puts it. Handala’s operations have been “consistent with Tehran’s broader preference for proxy and cutout architectures that combine deniability with psychological impact,” he says.

In fact, Check Point has found that Handala is just one of several hacktivist fronts that it says—based on connections in the groups’ malware and server infrastructure—all represent a single state-sponsored group of hackers that it calls Void Manticore. Check Point has tracked the origins of the MOIS-linked group, which is also known by other names in the cybersecurity industry, including Red Sandstorm and Cobalt Mystique, as far back as 2022. That year, Microsoft attributed cyberattacks to the group that targeted Albanian government agencies with data-destroying wiper malware. The group, then using the handle Homeland Justice, was apparently motivated by the Iranian regime’s attempt to persuade Albania to not harbor members of an Iranian opposition group, Mojahedin-e-Khalq, based there.

After Hamas’ October 7 attacks and Israel’s retaliatory war in Gaza that killed tens of thousands of people in the territory, Void Manticore appears to have created the Handala sub-group to attack Israeli targets under the mantle of the pro-Palestinian cause. “As long as the bullets and bloodshed in my land do not get tired and the wound is still on the leg, we will stand. #FreePalestine,” read one statement posted to the group’s website.

Handala has posted to its website announcements of what appeared to be ransomware-style extortion operations and hack-and-leak breaches, though the true extent of their intrusions against victims has often been difficult to verify. In some cases, it used repurposed criminal malware like the Rhadamanthys infostealer, but in others it used destructive tools to delete as much data as possible from the networks of victims across the Israeli government and financial industries, using phishing emails and fake security updates to deploy code specimens that included Coolwipe, Chillwipe, and Bibiwiper, named for Israeli prime minister Benjamin Netanyahu. “This combination of a ransomware front, layered with hacktivist branding and state-sponsored tactics, makes them unique among threat-actor groups,” says Ian Gray, a researcher for security firm Flashpoint.

In its most recent high-profile operation prior to the US and Israeli war on Iran, Handala shifted again to hacking and leaking the private phone records of Israeli officials. The hackers claimed to have hacked the iPhones of Netanyahu’s chief of staff, Tzachi Braverman, and former prime minister Naftali Bennett, though some analyses of the breaches suggested that they had actually obtained only their Telegram accounts.

With the outbreak of war, Handala’s hackers may have been partially reassigned to reconnaissance work: The group was one of three Iranian hacker groups that Check Point spotted attempting to exploit vulnerabilities in civilian internet-connected security cameras across the Middle East. Those camera-hacking attempts aligned closely with the timing of the US and Israeli air strikes in Iran and matched geographically with Iran’s counterattacks in countries including Bahrain, the United Arab Emirates, Israel, and even Cyprus, suggesting the hacked cameras were likely intended for surveillance as part of military operations and possibly targeting of missile and drone strikes.

Despite Handala’s opportunistic tactics, the breach of Michigan-based Stryker may be its most impactful operation yet, given the company’s continued struggle on Thursday to return to normal operations. Handala has claimed it attacked the company due to “Zionist” ties, such as the Israeli company Orthospace it acquired in 2019 and a $450 million US military contract last year, as reported by Bloomberg. Stryker did not immediately respond to WIRED’s request for comment.

More likely, Check Point’s Shykevich says, Handala hacked Stryker because it could. “I’m not sure they had a plan,” he says. “Probably they found an opportunity, and now it’s a big win for them.”

With the war in Iran dragging on, Handala is seemingly attempting to find every possible leverage point to sow as much chaos as possible, often announcing a “stern warning” in its public messages or news that will “shake the cyber world.”

As overblown as those claims and warnings have been at times, the haphazard nature of its attacks is little comfort to targets like Stryker. As one of Handala’s posts put it, “control of the game is in our hands.”

The post How ‘Handala’ Became the Face of Iran’s Hacker Counterattacks appeared first on Wired.


DNYUZ © 2026
