TrendPulse

How ‘Handala’ Became the Face of Iran’s Hacker Counterattacks | WIRED

Source: Wired
technology | March 12, 2026

Since the United States and Israel first unleashed a broad campaign of air strikes across Iran in late February, the cybersecurity industry has warned that the country’s retaliatory measures would include punishing, disruptive cyberattacks against Western targets. Late Tuesday night, the first of those attacks arrived in the US: a devastating breach of the medical technology firm Stryker that has reportedly disabled as many as tens of thousands of computers and paralyzed much of the company’s global operations—all carried out by an Iranian hacker group that calls itself Handala.

“We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,” read a statement posted to Handala’s website, referencing both the American Tomahawk missile that killed at least 165 civilians at a girls’ school in Iran and numerous hacking operations that the US and Israel have carried out as part of the two countries’ assaults across Iran. “This is only the beginning of a new era of cyber warfare.”

Even among American cybersecurity researchers who closely track state-sponsored hacking groups, Handala—which takes its name from the well-known Handala character in the political cartoons of Palestinian artist Naji al-Ali—has until now hardly achieved much notoriety. But those who have followed the group’s evolution, particularly in Israel’s cybersecurity industry, say the group is now widely believed to be a front for Iran’s Ministry of Intelligence, or MOIS. They’ve seen the hackers become the most prominent player in a wave of Iranian state cyber operators who pose as hacktivists while seeking to inflict noisy, often politically motivated chaos on adversaries.

Handala, or the same group operating under earlier names, has launched data-destroying and hack-and-leak operations for years against targets ranging from the Albanian government to Israeli businesses and political officials. Now, as Iran’s regime faces an existential threat, its hackers—and Handala in particular—have likely been tasked with using every tool they’ve held in reserve and every foothold they’ve quietly gained inside a Western network to fight back against the US and Israel, says Sergey Shykevich, who leads threat intelligence research at the Tel-Aviv-based cybersecurity firm Check Point.

“They’re all in,” Shykevich says. “They’re trying to do whatever they can now to carry out destructive activity.” Within that effort among Iranian state-sponsored hacking agencies to achieve loud, publicly visible digital retribution, Handala has grown into “probably the most dominant group,” says Shykevich. “They are the main face now.”

Although hacking groups are prone to exaggerate or embellish their successes and the impact of their activity, Handala has publicly claimed more than a dozen, mostly Israeli, victims since the start of the war two weeks ago. The group has “combined the noisy, chaotic playbook of a hacktivist group with the destructive capabilities of a nation-state,” says Justin Moore, a threat intelligence researcher at security firm Palo Alto Networks’ Unit 42 group, calling Handala “a primary cyber-retaliatory arm for the Iranian regime.”

Despite the chaos it has unleashed, Handala’s strategic thinking shouldn’t be overestimated, says Rafe Pilling, director of threat intelligence at cybersecurity firm Sophos’ X-Ops group. Handala appears to be attempting to gain access to organizations quickly and do whatever damage it can in the midst of US and Israeli air strikes that have reportedly hit parts of Iran’s cyber operations. “This doesn’t have the hallmarks of a plan,” Pilling says of Handala’s recent hacking campaign. “It’s likely the group is currently thrashing for targets of opportunity that they can hit in Israel or the US, to demonstrate that they are having some kind of retaliatory effect, but not from any kind of strategic perspective.”

Security researchers first spotted the “Handala” brand being used toward the end of 2023, emerging after the October 7 attacks by Hamas on Israel and the country’s subsequent bombardment of Gaza. When Handala first appeared, says Alexander Leslie, a threat intelligence analyst at security firm Recorded Future, it seemed to have the public persona of a “pro-Palestinian hacktivist” group, but its hacking has been aligned with Iranian interests and linked back to the regime.

Publicly, Handala has loudly promoted its claimed hacks on Telegram and X accounts, and has run public websites posting updates on the attacks. It has also relied upon Starlink’s satellite internet connectivity to bypass Iran’s draconian internet blackouts, Forbes recently reported.

Over the past couple of years, Leslie says, Handala has engaged in multiple hack-and-leak operations, publishing details fro
