How ‘Handala’ Became the Face of Iran’s Hacker Counterattacks

The United States and Israel first launched a broad campaign of airstrikes on Iran in late February. The cybersecurity industry has warned that the country’s retaliatory measures will include punitive and disruptive cyberattacks against Western targets. Late Tuesday night, the first of these attacks arrived in the United States: a devastating breach of medical technology company Stryker that reportedly disabled up to tens of thousands of computers and crippled much of the company’s global operations, all carried out by an Iranian hacking group calling itself Handala.
“We announce to the world that in retaliation for the brutal attack on the Minab school and in response to ongoing cyberattacks against the infrastructure of the Axis of Resistance, our major cyber operation was executed with complete success,” read a statement on Handala’s website, referring to both the US Tomahawk missile that killed at least 165 civilians at a girls’ school in Iran and the numerous hacking operations carried out by the US and Israel as part of the two countries’ assaults across Iran. “This is just the beginning of a new era of cyberwarfare.”
Even among U.S. cybersecurity researchers who closely track state-sponsored hacking groups, Handala — which takes its name from the famous character Handala in Palestinian artist Naji al-Ali’s political cartoons — has so far gained little notoriety. But those who have followed the group’s evolution, particularly in Israel’s cybersecurity sector, say the group is now widely seen as a front for Iran’s Ministry of Intelligence, or MOIS. They have watched the group emerge as the most prominent player in a wave of Iranian state cyber operators who pose as hacktivists while seeking to inflict noisy, often politically motivated mayhem on their adversaries. Handala, or the same group operating under previous names, has for years launched data destruction and hack-and-leak operations against targets ranging from the Albanian government to Israeli businesses and politicians.
Today, as the Iranian regime faces an existential threat, its hackers — and Handala in particular — have likely been tasked with using every tool they have in reserve and every foothold they have quietly taken within a Western network to strike back against the United States and Israel, says Sergey Shykevich, who directs threat intelligence research at the Tel Aviv-based cybersecurity firm Check Point. “They’re all in,” Shykevich says. “They are now trying to do everything they can to carry out destructive activities.”
As part of this effort by Iranian state-sponsored hacking agencies to achieve loud, publicly visible digital retaliation, Handala has become “probably the most dominant group,” Shykevich says. “They are now the main face.”
Although hacker groups tend to exaggerate or embellish their successes and the impact of their activities, Handala has publicly claimed more than a dozen victims, most of them Israeli, since the war began two weeks ago. The group has “combined the loud and chaotic playbook of a hacktivist group with the destructive capabilities of a nation-state,” says Justin Moore, a threat intelligence researcher with the Unit 42 group at security firm Palo Alto Networks, calling Handala “the primary cyber-retaliatory weapon for the Iranian regime.”
Despite the chaos it has unleashed, Handala’s strategic thinking should not be overstated, says Rafe Pilling, director of threat intelligence in the X-Ops group at cybersecurity firm Sophos. Handala appears to be trying to quickly gain access to organizations and cause whatever damage it can amid US and Israeli airstrikes that have reportedly hit parts of Iran’s cyber operations. “It doesn’t have the makings of a plan,” Pilling says of Handala’s recent hacking campaign. “It is likely that the group is currently scrambling to find targets of opportunity that it could hit in Israel or the United States, in order to demonstrate that it is exerting some sort of retaliatory effect, but not from a strategic perspective.”