Iran-linked Threat Group Handala Actively Targets Israel

Iran-linked threat actors have become increasingly active in 2024, but one such group has so far gone relatively unnoticed.

Handala has landed on our radar twice this year, in a hack of Zerto in June and a mass text campaign sent to Israeli citizens in April. The pro-Palestinian group has recently stepped up its campaign in actions documented by cybersecurity researcher Kevin Beaumont in a blog post and a long-running thread on Mastodon.

Handala’s most dramatic claim – that they’ve discovered a backdoor in widely used Vidisco security scanners that allowed explosives used in pager attacks in Lebanon last month to go undetected – remains unconfirmed, but Beaumont said he has confirmed that a breach of Vidisco did occur.

“I have confirmed with sources that the hack of Vidisco is real,” Beaumont wrote on Sept. 23. “They have a significant cybersecurity incident running, which includes data exfiltration.”

Handala claimed that they also breached Israeli Industrial Batteries (IIB) and that contaminated IIB materials were also used in the pager attack, but Beaumont said he hasn’t seen evidence for that claim either.

“As far as I’m aware there is nothing linking either Vidisco or IIB to battery attacks — however it is clear Handala have gained access to Vidisco’s network,” he wrote.

Handala has previously been linked to Iran, and Beaumont confirmed that connection, noting, “their prior web domains had early network traffic originating from Iranian IP addresses. Their talking points in their writing overlap with Iran government talking points.”

The group has also defaced websites and claims to have hacked Israeli politicians Gabi Ashkenazi, Benny Gantz, Ehud Barak and Ron Prosor, and Israel’s Soreq Nuclear Research Center.

Emma Best, co-founder of Distributed Denial of Secrets, noted that “a good bit of their data is years old/recycled. They also seem to be tied to Iranian intelligence and share significant but not wholly unique markers with ‘Anonymous For Justice’, which recently went silent.”

Handala’s post on Soreq two days ago referenced the recent assassination of Hezbollah leader Hassan Nasrallah (source: Kevin Beaumont):

While Handala’s claims have gone largely unnoticed and uncorroborated, the threat group’s websites, social media and Telegram accounts have been repeatedly taken down quickly.

Iran’s Growing Cyber Campaigns

Iran has recently stepped up its cyberattacks and influence campaigns heading into the U.S. presidential election, including a high-profile breach and data exfiltration of the Trump campaign, data that has so far gone unpublished by U.S. news media – in contrast to the widespread publication of Democratic National Committee emails stolen by Russian hackers in 2016.

Iranian threat actors have also targeted critical infrastructure in the U.S. and elsewhere, and Iran has also become a target of attacks, including an attack on the country’s banking system in mid-August.

Russia and China have also been active in cyber threats and influence operations heading into the U.S. elections, and the campaign of Vice President Kamala Harris has also been targeted.

Despite the significant cyber threats, U.S. cyber and national security officials say election infrastructure is secure, and the bigger threat is disinformation – a view confirmed by Cyble threat intelligence researchers in an exhaustive look at the U.S. election and related dark web activity.