Since the United States and Israel first unleashed a broad campaign of air strikes across Iran in late February, the cybersecurity industry has warned that the country’s retaliatory measures would include punishing, disruptive cyberattacks against Western targets. Late Tuesday night, the first of those attacks arrived in the US: a devastating breach of the medical technology firm Stryker that has reportedly disabled as many as tens of thousands of computers and paralyzed much of the company’s global operations—all carried out by an Iranian hacker group that calls itself Handala.
“We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,” read a statement posted to Handala’s website, referencing both the American Tomahawk missile that killed at least 165 civilians at a girls’ school in Iran and numerous hacking operations that the US and Israel have carried out as part of the two countries’ assaults across Iran. “This is only the beginning of a new era of cyber warfare.”
Even among American cybersecurity researchers who closely track state-sponsored hacking groups, Handala—which takes its name from the well-known Handala character in the political cartoons of Palestinian artist Naji al-Ali—has until now hardly achieved much notoriety. But those who have followed the group’s evolution, particularly in Israel’s cybersecurity industry, say the group is now widely believed to be a front for Iran’s Ministry of Intelligence, or MOIS. They’ve seen the hackers become the most prominent player in a wave of Iranian state cyber operators who pose as hacktivists while seeking to inflict noisy, often politically motivated chaos on adversaries. Handala, or the same group operating under earlier names, has launched data-destroying and hack-and-leak operations for years against targets ranging from the Albanian government to Israeli businesses and political officials.
Now, as Iran’s regime faces an existential threat, its hackers—and Handala in particular—have likely been tasked with using every tool they’ve held in reserve and every foothold they’ve quietly gained inside a Western network to fight back against the US and Israel, says Sergey Shykevich, who leads threat intelligence research at the Tel Aviv-based cybersecurity firm Check Point. “They’re all in,” Shykevich says. “They’re trying to do whatever they can now to carry out destructive activity.”
Within that effort among Iranian state-sponsored hacking agencies to achieve loud, publicly visible digital retribution, Handala has grown into “probably the most dominant group,” says Shykevich. “They are the main face now.”
Although hacking groups are prone to exaggerate or embellish their successes and the impact of their activity, Handala has publicly claimed more than a dozen, mostly Israeli, victims since the start of the war two weeks ago. The group has “combined the noisy, chaotic playbook of a hacktivist group with the destructive capabilities of a nation-state,” says Justin Moore, a threat intelligence researcher at security firm Palo Alto Networks’ Unit 42 group, calling Handala “a primary cyber-retaliatory arm for the Iranian regime.”
Despite the chaos it has unleashed, Handala’s strategic thinking shouldn’t be overestimated, says Rafe Pilling, director of threat intelligence at cybersecurity firm Sophos’ X-Ops group. Handala appears to be attempting to gain access to organizations quickly and do whatever damage it can in the midst of US and Israeli air strikes that have reportedly hit parts of Iran’s cyber operations. “This doesn’t have the hallmarks of a plan,” Pilling says of Handala’s recent hacking campaign. “It’s likely the group is currently thrashing for targets of opportunity that they can hit in Israel or the US, to demonstrate that they are having some kind of retaliatory effect, but not from any kind of strategic perspective.”