Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack

Recently, threat actors linked to Iran managed to gain unauthorized access to the personal email account of Kash Patel, the director of the U.S. Federal Bureau of Investigation (FBI). They proceeded to leak a collection of photos and documents from his account onto the internet.

The group behind the breach, Handala Hack Team, claimed responsibility for the incident and stated that Patel’s name would now be added to the list of their successful hacking victims. The FBI confirmed the targeting of Patel’s emails and assured that steps have been taken to mitigate any potential risks associated with the breach.

The FBI clarified that the leaked data was historical and did not contain any government-related information. The compromised emails dated from 2010 to 2019 and were allegedly sent by Patel.

Handala Hack is identified as a pro-Iranian and pro-Palestinian hacktivist group associated with Iran’s Ministry of Intelligence and Security (MOIS). The cybersecurity community has been tracking their activities under various aliases such as Banished Kitten, Cobalt Mystique, Red Sandstorm, and Void Manticore. The group has also been operating under the persona of Homeland Justice to target Albanian entities since mid-2022.

Another persona connected to the MOIS-affiliated adversary is Karma, which is believed to have been mostly replaced by Handala Hack since late 2023.

Research conducted by StealthMole has revealed that Handala’s activities extend beyond messaging platforms and cybercrime forums. They maintain a complex infrastructure comprising surface web domains, Tor-hosted services, and external file-hosting platforms like MEGA.

According to a report by Check Point, Handala has been consistently targeting IT and service providers to obtain credentials, primarily relying on compromised VPN accounts for initial access. The group has made numerous logon and brute-force attempts against organizational VPN infrastructure in recent months.
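The brute-force activity against VPN infrastructure described above is the kind of pattern a defender can catch early in authentication logs. The following detector is an added example, not code from Check Point, Handala-related reporting, or any VPN vendor; the log format, field names (`auth-fail`, `auth-ok`, `user=`, `src=`) and the sample lines are constructed for this illustration. It flags a source address that crosses a failure threshold inside a sliding time window, notes when those failures span many accounts (a spraying pattern rather than guessing one password), and separately flags a successful logon from a source that had just crossed the threshold, which is the session an analyst should review first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a generic syslog-like format; they are not
# from any real VPN appliance and the field names are this example's own.
SAMPLE_LOGS = """\
2024-06-01T08:00:01Z vpn-gw auth-fail user=jsmith src=203.0.113.10
2024-06-01T08:00:03Z vpn-gw auth-fail user=admin src=203.0.113.10
2024-06-01T08:00:05Z vpn-gw auth-fail user=vpnuser src=203.0.113.10
2024-06-01T08:00:09Z vpn-gw auth-fail user=jsmith src=203.0.113.10
2024-06-01T08:00:12Z vpn-gw auth-fail user=backup src=203.0.113.10
2024-06-01T08:00:20Z vpn-gw auth-fail user=jsmith src=203.0.113.10
2024-06-01T08:01:40Z vpn-gw auth-ok user=jsmith src=203.0.113.10
2024-06-01T08:02:00Z vpn-gw auth-fail user=mlee src=198.51.100.7
2024-06-01T08:02:30Z vpn-gw auth-ok user=mlee src=198.51.100.7
2024-06-01T08:03:00Z vpn-gw auth-ok user=rpatel src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw (?P<event>auth-fail|auth-ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, event, user, src), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("event"), m.group("user"), m.group("src")


def detect_vpn_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logons inside a sliding window.

    Returns a list of alert dicts of two kinds:
      - "brute_force": the failure threshold was crossed; a distinct_users
        value above 1 points at password spraying across accounts.
      - "success_after_failures": a successful logon from a source whose
        recent failures still meet the threshold, i.e. a credential may
        have been guessed and that session deserves immediate review.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])  # process in time order

    failures = defaultdict(deque)    # src -> timestamps of failures in window
    failed_users = defaultdict(set)  # src -> accounts tried so far (not windowed)
    flagged = set()                  # sources already reported as brute force
    alerts = []

    for ts, event, user, src in events:
        recent = failures[src]
        while recent and ts - recent[0] > window:  # drop failures outside window
            recent.popleft()
        if event == "auth-fail":
            recent.append(ts)
            failed_users[src].add(user)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({
                    "kind": "brute_force",
                    "src": src,
                    "failures": len(recent),
                    "distinct_users": len(failed_users[src]),
                    "first_seen": recent[0],
                    "last_seen": ts,
                })
        elif event == "auth-ok" and len(recent) >= threshold:
            alerts.append({
                "kind": "success_after_failures",
                "src": src,
                "user": user,
                "failures": len(recent),
                "at": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_vpn_bruteforce(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample, 203.0.113.10 trips the threshold on its fifth failure (four different accounts tried), and its later successful logon as `jsmith` is raised as a separate, higher-priority alert; 198.51.100.7, with a single failure before success, stays silent. The threshold and window are the two knobs to tune against a real appliance's baseline, and the per-source failure deque keeps memory bounded even on busy gateways.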

Handala Hack’s operations are known to utilize RDP for lateral movement and deploy destructive wiper malware families like Handala Wiper and Handala PowerShell Wiper via Group Policy logon scripts. They also utilize legitimate disk encryption tools like VeraCrypt to hinder recovery efforts.

Unlike financially motivated cybercriminal groups, Handala-associated activities focus on disruption, psychological impact, and geopolitical signaling. Their operations often coincide with periods of heightened geopolitical tensions and target organizations of symbolic or strategic value, as highlighted by Flashpoint.

The recent developments in the U.S.-Israel-Iran conflict have prompted Iran to launch retaliatory cyber offensives against Western targets. Handala Hack claimed responsibility for a significant attack on the networks of medical devices and services provider Stryker, resulting in the deletion of crucial company data and wiping of thousands of employee devices.

In response to the attack, Stryker swiftly contained the incident by removing the unauthorized party from their environment and dismantling the installed persistence mechanisms. The breach was confined to their internal Microsoft environment, as indicated by Stryker.

Palo Alto Networks Unit 42 suggested that recent destructive operations by Handala Hack likely involved exploiting identity through phishing and gaining administrative access via Microsoft Intune. Compromised credentials associated with Microsoft infrastructure obtained through infostealer malware were potentially used in the attack, according to Hudson Rock.

In light of the breach, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) have issued guidelines on strengthening Windows domains and fortifying Intune to defend against similar attacks. These recommendations include implementing the principle of least privilege, enforcing phishing-resistant multi-factor authentication, and enabling multi-admin approval in Intune for sensitive changes.

The attack on Stryker has been characterized as a concerning shift in supply chain threats, with state-linked cyber activities targeting critical suppliers and logistics providers posing risks to the entire healthcare ecosystem, as highlighted by Flashpoint.

Handala Hack’s exposure of Patel’s personal emails was a retaliatory move following a court-authorized operation that resulted in the seizure of four domains operated by MOIS since 2022. The U.S. government has offered a $10 million reward for information on members of the group. The seized domains were utilized by MOIS for malicious activities, including psychological operations, data theft, and threatening journalists and dissidents.

  • justicehomeland.org
  • handala-hack.to
  • karmabelow80.org
  • handala-redwanted.to

The U.S. Department of Justice (DoJ) highlighted that the seized domains were used by MOIS to engage in psychological operations, post stolen data, and issue threats against adversaries of the regime. The activities included targeting individuals associated with the Israeli Defense Force (IDF) and Israeli government, as well as members of the Sanzer Hasidic Jewish community.

The FBI revealed that Handala Hack and other MOIS cyber actors have used social engineering tactics to distribute Windows malware via social messaging applications. The malware enabled remote access and resulted in intelligence collection, data leaks, and reputational harm to targeted individuals.

Handala Hack has reemerged on a different clearnet domain, “handala-team.to,” denouncing the domain seizures as desperate attempts by the U.S. and its allies to suppress their activities.

The ongoing conflict has raised concerns about the vulnerability of critical infrastructure operators to cyber threats. The surge in DDoS attacks, website defacements, and hack-and-leak operations against Israel and Western organizations has been attributed to hacktivist entities aiming to instill fear and confusion.

A new cybercriminal group called Nasir Security has been targeting the energy sector in the Middle East, focusing on supply chain vendors involved in engineering, safety, and construction. The attacks are believed to be orchestrated by individuals hired or sponsored by Iran or its proxies.

As the conflict escalates, cyber activities associated with it are becoming more destructive and decentralized. The integration of criminal tools by MOIS-linked actors has enhanced their operational capabilities while complicating attribution, leading to confusion and misattribution in threat analysis.

It is imperative for organizations to remain vigilant and implement robust security measures to safeguard against evolving cyber threats in the current geopolitical landscape.