Threat actors with ties to Iran successfully broke into the personal email account of Kash Patel, the director of the U.S. Federal Bureau of Investigation (FBI), and leaked a cache of photos and other documents online.
Handala Hack Team, which carried out the breach, said on its website that Patel “will now find his name among the list of successfully hacked victims.” In a statement shared with Reuters, the FBI confirmed Patel’s emails had been targeted, and noted that the necessary steps have been taken to “mitigate potential risks associated with this activity.”
The agency also said the published data was “historical in nature and involves no government information.” The leak includes emails from 2010 and 2019 allegedly sent by Patel.
Handala Hack is assessed to be a pro-Iranian, pro-Palestinian hacktivist persona adopted by Iran’s Ministry of Intelligence and Security (MOIS). It is tracked by the cybersecurity community under the monikers Banished Kitten, Cobalt Mystique, Crimson Sandstorm, and Void Manticore, and the group has also operated another persona called Homeland Justice to target Albanian entities since mid-2022.
A third persona linked to the MOIS-affiliated adversary is Karma, which is said to have likely been fully replaced by Handala Hack since late 2023.
Data gathered by StealthMole has revealed that Handala’s online presence extends beyond the messaging platforms and cybercrime forums like BreachForums it uses to publicize its actions, with the group maintaining a layered infrastructure that includes surface web domains, Tor-hosted services, and external file-hosting platforms such as MEGA.
“Handala has consistently targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access,” Check Point said in a report published this month. “Throughout the last months, we identified hundreds of logon and brute-force attempts against organizational VPN infrastructure linked to Handala-associated infrastructure.”
Attacks mounted by the proxy group are known to leverage RDP for lateral movement and initiate destructive operations by dropping wiper malware families such as Handala Wiper and Handala PowerShell Wiper via Group Policy logon scripts. Also used are legitimate disk encryption utilities like VeraCrypt to complicate recovery efforts.
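The VPN logon and brute-force activity Check Point describes is the earliest point at which this intrusion chain is visible to a defender. As an added example (not code from the article, Check Point, or any other vendor cited here), the following Python script runs three sliding-window detections over a handful of constructed VPN authentication log lines: repeated failures from one source, failures spread across many accounts from one source (password spraying), and, most importantly, a success that follows a burst of failures, which is what a successfully compromised VPN account looks like in the log. The log format, source addresses, account names and every threshold are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a generic syslog-like shape invented for this example;
# real VPN gateways log in their own formats, so LINE_RE must be adapted to them.
SAMPLE_LOG = """\
2025-03-01T08:00:01Z vpn-gw auth user=alice src=203.0.113.10 result=FAIL
2025-03-01T08:00:03Z vpn-gw auth user=bob src=203.0.113.10 result=FAIL
2025-03-01T08:00:05Z vpn-gw auth user=carol src=203.0.113.10 result=FAIL
2025-03-01T08:00:07Z vpn-gw auth user=dave src=203.0.113.10 result=FAIL
2025-03-01T08:00:09Z vpn-gw auth user=erin src=203.0.113.10 result=FAIL
2025-03-01T08:00:11Z vpn-gw auth user=erin src=203.0.113.10 result=SUCCESS
2025-03-01T08:05:00Z vpn-gw auth user=frank src=198.51.100.7 result=FAIL
2025-03-01T08:06:00Z vpn-gw auth user=frank src=198.51.100.7 result=SUCCESS
2025-03-01T09:00:00Z vpn-gw auth user=grace src=192.0.2.44 result=FAIL
2025-03-01T09:00:30Z vpn-gw auth user=grace src=192.0.2.44 result=FAIL
2025-03-01T09:01:00Z vpn-gw auth user=grace src=192.0.2.44 result=FAIL
2025-03-01T09:01:30Z vpn-gw auth user=grace src=192.0.2.44 result=FAIL
2025-03-01T09:02:00Z vpn-gw auth user=grace src=192.0.2.44 result=FAIL
2025-03-01T09:02:30Z vpn-gw auth user=grace src=192.0.2.44 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Thresholds are assumptions for the example; tune them to the gateway's normal baseline.
WINDOW = timedelta(minutes=10)   # sliding window kept per source address
FAIL_THRESHOLD = 5               # failures inside WINDOW from one source -> brute force
SPRAY_USERS = 4                  # distinct accounts failed from one source -> spray
SUCCESS_AFTER = 3                # prior failures before a success -> likely compromise


def parse(lines):
    """Turn raw lines into (timestamp, user, src, succeeded) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than crash on noise
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"], m["result"] == "SUCCESS"))
    events.sort()
    return events


def detect(events):
    """Return findings as (rule, src, user, count); each (rule, src) pair fires once."""
    findings = []
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures inside WINDOW
    fired = set()
    for ts, user, src, ok in events:
        q = recent[src]
        while q and ts - q[0][0] > WINDOW:
            q.popleft()  # expire failures that fell out of the window
        if ok:
            # A success from a source that was just failing repeatedly is the
            # highest-value signal: the brute force or spray probably worked.
            if len(q) >= SUCCESS_AFTER and ("success_after_failures", src) not in fired:
                findings.append(("success_after_failures", src, user, len(q)))
                fired.add(("success_after_failures", src))
            continue
        q.append((ts, user))
        if len(q) >= FAIL_THRESHOLD and ("brute_force", src) not in fired:
            findings.append(("brute_force", src, None, len(q)))
            fired.add(("brute_force", src))
        distinct = {u for _, u in q}
        if len(distinct) >= SPRAY_USERS and ("password_spray", src) not in fired:
            findings.append(("password_spray", src, None, len(distinct)))
            fired.add(("password_spray", src))
    return findings


if __name__ == "__main__":
    for rule, src, user, count in detect(parse(SAMPLE_LOG.splitlines())):
        print(f"{rule:24} src={src:14} user={user or '-':8} count={count}")
```

On the sample, 203.0.113.10 trips all three rules (the spray across five accounts ends in a success for erin), 192.0.2.44 trips only the brute-force rule, and frank's single typo followed by a success stays silent. The same windowing applies unchanged to the RDP stage the paragraph above describes: feed it Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10, keyed on the source workstation, and a success-after-failures hit against a server is the lateral movement attempt.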
“Unlike financially motivated cybercriminal groups, Handala-associated activity has historically emphasized disruption, psychological impact, and geopolitical signaling,” Flashpoint said. “Operations attributed to the persona frequently align with periods of heightened geopolitical tension and often target organizations with symbolic or strategic value.”
The development comes against the backdrop of the U.S.-Israel-Iran conflict, which has prompted Iran to go on a retaliatory cyber offensive against Western targets. Notably, Handala Hack claimed credit for crippling the networks of medical devices and services provider Stryker by deleting a huge trove of company data and wiping thousands of employee devices. The attack is the first confirmed destructive wiper operation targeting a U.S. Fortune 500 company.
In an update issued on its website this week, Stryker said “the incident is contained,” adding that it “reacted quickly to not only regain access but to remove the unauthorized party from our environment” by dismantling the persistence mechanisms that had been installed. The breach, it said, was confined to its internal Microsoft environment.
The threat actors were found to use a malicious file to run commands that allowed them to hide their actions. However, the file does not possess any capability to spread across the network, Stryker pointed out.
Palo Alto Networks Unit 42 said the primary vector for the recent destructive operations from Handala Hack likely involves the “exploitation of identity through phishing and administrative access through Microsoft Intune.” Hudson Rock has found evidence that compromised credentials associated with Microsoft infrastructure, obtained via infostealer malware, may have been used to pull off the hack.
In the wake of the breach, both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) have released guidance on hardening Windows domains and fortifying Intune to defend against similar attacks. This includes applying the principle of least privilege, enforcing phishing-resistant multi-factor authentication (MFA), and enabling multi-admin approval in Intune for sensitive changes.
Flashpoint has characterized the attack on Stryker as a dangerous shift in supply chain threats, as state-linked cyber activity targeting critical suppliers and logistics providers can have cascading impacts across the entire healthcare ecosystem.
Handala Hack’s leak of Patel’s personal emails comes in response to a court-authorized operation that led to the seizure of four domains operated by MOIS since 2022 as part of an effort to disrupt its malicious activities in cyberspace. The U.S. government is also offering a $10 million reward for information on members of the group. The names of the seized domains are listed below:
- justicehomeland[.]org
- handala-hack[.]to
- karmabelow80[.]org
- handala-redwanted[.]to
“The seized domains […] were used by the MOIS in furtherance of attempted psychological operations targeting adversaries of the regime by claiming credit for hacking activity, posting sensitive data stolen during such hacks, and calling for the killing of journalists, regime dissidents, and Israeli persons,” the U.S. Department of Justice (DoJ) said.
This included the names and sensitive information of about 190 individuals associated with or employed by the Israel Defense Forces (IDF) and/or the Israeli government, and 851 GB of confidential data from members of the Sanzer Hasidic Jewish community. In addition, an email address linked to the group (“handala_team@outlook[.]com”) is said to have been used to send death threats to Iranian dissidents and journalists living in the U.S. and elsewhere.
In a separate advisory, the FBI revealed that Handala Hack and other MOIS cyber actors have employed social engineering tactics to engage with potential victims on social messaging applications and deliver Windows malware capable of enabling persistent remote access through a Telegram bot, masquerading the first-stage payload as commonly used programs like Pictory, KeePass, Telegram, or WhatsApp.
Using Telegram (or other legitimate services) as C2 is a common tactic among threat actors to hide malicious activity within normal network traffic and significantly reduce the likelihood of detection. Related malware artifacts found on compromised devices have revealed added capabilities to record audio and the screen while a Zoom session was active. The attacks have targeted dissidents, opposition groups, and journalists, per the FBI.
“MOIS cyber actors are responsible for using Telegram as a command-and-control (C2) infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world,” the bureau said. “This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties.”
Handala Hack has since resurfaced on a different clearnet domain, “handala-team[.]to,” where it described the domain seizures as “desperate attempts by the United States and its allies to silence the voice of Handala.”
The ongoing conflict has also prompted fresh warnings that it risks turning critical infrastructure sector operators into lucrative targets, even as it has triggered a surge in DDoS attacks, website defacements, and hack-and-leak operations against Israeli and Western organizations. Hacktivist entities have also engaged in psychological and influence operations with the aim of sowing fear and confusion among the targeted populations.
In recent weeks, a relatively new cybercriminal group called Nasir Security has been observed targeting the energy sector in the Middle East. “The group is attacking supply chain vendors involved in engineering, safety, and construction,” Resecurity said. “The supply chain attacks attributed to Nasir Security are likely carried out by cyber-mercenaries or individuals hired or sponsored by Iran or its proxies.”
“The cyber activity tied to this conflict is becoming increasingly decentralized and destructive,” Kathryn Raines, cyber threat intelligence team lead for National Security Solutions at Flashpoint, said in a statement.
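The two FBI observations above (a first-stage payload named after KeePass, Telegram, WhatsApp or Pictory, and a Telegram bot used as the C2 channel) combine into a host-level detection that is stronger than either signal alone. The following Python script is an added example, not the FBI's or any vendor's code, that applies that logic to simplified, constructed Sysmon-style process-creation and network-connection events: a process named like one of the impersonated applications but unsigned or running from a user-writable scratch directory is flagged as a masquerade, and a connection to the Telegram Bot API host from anything other than a browser or a trusted Telegram client is flagged as a C2 candidate, with the finding marked as correlated when the same PID was already flagged as a masquerade. The event shape, paths, PIDs, hosts, the untrusted-directory list and the browser allowlist are all assumptions for the example.

```python
import json
from pathlib import PureWindowsPath

# Constructed events loosely modelled on Sysmon Event ID 1 (process create) and
# Event ID 3 (network connect); every path, PID and host here is invented.
# 203.0.113.77 stands in for a Telegram data-centre address the real client talks to.
SAMPLE_EVENTS = r"""
{"event": "process_create", "pid": 4120, "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\KeePass.exe", "signed": false}
{"event": "process_create", "pid": 2210, "image": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", "signed": true}
{"event": "process_create", "pid": 3001, "image": "C:\\Users\\ana\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "signed": true}
{"event": "network_connect", "pid": 4120, "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\KeePass.exe", "dest_host": "api.telegram.org", "dest_port": 443}
{"event": "network_connect", "pid": 3001, "image": "C:\\Users\\ana\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "dest_host": "203.0.113.77", "dest_port": 443}
{"event": "network_connect", "pid": 5555, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_host": "api.telegram.org", "dest_port": 443}
{"event": "network_connect", "pid": 6100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_host": "api.telegram.org", "dest_port": 443}
"""

# The impersonated program names come from the FBI advisory; the directory list and
# the browser allowlist are assumptions for this example and should be tuned per fleet.
IMPERSONATED = {"pictory.exe", "keepass.exe", "telegram.exe", "whatsapp.exe"}
UNTRUSTED_DIRS = {"temp", "downloads", "public", "programdata"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
BOT_API_HOST = "api.telegram.org"  # endpoint a Telegram-bot C2 channel must reach


def parse(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def untrusted_location(image):
    """True if any path component is a directory a real install would not live in."""
    return bool({p.lower() for p in PureWindowsPath(image).parts} & UNTRUSTED_DIRS)


def detect(events):
    """Return a list of finding dicts in the order the events were seen."""
    findings = []
    masquerading = set()  # PIDs already flagged by the process-create rule
    for ev in events:
        name = PureWindowsPath(ev["image"]).name.lower()
        if ev["event"] == "process_create":
            # Rule 1: a binary named like a trusted app but unsigned, or running from a
            # user-writable scratch directory, is the masquerade itself.
            if name in IMPERSONATED and (untrusted_location(ev["image"])
                                         or not ev.get("signed", False)):
                masquerading.add(ev["pid"])
                findings.append({"rule": "masquerading_binary", "pid": ev["pid"],
                                 "image": ev["image"], "correlated": False})
        elif ev["event"] == "network_connect":
            # Rule 2: the Bot API host contacted by anything other than a browser or a
            # Telegram client that was not itself flagged. A flagged masquerade reaching
            # it is the strongest combined signal, so the finding records the correlation.
            if (ev["dest_host"].lower() == BOT_API_HOST
                    and name not in BROWSERS
                    and (name != "telegram.exe" or ev["pid"] in masquerading)):
                findings.append({"rule": "telegram_bot_api_from_unexpected_process",
                                 "pid": ev["pid"], "image": ev["image"],
                                 "correlated": ev["pid"] in masquerading})
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_EVENTS)):
        print(f"{f['rule']:40} pid={f['pid']:<6} correlated={f['correlated']} {f['image']}")
```

On the sample, the KeePass.exe dropped into Temp is flagged twice (once as a masquerade, once for reaching the Bot API, correlated), the PowerShell connection is flagged uncorrelated, and the properly installed KeePass, the real Telegram client talking to its data centre, and the browser all stay quiet. The browser allowlist is the main source of misses, since a payload could also be launched through a browser process, so in production this rule belongs alongside, not instead of, a rule on the process tree and on signer identity rather than a simple signed flag.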
“Groups like Handala and Fatimion are targeting private-sector organizations with attacks designed to erase data, disrupt services, and introduce uncertainty for both businesses and the public. At the same time, we’re seeing a greater use of legitimate administrative tools in these cyber operations, making it significantly harder for traditional security controls to detect.”
That’s not all. MOIS-linked actors have been increasingly engaging with the cybercrime ecosystem to support their objectives and provide cover for their malicious activity. This includes Handala’s integration of the Rhadamanthys stealer into its operations and MuddyWater’s use of the Tsundere botnet (aka Dindoor) and Fakeset, the latter of which is a downloader used to deliver CastleLoader.
“Such engagement offers a dual advantage: it enhances operational capabilities through access to mature criminal tooling and resilient infrastructure, while complicating attribution and contributing to recurring confusion around Iranian threat activity,” Check Point said.
“The use of such tools has created significant confusion, leading to misattribution and flawed pivoting, and clustering together activities that are not necessarily related. This demonstrates that the use of criminal software can be effective for obfuscation, and highlights the need for extreme caution when analyzing overlapping clusters.”