Handala is presented as a group of pro-Palestinian “vigilante” hackers, but Western scholars consider it to be one of the many groups under which the Iranian government’s cyber intelligence units operate, particularly those associated with the Ministry of Intelligence and Security (MOIS) and the Islamic Revolutionary Guard Corps (IRGC).
Iranian hackers from the Handala group managed to hack the personal email address of FBI Director Kash Patel, publishing private photos and a portion of over 300 emails online. It was the FBI itself that confirmed this on Friday, March 27, through spokesman Ben Williamson, clarifying that “all necessary measures have been taken to mitigate potential risks” and that the data included was “historical in nature and did not contain government information.”
On their website, the Handala Hack Team wrote that Patel “will now find his name on the list of successfully hacked victims,” attaching photos of him sniffing and smoking cigars, driving an old convertible, and taking selfies in the mirror with a bottle of rum. The published emails appear to be a mix of Patel’s personal and professional correspondence, dating from 2010–2019. The hacked Gmail address matches one previously attributed to Patel in other data breaches, maintained by the dark web intelligence firm District 4 Labs.
The operation is part of a broader strategy. Gil Messing, chief of staff at Israeli cybersecurity company Check Point, described the attack as part of an Iranian plan to embarrass US officials and “make them feel vulnerable.” According to him, the Iranians are “using everything they have at their disposal.”
This is not an isolated incident, nor is it a new technique. In 2016, Russian-linked hackers hacked into the Gmail account of John Podesta, Hillary Clinton's campaign chairman, and released material to WikiLeaks, in a case that had an impact on the presidential race with Donald Trump. Even earlier, in 2015, teenage hackers broke into the personal AOL account of then-CIA director John Brennan, releasing data on intelligence officials.
Such breaches, technically not very sophisticated but with great media impact, are consistent with US intelligence assessments that Iran and its allies could respond to US and Israeli attacks with low-level cyberattacks on US digital networks.
Who is Handala?
Handala is presented as a group of pro-Palestinian “vigilante” hackers, but Western scholars consider it to be one of the many groups under which the Iranian government’s cyber intelligence units operate, particularly those linked to the Ministry of Intelligence and Security (MOIS) and the Islamic Revolutionary Guard Corps (IRGC). The group has been active since at least 2022, when it targeted the Albanian government. Handala is linked to the Iranian group “Homeland Justice,” which has claimed responsibility for attacks on Albania, including the recent attacks on the website of the Albanian Parliament and the Albanian Post.
The Handala group hit the US medical technology company Stryker with a ransomware attack on March 11, allegedly locking up around 80,000 company and personal devices. In a statement, they described the attack as “revenge for the brutal attack on the Minab school.” Stryker said the incident was “under control” and that there was no evidence of access to customer or partner systems.
On Thursday, Handala also took responsibility for publishing the personal data of dozens of Lockheed Martin employees serving in the Middle East; the company confirmed it is aware of the reports.
“Handala” and “Homeland Justice” were among the Iranian websites that were targeted by the US and had their domains blocked on March 20. One of them, according to the official announcement, was used as part of “a broader effort to intimidate and harass Iranian dissidents and journalists living in the US and abroad”. Another published direct threats to American officials: “You will be executed soon and we have offered a reward of $250,000 for agents who will kill and behead you”.
Techniques used
Handala's operating method follows the classic social engineering model: targets, journalists, dissidents, activists, officials, are contacted with personalized emails, built according to the habits and information available to each victim. Those who fall for the scam are encouraged to share access codes and credentials. The malware disguises itself as common applications for Windows systems. Once the device is compromised, a Telegram bot establishes a remote connection with the attackers and extracts data such as documents, screenshots and, in some cases, even audio and video recordings from Zoom sessions.
Lini një Përgjigje