Some ‘free Palestine’ hacktivist style group called Handala have been defacing websites and claim to exfiltrate data. https://handala.to/ #threatintel
23 orgs hit so far.
Handala, a wiper group posing as a ransomware group who target Israeli companies, claims IIB (Israeli Industrial Batteries) supplied explosive batteries for pagers and Vidisco supplied X-ray machines which didn’t detect said batteries.
They claim they will be releasing 6TB of data for IIB and 8TB of data for Vidisco. I tried phoning one of the companies, who said they have an IT issue.
@GossiTheDog If this is true that means we have backdoors in the X-Ray machines in 86% of all air- and seaports? And Israel risked exposing that for a local terror attack? That is insane.
Wrote up the Handala Hack Team thing while on lunch as it was too nuts not to. https://doublepulsar.com/hacker-group-handala-hack-team-claim-battery-explosions-linked-to-israeli-battery-company-5bea086280cd
@GossiTheDog Ehm.... the Vidisco thing could potentially be a Big Problem, for <reasons>
Handala Hack Team have started posting files on Telegram. They were kicked off Telegram multiple times prior, they're back on a different username. #threatintel
Handala have released what they claim is source code showing a backdoor in Vidisco scanners, which are used by ports and airports to scan cargo.
Post contains reference to Hodhod drones, which is an Iranian UAV, and makes reference to Vidisco as being a “legal target” #threatintel
@GossiTheDog
Post the link?
@GossiTheDog
The xcode project
The latest on the Handala Hack Team situation with Vidisco and Israeli Industrial Batteries (IIB) breach claims is the file sharing site hosting the downloads say they have received DMCA complaints.
So far only outlets in Italy and Iran have picked up the story, and have done so fairly responsibly, i.e. not saying the claims are true.
I have just published a big update on the Handala situation regarding Vidisco at the bottom of my original post.
tl;dr: They are owned.
Expect to read 0 about this from your threat intelligence providers btw, there's a cone of silence around this one.
Handala are currently up on https://t.me/Handala_backup on Telegram.
Comes complete with a 1 minute data dump announcement video with reasonable production quality.
There's a lot of time and effort gone into the group's recent efforts, it's a little bit better than NoName and the like.
Handala are now going after Israeli politician Gabi Ashkenazi.
I think what they’re doing is compromising personal cloud accounts. #threatintel
Handala say they plan to post 2k photos from Benny Gantz’s phone in response to rocket attacks. I think my theory that they’re targeting Israeli politicians’ cloud accounts is looking more likely. #threatintel
@GossiTheDog I don't mean to be dumb, but how would an X-ray scanner backdoor work? Like, how would an object being scanned trigger the backdoor?
Handala appear to have gained access to former Israeli PM Ehud Barak’s personal phone, publishing a series of messages alleging various things and lots of photos and identity documents #threatintel
If you’re reading this thread and thinking ‘why isn’t this mentioned anywhere outside of Gossi The Dog’s toots?’ - that’s a good question. #threatintel
@GossiTheDog This from Telegram again? How many times have they been kicked out of there?
@GossiTheDog Opsec includes not leaving out glaring omissions from your coverage. Focusing only on when Russia or China does bad tells....a story.
@GossiTheDog @bontchev shouldn't it be possible to report that Telegram group? How come they get back on again? I mean, their actions may be full of good intentions, but Telegram's TOS do not allow this sort of public group/channel
@GossiTheDog @bontchev it should have improved over the past few days due to the "french kiss" 😅. Pavel says there are special groups of moderators for particular topics, the TOS have been improved, and most important, they now disclose data to law enforcement. https://t.me/durov/345
@GossiTheDog @bontchev well, he's technically still under arrest, he can't leave Fr so he's just enjoying the stay LOL, but give him time, he'll fix everything
@GossiTheDog Handala just dumped 60K emails allegedly from Gabriel Ashkenazi's gmail account. It comes in 2 archived parts
Handala Hack Team are very annoyed #threatintel
Handala allege they are doing a hack and leak of Soreq Nuclear Research Center in Israel. So far their leak claims have been true, although the document leaks haven’t resembled all of their claims about the contents to the best of my knowledge.
They also claim journalists in Israel have been told not to cover Handala, which I believe has foundation.
The entire cyber industry coverage of a clear Iranian cyber group doing actual cyber activity during a war: #threatintel #handala
They’ve also done a dump of emails belonging to Gabi Ashkenazi. #threatintel #handala
@GossiTheDog Putting our cyber colleagues aside, why aren’t the cyber journos at specialist/mainstream outlets covering Handala?
@GossiTheDog I've been busy with other projects and school...
@GossiTheDog Any confirmation on the Vidisco backdoor claims?
Handala Hack Team appear to be doing a hack and leak of Ron Prosor (Israel’s ambassador in Germany) next #threatintel #handala
Handala claim to have taken Bezeq offline earlier today. Fact check with @netblocks
@GossiTheDog @netblocks There are indications of very slight impact to Bezeq but, assuming this is Handala, it hasn’t knocked out the network to the extent of previous attacks.
Assuming Handala mean network connectivity, their claims do not check out. I guess it is possible they mean something else, eg system wiping. #handala #threatintel
Today Handala have a dump of 110k emails from/to a former Israeli PM. Emails are again collected from a personal email account. #handala #threatintel
Israel PM office has acknowledged they are dealing with an incident at Soreq referenced above, but no safety impact. #handala #threatintel
Handala are saying they’ve sent 1 million messages, whatever that means. Anybody in Israel got any strange texts? #handala #threatintel
Crap web defacement of Haderi Haredim sites #handala #threatintel
Handala have posted an Iranian propaganda video, with “Great News For Shin Bet On The Way” #handala #threatintel
Handala claims to have performed a supply chain attack on Shin Bet, the Israel Security Agency, they say allowing them to install software on managed mobile phones.
The photos provided appear to show access to some kind of Mobile Device Management platform. They also provided a data dump.
In the screenshots as evidence, one shows a phone screenshot using Maps - at a Kosher bar in Hackney in London.
Additionally, the screenshot of the list of devices almost all have ‘test’ in the device name. #handala #threatintel
The Handala claim of hacking Shin Bet mobiles via a supply chain hack does not appear to stack up.
They appear to have used material from NativCell, who provide internet filtering and management for Haredim (strictly Orthodox).
It’s part of a pattern with Handala where they take some access and spin it to mean something it doesn’t. #handala #threatintel
Handala claim to have done a hack and wipe of MaxShop, a point of sale vendor in Israel.
I have confirmed their website was defaced and has been taken offline. https://maxshop.co.il #handala #threatintel
MaxShop’s website is still offline. #handala #threatintel
Handala have posted 300GB of what they claim is IIB - Israel Industrial Batteries - internal data.
Previously they claimed they had access, but hadn’t provided proof.
@GossiTheDog probably full of shit.
MaxShop’s website has changed to a Plesk default site. #handala #threatintel
Handala have done a defacement of Silver Shadow, a small exporter of licensed firearms.
Silver Shadow’s website has gone offline, displaying a Wordpress error page. #handala #threatintel
MaxShop’s website is back online. Contains no reference to what happened. #handala #threatintel
Silver Shadow’s website is back online. Makes no reference to what happened. #handala #threatintel
@GossiTheDog defacing a website is one thing, claiming an extensive data breach is another. Did they in fact compromise their systems?
Handala are now upset with Yair Golan, in particular highlighting his comments about a possible attack on Iran.
Contains the usual, a picture dump - so far no email dump. #handala #threatintel
Handala's latest is a dump allegedly of Ron Prosor's emails, who they originally mentioned 8 days ago.
50k emails, again looks like a personal email account. #threatintel #handala
Handala’s latest dump is of a podcasting platform called Doscast. Email addresses and encrypted passwords. #threatintel #handala
Handala claim they used a MaxShop SMS account to send 5 million messages. Their screenshot and my translated version below. #threatintel #handala
@GossiTheDog A friend in .il said his network was hit with this wiper last week. MO seems similar to Handala's. He said the trigger was the same email from ESET and payload hosted on their infra too.
Obviously, Handala are awake. #threatintel #handala
Handala have deleted their previous message and replaced it with this. #threatintel #handala
Handala claim they are doing a “ultra big wipe” #threatintel #handala
@GossiTheDog I don't think they are serious enough
Handala claim to have hacked and wiped 74 servers at AGAS - https://www.agas.co.il - an Israeli MSP, MSSP and cloud reseller.
I’m not sure the size of the org stacks up with Handala’s claim. Also, 74 servers is not a lot.
I’ve reached out to AGAS to see if they want to comment.
@GossiTheDog Depends on what type of servers I imagine.
74 Windows servers with some normal stuff, not that big.
74 ESX hosts holding thousands and thousands of VMs, slightly bigger of a deal.
@GossiTheDog 18 TB is barely 1-2 servers. In a 32 server hyperconverged setup, you can easily have 3-4 PB of available data. Something doesn't smell right.
@GossiTheDog that is true 😅. And breaching the underlying cloud that the VM is hosted on is a nontrivial task. If however you get there, only finding 18 TB means you're most likely in a honeypot.
@0daystolive @GossiTheDog you're right. My mind went to lala land I guess. I saw "75 server", "service provider" and "main storage", my mind immediately went to "private cloud". There are single entities that generate several hundred GB of customer data each day on fewer (physical) servers than stated in the screenshot. But it depends on the business and the type of data that gets generated. My brain decided to take a break and the result is the silly thing I posted earlier.
Handala claim to have released 10gb of customer data for AGAS.
It does appear AGAS has a security incident going on. AGAS declined to comment when asked.
AGAS have confirmed to me they are dealing with a cyber incident from Handala. #threatintel #handala
Handala have been banned from TikTok, one day after joining. #threatintel #handala
Handala say they have hacked and dumped IM Cannabis aka IMC - https://imcannabis.com/ - using their access via AGAS, their MSP.
They also implicate another company, NDN Security - https://www.ndn-security.com/
Handala claims to have done a leak and wipe of Elad municipality.
Elad's website is offline, and there's an Israeli media report of some kind of cyber incident.
Handala typically exaggerate data volumes exfiltrated.
Handala are again claiming to have hacked Soreq, the nuclear safety org. I have in the past confirmed Soreq had a cybersecurity incident related to Handala, via the International Atomic Energy Agency (IAEA). #Handala #threatintel
Handala have posted photos and internal diagrams of, they claim, Shimon Peres Negev Nuclear Research Center.
The data appears to have come from Soreq. I have confirmed Soreq was owned, via the IAEA.
A few things have happened with Handala over the past few days which I haven’t covered - they’ve been dumping cloud backup photos and making threats, including about family members. I didn’t want to cover it.
All but one of the Handala Telegram channels has been shut down tonight.
Handala continues to be crazy town, with data dumps of what is alleged to be SSV Network, a blockchain company.
Handala claim they can link it (SSV Network) to Unit 8200, the Israeli intelligence agency. So far this appears to be without proof.
I’m going to guess, based on this post, they plan to post more tomorrow about Unit 8200.
So with the Unit 8200 stuff and Handala, their latest claim is they gained access to Silicom Limited (an IT services and networking company) and exfiltrated data, and that Silicom is a front company for Unit 8200.
Presented evidence includes a video accessing an internal VMware vCenter cluster with about 50TB of storage.
@GossiTheDog Whoever named it "Silicom" wanted so much to make a pun on "silicon" that he didn't realize that it sounds like "silly com(pany)".
@GossiTheDog Do you have an opinion on whether deplatforming would dampen activity by this and similar groups? If they didn't have their Telegram channel or similar account to brag about their hacks, would they continue at the same rate?
Handala claim to be inside the Silicom incident response process, and that they’ve wiped 300 systems. #Handala #threatintel
Btw the Silicom thing is interesting - Silicom sell OEMs networking kit and cards inside servers which are rebranded on sale, i.e. people see their products as another company’s. The Handala claim is that Silicom is a Unit 8200 (Israeli signals intelligence) front company, for onward access. #Handala #threatintel
Handala are one year old today. They are billing next week “destructive week”. #Handala #threatintel
Masoumeh Karbasi & Reza Avazeh were killed in a drone strike in Lebanon in October. As far as I can see nobody knew why publicly, Handala’s linking Reza to Hezbollah and their cybersecurity appears to be a first.
His children were invited to meet ‘Supreme Leader of the Islamic Revolution’ that week. https://farsi.khamenei.ir/news-content?id=58050
Handala say they plan their most destructive hack so far this weekend, over the fate of Reza Avazeh
There’s even a video, but sadly no hoodie wearing hackers
@GossiTheDog i dont get how they don't think these videos are cringe before posting it lmfao
Handala claim to have gained access to CaaB Cloud (https://caab.cloud), aka Cloud as a Business, posting a video of administrator access. CAAB Cloud describe themselves as “The MSP’s Cloud” in marketing.
CAAB Cloud is owned and operated by GNS in Israel, aka https://gns.cloud
It is unclear if the claims are credible. CaaB’s status page suggests a ~10% availability impact in one of their Israeli datacenters three days ago on cloud VM. https://status.caab.cloud
Handala suggests they got access to Ehud Barak’s iPad using a BYOD management profile. #Handala #threatintel
A bit on the nose writing 🤣 #Handala #threatintel
@GossiTheDog it's especially funny to see chatgpt output here
@GossiTheDog somehow this feel like the explanatory paragraph of ChatGPT 🤔 which now that I think about it makes a lot of sense to throw any kind of lingual profiling out of the equation
Handala have gained access to Reutone, a SaaS CRM supplier, and forward phished customers with a Trojan. Write up later. #Handala #threatintel
I wrote up the Handala attack on ReutOne, includes the first IoCs on Handala's python trojan
https://doublepulsar.com/handala-attempts-a-supply-chain-hack-via-reutone-001aa3cc684f
Handala has also defaced ReutOne’s website, and published videos of RDP access to ReutOne’s internal network, eg Active Directory Certificate Authority etc. https://web.archive.org/web/20241226141650/https://www.reutone.com/
Handala claim they hacked Allen Carr's Easyway via ReutOne.
Two points:
a) I legit thought they had hacked UK national treasure Alan Carr for a moment
2) "reportedly", lol. ChatGPT doing overtime for Handala.
The '100K messages sent' thing is a reference to Handala abusing WhatsApp Business accounts, my English translation of the message they've been sending.
@GossiTheDog Oh they better not be coming for the Chatty Man! 😆
@GossiTheDog
Now I want the UK national treasure Alan Carr to make some statement about being hacked.
Would be the most pure and awesome and most British camp comedy gold ever
Handala claim they will be wiping Mossad’s financial network today. Also, they appear to have purchased ChatGPT premium.
One note, they fully respected the dates of the ceasefire last time but apparently aren’t bothered this time? #handala #threatintel
Handala claim to have done a hack and wipe of Zuk Group, an Israeli group of financial companies. Their website has been defaced as of writing.
Handala posted a series of videos appearing to show access to their internal network.
Handala also claim the company is a front for Mossad. They offer no evidence of that bit.
Yes Cyber Toufan paused during ceasefire.
But you missed this one:
https://www.jpost.com/israel-news/article-838245
https://t.me/CyberSecurityIL/6421
https://t.me/CyberSecurityIL/6422
https://t.me/CyberSecurityIL/6423
https://t.me/CyberSecurityIL/6424
I'm 100% sure it was Cyber Toufan...
Both groups seem to be politically motivated but some people mixed up attribution between Handala and Cyber Toufan; we watched them closely.
Handala got booted off Telegram after the Zuk Group hack.
They’re back on another channel and posted:
“وَ كَمْ قَصَمْنا مِنْ قَرْيَةٍ كانَتْ ظالِمَةً ... بَلْ نَقْذِفُ بِالْحَقِّ عَلَى الْباطِلِ فَيَدْمَغُهُ فَإِذا هُوَ زاهِقٌ ...”
Which translates to
“How many a city have We destroyed which was unjust... Rather, We cast the truth upon falsehood, and it destroys it, and at once it departs...”
@GossiTheDog As to be expected, that's from the Qur'an. Surah al-Anbiya, verses 11-12
Handala claim to have hacked the Ministry of National Security in Israel, activated red alert to get people into shelters, closed the doors, then played a song and wiped the system.
Very unclear how widespread or credible this is, although some Israeli social media posts show devices going off and playing songs.
They also claim they have hacked Israeli police pagers and are broadcasting songs on them, and claim to have taken security ID information and delivery certificates for weapons. #handala #threatintel
There’s some coverage in Israeli media suggesting a focus on schools, with Israeli authorities acknowledging the incidents.
https://www.mivzaklive.co.il/archives/879473
Handala claim to have done a hack and wipe of Tosaf, a plastics manufacturer.
Screenshots show apparent Windows domain admin access, and they attach CCTV videos of themselves playing songs into a factory and an office, with workers looking confused.
@GossiTheDog Also #cyberpunk 👀
@GossiTheDog Weren't they supposed to honor the cease-fire? Or am I confusing them with some other anti-Israel group?
Handala have been fully kicked off Telegram, including their backup channel.
Achievement unlocked as I can't remember a group ever getting fully booted.
Handala appear to have fully wiped a company called Stryker, a global healthcare company.
Not in the link but they've got into AD, and wiped all the devices with Intune etc etc.
https://www.irishmirror.ie/news/irish-news/stryker-cyber-attack-thousands-irish-36850017
@GossiTheDog So this page on their website… https://www.stryker.com/ie/en/about/governance/security.html
> Our programme includes a Tier 1 and Tier 2 Security Operations and Cyber Fusion Centre that monitors and detects threat activity 24/7 to proactively gather, analyse and act upon relevant intelligence to defend Stryker, including risk management, compliance assurance, regulatory and audit
Seems it failed. Hard. Along with their quarterly security-related exercises, which didn’t catch poss. poor Conditional Access controls.
@GossiTheDog Viewed through the lens of the ongoing war in Iran, this retaliation is not entirely unexpected.
How many more might be in the works?
@GossiTheDog actual serious question, because I'm not an IT admin, just a normal developer: considering how getting into Intune like this allows you to basically kill an entire company, could having Intune or an equivalent set up to be able to remotely wipe stuff actually be considered a security risk? Clearly it's a very effective blast radius. How are you even supposed to protect against that?
How would it compare with the risk of just "leaking data" that can happen if you cannot remote wipe a machine and it gets stolen?
I imagine it's still better to have the capability to remote wipe, as you hopefully have better security around that access point, than the actual laptops and phones people carry?
Handala have claimed responsibility to me, saying they wiped about a quarter of a mil endpoints. They say it’s because of the strike on a girls’ primary school in Minab, in Iran’s Hormozgan province, which killed close to 200 people.
There’s an entire thread tracking Handala above btw, goes back multiple years. Some bits need follow links to the thread as I broke it.
Their MO is break in, lay low for months, and when the target is interesting exfiltrate data and then delete everything including org backups. They pivot to domain admin early and then sit on access for later. They live off the land and live off org IT documentation.
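The mass Intune wipe described in this thread is the kind of action an MDM audit-log detector should catch: a legitimate admin retires a handful of devices a day, while an attacker holding admin access issues wipes by the thousand within minutes. The script below is an added example, not code from the thread or from Microsoft; the log layout, field names and sample entries are constructed assumptions, not Intune's real export schema.

```python
"""Flag bursts of remote-wipe commands in a (constructed) MDM audit export."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed action names; map these to your MDM's real audit vocabulary.
WIPE_ACTIONS = {"wipe", "retire"}
LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample() -> list[str]:
    """Constructed sample log: routine helpdesk offboarding, then one account
    wiping 25 laptops in about 75 seconds. Layout: ts actor action device status."""
    lines = [
        "2026-03-10T09:12:00Z helpdesk wipe LT-0412 completed",
        "2026-03-10T11:40:05Z helpdesk retire PH-0231 completed",
        "2026-03-10T15:02:11Z helpdesk sync LT-0413 completed",
        "2026-03-11T08:30:00Z helpdesk wipe LT-0414 completed",
    ]
    start = datetime(2026, 3, 11, 2, 14, tzinfo=timezone.utc)
    for i in range(25):
        ts = (start + timedelta(seconds=3 * i)).strftime(LOG_FORMAT)
        lines.append(f"{ts} svc-mdm wipe LT-{1000 + i} pending")
    return lines


def parse_entry(line: str) -> dict:
    """Split one audit line into its fields (constructed format, see above)."""
    ts, actor, action, device, status = line.split()
    when = datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc)
    return {"ts": when, "actor": actor, "action": action,
            "device": device, "status": status}


def find_wipe_bursts(lines, window=timedelta(minutes=5), threshold=10):
    """Return one alert per actor whose wipe/retire count inside any sliding
    window of `window` reaches `threshold`. A sliding window (rather than a
    daily total) catches the short, dense burst that a mass wipe produces."""
    by_actor = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if entry["action"] in WIPE_ACTIONS:
            by_actor[entry["actor"]].append(entry["ts"])

    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        lo, best, best_start = 0, 0, None
        for hi, t in enumerate(times):
            while t - times[lo] > window:      # drop timestamps outside window
                lo += 1
            count = hi - lo + 1
            if count > best:
                best, best_start = count, times[lo]
        if best >= threshold:
            alerts.append({"actor": actor, "wipes_in_window": best,
                           "window_start": best_start.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_wipe_bursts(build_sample()):
        print(f"ALERT {alert['actor']}: {alert['wipes_in_window']} wipes "
              f"within 5 min starting {alert['window_start']}")
```

Tune `window` and `threshold` to your own baseline; the useful property is that alerting on a burst of wipe commands, rather than on any single wipe, keeps routine offboarding quiet while still firing early in a mass-wipe event.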
@GossiTheDog
To me, a person who only knows what I've read on this thread, this sounds like impressive and disciplined craft.
@GossiTheDog again? Didn’t the same basic thing happen several years ago?
Yikes! That's a lot of endpoints and associated servers and other infrastructure.
I wonder if they will be able to recover? Particularly if the backups are gone and there are no others in cold storage somewhere.
As they have discovered, blowback can be painful and expensive or even unrecoverable.
Stryker have filed an 8-K with the SEC for their wiper incident.
"The Company has no indication of ransomware or malware and believes the incident is contained."
Almost like Handala lived off the land..
https://www.sec.gov/Archives/edgar/data/310764/000119312526102460/d76279d8k.htm
@GossiTheDog They left out the parts that would be really interesting: roughly how many devices were affected?
I hope Microsoft Intune has some safeguards against wiping 100.000 or more devices at once. Or even 1.000 devices...
But my hope is not a big one.
@GossiTheDog Kevin, do you know anyone at Microsoft that works directly on Windows 11? Can you ask them why Windows 11 now displays your email address on like every single settings page? I noticed people on twitch just splaying out their email addresses and of course their login username (same thing) all over the internet now a days.
@GossiTheDog #Alt4You #AltText the statement: "We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success.
The Zionist-rooted corporation, Stryker, one of the key arms of the global Zionist lobby and a central ring in the 'New Epstein' chain, has been struck with an unprecedented blow. In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted.
Stryker's offices in 79 countries have been forced to shut down. All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption. A clear warning to all Zionist leaders and their lobbies who hide behind concrete walls and closed windows: The era of the 'Epstein' rings and the demons of our time is over. 'Nimrod of this era, even if you close your windows, we will build our nests everywhere. Get ready for the mosquito..
This is only the beginning of a new chapter in cyber warfare. To all those plotting attacks on the infrastructure of the Axis of Resistance:
The era of hit-and-run is over!
PoC soon"
Stryker have a liveblog of their security incident, linked from the front page of their website:
https://www.stryker.com/gb/en/about/news/a-message-to-our-customers-03-2026.html
tl;dr is most customer systems aren't impacted as they run on Linux, but their corporate Windows systems are toast so please hold the line.
@GossiTheDog does this include the latest post from the Handala hack website stating they wiped 12PB of data? The screenshots appeared to be VMware, which is different than the previous Intune attack
Stryker filed an 8-K with the SEC saying no indication of malware on their environment - yet Palo Alto's DFIR statement says they have removed malware from Stryker's environment.
@GossiTheDog there's no indication of malware because it all got removed. Perfect, no notes.
@GossiTheDog
They're trying not to upset their 450 target price
@GossiTheDog Unfortunately, securities fraud is one of the sitting president's favorite industries; so if they do get what's coming to them it won't be from the SEC.
@GossiTheDog Can't be any malware if you can't detect any malware
@GossiTheDog *nods* no indication of malware in the environment if all the logs are gone
💾 🇿🇦