Some ‘free Palestine’ hacktivist style group called Handala have been defacing websites and claim to exfiltrate data. https://handala.to/ #threatintel
23 orgs hit so far.
Handala, a wiper group posing as a ransomware group who target Israeli companies, claims IIB (Israeli Industrial Batteries) supplied explosive batteries for pagers and Vidisco supplied Xray machines which didn’t detect said batteries.
They claim they will be releasing 6tb of data for IIB and 8tb of data for Vidisco. I tried phoning one of the companies, who said they have an IT issue.
@GossiTheDog If this is true that means we have backdoors in the X-Ray machines in 86% of all air- and seaports? And Israel risked exposing that for a local terror attack? That is insane.
Wrote up the Handala Hack Team thing while on lunch as it was too nuts not to. https://doublepulsar.com/hacker-group-handala-hack-team-claim-battery-explosions-linked-to-israeli-battery-company-5bea086280cd
@GossiTheDog Ehm.... the Vidisco thing could potentially be a Big Problem, for <reasons>
Handala Hack Team have started posting files on Telegram. They were kicked off Telegram multiple times prior, they're back on a different username. #threatintel
@GossiTheDog Have you or anyone looked at the data yet? I'm interested to hear more
Handala have released what they claim is source code showing a backdoor in Vidisco scanners, which are used by ports and airports to scan cargo.
Post contains reference to Hodhod drones, which is an Iranian UAV, and makes reference to Vidisco as being a “legal target” #threatintel
@GossiTheDog
Post the link?
@GossiTheDog
The xcode project
The latest on the Handala Hack Team situation with Vidisco and Israeli Industrial Batteries (IIB) breach claims is the file sharing site hosting the downloads say they have received DMCA complaints.
So far only outlets in Italy and Iran have picked up the story, and have done so fairly responsibly, i.e. not saying the claims are true.
I have just published a big update on the Handala situation regarding Vidisco at the bottom of my original post.
tl;dr: They are owned.
Expect to read 0 about this from your threat intelligence providers btw, there's a cone of silence around this one.
Handala are currently up on https://t.me/Handala_backup on Telegram.
Comes complete with a 1 minute data dump announcement video with reasonable production quality.
There's a lot of time and effort gone into the group's recent efforts, it's a little bit better than NoName and the like.
Handala are now going after Israeli politician Gabi Ashkenazi.
I think what they’re doing is compromising personal cloud accounts. #threatintel
Handala say they plan to post 2k photos from Benny Gantz’ phone in response to rocket attacks. I think my theory they’re targeting Israel’s political’s cloud accounts is looking more likely. #threatintel
@GossiTheDog I don't mean to be dumb, but how would an X-ray scanner backdoor work? Like, how would an object being scanned trigger the backdoor?
Handala appear to have gained access to former Israeli PM Ehud Barak’s personal phone, publishing a series of messages alleging various things and lots of photos and identity documents #threatintel
If you’re reading this thread and thinking ‘why isn’t this mentioned anywhere outside of Gossi The Dog’s toots?’ - that’s a good question. #threatintel
@GossiTheDog This from Telegram again? How many times have they been kicked out of there?
@GossiTheDog Opsec includes not leaving out glaring omissions from your coverage. Focusing only on when Russia or China does bad tells....a story.
@GossiTheDog @bontchev shouldn't it be possible to report that Telegram group? how come they get again on? I mean, their actions may be full of good intentions, but Telegram's TOS do not allow such sort of public groups/channels
@GossiTheDog @bontchev should have been improved since some days due to the "french kiss" 😅, Pavel tells there are special groups of moderators on particular arguments, TOS have been improved, and most important, now they do disclose data to law enforcement. https://t.me/durov/345
@GossiTheDog @bontchev well, hes tecnically still under arrest, he cant leave Fr so hes just enjoying the stay LOL, but give him time, hell fix everything
@GossiTheDog Handala just dumped 60K emails allegedly from Gabriel Ashkenazi's gmail account. It comes in 2 archived parts
Handala Hack Team are very annoyed #threatintel
Handala allege they are doing a hack and leak of Soreq Nuclear Research Center in Israel. So far their leak claims have been true.. although the document leaks haven’t resembled all of their claims about the contents to the best of my knowledge.
They also claim journalists in Israel have been told not to cover Handela, which I believe has foundation.
The entire cyber industry coverage of a clear Iranian cyber group doing actual cyber activity during a war: #threatintel #handala
They’ve also done a dump of emails belonging to Gabi Ashkenazi. #threatintel #handala
@GossiTheDog Putting our cyber colleagues aside, why aren’t the cyber journos at specialist/mainstream outlets covering Handala?
@GossiTheDog I've been busy with other projects and school...
@GossiTheDog Any confirmation on the Vidisco backdoor claims?
Handala Hack Team appear to be doing a hack and leak of Ron Prosor (Israel’s ambassador in Germany) next #threatintel #handala
@GossiTheDog FYSA, a good bit of their data is years old/recycled.
They also seem to be tied to Iranian intelligence and share significant but not wholly unique markers with "Anonymous For Justice", which recently went silent.
Handala claim to have taken Bezeq offline earlier today. Fact check with @netblocks
@GossiTheDog @netblocks There are indications of very slight impact to Bezeq but, assuming this is Handala, it hasn’t knocked out the network to the extent of previous attacks.
Assuming Handala mean network connectivity, their claims do not check out. I guess it is possible they mean something else, eg system wiping. #handala #threatintel
Today Handala have a dump of 110k emails from/to former Israel PM. Emails are again collected from a personal email account. #handala #threatintel
Israel PM office has acknowledged they are dealing with an incident at Soreq referenced above, but no safety impact. #handala #threatintel
Handala are saying they’ve sent 1 million messages, whatever that means. Anybody in Israel got any strange texts? #handala #threatintel
Crap web defacement of Haderi Haredim sites #handala #threatintel
Handala have posted an Iranian propaganda video, with “Great News For Shin Bet On The Way” #handala #threatintel
Handala claims to have performed a supply chain attack on Shin Bet, the Israel Security Agency, they say allowing them to install software on managed mobile phones.
The photos provided appear to show access to some kind of Mobile Device Management platform. They also provided a data dump.
In the screenshots as evidence, one shows a phone screenshot using Maps - at a Kosher bar in Hackney in London.
Additionally, the screenshot of the list of devices almost all have ‘test’ in the device name. #handala #threatintel
The Handala claim of hacking Shin Bet mobiles via a supply chain hack does not appear to stack up.
They appear to have used material from NativCell, who provide internet filtering and management for Haredim (strictly Orthodox).
It’s part of a pattern with Handala where they take some access and spin it to mean something it doesn’t. #handala #threatintel
Handala claim to have done a hack and wipe of MaxShop, a point of sale vendor in Israel.
I have confirmed their website was defaced and has been taken offline. https://maxshop.co.il #handala #threatintel
MaxShop’s website is still offline. #handala #threatintel
Handala have posted 300gb of what they claim is IBB - Israel Industrial Batteries - internal data.
Previously they claimed they had access, but hadn’t provided proof.
@GossiTheDog probably full of shit.
MaxShop’s website has changed to a Plesk default site. #handala #threatintel
Handala have done a defacement of Silver Shadow, a small exporter of licensed firearms.
Silver Shadow’s website has gone offline, displaying a Wordpress error page. #handala #threatintel
MaxShop’s website is back online. Contains no reference to what happened. #handala #threatintel
Silver Shadow’s website is back online. Makes no reference to what happened. #handala #threatintel
@GossiTheDog defacing a website is one thing, claiming an extensive data breach is another. Did they in fact compromise their systems?
Handala are now upset with Yair Golan, in particular highlighting his comments about a possible attack on Iran.
Contains the usual, a picture dump - so far no email dump. #handala #threatintel
Handala's latest is a dump allegedly of Ron Prosor's emails, who they originally mentioned 8 days ago.
50k emails, again looks like a personal email account. #threatintel #handala
Handala’s latest dump is of a podcasting platform called Doscast. Email addresses and encrypted passwords. #threatintel #handala
Handala claim they used a MaxShop SMS account to send 5 million messages. Their screenshot and my translated version below. #threatintel #handala
@GossiTheDog A friend in .il said his network was hit with this wiper last week. MO seems similar to Handala's. He said the trigger was the same email from ESET and payload hosted on their infra too.
Obviously, Handala are awake. #threatintel #handala
Handala have deleted their previous message and replaced it with this. #threatintel #handala
Handala claim they are doing a “ultra big wipe” #threatintel #handala
@GossiTheDog I don't think they be enough serious
Handala claim to have hacked and wiped 74 servers at AGAS - https://www.agas.co.il - an Israeli MSP, MSSP and cloud reseller.
I’m not sure the size of the org stacks up with Handala’s claim. Also, 74 servers is not a lot.
I’ve reached out to AGAS to see if they want to comment.
@GossiTheDog Depends on what type of servers I imagine.
74 Windows servers with some normal stuff, not that big.
74 ESX hosts holding thousands and thousands of VM’s, sligthly bigger of a deal.
@GossiTheDog 18 TB is barely 1-2 servers. In a 32 server hyperconverged setup, you can easily have 3-4 PB of available data. Something doesn't smell right.
@GossiTheDog that is true 😅. And breaching the underlying cloud that the VM is hosted on is a nontrivial task. If however you get there, only finding 18 TB means you're most likely in a honeypot.
- replies
- 1
- announces
- 0
- likes
- 1
@0daystolive @GossiTheDog you're right. My mind went to lala land I guess. I saw "75 server", "service provider" and "main storage", my mind immediately went to "private cloud". There are single entities that generate several hundred GB of customer data each day on fewer (physical) servers than stated in the screenshot. But it depends on the business and the type of data that gets generated. My brain decided to take a break and the result is the silly thing I posted earlier.
Handala claim to have released 10gb of customer data for AGAS.
It does appear AGAS has a security incident going on. AGAS declined to comment when asked.
AGAS have confirmed to me they are dealing with a cyber incident from Handala. #threatintel #handala
Handala have been banned from TikTok, one day after joining. #threatintel #handala
Handala say have hacked and dumped IM Cannabis aka IMC - https://imcannabis.com/ - using their access via AGAS, their MSP.
They also implicate another company, NDN Security - https://www.ndn-security.com/
Handala claims to have done a leak and wipe of Elad municipality.
Elad's website is offline, and there's an Israeli media report of some kind of cyber incident.
Handala typically over exaggerate data volumes exfiltrated.
Handala are again claiming to have hacked Soreq, the nuclear safety org. I have in the past confirmed Soreq had a cybersecurity incident related to Handala, via the International Atomic Agency. #Handala #threatintel
Handala have posted photos and internal diagrams of, they claim, Shimon Peres Negev Nuclear Research Center.
The data appears to have come from Soreq. I have confirmed Soreq was owned, via the IAEA.
A few things have happened with Handala over the past few days which I haven’t covered - they’ve been dumping cloud backup photos and making threats, including about family members. I didn’t want to cover it.
All but one of the Handala Telegram channels has been shut down tonight.
Handala continues to be crazy town, with data dumps of what is allegedly to be SSV Network, a blockchain company.
Handala claim they can link it (SSV Network) to Unit 8200, the Israeli intelligence agency. So far this appears to be without proof.
I’m going to guess, based on this post, they plan to post more tomorrow about Unit 8200.
So with the Unit 8200 stuff and Handala, their latest claim is they gained access to Silicom Limited (an IT services and networking company) and exfiltrated data, and that Silicom is a front company for Unit 8200.
Presented evidence includes a video accessing an internal VMware vCentre cluster with about 50tb of storage.
@GossiTheDog Whoever named it "Silicom" wanted so much to make a pun on "silicon" that he didn't realize that it sounds like "silly com(pany)".
@GossiTheDog Do you have an opinion on whether deplatforming would dampen activity by this and similar groups? If they didn't have their Telegram channel or similar account to brag about their hacks, would they continue at the same rate?
Handala claim to be inside the Silicom incident response process, and that they’ve wiped 300 systems. #Handala #threatintel
Btw the Silicom thing is interesting - Silicom sell OEMs networking kit and cards inside server which is rebranded on sale, ie people see their products as other company. The Handala claim is that Silicom is a Unit 8200 (Israeli signals intelligence) front company, for onward access. #Handala #threatintel
@GossiTheDog that's an explosive revelation
@GossiTheDog so Good
Handala are one year old today. They are billing next week “destructive week”. #Handala #threatintel
Masoumeh Karbasi & Reza Avazeh were killed in a drone strike in Lebanon in October. As far as I can see nobody knew why publicly, Handala’s linking Reza to Hezbollah and their cybersecurity appears to be a first.
His children were invited to meet ‘Supreme Leader of the Islamic Revolution’ that week. https://farsi.khamenei.ir/news-content?id=58050
Handala say they plan their most destructive hack so far this weekend, over the fate of Reza Avazeh
There’s even a video, but sadly no hoodie wearing hackers
@GossiTheDog i dont get how they don't think these videos are cringe before posting it lmfao
Handala claim to have gained access to
CaaB Cloud (https://caab.cloud), aka Cloud as a Business, posting a video of administrator access. CAAB Cloud describe themselves as “The MSP’s Cloud” in marketing.
CAAB Cloud is owned and operated by GNS in Israel, aka https://gns.cloud
It is unclear if the claims are credible. CaaB’s status page suggest a ~10% availability impact in one of their Israeli datacenters three days ago on cloud VM. https://status.caab.cloud
Handala suggests they got access to Ehud Barak’s iPad using a BYOD management profile. #Handala #threatintel
@GossiTheDog we have less than a month until Giuliani is running CISA.
A bit on the nose writing 🤣 #Handala #threatintel
@GossiTheDog it's especially funny to see chatgpt output here
@GossiTheDog somehow this feel like the explanatory paragraph of ChatGPT 🤔 which now that I think about it makes a lot of sense to throw any kind of lingual profiling out of the equation