Threat actors with ties to Iran successfully hacked into the personal email account of US Federal Bureau of Investigation (FBI) Director Kash Patel and leaked a large number of photos and other documents on the internet.
Handala Hack Team, which carried out the breach, said on its website that Patel “will now find his name on the list of successfully hacked victims.” In a statement shared with Reuters, the FBI confirmed that Patel’s emails were targeted, and said it had taken the necessary steps to “mitigate the potential risks associated with this activity.”
The agency also said that the published data “is historical in nature and does not include any government information.” The leak includes emails allegedly sent by Patel between 2010 and 2019.
Handala Hack is considered a pro-Iran, pro-Palestine hacktivist persona adopted by Iran’s Ministry of Intelligence and Security (MOIS). It has been tracked by the cybersecurity community under the aliases Banished Kitten, Cobalt Mystique, Red Sandstorm, and Void Manticore; the group has also operated another persona, Homeland Justice, to target Albanian entities since mid-2022.
A third persona associated with the MOIS-affiliated actor is Karma, which is said to have been fully replaced by Handala Hack since late 2023.
Data collected by StealthMole revealed that Handala’s online presence extended beyond the messaging platforms and cybercrime forums such as BreachForums that it uses to publicize its activities: the group maintained a layered infrastructure that included surface web domains, Tor-hosted services, and external file-hosting platforms such as MEGA.
“Handala has persistently targeted IT and service providers in an attempt to obtain credentials, relying largely on compromised VPN accounts for initial access,” Check Point said in a report published this month. “Over the past months, we identified hundreds of logon and brute-force attempts against organizational VPN infrastructure connected to Handala.”
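The pattern Check Point describes, many logon failures against a VPN gateway from the same source, is straightforward to surface from authentication logs. The following is an added example, not code from the page or from Check Point: a sliding-window detector over a constructed, generic syslog-style VPN log (the host names, account names, format and RFC 5737 addresses are all assumptions for the demo). It flags a source once its failures within the window reach a threshold, counts how many distinct accounts it tried (a spray looks different from one user mistyping), and records whether a successful logon from that source followed the burst, which is the case to escalate first.

```python
"""Sliding-window detection of VPN password guessing over constructed log lines.

Added example, not code from the page or from Check Point. The log format,
host names, user names and IP addresses below are constructed for the demo
(RFC 5737 documentation ranges), not a particular vendor's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source tries several accounts in quick succession
# and eventually succeeds; two others show ordinary, sparse failures.
SAMPLE_LOG = """\
2024-06-01T08:00:01Z vpn01 auth: user=jdoe src=203.0.113.7 result=FAIL
2024-06-01T08:00:03Z vpn01 auth: user=jsmith src=203.0.113.7 result=FAIL
2024-06-01T08:00:05Z vpn01 auth: user=admin src=203.0.113.7 result=FAIL
2024-06-01T08:00:07Z vpn01 auth: user=svc_backup src=203.0.113.7 result=FAIL
2024-06-01T08:00:09Z vpn01 auth: user=jdoe src=203.0.113.7 result=FAIL
2024-06-01T08:00:11Z vpn01 auth: user=jdoe src=203.0.113.7 result=SUCCESS
2024-06-01T08:15:00Z vpn01 auth: user=mlee src=198.51.100.4 result=FAIL
2024-06-01T08:15:40Z vpn01 auth: user=mlee src=198.51.100.4 result=SUCCESS
2024-06-01T09:00:00Z vpn01 auth: user=pkim src=192.0.2.9 result=FAIL
2024-06-01T09:20:00Z vpn01 auth: user=pkim src=192.0.2.9 result=FAIL
2024-06-01T09:40:00Z vpn01 auth: user=pkim src=192.0.2.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=600):
    """Flag a source IP once `threshold` failures fall inside `window_seconds`.

    Each alert records how many distinct accounts the source tried (password
    spraying shows up as a high count) and whether a successful logon from the
    same source followed the burst.
    """
    recent_fails = defaultdict(deque)   # src -> failure timestamps still in window
    users_tried = defaultdict(set)      # src -> account names seen in failures
    alerts = {}                         # src -> alert dict (one per source)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "FAIL":
            q = recent_fails[src]
            q.append(ev["ts"])
            users_tried[src].add(ev["user"])
            # Drop failures that have aged out of the window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {
                    "src": src,
                    "first_fail": q[0].isoformat(),
                    "fail_count": len(q),
                    "distinct_users": len(users_tried[src]),
                    "success_after": False,
                }
        elif ev["result"] == "SUCCESS" and src in alerts:
            alerts[src]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample, only 203.0.113.7 is flagged with the defaults (five failures across four accounts in ten seconds, followed by a success); the slow, spaced-out failures from 192.0.2.9 only appear if the window is widened to an hour and the threshold lowered, which is the trade-off to tune against the gateway's normal failure rate.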
Attacks attributed to the group are known to leverage RDP for lateral movement and to initiate destructive operations by dropping wiper malware families such as Handala Wiper and Handala PowerShell Wiper through Group Policy logon scripts. Legitimate disk encryption utilities like VeraCrypt are also used to complicate recovery efforts.
Flashpoint said, “In contrast to financially motivated cybercriminal groups, activity associated with Handala has historically emphasized disruption, psychological impact, and geopolitical signaling. Operations attributed to the persona often align with periods of heightened geopolitical tension and often target organizations with symbolic or strategic value.”
The development comes against the backdrop of the US-Israel-Iran conflict, which has prompted Iran to launch retaliatory cyber attacks against Western targets. Specifically, Handala Hack took credit for crippling the networks of medical device maker and service provider Stryker by deleting a large amount of company data and wiping thousands of employee devices. This attack is the first destructive wiper operation targeting an American Fortune 500 company.
In an update released on its website this week, Stryker said the “incident has been contained,” adding that it “responded quickly to not only regain access but to remove the unauthorized party from our environment” by destroying established persistence mechanisms. It said the breach was limited to its internal Microsoft environment.
The threat actors were found to have used a malicious file to run commands in a way that allowed them to hide their actions. However, the file has no ability to spread across a network, Stryker pointed out.
Palo Alto Networks Unit 42 said the primary vector of Handala Hack’s recent destructive operations included “exploitation of identities through phishing and administrative access through Microsoft Intune.” Hudson Rock has found evidence that compromised credentials associated with Microsoft infrastructure, obtained through infostealer malware, may have been used to carry out the hack.
In the wake of the breach, both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) have issued guidance on hardening Windows domains and strengthening Intune to protect against similar attacks. This includes using the principle of least privilege, implementing phishing-resistant multi-factor authentication (MFA), and enabling multi-admin approval in Intune for sensitive changes.
Flashpoint characterized the attack on Stryker as an alarming shift in supply chain threats, as state-linked cyber activity targeting critical suppliers and logistics providers could have widespread impact on the entire health care ecosystem.
The leak of Patel’s personal emails by Handala Hack comes in response to a court-authorized operation that led to the seizure of four domains operated by MOIS since 2022 as part of an effort to disrupt its malicious activities in cyberspace. The US government is also offering a reward of $10 million to anyone providing information about the group’s members. The names of the seized domains are listed below –
- justicehomeland[.]org
- handala-hack[.]to
- karmabelow80[.]org
- handala-redwanted[.]to
“The seized domains […] were used by MOIS to further psychological campaigns targeting regime opponents by claiming credit for hacking activity, posting sensitive data stolen during such hacks, and calling for the killing of journalists, regime dissidents, and Israeli individuals,” the US Department of Justice (DOJ) said.
This included the names and sensitive information of approximately 190 individuals associated with or employed by the Israeli Defense Forces (IDF) and/or the Israeli government, and 851 GB of confidential data from members of the Sanzer Hasidic Jewish community. Additionally, an email address associated with the group (“handala_team@outlook[.]com”) is alleged to have been used to send death threats to Iranian dissidents and journalists living in the US and elsewhere.
In a separate advisory, the FBI revealed that Handala Hack and other MOIS cyber actors employed social engineering tactics to connect with potential victims on social messaging applications and deliver Windows malware capable of enabling persistent remote access via Telegram bots, disguising the first-stage payload as a commonly used program such as Pictory, KeePass, Telegram or WhatsApp.
Using Telegram (or other legitimate services) as a C2 is a common tactic by threat actors to hide malicious activity among normal network traffic and significantly reduce the likelihood of detection. Related malware artifacts found on compromised devices have revealed additional capabilities to record audio and screen while a Zoom session is active. According to the FBI, the attacks have targeted dissidents, opposition groups and journalists.
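Because the traffic to a legitimate service looks benign by destination alone, one way defenders separate a bot-driven C2 channel from a real chat client is timing: a timer-driven poll produces near-constant gaps between connections, while human-driven traffic does not. The following is an added example, not code from the page or from the FBI advisory, and the regular-interval heuristic is a general beacon-detection technique rather than a claim about how this specific malware behaves. It runs over a constructed proxy log (host names, process names and format are assumptions for the demo) and reports each (host, process) pair that contacts a `telegram.org` host at least `min_events` times with a low coefficient of variation in its inter-connection gaps.

```python
"""Periodicity check for outbound connections to Telegram API hosts.

Added example, not code from the page or from the FBI advisory. The proxy log
format, host names and process names are constructed for the demo; the
regular-interval heuristic is a general beacon-detection technique, not a
claim about how this particular malware behaves.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a genuine chat client with irregular, user-driven
# traffic, and an unrelated process polling api.telegram.org every ~60 s.
SAMPLE_PROXY_LOG = """\
2024-06-01T10:00:00Z host=WS-17 proc=Telegram.exe dst=api.telegram.org
2024-06-01T10:00:07Z host=WS-17 proc=Telegram.exe dst=api.telegram.org
2024-06-01T10:03:40Z host=WS-17 proc=Telegram.exe dst=api.telegram.org
2024-06-01T10:31:12Z host=WS-17 proc=Telegram.exe dst=api.telegram.org
2024-06-01T10:45:00Z host=WS-17 proc=Telegram.exe dst=api.telegram.org
2024-06-01T10:00:00Z host=WS-42 proc=svc_update.exe dst=api.telegram.org
2024-06-01T10:01:00Z host=WS-42 proc=svc_update.exe dst=api.telegram.org
2024-06-01T10:02:01Z host=WS-42 proc=svc_update.exe dst=api.telegram.org
2024-06-01T10:03:00Z host=WS-42 proc=svc_update.exe dst=api.telegram.org
2024-06-01T10:04:02Z host=WS-42 proc=svc_update.exe dst=api.telegram.org
2024-06-01T10:05:00Z host=WS-42 proc=svc_update.exe dst=api.telegram.org
2024-06-01T10:00:30Z host=WS-42 proc=chrome.exe dst=www.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$"
)


def parse_proxy_line(line):
    """Return a dict for one proxy log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "proc": m["proc"],
        "dst": m["dst"],
    }


def beacon_candidates(log_text, dst_suffix="telegram.org", min_events=5,
                      max_cv=0.2, allow_procs=("Telegram.exe",)):
    """Return (host, process) pairs talking to `dst_suffix` at regular intervals.

    The coefficient of variation (stdev / mean) of the gaps between successive
    connections is near zero for a timer-driven poll and large for traffic a
    person generates. Processes in `allow_procs` are skipped as known clients.
    """
    series = defaultdict(list)          # (host, proc) -> connection timestamps
    for line in log_text.splitlines():
        ev = parse_proxy_line(line)
        if ev is None or not ev["dst"].endswith(dst_suffix):
            continue
        series[(ev["host"], ev["proc"])].append(ev["ts"])
    alerts = []
    for (host, proc), stamps in sorted(series.items()):
        if proc in allow_procs or len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            alerts.append({
                "host": host,
                "proc": proc,
                "events": len(stamps),
                "mean_interval_s": round(mu, 1),
                "cv": round(cv, 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in beacon_candidates(SAMPLE_PROXY_LOG):
        print(alert)
```

On the sample, only `svc_update.exe` on WS-42 is reported (six connections, one-minute mean gap, CV about 0.02). The real client on WS-17 is skipped by the allowlist, but it would not be reported even without one, since its gaps range from seconds to tens of minutes; the periodicity test, not the process name, carries the signal. In production the same logic would run over proxy or DNS logs per host and process, with `max_cv` raised a little to tolerate deliberate jitter.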
“MOIS cyber actors are responsible for using Telegram as command-and-control (C2) infrastructure to push malware targeting Iranian dissidents, journalists opposing Iran, and other opposition groups around the world,” the bureau said. “This malware resulted in intelligence gathering, data leakage, and reputational damage to targeted parties.”
Handala Hack has since resurfaced on a different clearnet domain, “handala-team[.]From,” where it described the domain seizure as “a desperate attempt by the United States and its allies to silence Handala’s voice.”
The ongoing conflict has also prompted fresh warnings that it risks turning operators of the critical infrastructure sector into attractive targets, even as it has led to an increase in DDoS attacks, website defacement and hack-and-leak operations against Israel and Western organizations. Hacktivist organizations also engage in psychological and influence operations aimed at creating fear and confusion among targeted populations.
In recent weeks, a relatively new cybercriminal group called Nasser Security has been seen targeting the energy sector in the Middle East. “The group is attacking supply chain vendors involved in engineering, security, and manufacturing,” ReSecurity said. “The supply chain attacks attributed to Nasser Security were likely carried out by cyber-mercenaries or individuals hired or sponsored by Iran or its proxies.”
“Cyber activity related to this conflict is becoming increasingly decentralized and destructive,” Katherine Raines, head of the cyber threat intelligence team for National Security Solutions at Flashpoint, said in a statement.
“Groups like Handala and Fatimian are targeting private sector organizations with attacks designed to exfiltrate data, disrupt services, and create uncertainty for both businesses and the public. At the same time, we are seeing greater use of legitimate administrative tools in these cyber operations, making it much more difficult for traditional security controls to detect.”
That is not all. Actors associated with MOIS are increasingly engaging with the cybercrime ecosystem to support their objectives and provide cover for their malicious activity. This includes Handala’s integration of Rhadamanthys Stealer into its operations and MuddyWater’s use of the Tsundere botnet (aka Dindoor) and Fakeset, the latter of which is a downloader used to distribute CastleLoader.
Check Point said, “Such involvement provides a dual benefit: It enhances operational capabilities through access to mature criminal tooling and flexible infrastructure, while complicating attribution and contributing to repeated confusion about Iranian threat activity.”
“The use of such tools has created significant confusion, leading to misattribution and erroneous polarization, and grouping together activities that are not necessarily related. This shows that the use of criminal software can be effective for obfuscation, and highlights the need for extreme caution when analyzing overlapping clusters.”