
Inside the Handala Hack: Iranian Cyber Warfare and the Rise of Wiper Attacks Targeting Israeli Systems

Filip Dimitrov

November 7, 2024

The Handala hacking group has recently intensified its operations, establishing itself as one of the most prominent hacktivist threats targeting Israeli infrastructure, government institutions, and businesses.

Since its inception, Handala has consistently leveraged propaganda to publicize its actions, using Telegram and dark web forums to share evidence of their breaches and incite fear. Their recent campaigns target critical sectors and showcase an impressive understanding of advanced cyber techniques.

For organizations with ties to sensitive industries or regions under high scrutiny, understanding Handala’s tactics and implementing defenses against them is vital.

Recent cyber attacks and high-profile targets

Being a pro-Palestinian group, Handala primarily targets entities within Israel’s critical infrastructure, which includes government bodies, technology firms, and industries with perceived ties to Israeli interests.

Handala threatens attack on Israeli Nuclear Research Center (Source: Telegram)

Throughout 2024, Handala has launched a number of high-impact cyberattacks on Israeli critical infrastructure. Some of the most notable ones have included:

  • DRS RADA & Israeli Radar Systems Breach: Handala allegedly breached DRS RADA, one of the leading providers of radar systems for Israel’s defense sector, potentially compromising the Iron Dome system.
  • MyCity Application False Messages: In June, Handala targeted civilians by sending alarming SMS messages to residents of Ma’ala Yosef regional council. These messages included a link to a compromised version of the MyCity mobile app, which, if downloaded, would allow Handala to further infiltrate the device.
  • Wiper Malware Campaign: On July 20th, Handala launched a mass phishing campaign that used CrowdStrike-themed emails as lures. The emails appeared to be urgent security alerts from the reputable cybersecurity firm, but included links that downloaded wiper malware, a destructive tool designed to erase or corrupt data on infected systems.

Over the last few months, their activity has ramped up even more, with a focus on key political figures and strategically significant institutions. Here is a breakdown of the most recent attacks:

Israeli politicians email attacks (September & October, 2024)

Since September 2024, Handala has orchestrated a series of high-profile email breaches targeting prominent Israeli politicians. These attacks are likely to continue as Handala seeks to expose sensitive information related to Israel’s national security, defense strategies, and foreign relations.

The list of targeted politicians includes:

  • Ron Prosor – Israeli ambassador to Germany and former Mossad officer. Handala leaked 50,000 emails from Prosor’s account, exposing sensitive diplomatic communications.
  • Ehud Barak – Former Israeli prime minister. Handala leaked 110,000 emails from Barak’s personal and official accounts.
  • Gabi Ashkenazi – Former Minister of Foreign Affairs and Chief of General Staff of the Israeli Armed Forces. The breach included 60,000 emails from Ashkenazi’s account, exposing communications that could disrupt Israel’s foreign policy efforts.
  • Benny Gantz – Former Defense Minister. Handala leaked 35,000 emails and 2,000 private photos of Gantz, revealing internal defense discussions.

Soreq Nuclear Research Center (September 28, 2024)

Handala targeted Israel’s Soreq Nuclear Research Center, a critical facility for nuclear research. The group claims to have stolen comprehensive data, including emails, sensitive infrastructure blueprints, personnel information, and administrative documents. This breach poses serious risks for national security, as the stolen data could reveal vulnerabilities within Israel’s nuclear infrastructure, potentially compromising its nuclear capabilities.

Shin Bet (October 3, 2024)

In early October, Handala infiltrated Shin Bet’s security system responsible for monitoring officers’ phones. Handala claimed to have installed malware on these devices, gaining access to confidential information of approximately 30,000 officers, as well as communication logs.

Israeli Industrial Batteries – IIB (October 6, 2024)

On October 6, Handala infiltrated Israeli Industrial Batteries (IIB), a key supplier of energy storage infrastructure to Israel’s defense and military sectors. The group leaked 300GB of sensitive data, including technical specifications, client information, and operational logistics. This breach threatens Israel’s defense supply chain, particularly impacting the military’s reliance on secure, energy-dependent technologies.

Max Shop (October 8, 2024)

Max Shop is a terminal system used in over 9,000 stores across Israel. On October 8th, Handala breached the Max Shop network and dumped 1.5TB of data, including financial transactions and customer details. Handala also defaced kiosk screens and sent threatening messages to over 250,000 Israeli citizens via SMS.

AGAS (October 28, 2024)

AGAS, one of Israel’s largest providers of cloud and cybersecurity services, was breached by Handala on October 28. The hack compromised 74 servers, exposing critical data from over 500 organizations, including government agencies and major corporations. This attack demonstrated Handala’s capacity to infiltrate supply chain networks, threatening not just AGAS but its clients who rely on its secure services for their operations.

Elad Municipality (November 3, 2024)

One of their most recent attacks affected the Elad Municipality on November 3. The hack wiped servers and exposed over 3TB of confidential data, paralyzing municipal operations and community services. The personal data of residents was also exposed.

You can see a summary of all the confirmed attacks here, listed in reverse chronological order (latest first).

Main attack methods and tactics

Handala’s tactics have evolved dramatically since its inception, transitioning from basic defacements and low-level DDoS attacks to highly sophisticated operations involving ransomware, supply chain attacks, and infiltration of air-gapped networks.

The group’s tactics are designed not only to breach and disrupt but also to spread fear and assert a symbolic presence in Israel’s digital landscape.

  1. Most of their attacks start with a phishing email or SMS message, which is usually carefully crafted to target high-profile individuals and organizations (spear-phishing). For instance, they have used spear-phishing emails and messages disguised as security updates or government notifications. One notable phishing campaign targeted Israeli officials, with emails posing as urgent security alerts from recognized cybersecurity vendors.
  2. When a target interacts with the phishing email, malware is deployed on their system – typically a Trojan, spyware, or in some cases, the Handala wiper. This wiper is designed to delete or overwrite data, causing irreparable damage to systems and adding another layer of disruption beyond data theft.
  3. With this initial access, Handala can move across the victim’s network, and identify high-value data and critical systems. They often prioritize accessing email servers, sensitive files, and communication channels.
  4. The final step is data exfiltration, transferring sensitive data to external servers under their control. At this stage, they may also deploy ransomware to encrypt files, locking down critical systems and demanding ransom payments while issuing politically charged messages that align with their ideological goals.

Defacement is another big component of Handala’s attack strategy. They often deface websites or display altered content on digital screens to showcase their ideological messages. For example, during their attack on the Elad Municipality, Handala defaced government web pages with threatening messages directed at the Israeli public.

The risks Handala hacking team poses to organizations in 2024 and beyond

The increased activity of Handala has many implications for the stability and security of organizations in critical sectors, particularly those tied to public infrastructure, government, and private companies with strategic significance.

  • Operational disruption: Handala’s ransomware, data-wiping, and DDoS attacks can bring essential services to a halt. These disruptions affect not only the organization’s immediate operations but also the broader community that relies on these services. Prolonged outages can erode public trust, damage reputations, and require significant resources to recover.
  • Confidential data exposure: Due to the group’s focus on data exfiltration and exposure, sensitive information, such as personal and proprietary data, faces significant risk. Handala frequently publishes the stolen data publicly, which affects everyday citizens and damages the affected organization’s reputation.
  • Financial loss: The financial implications of a Handala attack are considerable. Organizations may face ransom demands, recovery expenses, and investments in enhanced cybersecurity. Indirect costs, such as lost business, customer attrition, and potential regulatory fines, are also part of the equation. The economic toll can be long-lasting.

The risk of follow-up attacks

Once Handala gains access to a network, the stolen data or exploited vulnerabilities can be sold or shared on dark web forums, making the organization a target for other attackers. Furthermore, Handala’s ideological motives mean they may return to previously attacked organizations for repeated breaches, using their earlier successes as a foothold.

This requires organizations to not only respond to current breaches but also focus on securing their perimeter to prevent recurring intrusions.

How to stay protected

Based on the activities and evolving threat landscape posed by the Handala Hacker Group, OP Innovate recommends the following measures for Israeli companies to enhance their cybersecurity posture and mitigate potential risks:

Examine internal suspicious activity

Start by conducting a thorough internal audit to make sure there are no signs of suspicious activity within your network. This includes monitoring for:

  • Unusual login attempts
  • Unexpected data transfers
  • Other anomalies that could indicate a breach
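As an added example (not OP Innovate’s tooling or code from this post), the script below runs two such checks over constructed log lines: it flags a successful login preceded by repeated failures or an external login outside working hours, and outbound flows to external addresses above a size baseline. The log format, the internal address ranges and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data). Logins: "ts user src_ip result"; flows: "ts host dst_ip bytes_out".
AUTH_LOG = """\
2024-10-06T02:14:07 j.cohen 203.0.113.7 FAIL
2024-10-06T02:14:31 j.cohen 203.0.113.7 FAIL
2024-10-06T02:15:02 j.cohen 203.0.113.7 FAIL
2024-10-06T02:15:20 j.cohen 203.0.113.7 OK
2024-10-06T09:05:11 d.levi 10.0.4.22 OK
2024-10-06T11:00:00 m.peretz 198.51.100.20 OK
"""
FLOW_LOG = """\
2024-10-06T02:40:00 fileserver01 198.51.100.9 52000000000
2024-10-06T09:10:00 fileserver01 10.0.4.22 120000000000
2024-10-06T09:30:00 ws-0412 203.0.113.50 500000000
"""
# Assumed internal address space; anything outside it is treated as external.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def unusual_logins(auth_log, max_failures=3, work_hours=(7, 20)):
    """Flag (user, src_ip, reason): a success after >= max_failures failures from
    the same source, or a successful external login outside working hours."""
    findings, failures = [], defaultdict(int)
    for line in auth_log.splitlines():
        ts, user, src, result = line.split()
        if result == "FAIL":
            failures[(user, src)] += 1
            continue
        hour = datetime.fromisoformat(ts).hour
        if failures[(user, src)] >= max_failures:
            findings.append((user, src, f"success after {failures[(user, src)]} failures"))
        if not is_internal(src) and not (work_hours[0] <= hour < work_hours[1]):
            findings.append((user, src, f"external login at {hour:02d}:00"))
        failures[(user, src)] = 0  # reset the counter once a login succeeds
    return findings

def unexpected_transfers(flow_log, baseline_bytes=1_000_000_000):
    """Flag (host, dst_ip, bytes_out) for outbound flows to external hosts above
    the baseline; bulk egress like this is what data exfiltration looks like."""
    findings = []
    for line in flow_log.splitlines():
        _, host, dst, nbytes = line.split()
        if not is_internal(dst) and int(nbytes) > baseline_bytes:
            findings.append((host, dst, int(nbytes)))
    return findings
```

The internal 120 GB transfer to 10.0.4.22 is deliberately not flagged: the rules key on destination and baseline, so tune both to your own environment before relying on them.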

Conduct phishing awareness training

Since phishing is the main entry point for the attackers, you should conduct regular training sessions to raise awareness of phishing tactics among the workforce. The goal is for the employees to learn how to recognize and report suspicious emails.

You could also run phishing simulations to see how your employees react to phishing attempts in a controlled environment.

Secure your network infrastructure

Your network should be protected by advanced security solutions, including firewalls, intrusion detection/prevention systems (IDS/IPS), and anti-DDoS technologies. These tools will help you detect and block malicious activity.

Protect data and create backups

Handala’s attacks include data exfiltration, ransomware, and even wiping. So, it’s necessary to have updated backups stored in secure, off-site locations. This will allow you to quickly restore operations in the event of a breach.

Sensitive data should be encrypted with strong encryption protocols both at rest and in transit.

Suspecting a cybersecurity breach? Contact OP Innovate

If you suspect that your organization has been targeted or compromised by Handala or any other sophisticated threat actor, OP Innovate is here to help. Our Incident Response (IR) team is equipped with the tools, expertise, and processes to contain threats swiftly and mitigate damage.

Our rapid-response framework ensures minimal downtime and thorough investigation, helping you regain control and resume operations as quickly as possible. We are regularly involved in high-stakes incident response engagements, including past Handala-related incidents.

Here is a recent example where we employed advanced social engineering techniques to trace the root cause of a breach and outmaneuver the threat actor.

Incident response case - OP Innovate
