Handala Update: What Peace Deal Means for Future Cyber Activity


Filip Dimitrov

January 28, 2025

In November 2024, we covered Handala’s rise as a major hacktivist threat targeting Israeli systems. 

Now, as headlines shift to a historic peace agreement aimed at resolving the long-standing tensions, the question arises: what happens to a group like Handala? Will the deal dampen their motivations or fuel new waves of cyber activity? 

As a pro-Palestinian entity protesting the war, it would make sense to assume that Handala cyberattacks will stop with the easing of hostilities. However, recent Handala activity suggests that may not be the case.

This follow-up examines Handala’s recent activity and explores how the peace deal may influence its motivations, tactics, and targets.

Recent Handala activity (since Dec. 2024)

Since our last post on Handala, the group has continued with highly targeted and sophisticated attacks on critical Israeli infrastructure, with a noticeable increase in attacks targeting organizations that play pivotal roles in Israel’s supply chain, potentially disrupting operations for many large companies dependent on these services.

That trend had already begun by the time of our first post on Handala: in October 2024 the group breached one of Israel’s largest cybersecurity and cloud service providers.

Since then, several other high-profile attacks transpired, including:

ZUK Group (Jan. 20, 2025)

On January 20, 2025, the ZUK Group, a multinational financial conglomerate operating across sectors such as finance, technology, and energy, became the latest victim of a Handala cyberattack.

The impact of the attack was allegedly extensive. Handala claimed to have breached the company’s internal systems, wiping over 1,000 employee devices and severely crippling ZUK Group’s ability to conduct business. Operations in key locations, including Romania, Kazakhstan, Georgia, and Florida, were reportedly halted, leading to significant operational and reputational challenges.

Handala teasing the ZUK cyberattack on Telegram

Allen Carr’s Easyway (Dec. 30, 2024)

On December 30, 2024, Handala carried out a significant cyberattack on Allen Carr’s Easyway, a leading addiction treatment institution. The breach was executed through a supply chain attack on Reutone (see below), a third-party vendor providing CRM services to Easyway. 

Handala gained unauthorized access to Easyway’s systems, resulting in the exposure of sensitive customer data, including personal information and contact details. This attack disrupted operations and led to over 100,000 unauthorized messages being sent to customers, causing reputational and operational damage.

Reutone (Dec. 25, 2024)

Easyway was just one of 1,500 companies affected by the devastating cyberattack on Reutone, Israel’s largest CRM provider. The breach resulted in the exposure of sensitive business data from prominent organizations, including Bank Hapoalim and FOX.

Handala not only exfiltrated vast amounts of data but also wiped Reutone’s infrastructure and defaced its website, leaving its clients vulnerable and scrambling to mitigate the fallout. 

GNS cloud attack (Dec. 15, 2024)

On December 15, Handala announced that they had successfully infiltrated GNS – another major player in Israel’s cloud and IT infrastructure sector. 

Handala claimed that they have access to very sensitive data, from private communications to financial details, which they threatened to release publicly.

Leaked invoice from the GNS breach

The attack not only disrupted GNS’s operations but also jeopardized data belonging to its clients, many of whom are large enterprises reliant on GNS for secure and stable cloud services.

You can track the full history of Handala attacks here.

What the peace agreement means for Handala activity

Handala existed as a group well before the October 2023 incident in which Hamas launched its large-scale attack on Israel, operating as a hacktivist entity with a history of cyber campaigns tied to geopolitical tensions in the region.

So, a stop to the physical conflict doesn’t mean much in the context of cyber warfare. The cyber battlefield operates on different rules. As seen with nations like China and Russia, countries or groups can maintain aggressive cyber campaigns even while presenting friendly military or economic relations on the surface.

Handala’s ideological leaders may see the peace deal as undermining Palestinian sovereignty, justifying attacks on entities perceived to support the agreement.

The fact that another high-profile attack (ZUK financial services) was announced just days after the ceasefire rumors started suggests that Handala activity is not slowing down but will likely increase in frequency and impact.

Can we expect a surge in attacks?

The popularity Handala has gained over the past year, along with the public disclosure of another high-profile victim just days after the peace talks rumors started, suggests that Handala may just be getting started.

The group has already positioned itself to escalate attacks through its focus on supply chain vulnerabilities, which allow it to infiltrate critical infrastructure and disrupt multiple organizations through a single breach.

A perfect example is the Reutone breach, which led to an attack on Allen Carr’s Easyway just a few days later (as seen above).

On top of that, their new-found fame could lead to broader alliances with other like-minded hacktivist groups, amplifying the scale and impact of their campaigns.

OP Innovate highly recommends that organizations take a proactive stance in protecting against Handala, especially if they operate in sectors that Handala has historically targeted or if they rely on cloud or other services that Handala has previously breached.

How organizations can prepare

A dangerous and evolving threat like Handala demands a comprehensive and proactive approach to cybersecurity. Organizations must adopt strategies that not only detect and mitigate current risks but also anticipate future attacks. Key steps include:

Proactive monitoring and testing of the attack surface

Regularly assess your systems for vulnerabilities to ensure potential entry points are identified and addressed before they can be exploited. Tools like OP Innovate’s WASP platform provide continuous penetration testing and attack surface management, offering organizations the insights needed to strengthen their defenses. 

Special attention should be given to supply chain vulnerabilities, as Handala has increasingly targeted third-party vendors critical to operations.
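The Reutone-to-Easyway chain shows why a vendor inventory needs to record not just who a vendor is, but what data it holds, which internal systems it can reach, and which vendors it in turn depends on. The following added example (not OP Innovate or WASP code; vendor names, data categories and system names are constructed sample data) walks that dependency graph outward from a reported vendor breach to list what is exposed, including fourth-party exposure through a vendor's own subprocessors, and ranks vendors by how much a breach of each would expose, which is a practical way to prioritise third-party assessments.

```python
"""Third-party blast-radius mapping (added example; constructed sample data).

Given an inventory of vendors, the data they hold, the internal systems they
can reach and the vendors they themselves rely on, compute what a breach of
one vendor exposes, following vendor-of-vendor links as well.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Vendor:
    """One third party in the supply-chain inventory."""
    name: str
    service: str
    data_access: frozenset = frozenset()    # data categories the vendor holds for us
    system_access: frozenset = frozenset()  # internal systems it can reach (API keys, VPN, SSO)
    subprocessors: frozenset = frozenset()  # vendors this vendor itself depends on


@dataclass
class BlastRadius:
    """Everything reachable from one breached vendor."""
    breached: str
    affected_vendors: list       # breach order, breadth-first from the breached vendor
    exposed_data: frozenset
    exposed_systems: frozenset


def dependents_index(inventory):
    """Reverse the subprocessor edges: for each vendor, who relies on it?"""
    index = {name: set() for name in inventory}
    for vendor in inventory.values():
        for sub in vendor.subprocessors:
            index.setdefault(sub, set()).add(vendor.name)
    return index


def blast_radius(inventory, breached):
    """Walk from the breached vendor to every vendor that depends on it."""
    if breached not in inventory:
        raise KeyError(f"unknown vendor: {breached}")
    dependents = dependents_index(inventory)
    seen = {breached}
    queue = deque([breached])
    affected, data, systems = [], set(), set()
    while queue:
        name = queue.popleft()
        vendor = inventory[name]
        affected.append(name)
        data |= vendor.data_access
        systems |= vendor.system_access
        for dep in sorted(dependents[name]):  # sorted for deterministic output
            if dep not in seen:               # 'seen' also guards against cycles
                seen.add(dep)
                queue.append(dep)
    return BlastRadius(breached, affected, frozenset(data), frozenset(systems))


def rank_vendors(inventory):
    """Vendors ordered by how much a breach of each would expose (most first)."""
    scored = []
    for name in inventory:
        br = blast_radius(inventory, name)
        scored.append((len(br.exposed_data) + len(br.exposed_systems), name))
    return [name for _, name in sorted(scored, key=lambda t: (-t[0], t[1]))]


# Constructed sample inventory: a hosting provider used by two SaaS vendors,
# and an analytics vendor that consumes exports from the CRM vendor.
SAMPLE_INVENTORY = {
    "cloud-host": Vendor("cloud-host", "IaaS hosting"),
    "crm-vendor": Vendor("crm-vendor", "CRM and customer messaging",
                         frozenset({"customer PII", "contact details"}),
                         frozenset({"sms-gateway", "customer-portal"}),
                         frozenset({"cloud-host"})),
    "hr-payroll": Vendor("hr-payroll", "payroll SaaS",
                         frozenset({"employee PII", "bank details"}),
                         frozenset({"hris"}),
                         frozenset({"cloud-host"})),
    "analytics": Vendor("analytics", "marketing analytics",
                        frozenset({"usage telemetry"}),
                        frozenset(),
                        frozenset({"crm-vendor"})),
}


if __name__ == "__main__":
    report = blast_radius(SAMPLE_INVENTORY, "crm-vendor")
    print(f"Breach of {report.breached} reaches: {', '.join(report.affected_vendors)}")
    print("Exposed data:   ", sorted(report.exposed_data))
    print("Exposed systems:", sorted(report.exposed_systems))
    print("Assessment priority:", rank_vendors(SAMPLE_INVENTORY))
```

The exposed-systems list is the immediate containment checklist when a vendor announces a breach (rotate the credentials those integrations use, review their access logs), and the exposed-data list is what the notification assessment has to cover. Ranking by blast radius rather than by contract value is what surfaces a low-profile hosting or CRM provider as the vendor whose compromise would hurt most.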

Threat intelligence capabilities

By actively tracking Handala’s messaging and alliances on platforms like Telegram and the dark web, cyber threat intelligence (CTI) enables organizations to identify potential breaches and anticipate future attacks with confidence.

WASP Threat Intelligence, seamlessly integrated into the WASP platform, delivers unparalleled access to global breach data, allowing users to monitor and respond to compromised credentials, data leaks, ransomware, and other exposures in near real-time. 

Incident response on retainer

Against a highly sophisticated and motivated hacktivist actor with nation-state links like Handala, prevention is only one piece of the puzzle. You also have to be fully prepared for a scenario where an attack does occur, putting your entire operations and reputation at risk.

That’s why many prominent organizations invest in retainer-based incident response services that give them immediate access to expert teams who can quickly contain threats, minimize damage, and guide recovery efforts.

OP Innovate has helped several organizations targeted by Handala to identify the root cause of the breach and quickly get back to full operational capacity. 

OP Innovate’s role in mitigating Handala threats

OP Innovate is proud to serve as a trusted partner that plays an active role in helping organizations prevent and respond to Handala-related incidents.

We have helped clients in critical sectors quickly identify, contain, and remediate breaches, ensuring minimal operational impact. 

Our incident response team is active 24/7, delivering over 10,000 hours of incident response time over the last three years while resolving 50+ cyber incidents annually. Our team is certified in industry-leading qualifications such as GCIH, OSCE, and OSCP.

Want to speak to an expert to ensure your organization is secure from Handala and other nation-state actors?
