{"id":16235,"date":"2026-03-12T16:32:37","date_gmt":"2026-03-12T16:32:37","guid":{"rendered":"https:\/\/www.europesays.com\/iran\/16235\/"},"modified":"2026-03-12T16:32:37","modified_gmt":"2026-03-12T16:32:37","slug":"how-handala-became-the-face-of-irans-hacker-counterattacks","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/iran\/16235\/","title":{"rendered":"How \u2018Handala\u2019 Became the Face of Iran\u2019s Hacker Counterattacks"},"content":{"rendered":"<p>Since the United States and Israel <a href=\"https:\/\/www.wired.com\/story\/us-iran-strike-donald-trump\/\" rel=\"nofollow noopener\" target=\"_blank\">first unleashed<\/a> a broad campaign of <a href=\"https:\/\/www.wired.com\/story\/every-country-directly-impacted-by-the-war-on-iran\/\" rel=\"nofollow noopener\" target=\"_blank\">air strikes across Iran<\/a> in late February, the cybersecurity industry has warned that the country\u2019s retaliatory measures would include punishing, disruptive cyberattacks against Western targets. Late Tuesday night, the first of those attacks arrived in the US: a devastating breach of the medical technology firm <a data-offer-url=\"https:\/\/d18rn0p25nwr6d.cloudfront.net\/CIK-0000310764\/7fd1068c-1cef-4fd3-8a20-8c086e15da56.pdf\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/d18rn0p25nwr6d.cloudfront.net\/CIK-0000310764\/7fd1068c-1cef-4fd3-8a20-8c086e15da56.pdf&quot;}\" href=\"https:\/\/d18rn0p25nwr6d.cloudfront.net\/CIK-0000310764\/7fd1068c-1cef-4fd3-8a20-8c086e15da56.pdf\" rel=\"nofollow noopener\" target=\"_blank\">Stryker<\/a> that has <a data-offer-url=\"https:\/\/www.wsj.com\/articles\/stryker-hit-with-suspected-iran-linked-cyberattack-52f6615c?gaa_at=eafs&amp;gaa_n=AWEtsqdFrSXf-gy_ftlfgo0Yh3ZRJlI_IPRgRgMA3oz513ROm7NL7H7hRrR2qbz76Sk%3D&amp;gaa_ts=69b28a43&amp;gaa_sig=g-dciEk-SG6CpMqQh8ypQ7ugYqEuJFuwH08v0hsR8zxXKNuBzMgq0CJHLkk-aizECGYf6_CTHlhsL6hQPh3R2g%3D%3D\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.wsj.com\/articles\/stryker-hit-with-suspected-iran-linked-cyberattack-52f6615c?gaa_at=eafs&amp;gaa_n=AWEtsqdFrSXf-gy_ftlfgo0Yh3ZRJlI_IPRgRgMA3oz513ROm7NL7H7hRrR2qbz76Sk%3D&amp;gaa_ts=69b28a43&amp;gaa_sig=g-dciEk-SG6CpMqQh8ypQ7ugYqEuJFuwH08v0hsR8zxXKNuBzMgq0CJHLkk-aizECGYf6_CTHlhsL6hQPh3R2g%3D%3D&quot;}\" href=\"https:\/\/www.wsj.com\/articles\/stryker-hit-with-suspected-iran-linked-cyberattack-52f6615c?gaa_at=eafs&amp;gaa_n=AWEtsqdFrSXf-gy_ftlfgo0Yh3ZRJlI_IPRgRgMA3oz513ROm7NL7H7hRrR2qbz76Sk%3D&amp;gaa_ts=69b28a43&amp;gaa_sig=g-dciEk-SG6CpMqQh8ypQ7ugYqEuJFuwH08v0hsR8zxXKNuBzMgq0CJHLkk-aizECGYf6_CTHlhsL6hQPh3R2g%3D%3D\" rel=\"nofollow noopener\" target=\"_blank\">reportedly<\/a> disabled as many as tens of thousands of computers and paralyzed much of the company\u2019s global operations\u2014all carried out by an Iranian hacker group that calls itself Handala.<\/p>\n<p class=\"paywall\">\u201cWe announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,\u201d read a statement posted to Handala\u2019s website, referencing both the <a data-offer-url=\"https:\/\/www.bellingcat.com\/news\/2026\/03\/08\/video-shows-us-tomahawk-missile-strike-next-to-girls-school-in-iran\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.bellingcat.com\/news\/2026\/03\/08\/video-shows-us-tomahawk-missile-strike-next-to-girls-school-in-iran\/&quot;}\" href=\"https:\/\/www.bellingcat.com\/news\/2026\/03\/08\/video-shows-us-tomahawk-missile-strike-next-to-girls-school-in-iran\/\" rel=\"nofollow noopener\" target=\"_blank\">American Tomahawk<\/a> <a data-offer-url=\"https:\/\/www.nytimes.com\/2026\/03\/08\/world\/middleeast\/iran-minab-school-strike.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.nytimes.com\/2026\/03\/08\/world\/middleeast\/iran-minab-school-strike.html&quot;}\" href=\"https:\/\/www.nytimes.com\/2026\/03\/08\/world\/middleeast\/iran-minab-school-strike.html\" rel=\"nofollow noopener\" target=\"_blank\">missile<\/a> that killed at least <a href=\"https:\/\/www.npr.org\/2026\/03\/11\/nx-s1-5744981\/pentagon-iran-missile-school-hegseth\" rel=\"nofollow noopener\" target=\"_blank\">165 civilians<\/a> at a <a href=\"https:\/\/news.un.org\/en\/story\/2026\/03\/1167063\" rel=\"nofollow noopener\" target=\"_blank\">girl\u2019s school<\/a> in Iran and numerous <a href=\"https:\/\/www.wired.com\/story\/from-ukraine-to-iran-hacking-security-cameras-is-now-part-of-wars-playbook\/\" rel=\"nofollow noopener\" target=\"_blank\">hacking operations<\/a> that the US and Israel have carried out as part of the two countries\u2019 assaults across Iran. \u201cThis is only the beginning of a new era of cyber warfare.\u201d<\/p>\n<p class=\"paywall\">Even among American cybersecurity researchers who closely track state-sponsored hacking groups, Handala\u2014which takes its name from the well-known Handala character in the political cartoons of Palestinian artist Naji al-Ali\u2014has until now hardly achieved much notoriety. But those who have followed the group\u2019s evolution, particularly in Israel\u2019s cybersecurity industry, say the group is now widely believed to be a front for Iran\u2019s Ministry of Intelligence, or MOIS. They\u2019ve seen the hackers become the most prominent player in a wave of Iranian state cyber operators who pose as hacktivists while seeking to inflict noisy, often politically motivated chaos on adversaries. Handala, or the same group operating under earlier names, has launched data-destroying and hack-and-leak operations for years against targets ranging from the Albanian government to Israeli businesses and political officials.<\/p>\n<p class=\"paywall\">Now, as Iran\u2019s <a href=\"https:\/\/www.wired.com\/story\/5-big-known-unknowns-donald-trump-iran-war\/\" rel=\"nofollow noopener\" target=\"_blank\">regime faces an existential threat<\/a>, its hackers\u2014and Handala in particular\u2014have likely been tasked with using every tool they\u2019ve held in reserve and every foothold they\u2019ve quietly gained inside a Western network to fight back against the US and Israel, says Sergey Shykevich, who leads threat intelligence research at at the Tel-Aviv-based cybersecurity firm Check Point. \u201cThey&#8217;re all in,\u201d Shykevich says. \u201cThey\u2019re trying to do whatever they can now to carry out destructive activity.\u201d<\/p>\n<p class=\"paywall\">Within that effort among Iranian state-sponsored hacking agencies to achieve loud, publicly visible digital retribution, Handala has grown into \u201cprobably the most dominant group,\u201d says Shykevich. \u201cThey are the main face now.\u201d<\/p>\n<p class=\"paywall\">Although hacking groups are prone to exaggerate or embellish their successes and the impact of their activity, Handala has publicly claimed more than a dozen, mostly Israeli, victims since the start of the war two weeks ago. The group has \u201ccombined the noisy, chaotic playbook of a hacktivist group with the destructive capabilities of a nation-state,\u201d says Justin Moore, a threat intelligence researcher at security firm Palo Alto Networks\u2019 Unit 42 group, calling Handala \u201ca primary cyber-retaliatory arm for the Iranian regime.\u201d<\/p>\n<p class=\"paywall\">Despite the chaos it has unleashed, Handala\u2019s strategic thinking shouldn\u2019t be overestimated, says Rafe Pilling, director of that intelligence at cybersecurity firm Sophos\u2019 X-Ops group. Handala appears to be attempting to gain access to organizations quickly and do whatever damage it can in the midst of US and Israeli air strikes that have <a data-offer-url=\"https:\/\/www.politico.com\/news\/2026\/03\/04\/israel-iran-cyber-headquarters-00813364\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.politico.com\/news\/2026\/03\/04\/israel-iran-cyber-headquarters-00813364&quot;}\" href=\"https:\/\/www.politico.com\/news\/2026\/03\/04\/israel-iran-cyber-headquarters-00813364\" rel=\"nofollow noopener\" target=\"_blank\">reportedly<\/a> hit parts of Iran\u2019s cyber operations. \u201cThis doesn\u2019t have the hallmarks of a plan,\u201d Pilling says of Handala\u2019s recent hacking campaign. \u201cIt\u2019s likely the group is currently thrashing for targets of opportunity that they can hit in Israel or the US, to demonstrate that they are having some kind of retaliatory effect, but not from any kind of strategic perspective.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"Since the United States and Israel first unleashed a broad campaign of air strikes across Iran in late&hellip;\n","protected":false},"author":2,"featured_media":16236,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[8526,822,7060,666,8525,34,37,443,36],"class_list":{"0":"post-16235","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-iran","8":"tag-breaches","9":"tag-cybersecurity","10":"tag-data-breaches","11":"tag-hackers","12":"tag-hacking","13":"tag-iran","14":"tag-israel","15":"tag-security","16":"tag-war"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@iran\/116217167481984905","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/posts\/16235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/comments?post=16235"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/posts\/16235\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/media\/16236"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/media?parent=16235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/categories?post=16235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/iran\/wp-json\/wp\/v2\/tags?post=16235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}