An Iranian cyber group known as Handala Hack has launched a series of destructive attacks against targets in Israel, the United States, and Albania. These operations utilize remote desktop access, network tunneling, and several data-wiping methods simultaneously.
Group Identity and Objectives
Operating under the broader identity of Void Manticore, also known as Red Sandstorm and Banished Kitten, Handala Hack is closely associated with Iran’s Ministry of Intelligence and Security (MOIS). Unlike espionage-focused attacks, the group’s activities are designed to obliterate data, making recovery efforts extremely difficult.
Handala Hack draws its name from a renowned Palestinian cartoon character and has been active since late 2023. The group also uses the aliases Karma and Homeland Justice, with the latter having targeted Albanian government sectors since mid-2022. Recently, the group expanded its reach to the United States, impacting organizations like the medical technology company Stryker.
Evolution of Attack Techniques
According to research by Check Point, Handala Hack’s attack strategies have evolved, with new techniques emerging alongside their established methods. The group has incorporated NetBird, a legitimate peer-to-peer networking tool, to tunnel traffic within victim networks, and has begun using AI-assisted PowerShell scripts in their data-wiping arsenal.
Notably, the group’s operational discipline has declined: its activity is now traceable to Iranian IP addresses, whereas it previously routed operations through commercial VPN services. An attack typically begins with compromised VPN credentials, obtained either by brute-force attacks or through supply chain compromises of IT service providers.
Destructive Methods and Defensive Measures
Handala Hack is distinguished by its use of multiple wipers concurrently, ensuring swift and extensive data destruction. The group’s tactics include deploying the Handala Wiper via Group Policy logon scripts, which overwrites file contents and corrupts the Master Boot Record (MBR) for severe damage. This wiper operates remotely from the Domain Controller, evading detection by security tools.
In addition, the group uses an AI-assisted PowerShell wiper to erase files and flood drives with propaganda images. They also employ VeraCrypt to encrypt drives, hindering recovery efforts. Finally, operators manually delete virtual machines and files via RDP, a practice highlighted in their own leaked videos.
To counter these threats, organizations should enforce multi-factor authentication on all remote and privileged accounts and monitor for logins from unfamiliar locations or at odd hours. Blocking connections from Iranian IP addresses and known Starlink IP ranges is recommended, as is disabling RDP access where unnecessary.
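The monitoring the previous paragraph recommends can be prototyped as a small log review. The Python below is an added example, not code from the article or from Check Point. It assumes a constructed one-line-per-event authentication log format (timestamp, user, source IP, country, result, service), a constructed per-user country baseline, a business-hours window of 07:00-19:59, and a placeholder blocked range (an RFC 5737 documentation network standing in for the Iranian and Starlink ranges the article names). It flags successful logins at odd hours, logins from a country the user has not used before, any contact from a blocked range, and a success that follows a run of failed attempts, which is the credential-guessing entry point described earlier.

```python
"""Flag the remote-login patterns the article recommends watching for.

All log lines, the blocked range and the country baseline below are
constructed for illustration; they are not data from the article.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample lines: "<ISO timestamp> <user> <src_ip> <country> <result> <service>"
SAMPLE_LOGS = [
    "2024-05-01T09:12:04 alice 198.51.100.7 IL success vpn",
    "2024-05-01T10:30:11 bob 198.51.100.22 US success rdp",
    "2024-05-01T16:45:00 alice 198.51.100.7 IL success vpn",
    "2024-05-02T03:14:55 alice 192.0.2.10 IR success vpn",
    "2024-05-02T02:40:01 svc_backup 203.0.113.5 IR failure vpn",
    "2024-05-02T02:40:09 svc_backup 203.0.113.5 IR failure vpn",
    "2024-05-02T02:40:17 svc_backup 203.0.113.5 IR failure vpn",
    "2024-05-02T02:40:25 svc_backup 203.0.113.5 IR failure vpn",
    "2024-05-02T02:40:33 svc_backup 203.0.113.5 IR failure vpn",
    "2024-05-02T02:40:41 svc_backup 203.0.113.5 IR success vpn",
    "2024-05-02T11:02:13 bob 198.51.100.22 US failure rdp",
    "2024-05-02T11:02:30 bob 198.51.100.22 US success rdp",
]

# Placeholder for the ranges an organisation decides to block (the article
# names Iranian and Starlink ranges); 203.0.113.0/24 is an RFC 5737
# documentation network standing in for them here.
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as a normal working hour (assumption)
FAILURE_THRESHOLD = 5           # consecutive failures that make a following success suspicious
# Constructed baseline of the countries each user normally logs in from.
KNOWN_COUNTRIES = {"alice": {"IL"}, "bob": {"US"}, "svc_backup": {"IL"}}


def parse_line(line):
    """Split one constructed log line into a typed event dict."""
    ts, user, ip, country, result, service = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "country": country,
            "result": result, "service": service}


def in_blocked_range(ip):
    return any(ip in net for net in BLOCKED_RANGES)


def analyze(lines, known_countries=KNOWN_COUNTRIES):
    """Return (rule, user, timestamp) alerts in chronological order."""
    alerts = []
    failures = defaultdict(int)   # consecutive failed attempts per user
    seen_blocked = set()          # (user, ip) pairs already reported
    for event in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        user, ts = event["user"], event["ts"]
        # Any contact from a blocked range is reported once per user/IP pair.
        if in_blocked_range(event["ip"]) and (user, event["ip"]) not in seen_blocked:
            seen_blocked.add((user, event["ip"]))
            alerts.append(("blocked_range", user, ts))
        if event["result"] != "success":
            failures[user] += 1
            continue
        # A success right after a run of failures looks like guessed credentials.
        if failures[user] >= FAILURE_THRESHOLD:
            alerts.append(("success_after_brute_force", user, ts))
        failures[user] = 0
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("odd_hours", user, ts))
        if event["country"] not in known_countries.get(user, set()):
            alerts.append(("new_country", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in analyze(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {rule:26} {user}")
```

Run stand-alone, the script lists one blocked-range alert and a brute-force-then-success alert for the service account, plus odd-hours and new-country alerts for both logins that arrive at night from an unfamiliar country; the daytime logins from known countries produce nothing. In a real deployment the country field would come from a GeoIP lookup, the baseline from historical logs rather than a hard-coded dict, and the hour window and failure threshold would be tuned to the environment.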
