An Iranian cyber group known as Handala recently launched an influence campaign targeting United States military personnel stationed in Bahrain. The campaign, executed through the messaging platform WhatsApp, signifies an escalation in cyber threats against US forces in the region.
Handala’s Threatening Messages
The messages, attributed to Handala, contained warnings indicating that US service members were being closely monitored. In these communications, the group claimed imminent drone and missile attacks would be launched against the troops. The messages explicitly mentioned the use of Shahed drones and Kheibar and Ghadeer missiles, intensifying the threat’s severity.
Personal Data Exposure and Military Warnings
On Tuesday, Handala disclosed personal details of 2,379 US Marine Corps members on its Telegram channel. This revelation follows earlier warnings from the US Navy about Iranian influence operations targeting American forces, as reported by Stars and Stripes. The group, also known by several aliases including Banished Kitten and Red Sandstorm, has been active since 2008, engaging in various cyber activities ranging from hacktivism to outright destructive attacks.
Links to Iranian Intelligence
In March, US authorities officially connected Handala to Iran’s Ministry of Intelligence and Security (MOIS), highlighting the group’s role in intelligence gathering and psychological operations rather than strictly military activities. Handala’s recent actions are viewed as part of a larger campaign that began with assaults on Israeli infrastructure and has now expanded to direct confrontations with US military entities.
Broader Implications and Group Tactics
Handala has previously claimed responsibility for a cyberattack on the US-based medical technology company Stryker, boasting about compromising over 200,000 systems. Additionally, the group asserted it had hacked the personal Gmail account of a former FBI official. The US government has acknowledged these claims and has offered a $10 million reward for information leading to the group’s identification and arrest.
Employing custom malware and social engineering tactics, Handala has targeted a wide range of organizations, from educational institutions to nuclear research centers. The group deploys wiper malware and uses the Telegram Bot API as a command-and-control channel, demonstrating a sophisticated approach to cyber warfare.
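The Telegram Bot API command-and-control pattern mentioned above has a recognizable network shape: every call is an HTTPS request to api.telegram.org with the bot token embedded in the URL path, and a C2 loop typically alternates getUpdates polls with sendMessage or sendDocument posts. The following detection sketch is an added example written for this page, not tooling from the article, SOCRadar, or the group itself. It assumes a constructed key=value proxy log format (ts, src, proc, ua, url fields) and constructed, non-functional bot tokens; the only external fact it relies on is the public Bot API URL format.

```python
import re
from collections import Counter

# Shape of a Telegram Bot API call: https://api.telegram.org/bot<bot_id>:<secret>/<method>
# (public API URL format; bot_id and secret together form the bot token).
BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)
# key=value tokens, quoted or bare, for the assumed proxy log format.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Methods a bot-based C2 loop needs: poll for tasks, post results, move files.
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument", "getFile"}
# A real browser session to Telegram goes to web.telegram.org, not the Bot API;
# Bot API hits from a non-browser user agent are the interesting ones.
BROWSER_UA_HINTS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/")

# Constructed sample proxy log (not real traffic, not real tokens).
SAMPLE_LOG = """\
ts=2024-06-11T09:12:03Z src=10.20.1.17 proc=svchost.exe ua="-" url=https://api.telegram.org/bot123456789:AAHfakeTOKENfakeTOKENfakeTOKEN1234/getUpdates
ts=2024-06-11T09:12:33Z src=10.20.1.17 proc=svchost.exe ua="-" url=https://api.telegram.org/bot123456789:AAHfakeTOKENfakeTOKENfakeTOKEN1234/getUpdates
ts=2024-06-11T09:13:03Z src=10.20.1.17 proc=svchost.exe ua="-" url=https://api.telegram.org/bot123456789:AAHfakeTOKENfakeTOKENfakeTOKEN1234/sendDocument
ts=2024-06-11T09:14:10Z src=10.20.1.42 proc=chrome.exe ua="Mozilla/5.0 Chrome/124.0" url=https://web.telegram.org/a/
ts=2024-06-11T09:15:00Z src=10.20.1.42 proc=chrome.exe ua="Mozilla/5.0 Chrome/124.0" url=https://example.com/index.html
ts=2024-06-11T09:16:22Z src=10.20.1.88 proc=python.exe ua="python-requests/2.31" url=https://api.telegram.org/bot987654321:BBGfakeTOKENfakeTOKENfakeTOKEN5678/sendMessage
"""


def parse_line(line):
    """Split one log line into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(fields):
    """Return a finding dict for a Bot API request, or None if the URL is not one."""
    m = BOT_API.search(fields.get("url", ""))
    if not m:
        return None
    from_browser = fields.get("ua", "").startswith(BROWSER_UA_HINTS)
    return {
        "ts": fields.get("ts"),
        "src": fields.get("src"),
        "proc": fields.get("proc"),
        "bot_id": m.group("bot_id"),
        # Never write the full token to a ticket or SIEM; a prefix is enough to correlate.
        "secret_redacted": m.group("secret")[:4] + "...",
        "method": m.group("method"),
        "suspicious": (not from_browser) and m.group("method") in C2_METHODS,
    }


def scan(log_text):
    """Run every non-empty line through the classifier and keep the Bot API hits."""
    findings = (classify(parse_line(l)) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f]


def beacon_summary(findings):
    """Count getUpdates polls per (src, bot_id); a steady poll loop from one host is the beacon."""
    counts = Counter()
    for f in findings:
        if f["method"] == "getUpdates":
            counts[(f["src"], f["bot_id"])] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("poll loops:", beacon_summary(hits))
```

In production the bot_id is the value worth pivoting on: the same bot_id seen from several hosts, or a poll loop with a fixed interval, distinguishes an implant from a legitimate automation script, and blocking api.telegram.org at the egress proxy (where business use allows it) removes the channel outright.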
According to SOCRadar, Handala operates within a broader Iranian intelligence framework, receiving initial access from more advanced actors. The group’s expansion to targeting military personnel highlights its willingness to extend beyond corporate and infrastructure targets, posing a significant threat to US interests in the region.
