Handala have been fully kicked off Telegram, including their backup channel.

Achievement unlocked as I can't remember a group ever getting fully booted.

#threatintel #handala

Handala claim to have done a hack and wipe of Tosaf, a plastics manufacturer.

Screenshots show apparent Windows domain admin access, and they attach CCTV videos of themselves playing songs into a factory and an office, with workers looking confused.

#handala #threatintel

There’s some coverage in Israeli media suggesting a focus on schools, with Israeli authorities acknowledging the incidents.
mivzaklive.co.il/archives/8794…

inn.co.il/news/659713

For the record Handala claims they sent 5million text messages at 8am this morning, UK time.

#handala #threatintel

Handala claim to have hacked the Ministry of National Security in Israel, activated red alert to get people into shelters, closed the doors, then played a song and wiped the system.

Very unclear how widespread or credible this is, although some Israeli social media posts show devices going off and playing songs.

#handala #threatintel

Handala got booted off Telegram after the Zuk Group hack.

They’re back on another channel and posted:

“وَ كَمْ قَصَمْنا مِنْ قَرْيَةٍ كانَتْ ظالِمَةً ... بَلْ نَقْذِفُ بِالْحَقِّ عَلَى الْباطِلِ فَيَدْمَغُهُ فَإِذا هُوَ زاهِقٌ‌ ...”

Which translates to

“How many a city have We destroyed which was unjust... Rather, We cast the truth upon falsehood, and it destroys it, and at once it departs...”

#handala #threatintel

Handala claim to have done a hack and wipe of Zuk Group, an Israel group of financial companies. Their website has been defaced as of writing.

Handala posted a series of videos appearing to show access to their internal network.

Handala also claim the company is a front for Mossad. They offer no evidence of that bit.

#handala #threatintel

One note, they fully respected the dates of the ceasefire last time but apparently aren’t bothered this time? #handala #threatintel

Edit: derp, it was Cyber Toufan who respected the ceasefire, not Handala.

Handala claim they will be wiping Mossad’s financial network today. Also, they appear to have purchased ChatGPT premium.

#handala #threatintel

The '100K messages sent' thing is a reference to Handala abusing WhatsApp Business accounts, my English translation of message they've been sending.

#handala #threatintel

Handala has also defaced ReutOne’s website, and published videos of RDP access to ReutOne’s internal network, eg Active Directory Certificate Authority etc. web.archive.org/web/2024122614…

#threatintel #Handala

Handala claim to have gained access to
CaaB Cloud (caab.cloud), aka Cloud as a Business, posting a video of administrator access. CAAB Cloud describe themselves as “The MSP’s Cloud” in marketing.

CAAB Cloud is owned and operated by GNS in Israel, aka gns.cloud

It is unclear if the claims are credible. CaaB’s status page suggest a ~10% availability impact in one of their Israeli datacenters three days ago on cloud VM. status.caab.cloud

#Handala #threatintel

CaaB - The MSP's Cloud

Join now and become a White-Label Public Cloud IaaS Reseller today!24/7 partner support, Cloud Management Platform, Top Performance, No minimum commitments. Sign up now!

^CaaB

Handala say they plan their most destructive hack so far this weekend, over the fate of Reza Avazeh

There’s even a video, but sadly no hoodie wearing hackers

#Handala #threatintel

Masoumeh Karbasi & Reza Avazeh were killed in a drone strike in Lebanon in October. As far as I can see nobody knew why publicly, Handala’s linking Reza to Hezbollah and their cybersecurity appears to be a first.

His children were invited to meet ‘Supreme Leader of the Islamic Revolution’ that week. farsi.khamenei.ir/news-content…

#Handala #threatintel

So with the Unit 8200 stuff and Handala, their latest claim is they gained access to Silicom Limited (an IT services and networking company) and exfiltrated data, and that Silicom is a front company for Unit 8200.

Presented evidence includes a video accessing an internal VMware vCentre cluster with about 50tb of storage.

#Handala #threatintel

Handala continues to be crazy town, with data dumps of what is allegedly to be SSV Network, a blockchain company.

Handala claim they can link it (SSV Network) to Unit 8200, the Israeli intelligence agency. So far this appears to be without proof.

I’m going to guess, based on this post, they plan to post more tomorrow about Unit 8200.

#Handala #threatintel

A few things have happened with Handala over the past few days which I haven’t covered - they’ve been dumping cloud backup photos and making threats, including about family members. I didn’t want to cover it.

All but one of the Handala Telegram channels has been shut down tonight.

#Handala #threatintel

Handala have posted photos and internal diagrams of, they claim, Shimon Peres Negev Nuclear Research Center.

The data appears to have come from Soreq. I have confirmed Soreq was owned, via the IAEA.

#Handala #threatintel

Handala claims to have done a leak and wipe of Elad municipality.

Elad's website is offline, and there's an Israeli media report of some kind of cyber incident.

Handala typically over exaggerate data volumes exfiltrated.

#Handala #threatintel

Handala say have hacked and dumped IM Cannabis aka IMC - imcannabis.com/ - using their access via AGAS, their MSP.

They also implicate another company, NDN Security - ndn-security.com/

#threatintel #handala

Handala claim to have released 10gb of customer data for AGAS.

It does appear AGAS has a security incident going on. AGAS declined to comment when asked.

#threatintel #handala

Handala claim to have hacked and wiped 74 servers at AGAS - agas.co.il - an Israeli MSP, MSSP and cloud reseller.

I’m not sure the size of the org stacks up with Handala’s claim. Also, 74 servers is not a lot.

I’ve reached out to AGAS to see if they want to comment.

#threatintel #handala

Handala's latest is a dump allegedly of Ron Prosor's emails, who they originally mentioned 8 days ago. Ron is the Ambassador of Israel to Germany. Telegram post includes death threats.

50k emails, again looks like a personal email account. #threatintel #handala

Edit: I broke the thread on this, the prior ones are at cyberplace.social/@GossiTheDog…

Kevin Beaumont (@GossiTheDog@cyberplace.social)

Attached: 1 image Handala are now upset with Yair Golan, in particular highlighting his comments about a possible attack on Iran. Contains the usual, a picture dump - so far no email dump.

^{Kevin Beaumont (Cyberplace)}

Breaking, new, by me: Iran-backed Hackers Claim Wiper Attack on Medtech Firm Stryker

A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker's main U.S. headquarters says the company is currently experiencing a building emergency.

From the story:

"Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices."

"Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently."

krebsonsecurity.com/2026/03/ir…

#stryker #handala #intune #wiper #cybersecurity