Iran-linked hacker compromises FBI director’s personal email and attacks Stryker with wiper attack

March 28, 2026

Iranian-linked attackers hacked into the personal email account of FBI Director Kash Patel and leaked a cache of photos and other documents onto the internet.

“Patel’s name will be found among the list of successfully hacked victims,” Handala Hack, which carried out the breach, said on its website. In a statement shared with Reuters, the FBI confirmed that Patel’s email was targeted and said it had taken the necessary steps to “mitigate the potential risks associated with this activity.”

The agency also said the data released was “historical in nature and does not contain government information.” The leak includes emails from 2010 and 2019 allegedly sent by Patel.

Handala Hack is assessed to be a pro-Iranian, pro-Palestinian hacktivist persona operated by Iran’s Ministry of Intelligence and Security (MOIS). The underlying actor is tracked by the cybersecurity community under the names Banished Kitten, Cobalt Mystique, Red Sandstorm, and Void Manticore; it also operates a second persona, Homeland Justice, which has targeted Albanian entities since mid-2022.

A third persona attributed to the same MOIS-linked actor is Karma, which is believed to have been fully superseded by Handala Hack from late 2023.

Data collected by StealthMole reveals that Handala’s online presence promotes its activities beyond messaging platforms and cybercrime forums such as BreachForums, and maintains a layered infrastructure that includes surface web domains, Tor-hosted services, and external file hosting platforms such as MEGA.

“Handala consistently targets IT and service providers to obtain credentials, relying primarily on compromised VPN accounts for initial access,” Check Point said in a report released this month. “Throughout the past several months, we have observed hundreds of logon and brute force attempts against organizations’ VPN infrastructure linked to Handala-related infrastructure.”

Attacks attributed to the persona are known to use RDP for lateral movement and to carry out destructive operations by deploying wiper malware families such as Handala Wiper and Handala PowerShell Wiper through Group Policy logon scripts. Legitimate disk encryption utilities such as VeraCrypt are also used to complicate recovery efforts.
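The Check Point observation above (hundreds of logon and brute-force attempts against VPN infrastructure, followed by access through compromised VPN accounts) is the kind of activity a defender can surface from authentication logs. The following is an added example, not code from the article or from any vendor it cites: a small detector that parses constructed, syslog-style VPN authentication lines, counts failures per source address inside a sliding time window, flags sources that cross a threshold, and additionally flags any later successful logon from an already-flagged source, which is the signal that a brute-forced account may now be in use. The log format, field names and sample addresses are assumptions made for the example.

```python
"""
Added example: sliding-window VPN brute-force detection over constructed log
lines. Not the article's or Check Point's code; the log format is assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real vendor format):
#   <ISO timestamp> vpn auth=<success|failure> user=<name> src=<ipv4>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log: one benign user typo, then password spraying from a
# single source that ends in a successful logon for a service account.
SAMPLE_LOG = [
    "2026-03-20T01:00:00 vpn auth=failure user=jsmith src=198.51.100.5",
    "2026-03-20T01:00:30 vpn auth=success user=jsmith src=198.51.100.5",
    "2026-03-20T02:00:00 vpn auth=failure user=admin src=203.0.113.7",
    "2026-03-20T02:00:05 vpn auth=failure user=administrator src=203.0.113.7",
    "2026-03-20T02:00:10 vpn auth=failure user=jsmith src=203.0.113.7",
    "2026-03-20T02:00:15 vpn auth=failure user=svc_backup src=203.0.113.7",
    "2026-03-20T02:00:20 vpn auth=failure user=svc_backup src=203.0.113.7",
    "2026-03-20T02:00:25 vpn auth=failure user=svc_backup src=203.0.113.7",
    "2026-03-20T02:01:00 vpn auth=success user=svc_backup src=203.0.113.7",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_vpn_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alert dicts, in the order they are raised.

    A 'bruteforce' alert fires once per source when it accumulates `threshold`
    failures within `window`. A 'success_after_bruteforce' alert fires for each
    later successful logon from a source that has already been flagged.
    """
    failures = defaultdict(deque)   # src -> timestamps of failures in the window
    users_tried = defaultdict(set)  # src -> usernames attempted
    flagged = set()
    alerts = []

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # ignore unparseable lines rather than crash on them
        src, ts = ev["src"], ev["ts"]

        if ev["result"] == "failure":
            q = failures[src]
            q.append(ts)
            users_tried[src].add(ev["user"])
            # Drop failures that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({
                    "type": "bruteforce",
                    "src": src,
                    "failures": len(q),
                    "users": sorted(users_tried[src]),
                    "at": ts.isoformat(),
                })
        elif src in flagged:
            alerts.append({
                "type": "success_after_bruteforce",
                "src": src,
                "user": ev["user"],
                "at": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_vpn_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures is noise on any internet-facing VPN, but a success from a source that was just spraying usernames is a concrete indicator that a credential has been compromised and should be reset and its sessions terminated. In production the threshold and window would be tuned to the gateway’s normal failure rate, and the same per-source logic applies unchanged to logs exported from a real VPN appliance once the regex is adapted to its format.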

“Unlike financially motivated cybercrime groups, Handala-related activities have historically focused on disruption, psychological impact, and geopolitical signaling,” Flashpoint said. “Operations by this individual often coincide with periods of heightened geopolitical tension and often target organizations with symbolic or strategic value.”

This development comes against the backdrop of the US-Israel-Iran conflict, with Iran launching retaliatory cyber attacks against Western targets. In particular, Handala Hack claimed credit for paralyzing the network of medical equipment and services provider Stryker by deleting vast amounts of company data and wiping thousands of employee devices. The attack is the first confirmed destructive wiper operation against a Fortune 500 company in the United States.

“The incident has been contained,” Stryker said in an update posted on its website this week, adding that it “responded quickly to not only restore access, but also remove the unauthorized parties from the environment” by dismantling the persistence mechanisms that were installed. The company said the breach was limited to its internal Microsoft environment.

The threat actors were found to have used a malicious file to execute commands and conceal their activity; Stryker noted, however, that the file had no ability to spread across the network.

Palo Alto Networks Unit 42 said the primary vectors of recent destructive operations by Handala Hack likely include “identity abuse through phishing and administrative access through Microsoft Intune.” Hudson Rock has found evidence that compromised credentials related to Microsoft infrastructure obtained through infostealer malware may have been used to perform the hack.

Following this breach, both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) released guidance for hardening Windows domains and hardening Intune to protect against similar attacks. This includes using the principle of least privilege, enforcing phishing-resistant multi-factor authentication (MFA), and enabling multiple administrator approvals in Intune for sensitive changes.

Flashpoint characterizes the attack on Stryker as a dangerous shift in supply chain threats, as nation-state-linked cyber activity targeting critical suppliers and logistics providers can have cascading effects across the healthcare ecosystem.

The leak of Mr Patel’s personal emails by Handala Hack was carried out in response to a court-sanctioned operation that seized four domains operated by MOIS since 2022, as part of efforts to thwart malicious activity in cyberspace. The US government is also offering a $10 million reward for information about members of the group. The seized domains are:

  • home of justice[.]org
  • handler hack[.]
  • Karma up to 80[.]org
  • Handala – Red Wanted[.]to

“Confiscated domain […] This information was used by MOIS to facilitate psychological operations efforts targeting opponents of the regime by claiming credit for hacking operations, posting sensitive data stolen during such hacks, and calling for the killing of journalists, dissidents, and Israelis,” the U.S. Department of Justice (DoJ) said.

This included the names and classified information of approximately 190 people associated with or employed by the Israel Defense Forces (IDF) and/or the Israeli government, as well as 851 GB of classified data from members of the Sanzar Hasidic Jewish community. In addition, the email address associated with the group (“handala_team@outlook[.]com”) was allegedly used to send death threats to Iranian dissidents and journalists living in the United States and elsewhere.

In a separate advisory, the FBI revealed that Handala Hack and other MOIS cyber actors distributed Windows malware that provided persistent remote access via a Telegram bot. The operators used social engineering to engage potential victims on messaging applications and disguised the first-stage payload as commonly used programs such as Pictory, KeePass, Telegram, and WhatsApp.

Using Telegram (or other legitimate services) as a C2 is a common tactic of threat actors to hide malicious activity within normal network traffic, greatly reducing the likelihood of detection. Associated malware artifacts found on compromised devices revealed additional functionality to record audio and screen while a Zoom session is active. The FBI said the attacks targeted dissidents, rebels and journalists.

“MOIS cyberattackers are responsible for using Telegram as a command and control (C2) infrastructure to push malware targeting Iranian dissidents, journalists opposing Iran, and other opposition groups around the world,” the agency said. “This malware resulted in information gathering, data leakage, and reputational damage to targeted parties.”

Handala Hack has since resurfaced on another clearnet domain, “handala-team[.]…”, where it described the domain seizure as a “desperate attempt by the United States and its allies to silence Handala’s voice.”

The ongoing conflict has also prompted fresh warnings that operators in critical infrastructure sectors risk becoming lucrative targets, alongside a surge in DDoS attacks, website defacements, and hack-and-leak operations against Israeli and Western organizations. Hacktivist groups also conduct psychological and influence operations aimed at instilling fear and confusion in targeted populations.

In recent weeks, a relatively new cybercrime group called Nasir Security has been observed targeting the energy sector in the Middle East. “This group is attacking supply chain vendors involved in engineering, safety, and construction,” Resecurity said. “The Nasir Security supply chain attack was likely carried out by cyber mercenaries and individuals hired or sponsored by Iran or its proxies.”

“Cyber activity related to this conflict is becoming increasingly distributed and destructive,” Kathryn Rains, Cyber Threat Intelligence Team Leader for Flashpoint’s National Security Solutions Division, said in a statement.

“Groups such as Handala and Fatimion are targeting civilian organizations with attacks aimed at erasing data, disrupting services, and creating uncertainty for both businesses and the general public. At the same time, these cyber operations are increasingly using legitimate administrative tools, making them significantly harder to detect through traditional security controls.”

That’s not all. Threat actors associated with MOIS are increasing their involvement in the cybercrime ecosystem to support their objectives and provide cover for their malicious activities. This includes Handala’s integration of the Rhadamanthys stealer into its operations, and MuddyWater’s use of the Tsundere botnet (also known as Dindoor) and Fakeset, the latter a downloader used to distribute CastleLoader.

“Such engagement has a dual benefit: it enhances operational capabilities through access to mature criminal tools and resilient infrastructure, while complicating attribution and contributing to renewed confusion around Iranian threat activities,” Check Point said.

“Use of such tools can cause significant confusion, leading to misattribution, incomplete pivoting, and clustering of activities that are not necessarily related. This shows that the use of criminal software is effective at obfuscation and highlights the need for extreme caution when analyzing overlapping clusters.”
