Cyber Threat Actor: Handala
| Actor Type | Location | Known Incidents |
Activist
|
Iran
|
4 incidents |
|---|
Profile
Handala is an Iranian‑linked hacker group that operates under the alias Handala. Public reporting associates the group with Iran, and in one incident the actors were tied to Iran’s Ministry of State Security. The group is known by its single alias and has been described in open sources as a hacktivist collective.
Handala has targeted water utilities, software companies, medical technology firms, and federal law‑enforcement agencies, primarily within the United States. In the California Water Service case the group claimed it could disrupt water operations but chose not to while exfiltrating personal information and administrative credentials. The Adobe breach resulted in the theft of millions of customer support tickets, employee records and HackerOne bug bounty submissions, indicating a focus on data collection. The Stryker attack involved the wiping of tens of thousands of internal devices to disrupt order processing, manufacturing and shipping, and the FBI intrusion sought law‑enforcement sensitive information such as pen register and trap and trace returns.
Initial access has been achieved through phishing emails that delivered a remote access tool, as seen in the Adobe incident, and through the use of compromised administrator credentials to reach management platforms in the Stryker and FBI cases. The FBI intrusion also involved exploiting a commercial internet service provider’s infrastructure to bypass security controls. Lateral movement was observed when the group moved from a GNSS base station to a billing system in the California Water Service breach, and the abuse of Microsoft Intune enabled mass device wipes in the Stryker attack. No specific malware families are named beyond the generic remote access tool used in the phishing vector.
Notable operations include the claimed breach of California Water Service’s RTKBase GNSS platform and billing system, the Adobe breach traced to an Indian BPO contractor after a phishing‑delivered remote access tool, the Stryker incident where admin credentials were used to wipe tens of thousands of Intune‑managed devices, and the FBI surveillance network intrusion that leveraged ISP infrastructure to access pen register and trap and trace data. Attribution to Iran’s Ministry of State Security was cited in the FBI case, while other incidents describe the group as Iranian‑linked. This profile reflects only the facts presented in the source material.
