Some ‘free Palestine’ hacktivist-style group called Handala have been defacing websites and claim to exfiltrate data. https://handala.to/ #threatintel

23 orgs hit so far.

Handala Hack Team – Free Palestine

Handala, a wiper group posing as a ransomware group who target Israeli companies, claims IIB (Israeli Industrial Batteries) supplied explosive batteries for pagers and Vidisco supplied X-ray machines which didn’t detect said batteries.

They claim they will be releasing 6TB of data for IIB and 8TB of data for Vidisco. I tried phoning one of the companies, who said they have an IT issue.

#threatintel #handala

Iran linked hacker group Handala Hack Team claim pager explosions linked to Israeli battery company

Since May, the group has been attacking organisations in Israel, and has followed a pattern of wiping victims, exfiltrating data and posting publicly — much like Cyber Toufan, who I covered prior…

DoublePulsar

Handala Hack Team have started posting files on Telegram. They were kicked off Telegram multiple times prior; they're back on a different username. #threatintel

Handala have released what they claim is source code showing a backdoor in Vidisco scanners, which are used by ports and airports to scan cargo.

Post contains reference to Hodhod drones, which is an Iranian UAV, and makes reference to Vidisco as being a “legal target” #threatintel

The latest on the Handala Hack Team situation with the Vidisco and Israeli Industrial Batteries (IIB) breach claims is that the file sharing site hosting the downloads says it has received DMCA complaints.

So far only outlets in Italy and Iran have picked up the story, and have done so fairly responsibly, i.e. not saying the claims are true.

I have just published a big update on the Handala situation regarding Vidisco at the bottom of my original post.

tl;dr: They are owned.

https://doublepulsar.com/hacker-group-handala-hack-team-claim-battery-explosions-linked-to-israeli-battery-company-5bea086280cd

#threatintel

Expect to read 0 about this from your threat intelligence providers btw, there's a cone of silence around this one.

Handala are currently up on https://t.me/Handala_backup on Telegram.

Comes complete with a 1 minute data dump announcement video with reasonable production quality.

There's a lot of time and effort gone into the group's recent efforts, it's a little bit better than NoName and the like.

Handala Backup

Israel thought that with the martyrdom of Naji al-Ali, who was one person, everything would be over, but it was not, and her path continues, as she promised, and even if the main channel is removed, this channel will continue. 🌐 handala-hack.to

Telegram

Handala are now going after Israeli politician Gabi Ashkenazi.

I think what they’re doing is compromising personal cloud accounts. #threatintel

The journalist looking at Handala Hack Team has been told to stop looking at it.

Handala say they plan to post 2k photos from Benny Gantz’s phone in response to rocket attacks. I think my theory that they’re targeting Israeli politicians’ cloud accounts is looking more likely. #threatintel

Handala appear to have gained access to former Israeli PM Ehud Barak’s personal phone, publishing a series of messages alleging various things and lots of photos and identity documents. #threatintel

If you’re reading this thread and thinking ‘why isn’t this mentioned anywhere outside of Gossi The Dog’s toots?’ - that’s a good question. #threatintel

Handala Hack Team are very annoyed. #threatintel

Handala allege they are doing a hack and leak of Soreq Nuclear Research Center in Israel. So far their leak claims have been true, although the document leaks haven’t resembled all of their claims about the contents, to the best of my knowledge.

They also claim journalists in Israel have been told not to cover Handala, which I believe has foundation.

#threatintel #handala

The entire cyber industry coverage of a clear Iranian cyber group doing actual cyber activity during a war: #threatintel #handala

They’ve also done a dump of emails belonging to Gabi Ashkenazi. #threatintel #handala

Handala Hack Team appear to be doing a hack and leak of Ron Prosor (Israel’s ambassador in Germany) next. #threatintel #handala

Handala claim to have taken Bezeq offline earlier today. Fact check with @netblocks

#threatintel #handala

Assuming Handala mean network connectivity, their claims do not check out. I guess it is possible they mean something else, e.g. system wiping. #handala #threatintel

@GossiTheDog @netblocks There are indications of very slight impact to Bezeq but, assuming this is Handala, it hasn’t knocked out the network to the extent of previous attacks.

@GossiTheDog
Have any of the dumps been... interesting? Or just flexing that they're in the systems?

@GossiTheDog
You can't both handle Cups and Iran...

@GossiTheDog
Bro, can't handle a blue checkmarked CVE 9.9 *and* cyber warfare the same week. This isn't Wendy's.

@GossiTheDog Putting our cyber colleagues aside, why aren’t the cyber journos at specialist/mainstream outlets covering Handala?

@GossiTheDog I think it'll be interesting when they start hitting docs or email about cover ups, advance knowledge of civilians in areas being struck, prosecutors declining to do anything about clearly illegal attacks by settlers, etc.

@fencepost
@FritzAdalis

Exactly. It's not particularly interesting. It's embarrassing for them, sure. But nothing so far has any real importance.

That said. I totally believe that Israel's govt is suppressing news coverage. But again... Even that is not too shocking or much of a scandal.

I would think that Israeli media does not need to be twisted too hard to not cover every drop. Journalists often have to decide when reporting on hacktivism is warranted.

The M.O. of this whole thing is TO GET ATTENTION. They're gonna trickle out each drop like it's the ultimate hack, and expect journalists to cover the story like they want, to maximum effect.
But unfortunately, people really just don't care about doxxing personal data (happens all the time).

And until there is a real scandal, it's probably for the best that we don't overreact and play into their games.

@GossiTheDog

@GossiTheDog I've been busy with other projects and school...

@GossiTheDog I need to build a working NAS and start hoarding and scraping data.

@GossiTheDog Any confirmation on the Vidisco backdoor claims?

@GossiTheDog

I'd LOL if they exfiled from a honeypot of disinfo (obviously nuggets of truth must be mixed in).

@GossiTheDog Funny how they're so much less bothered by what is pretty *universally* agreed to be a genocide of Muslims going on in China.

@GossiTheDog Cyber Av3ngers will be tasked to attack PLCs in the US Midwest, surely?

@GossiTheDog This one toot sums up my issues with the threat intel community. Well, the silence and that time they all went "ah yes, Hamas servers" after server racks were found under the UNRWA HQ with a tunnel entrance.

@GossiTheDog hehe, just wanted to send the screenshots your way. But indeed, good question

@GossiTheDog Opsec includes not leaving out glaring omissions from your coverage. Focusing only on when Russia or China does bad tells....a story.

@GossiTheDog because no-one is as committed as Gossi to never stop, not even for bathroom breaks? 😉

@GossiTheDog Handala just dumped 60K emails allegedly from Gabriel Ashkenazi's gmail account. It comes in 2 archived parts.

@GossiTheDog This from Telegram again? How many times have they been kicked out of there?

IN RE: BENNY GANTZ

"Israel-Hamas war: Benny Gantz quits war Cabinet citing frustrations with Netanyahu" | AP News
https://apnews.com/article/israel-palestinians-hamas-gaza-netanyahu-gantz-48a4a60ccccdb7f74b4bf7816f9a7c67

He is the guy marketed in the United States as the guy people hope will undo Netanyahu and his fascist coalition. He resigned from the war cabinet back in June and has been positioned as a 'centrist' who is a threat to Netanyahu's genocide coalition.

Gantz seems to be the gringos' guy; not so much the Israelis' though:
https://www.timesofisrael.com/parties-opposing-netanyahu-would-win-knesset-majority-without-arab-parties-poll/

@GossiTheDog "Those responsible for sacking the people who have just been sacked, have been sacked."

@GossiTheDog This is not sexy, please keep it off the Internet. 🛜

@GossiTheDog do we have an idea of the timeline for the Handala breach? Before or after stuff got kinetic? Wondering, if it was before, whether Mossad decided to press the red button before the supply chain tampering came to light? Or if it's a very rapid response to it?

@GossiTheDog

They mention releasing the source code for the X-ray machines that show a backdoor to 8200.
Was that released and independently reviewed yet?

@chiclet @GossiTheDog no, afaik they haven’t even released anything about the back door yet.

@GossiTheDog

So it really does come down to being a BOM issue, if this information proves to be correct.

Getting this into that manufacturing or logistics flow was the trick.

Assuming they didn't outright spin up a new production line specifically for this project 🫤🤷‍♂️

@simonzerafa @GossiTheDog I'm guessing clandestine switching won't appear on the BOM.

@davep

No, probably not.

Listening to Comms experts it seems likely the explosive was built into the battery.

As such there would be two way signals between the device electronics and battery controller / charge management circuitry.

Suitably modified firmware would then send appropriate signals to the modified battery upon receipt of a suitable message 🫤

@GossiTheDog You are normally quite reliable Kevin
I'm treating this seriously

@GossiTheDog If this is true, that means we have backdoors in the X-ray machines in 86% of all air- and seaports? And Israel risked exposing that for a local terror attack? That is insane.

@GossiTheDog
Whoa! This would mean they need to be investigated for complicity in several past security lapses and terror attacks across the whole world!

@GossiTheDog yep, we started to monitor them on ransomlook