Kevin BeaumontSome ‘free Palestine’ hacktivist style group called Handala have been defacing websites and claim to exfiltrate data. https://handala.to/ #threatintel
23 orgs hit so far.
Handala, a wiper group posing as a ransomware group who target Israeli companies, claims IIB (Israeli Industrial Batteries) supplied explosive batteries for pagers and Vidisco supplied Xray machines which didn’t detect said batteries.
They claim they will be releasing 6tb of data for IIB and 8tb of data for Vidisco. I tried phoning one of the companies, who said they have an IT issue.
Wrote up the Handala Hack Team thing while on lunch as it was too nuts not to. https://doublepulsar.com/hacker-group-handala-hack-team-claim-battery-explosions-linked-to-israeli-battery-company-5bea086280cd
Iran linked hacker group Handala Hack Team claim pager explosions linked to Israeli battery company
Since May, the group has been attacking organisations in Israeli, and has followed a pattern of wiping victims, exfiltrating data and posting publicly — much like Cyber Toufan, who I covered prior…
Handala Hack Team have started posting files on Telegram. They were kicked off Telegram multiple times prior, they're back on a different username. #threatintel
Handala have released what they claim is source code showing a backdoor in Vidisco scanners, which are used by ports and airports to scan cargo.
Post contains reference to Hodhod drones, which is an Iranian UAV, and makes reference to Vidisco as being a “legal target” #threatintel
The latest on the Handala Hack Team situation with Vidisco and Israeli Industrial Batteries (IIB) breach claims is the file sharing site hosting the downloads say they have received DMCA complaints.
So far only outlets in Italy and Iran have picked up the story, and have done so fairly responsibly, i.e. not saying the claims are true.
I have just published a big update on the Handala situation regarding Vidisco at the bottom of my original post.
tl;dr: They are owned.
Iran linked hacker group Handala Hack Team claim pager explosions linked to Israeli battery company
Since May, the group has been attacking organisations in Israeli, and has followed a pattern of wiping victims, exfiltrating data and posting publicly — much like Cyber Toufan, who I covered prior…
Expect to read 0 about this from your threat intelligence providers btw, there's a cone of silence around this one.
Handala are currently up on https://t.me/Handala_backup on Telegram.
Comes complete with a 1 minute data dump announcement video with reasonable production quality.
There's a lot of time and effort gone into the group's recent efforts, it's a little bit better than NoName and the like.
Handala are now going after Israeli politician Gabi Ashkenazi.
I think what they’re doing is compromising personal cloud accounts. #threatintel
The journalist looking at Handala Hack Team has been told to stop looking at it.
Handala say they plan to post 2k photos from Benny Gantz’ phone in response to rocket attacks. I think my theory they’re targeting Israel’s political’s cloud accounts is looking more likely. #threatintel
Handala appear to have gained access to former Israeli PM Ehud Barak’s personal phone, publishing a series of messages alleging various things and lots of photos and identity documents #threatintel
If you’re reading this thread and thinking ‘why isn’t this mentioned anywhere outside of Gossi The Dog’s toots?’ - that’s a good question. #threatintel
Handala allege they are doing a hack and leak of Soreq Nuclear Research Center in Israel. So far their leak claims have been true.. although the document leaks haven’t resembled all of their claims about the contents to the best of my knowledge.
They also claim journalists in Israel have been told not to cover Handela, which I believe has foundation.
The entire cyber industry coverage of a clear Iranian cyber group doing actual cyber activity during a war: #threatintel #handala
They’ve also done a dump of emails belonging to Gabi Ashkenazi. #threatintel #handala
Handala Hack Team appear to be doing a hack and leak of Ron Prosor (Israel’s ambassador in Germany) next #threatintel #handala
Handala claim to have taken Bezeq offline earlier today. Fact check with @netblocks
Assuming Handala mean network connectivity, their claims do not check out. I guess it is possible they mean something else, eg system wiping. #handala #threatintel
Today Handala have a dump of 110k emails from/to former Israel PM. Emails are again collected from a personal email account. #handala #threatintel
Israel PM office has acknowledged they are dealing with an incident at Soreq referenced above, but no safety impact. #handala #threatintel
Handala are saying they’ve sent 1 million messages, whatever that means. Anybody in Israel got any strange texts? #handala #threatintel
Handala have posted an Iranian propaganda video, with “Great News For Shin Bet On The Way” #handala #threatintel
Handala claims to have performed a supply chain attack on Shin Bet, the Israel Security Agency, they say allowing them to install software on managed mobile phones.
The photos provided appear to show access to some kind of Mobile Device Management platform. They also provided a data dump.
In the screenshots as evidence, one shows a phone screenshot using Maps - at a Kosher bar in Hackney in London.
Additionally, the screenshot of the list of devices almost all have ‘test’ in the device name. #handala #threatintel
The Handala claim of hacking Shin Bet mobiles via a supply chain hack does not appear to stack up.
They appear to have used material from NativCell, who provide internet filtering and management for Haredim (strictly Orthodox).
It’s part of a pattern with Handala where they take some access and spin it to mean something it doesn’t. #handala #threatintel
Handala claim to have done a hack and wipe of MaxShop, a point of sale vendor in Israel.
I have confirmed their website was defaced and has been taken offline. https://maxshop.co.il #handala #threatintel
Handala have posted 300gb of what they claim is IBB - Israel Industrial Batteries - internal data.
Previously they claimed they had access, but hadn’t provided proof.
MaxShop’s website has changed to a Plesk default site. #handala #threatintel
Alex@GossiTheDog probably full of shit.
NosirrahSec 🏴☠️ guillotine enthusiast@GossiTheDog I mean, how's that saying go? "Live by the sword..."
CryptoLek 🍉🌻@GossiTheDog sadly a friend of mine doesn't have enough free time to download and look what's there :(
@GossiTheDog I hope a ton of them experience the receiving end of their own medicine. 🤷
@GossiTheDog let's say, for research purposes, a friend of mine looked at the data. Very briefly, just skimmed through it.
She told me that it doesn't look like a "shin bet" data. Most likely originates from a company NativCell, which makes "smartphoning" kosher.
Isik Mater 
@GossiTheDog @netblocks There are indications of very slight impact to Bezeq but, assuming this is Handala, it hasn’t knocked out the network to the extent of previous attacks.
Fritz Adalis@GossiTheDog
Have any of the dumps been... interesting? Or just flexing that they're in the systems?
Have any of the dumps been... interesting? Or just flexing that they're in the systems?
The Doctor@GossiTheDog We're too busy eating popcorn and laughing.
Xilokar@GossiTheDog
You can't both handle Cups and Iran...
You can't both handle Cups and Iran...
Morten Linderud@GossiTheDog
Bro, can't handle a blue checkmarked CVE 9.9 *and* cyber warfare the same week. This isn't Wendy's.
Bro, can't handle a blue checkmarked CVE 9.9 *and* cyber warfare the same week. This isn't Wendy's.
Ravi Nayyar@GossiTheDog Putting our cyber colleagues aside, why aren’t the cyber journos at specialist/mainstream outlets covering Handala?
Alan Miller 
🇺🇦@GossiTheDog I think it'll be interesting when they start hitting docs or email about cover ups, advance knowledge of civilians in areas being struck, prosecutors declining to do anything about clearly illegal attacks by settlers, etc.
ChicletExactly. It's not particularly interesting. It's embarrassing for them, sure. But nothing so far has any real importance.
That said. I totally believe that Israel's govt is suppressing news coverage. But again... Even that is not too shocking or much of a scandal.
I would think that Israeli media does not need to be twisted too hard to not cover every drop. Journalists often have to decide when reporting on hacktivism is warranted.
The M.O. of this whole thing is TO GET ATTENTION. They're gonna trickle out each drop like it's the ultimate hack, and expect journalists to cover the story like they want, to maximum effect.
But unfortunately, people really just don't care about doxxing personal data (happens all the time).
And until there is a real scandal, it's probably for the best that we don't overreact and play into their games.
@GossiTheDog I've been busy with other projects and school...
@GossiTheDog I need to build a working NAS and start hoarding and scraping data.
Paul Shread@GossiTheDog Any confirmation on the Vidisco backdoor claims?
C-richI'd LOL if they exfiled from a honeypot of disinfo (obviously nuggets of truth must be mixed in).
Scrutinizer
BibbleCo@GossiTheDog Funny how they're so much less bothered by what is pretty *universally* agreed to be a genocide of Muslims going on in China.
@GossiTheDog Cyber Av3ngers will be tasked to attack PLCs in the US Midwest, surely?
Alan@GossiTheDog This one toot sums up my issues with the threat intel community. Well the silence and that time they all went "ah yes, Hamas servers" after server racks were found under the UNRWA HQ with a tunnel entrance.
@GossiTheDog hehe, just wanted to send the screenshots your way. But indeed, good question
drunkenjohn@GossiTheDog Opsec includes not leaving out glaring omissions from your coverage. Focusing only on when Russia or China does bad tells....a story.
Peter Dodemont@GossiTheDog because no-one is as committed as Gossi to never stop, not even for bathroom breaks? 😉
@GossiTheDog Handala just dumped 60K emails allegedly from Gabriel Ashkenazi's gmail account. It comes in 2 archived parts
jonny (good kind)
Mystery Babylon 
VessOnSecurity@GossiTheDog This from Telegram again? How many times have they been kicked out of there?