Some ‘free Palestine’ hacktivist-style group called Handala have been defacing websites and claim to exfiltrate data. https://handala.to/ #threatintel

23 orgs hit so far.

Handala Hack Team – Free Palestine

Handala, a wiper group posing as a ransomware group who target Israeli companies, claims IIB (Israeli Industrial Batteries) supplied explosive batteries for pagers and Vidisco supplied X-ray machines which didn’t detect said batteries.

They claim they will be releasing 6TB of data for IIB and 8TB of data for Vidisco. I tried phoning one of the companies, who said they have an IT issue.

#threatintel #handala

Iran linked hacker group Handala Hack Team claim pager explosions linked to Israeli battery company

Since May, the group has been attacking organisations in Israel, and has followed a pattern of wiping victims, exfiltrating data and posting publicly — much like Cyber Toufan, who I covered prior…

DoublePulsar
Handala Hack Team have started posting files on Telegram. They were kicked off Telegram multiple times prior; they’re back on a different username. #threatintel

Handala have released what they claim is source code showing a backdoor in Vidisco scanners, which are used by ports and airports to scan cargo.

Post contains reference to Hodhod drones, an Iranian UAV, and makes reference to Vidisco as being a “legal target”. #threatintel

The latest on the Handala Hack Team situation with Vidisco and Israeli Industrial Batteries (IIB) breach claims is that the file sharing site hosting the downloads says it has received DMCA complaints.

So far only outlets in Italy and Iran have picked up the story, and have done so fairly responsibly, i.e. not saying the claims are true.

I have just published a big update on the Handala situation regarding Vidisco at the bottom of my original post.

tl;dr: They are owned.

https://doublepulsar.com/hacker-group-handala-hack-team-claim-battery-explosions-linked-to-israeli-battery-company-5bea086280cd

#threatintel

Expect to read 0 about this from your threat intelligence providers btw, there's a cone of silence around this one.

Handala are currently up on https://t.me/Handala_backup on Telegram.

Comes complete with a one-minute data dump announcement video with reasonable production quality.

There's a lot of time and effort gone into the group's recent efforts, it's a little bit better than NoName and the like.

Handala Backup

Israel thought that with the martyrdom of Naji al-Ali, who was one person, everything would be over, but it was not, and her path continues, as she promised, and even if the main channel is removed, this channel will continue. 🌐 handala-hack.to

Telegram

Handala are now going after Israeli politician Gabi Ashkenazi.

I think what they’re doing is compromising personal cloud accounts. #threatintel

The journalist looking at Handala Hack Team has been told to stop looking at it.

Handala say they plan to post 2k photos from Benny Gantz’s phone in response to rocket attacks. I think my theory that they’re targeting Israeli politicians’ cloud accounts is looking more likely. #threatintel

Handala appear to have gained access to former Israeli PM Ehud Barak’s personal phone, publishing a series of messages alleging various things and lots of photos and identity documents. #threatintel

If you’re reading this thread and thinking ‘why isn’t this mentioned anywhere outside of Gossi The Dog’s toots?’ - that’s a good question. #threatintel

Handala Hack Team are very annoyed #threatintel

Handala allege they are doing a hack and leak of Soreq Nuclear Research Center in Israel. So far their leak claims have been true, although the document leaks haven’t resembled all of their claims about the contents to the best of my knowledge.

They also claim journalists in Israel have been told not to cover Handala, which I believe has foundation.

#threatintel #handala

The entire cyber industry coverage of a clear Iranian cyber group doing actual cyber activity during a war: #threatintel #handala

They’ve also done a dump of emails belonging to Gabi Ashkenazi. #threatintel #handala

Handala Hack Team appear to be doing a hack and leak of Ron Prosor (Israel’s ambassador in Germany) next. #threatintel #handala

Handala claim to have taken Bezeq offline earlier today. Fact check with @netblocks

#threatintel #handala

Assuming Handala mean network connectivity, their claims do not check out. I guess it is possible they mean something else, e.g. system wiping. #handala #threatintel

Today Handala have a dump of 110k emails from/to a former Israeli PM. Emails are again collected from a personal email account. #handala #threatintel

Israel’s PM office has acknowledged they are dealing with an incident at Soreq, referenced above, but no safety impact. #handala #threatintel

Handala are saying they’ve sent 1 million messages, whatever that means. Anybody in Israel got any strange texts? #handala #threatintel

Crap web defacement of Haderi Haredim sites. #handala #threatintel

Handala have posted an Iranian propaganda video, with “Great News For Shin Bet On The Way”. #handala #threatintel

Handala claims to have performed a supply chain attack on Shin Bet, the Israel Security Agency, which they say allowed them to install software on managed mobile phones.

The photos provided appear to show access to some kind of Mobile Device Management platform. They also provided a data dump.

#handala #threatintel

In the screenshots provided as evidence, one shows a phone screenshot using Maps - at a kosher bar in Hackney in London.

Additionally, the screenshot of the list of devices almost all have ‘test’ in the device name. #handala #threatintel

The Handala claim of hacking Shin Bet mobiles via a supply chain hack does not appear to stack up.

They appear to have used material from NativCell, who provide internet filtering and management for Haredim (strictly Orthodox).

It’s part of a pattern with Handala where they take some access and spin it to mean something it doesn’t. #handala #threatintel

Handala claim to have done a hack and wipe of MaxShop, a point of sale vendor in Israel.

I have confirmed their website was defaced and has been taken offline. https://maxshop.co.il #handala #threatintel

MaxShop’s website is still offline. #handala #threatintel

Handala have posted 300GB of what they claim is IIB - Israel Industrial Batteries - internal data.

Previously they claimed they had access, but hadn’t provided proof.

#handala #threatintel

MaxShop’s website has changed to a Plesk default site. #handala #threatintel

Handala have done a defacement of Silver Shadow, a small exporter of licensed firearms.

https://silver-shadow.com/

#handala #threatintel

Silver Shadow’s website has gone offline, displaying a WordPress error page. #handala #threatintel

MaxShop’s website is back online. Contains no reference to what happened. #handala #threatintel

Silver Shadow’s website is back online. Makes no reference to what happened. #handala #threatintel

Handala are now upset with Yair Golan, in particular highlighting his comments about a possible attack on Iran.

Contains the usual, a picture dump - so far no email dump. #handala #threatintel

Edit: I broke the thread, the continuing toots are at https://cyberplace.social/@GossiTheDog/113273827448368774

Kevin Beaumont (@GossiTheDog)

Handala's latest is a dump allegedly of Ron Prosor's emails, who they originally mentioned 8 days ago. Ron is the Ambassador of Israel to Germany. Telegram post includes death threats. 50k emails, again looks like a personal email account. #threatintel #handala Edit: I broke the thread on this, the prior ones are at https://cyberplace.social/@GossiTheDog/113267372575167506

Cyberplace
@GossiTheDog defacing a website is one thing, claiming an extensive data breach is another. Did they in fact compromise their systems?
@GossiTheDog Do you foresee OT attacks?
@GossiTheDog probably full of shit.
@GossiTheDog I mean, how's that saying go? "Live by the sword..."
@GossiTheDog sadly a friend of mine doesn't have enough free time to download and look what's there :(
@GossiTheDog I hope a ton of them experience the receiving end of their own medicine. 🤷

@GossiTheDog let's say, for research purposes, a friend of mine looked at the data. Very briefly, just skimmed through it.

She told me that it doesn't look like a "shin bet" data. Most likely originates from a company NativCell, which makes "smartphoning" kosher.