Decoding the Handala Hack: Inside the group’s tactics and strategies

Mar 14, 2026 | Threat Intelligence Research

Iranian Threat Actor Handala Hack Utilizes Destructive Tactics

TL;DR: Handala Hack, associated with the Iranian Ministry of Intelligence and Security, employs mostly manual operations and multiple destructive techniques targeting organizations in Israel, Albania, and the United States. Their activities include leveraging VPN access and delivering wipers, while also adopting some new tactics.

Handala Hack, known in cybersecurity circles as Void Manticore, has been identified as an Iranian threat group notable for its destructive attacks. This group is linked to Iran’s Ministry of Intelligence and Security and operates under several online personas, including Handala and Homeland Justice. Their operations have increasingly targeted a diverse array of sectors, including governments and the telecommunications industry in Albania, as well as U.S.-based enterprises like medical tech firm Stryker.

The group’s operational methodology has largely remained consistent, favoring hands-on techniques and established tools for initial access and data destruction. Historically, Handala Hack has relied on targeting service providers to gain credentials. Recent reports indicate a rise in attempts to compromise VPN infrastructure, mainly against appliances that still carry default hostname patterns, a sign of unchanged default configurations or low security awareness. There has also been a noted decline in their operational security, with connections made directly from Iran rather than through VPNs, resulting in increased exposure.

At the heart of their destructive operations are multiple wiping methods executed simultaneously to maximize impact. Notably, Handala Hack has deployed a custom wiper known as Handala Wiper, launched via scheduled tasks pushed through Group Policy and capable of overwriting files without writing to disk. Additionally, a PowerShell-based removal script, reportedly assisted by AI, was used alongside the traditional methods to clear user directories, which illustrates an adaptation of modern techniques to achieve destructive outcomes.

Defensive Context

This threat landscape is of particular concern for organizations in sectors heavily targeted by Handala Hack, including government and medical technology. Entities that depend on service providers may face heightened risk due to shared resources and potential credential compromise. The operational actions described indicate that organizations with exposed remote access services and weak VPN security are particularly vulnerable.

Why This Matters

The real-world implications are significant for organizations that maintain critical operations or possess sensitive data. The group’s ability to conduct ransomware-like attacks through data deletion exposes businesses to severe operational disruptions and data loss. Notably, those utilizing widely available commercial VPNs without robust security measures may find themselves particularly at risk.

Defender Considerations

Organizations should closely monitor credential activity and focus on detecting unexpected logins from unusual geographic locations or unauthorized VPNs. Given that the group’s methods rely on VPN access, defenders should consider closely examining and potentially restricting access from known high-risk or compromised IP address ranges associated with Handala Hack. Awareness of the group’s TTPs is crucial for timely identification of and response to incidents.

Indicators of Compromise (IOCs)

  • Handala Wiper: 5986ab04dd6b3d259935249741d3eff2
  • PowerShell Wiper: 3cb9dea916432ffb8784ac36d1f2d3cd
  • NetBird Installer: 3dfb151d082df7937b01e2bb6030fe4a
  • Starlink IP range used: 188.92.255.X
  • Handala VPS IPs: 82.25.35[.]25, 31.57.35[.]223, 107.189.19[.]52
  • Use of ATM Protocol Tunneling: NetBird
  • Notable affected machine names: WIN-P1B7V100IIS, DESKTOP-FK1NPHF (and others)
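The two defender recommendations above, matching logins against the published infrastructure and flagging logins from countries outside an account's normal baseline, can be combined into one small triage script. The following is an added example written for this summary, not code from the article or from Q-Feeds. It takes the IOCs exactly as listed above (refanging the bracketed dots and expanding the article's `188.92.255.X` notation into the /24 it denotes), and runs them over constructed VPN gateway log lines in a made-up `key=value` format; the log format, the usernames, the non-IOC addresses and the per-user country baseline are all assumptions for illustration.

```python
"""Match VPN login records and file hashes against the Handala Hack IOCs listed in the
article, and flag successful logins from countries outside a per-user baseline."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# IOCs copied from the article. Bracketed dots are the article's own defanging.
IOC_HASHES = {
    "5986ab04dd6b3d259935249741d3eff2": "Handala Wiper",
    "3cb9dea916432ffb8784ac36d1f2d3cd": "PowerShell Wiper",
    "3dfb151d082df7937b01e2bb6030fe4a": "NetBird Installer",
}
IOC_IPS_RAW = ["82.25.35[.]25", "31.57.35[.]223", "107.189.19[.]52"]
IOC_RANGES_RAW = ["188.92.255.X"]  # article's wildcard notation for a /24


def refang(ip_text: str) -> str:
    """Turn a defanged literal such as '82.25.35[.]25' back into '82.25.35.25'."""
    return ip_text.replace("[.]", ".").replace("(.)", ".")


def range_from_wildcard(text: str) -> ipaddress.IPv4Network:
    """Convert the article's '188.92.255.X' notation into the /24 it stands for."""
    octets = text.split(".")
    if len(octets) != 4 or octets[3].upper() != "X":
        raise ValueError(f"unsupported wildcard notation: {text}")
    return ipaddress.ip_network(".".join(octets[:3]) + ".0/24")


IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in IOC_IPS_RAW}
IOC_RANGES = [range_from_wildcard(r) for r in IOC_RANGES_RAW]


def ip_hits_ioc(ip_text: str) -> Optional[str]:
    """Return a description of the IOC an address matches, or None."""
    ip = ipaddress.ip_address(refang(ip_text))
    if ip in IOC_IPS:
        return f"Handala VPS IP {ip}"
    for net in IOC_RANGES:
        if ip in net:
            return f"address in Starlink range {net}"
    return None


# Constructed sample log lines (assumed key=value gateway format, not real telemetry).
SAMPLE_LOGS = """\
ts=2026-03-10T01:12:03Z user=jdoe src=203.0.113.7 country=IL action=vpn_login result=success
ts=2026-03-10T01:14:44Z user=jdoe src=82.25.35.25 country=NL action=vpn_login result=success
ts=2026-03-10T02:03:19Z user=asmith src=188.92.255.77 country=IR action=vpn_login result=success
ts=2026-03-10T02:05:00Z user=asmith src=198.51.100.9 country=IL action=vpn_login result=success
ts=2026-03-10T03:30:10Z user=svc_backup src=192.0.2.5 country=IL action=vpn_login result=failure
"""

# Constructed baseline: countries each account is normally seen connecting from.
USER_BASELINE: Dict[str, Set[str]] = {"jdoe": {"IL"}, "asmith": {"IL", "US"}, "svc_backup": {"IL"}}

LINE_RE = re.compile(r"ts=(\S+) user=(\S+) src=(\S+) country=(\S+) action=(\S+) result=(\S+)")


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    reason: str


def scan_logins(log_text: str, baseline: Dict[str, Set[str]]) -> List[Alert]:
    """Emit one alert per IOC hit and one per out-of-baseline country, for successful logins."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        ts, user, src, country, _action, result = m.groups()
        if result != "success":
            continue  # failed attempts are noise for this access review
        hit = ip_hits_ioc(src)
        if hit:
            alerts.append(Alert(ts, user, src, f"IOC match: {hit}"))
        if country not in baseline.get(user, set()):
            alerts.append(Alert(ts, user, src, f"login from {country}, outside baseline"))
    return alerts


def scan_hashes(md5s: Iterable[str]) -> Dict[str, str]:
    """Return the subset of the given MD5s that appear in the article's IOC list."""
    return {h: IOC_HASHES[h] for h in (x.lower() for x in md5s) if h in IOC_HASHES}


if __name__ == "__main__":
    for alert in scan_logins(SAMPLE_LOGS, USER_BASELINE):
        print(alert)
    print(scan_hashes(["5986AB04DD6B3D259935249741D3EFF2", "d41d8cd98f00b204e9800998ecf8427e"]))
```

On the constructed input the script raises four alerts: the `jdoe` login from the VPS address and the `asmith` login from the Starlink /24 each trigger both an IOC match and an out-of-baseline country. Keeping the two checks independent matters in practice: the published infrastructure list will go stale, while the baseline check still catches the same access pattern from addresses that have not yet been published.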

Understanding the operational model of Handala Hack can help organizations tailor defenses and respond effectively to this evolving threat.
