Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack

Threat actors with ties to Iran successfully breached the personal email account of Kash Patel, director of the US Federal Bureau of Investigation (FBI), and leaked a trove of photos and other documents online.
Handala Hack Team, which claimed responsibility for the intrusion, said on its website that Patel “will now get his name on the list of successful hackers.” In a statement shared with Reuters, the FBI confirmed that Patel’s emails were targeted and noted that the necessary steps were taken “to minimize the potential risks associated with this operation.”
The agency also said the information published is “historical and does not include government information.” The leak includes emails from 2010 and 2019 allegedly sent by Patel.
Handala Hack is assessed to be an Iran-linked, pro-Palestinian hacktivist persona operated by Iran’s Ministry of Intelligence and Security (MOIS). It is tracked by the cybersecurity community under the names Banished Kitten, Cobalt Mystique, Red Sandstorm, and Void Manticore, and the group has also used another persona, Homeland Justice, to target Albanian organizations since mid-2022.
A third persona linked to the MOIS affiliate is Karma, which is said to have been replaced by Handala Hack as of late 2023.
Data collected by StealthMole revealed that Handala’s online presence extends beyond messaging and cybercrime forums like BreachForums to publicize its activities, maintaining a layered infrastructure that includes multiple web domains, Tor-hosted services, and external file hosting platforms like MEGA.
“Handala has been targeting IT and service providers in an effort to obtain credentials, relying heavily on vulnerable VPN accounts to gain access,” Check Point said in a report published this month. “Throughout the past months, we have identified hundreds of hacking and brute-force attempts against the organization’s VPN infrastructure connected to Handala-related infrastructure.”
Attacks mounted by the group are known to involve RDP traffic and to initiate destructive activity by deploying malware families such as Handala Wiper and Handala PowerShell Wiper through Group Policy logon scripts. Legitimate disk encryption utilities such as VeraCrypt are also used to complicate recovery efforts.
“Unlike financially motivated cybercrime groups, Handala-related activity has historically emphasized disruption, psychological impact, and geopolitical signaling,” Flashpoint said. “These activities often coincide with periods of national tension and often target organizations with symbolic or strategic value.”
This development comes in the wake of the US-Israel-Iran conflict, which has seen Iran continue to retaliate with cyber offensives against Western targets. Notably, Handala Hack claimed credit for disabling the networks of medical services provider Stryker by wiping large amounts of company data and thousands of employee devices. The attack is the first confirmed act of sabotage against a US Fortune 500 company.
In an update posted on its website this week, Stryker said “the incident is contained,” adding that it “responded quickly to not only gain access but also remove the unauthorized person from our site” by dismantling the persistence mechanisms that had been installed. The breach, it said, was limited to its Microsoft environment.
The threat actors were found to have used a malicious file to execute commands that allowed them to hide their actions. However, the file does not have the ability to spread across the network, Stryker pointed out.
Palo Alto Networks Unit 42 said the main vector of the recent malicious activity from Handala Hack likely involved “exploiting identity theft and administrative access through Microsoft Intune.” Hudson Rock found evidence that credentials related to the company’s Microsoft infrastructure, harvested by infostealer malware, could have been used in the intrusion.
In the wake of the breach, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance to harden Windows domains and Intune deployments against similar attacks. The recommendations include implementing least-privilege access, enforcing phishing-resistant multi-factor authentication (MFA), and enabling multi-administrator authorization in Intune for critical changes.
Flashpoint characterized the Stryker attack as a dangerous shift in supply chain threats, as cyber activity targeting key suppliers and logistics providers could have a negative impact on the entire healthcare environment.
Handala Hack’s leak of Patel’s personal emails follows a court-ordered operation that led to the seizure of four domains used by MOIS since 2022 as part of an effort to disrupt its cybercriminal activities. The US government is also offering a $10 million reward for information about members of the group. The names of the seized domains are listed below –
- the justice of the world[.]org
- handdala-hack[.]to
- karmabelow80[.]org
- handdala-redred[.]to
“The seized domains […] were used by MOIS in furthering psychological operations targeting state opponents by claiming credit for hacking, sending sensitive information stolen during the hack, and soliciting the killing of journalists, dissidents, and Israeli citizens,” the US Department of Justice (DoJ) said.
This includes the names and sensitive information of approximately 190 people associated with or employed by the Israel Defense Forces (IDF) and/or the Israeli government, as well as 851 GB of confidential data from members of the Sanzer Hasidic Jewish community. In addition, the email address associated with the team (“handdala_team@outlook[.]com”) was allegedly used to send death threats to Iranian dissidents and journalists living in the US and elsewhere.
In a separate advisory, the FBI revealed that Handala Hack and other MOIS cyber actors used social engineering tactics to contact potential victims over social messaging platforms and deliver Windows malware capable of enabling persistent remote access through a Telegram bot, with the payloads disguised as commonly used programs such as Pictory and Telegram.
Using Telegram (or other legitimate services) as C2 is a common tactic threat actors employ to hide malicious activity within normal network traffic and significantly reduce the chances of detection. Related malware artifacts found on compromised devices revealed additional audio and screen recording capabilities that activate while a Zoom session is in progress. The attacks targeted protesters, opposition groups, and journalists, according to the FBI.
“MOIS cyber actors are responsible for using Telegram as a command and control infrastructure (C2) to push malware targeting Iranian dissidents, anti-Iranian journalists, and other dissident groups around the world,” the agency said. “This malware led to intelligence gathering, data leakage, and reputational damage to the target population.”
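Because the C2 traffic rides a legitimate service, destination reputation alone will not separate it from ordinary Telegram use; the distinguishing features are which process is talking, whether it uses the HTTP Bot API, and how regular the contact is. The following added example (not code from the FBI advisory or the article) scores constructed, EDR-style network telemetry lines along those three axes. The line format, host and process names are assumptions, and the example assumes that the official desktop client does not call the `api.telegram.org` Bot API endpoint, so any endpoint process hitting `/bot<token>/...` paths is worth a look, with near-constant polling intervals and upload methods such as `sendDocument` raising the priority.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed EDR-style network telemetry (not real data). Assumed format:
# "<ISO ts> host=<name> proc=<image> dst=<hostname> path=<url path>"
# "<TOKEN>" stands in for a bot token; no real token is used here.
SAMPLE_TELEMETRY = """\
2025-03-01T09:00:00Z host=WS-101 proc=Telegram.exe dst=api.telegram.org path=/
2025-03-01T09:00:00Z host=WS-102 proc=svchost.exe dst=api.telegram.org path=/bot<TOKEN>/getUpdates
2025-03-01T09:01:00Z host=WS-102 proc=svchost.exe dst=api.telegram.org path=/bot<TOKEN>/getUpdates
2025-03-01T09:02:00Z host=WS-102 proc=svchost.exe dst=api.telegram.org path=/bot<TOKEN>/getUpdates
2025-03-01T09:03:00Z host=WS-102 proc=svchost.exe dst=api.telegram.org path=/bot<TOKEN>/sendDocument
2025-03-01T09:00:10Z host=WS-103 proc=chrome.exe dst=web.telegram.org path=/
2025-03-01T09:05:00Z host=WS-104 proc=update.exe dst=api.telegram.org path=/bot<TOKEN>/getMe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)
# Bot API paths look like /bot<token>/<method>
BOT_PATH_RE = re.compile(r"^/bot[^/]+/(?P<method>\w+)")
# Assumption: the official client is the only process expected to talk to Telegram
ALLOWED_PROCS = {"Telegram.exe"}
# Bot API methods that move data off the host
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def find_telegram_c2(text, min_beacon_events=3, max_jitter=0.2):
    """Group api.telegram.org contacts by (host, process) and score each group.

    A group is reported unless it is an allow-listed client making no Bot API
    calls. `beacon_like` is set when the inter-request gaps are nearly constant
    (coefficient of variation <= max_jitter over at least min_beacon_events).
    """
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] != "api.telegram.org":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        sessions[(m["host"], m["proc"])].append((ts, m["path"]))

    findings = {}
    for (host, proc), evs in sessions.items():
        methods = set()
        for _, path in evs:
            bm = BOT_PATH_RE.match(path)
            if bm:
                methods.add(bm["method"])
        if not methods and proc in ALLOWED_PROCS:
            continue  # expected client, no Bot API use: benign under our assumption
        evs.sort()
        times = [t for t, _ in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beacon_like = (
            len(evs) >= min_beacon_events
            and statistics.mean(gaps) > 0
            and statistics.pstdev(gaps) / statistics.mean(gaps) <= max_jitter
        )
        findings[(host, proc)] = {
            "events": len(evs),
            "bot_methods": sorted(methods),
            "beacon_like": beacon_like,
            "uploads": bool(methods & UPLOAD_METHODS),
        }
    return findings


if __name__ == "__main__":
    for key, info in find_telegram_c2(SAMPLE_TELEMETRY).items():
        print(key, info)
```

On the sample, `svchost.exe` on `WS-102` polls `getUpdates` every sixty seconds and then calls `sendDocument`, so it is reported as beacon-like with an upload; the single `getMe` from `update.exe` on `WS-104` is reported but not as a beacon; the real client on `WS-101` and the browser session to `web.telegram.org` produce nothing. The same structure applies to any other legitimate service used for C2: pivot on process context and timing rather than on the destination.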
Handala Hack has resurfaced on a different clearnet domain, “handdala-team[.]to,” where it described the seizure of the site as “a serious effort by the United States and its allies to silence the voice of Handala.”
The ongoing conflict has also prompted new warnings that it risks turning infrastructure operators into targets, just as it has led to an increase in DDoS attacks, database destruction, and hack-and-leak activity against Israeli and Western organizations. Hacktivists are also engaged in psychological and influence operations aimed at instilling fear and confusion among the target population.
In recent weeks, a new cyber crime group called Nasir Security has been seen targeting the energy sector in the Middle East. “This group attacks vendors involved in engineering, security, and construction,” said Resecurity. “The supply chain attacks attributed to Nasir Security may have been carried out by cyber-mercenaries or individuals employed or sponsored by Iran or its proxies.”
“Cyber activity related to this conflict is increasingly distributed and destructive,” Kathryn Raines, of Flashpoint’s National Security Solutions cyber threat intelligence team, said in a statement.
“Groups like Handala and Fatimion have targeted private organizations with attacks designed to erase data, disrupt services, and introduce uncertainty to both businesses and the public. At the same time, we are seeing greater use of formal control tools in these online operations, making it more difficult for traditional security controls to detect them.”
It doesn’t end there. Actors connected to MOIS have also been deeply involved in the cybercrime ecosystem to support their goals and provide cover for their activities. Examples include Handala’s integration of the Rhadamanthys stealer into its operations and MuddyWater’s use of the Tsundere botnet (also known as Dindoor) and Fakeset, the latter of which is a downloader used to deliver CastleLoader.
“This collaboration provides a two-fold benefit: it improves operational capabilities with access to mature criminal tools and robust infrastructure, while complicating interpretation and contributing to ongoing confusion about Iran’s threat activity,” Check Point said.
“The use of such tools has created a lot of confusion, leading to misattribution and misdirection, as well as grouping together activities that are not really related. This shows that the use of criminal software can be effective in order to remain invisible, and highlights the need for greater caution when analyzing overlapping collections.”