Handala's latest is a dump allegedly of the emails of Ron Prosor, whom they originally mentioned 8 days ago.
-
Handala claim to have hacked the Ministry of National Security in Israel, activated red alert to get people into shelters, closed the doors, then played a song and wiped the system.
Very unclear how widespread or credible this is, although some Israeli social media posts show devices going off and playing songs.
They also claim they have hacked Israeli police pagers and are broadcasting a song on them, and claim to have taken security ID information and delivery certificates for weapons. #handala #threatintel
-
There’s some coverage in Israeli media suggesting a focus on schools, with Israeli authorities acknowledging the incidents.
https://www.mivzaklive.co.il/archives/879473
Cyber attack on educational institutions: messages in Arabic and sirens over the public address systems
Messages in Arabic and red alert warnings were played over the public address systems. The Iranian attack group "Handala" claimed responsibility for the incident.
Arutz 7 (www.inn.co.il)
For the record Handala claims they sent 5 million text messages at 8am this morning, UK time.
-
Handala claim to have done a hack and wipe of Tosaf, a plastics manufacturer.
Screenshots show apparent Windows domain admin access, and they attach CCTV videos of themselves playing songs into a factory and an office, with workers looking confused.
-
Handala have been fully kicked off Telegram, including their backup channel.
Achievement unlocked as I can't remember a group ever getting fully booted.
-
Handala appear to have fully wiped a company called Stryker, a global healthcare company.
Not in the link but they've got into AD, and wiped all the devices with Intune etc etc.
Stryker cyber attack - Irish unable to work as hackers cripple global systems
All IT systems at Stryker, which employs 4,000 people in its Cork base, remain down.
Irish Mirror (www.irishmirror.ie)
-
Some more on the Stryker situation.
-
Handala have claimed responsibility to me, saying they wiped about a quarter of a mil endpoints. They say it’s because of the strike on a girls’ primary school in Minab, in Iran’s Hormozgan province, which killed close to 200 people.
-
There’s an entire thread tracking Handala above btw, going back multiple years. Some bits require following links to the thread as I broke it.
Their MO is break in, lay low for months, and when the target is interesting exfiltrate data and then delete everything including org backups. They pivot to domain admin early and then sit on access for later. They live off the land and live off org IT documentation.
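The MO in the post above relies on the org's own admin tooling (domain admin, device management) rather than dropped malware, so a file-hash based detection has little to key on; what stands out is one identity issuing an abnormal number of destructive management actions in a short time. As an added illustration that is not from the thread or from any person or company it mentions, the following sliding-window detector flags such a burst in device-management audit events. The CSV layout, the field and action names in DESTRUCTIVE, the account names and every record in build_sample() are constructed assumptions, not any real tenant's schema or log.

```python
"""Added example: detect a burst of remote-wipe actions per actor in
device-management audit events. Assumed record layout (constructed):
    <ISO-8601 timestamp>,<actor UPN>,<action name>,<device name>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: these are the action names the management plane logs for
# destructive operations; adapt to the real audit schema of the tenant.
DESTRUCTIVE = {"wipe", "retire", "deleteDevice"}


def parse_events(lines):
    """Parse constructed CSV-style audit lines into dicts with a datetime."""
    events = []
    for line in lines:
        ts, actor, action, device = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "device": device})
    return events


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=25):
    """Return {actor: (window_start, peak_count)} for every actor that issued
    at least `threshold` destructive actions inside any rolling `window`.

    A per-actor deque holds timestamps of recent destructive actions; events
    older than the window are dropped from the left as time advances, so the
    deque length is always the count inside the current window.
    """
    per_actor = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in DESTRUCTIVE:
            continue  # syncs, policy pushes etc. are not counted
        q = per_actor[ev["actor"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # current event keeps q non-empty
            q.popleft()
        if len(q) >= threshold:
            first, peak = alerts.get(ev["actor"], (q[0], 0))
            alerts[ev["actor"]] = (first, max(peak, len(q)))
    return alerts


def build_sample():
    """Constructed sample: a helpdesk account doing routine work, and one
    admin account wiping 60 workstations in four minutes."""
    base = datetime(2025, 1, 1, 8, 0, 0)
    lines = []
    # Routine: three wipes spread over three hours (never exceeds threshold).
    for i in range(3):
        lines.append(f"{(base + timedelta(hours=i)).isoformat()},"
                     f"helpdesk@corp.example,wipe,LAPTOP-{i:04d}")
    # Routine: many non-destructive sync actions in quick succession.
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()},"
                     f"helpdesk@corp.example,syncDevice,LAPTOP-{i:04d}")
    # Burst: 60 wipes, one every 4 seconds, from a single admin identity.
    for i in range(60):
        lines.append(f"{(base + timedelta(hours=5, seconds=4 * i)).isoformat()},"
                     f"svc-mdm-admin@corp.example,wipe,WS-{i:04d}")
    return lines


if __name__ == "__main__":
    for actor, (start, peak) in find_wipe_bursts(parse_events(build_sample())).items():
        print(f"ALERT {actor}: {peak} destructive actions from {start.isoformat()}")
```

The threshold and window are deliberately coarse; the useful tuning is per organisation (a re-imaging project will legitimately wipe hundreds of devices, but from a known account at a known time), and the alert should route to someone who can revoke the issuing account's sessions rather than only to a ticket queue.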
-
Yikes! That's a lot of endpoints and associated servers and other infrastructure.
I wonder if they will be able to recover? Particularly if the backups are gone and there are no others in cold storage somewhere.
As they have discovered, blowback can be painful and expensive or even unrecoverable.
-
Stryker have filed an 8-K with the SEC for their wiper incident.
"The Company has no indication of ransomware or malware and believes the incident is contained."
Almost like Handala lived off the land..
-
Handala statement on their hack of Stryker
-
Stryker have a liveblog of their security incident, linked from the front page of their website:
tl;dr is most customer systems aren't impacted as they run on Linux, but their corporate Windows systems are toast so please hold the line.
-
Stryker filed an 8-K with the SEC saying no indication of malware on their environment - yet Palo Alto's DFIR statement says they have removed malware from Stryker's environment.
-
Handala have phished Kash Patel, the director of the FBI, and released his emails.
See the prior rest of thread on this, they've been doing it for years with Israeli politicians - they just phish Gmail and iCloud logins, then sync devices.
The FBI have confirmed the emails are authentic. It looks like they are releasing them in batches.
-
@GossiTheDog lawl you can already download them. It’s 1.1 gigs.
-
@GossiTheDog something something "but her emails!"