Introduction
The Iranian cyber group “Handala” reflects a distinctive pattern employed by Tehran in the digital arena: deploying cyber personae that are not officially part of the regime yet operate on its behalf against Israel, target the opposition in exile, and reinforce the regime’s legitimacy at home. Since the Israel–Hamas war erupted in October 2023—and especially since the 12-day war between Israel and Iran in June 2025—Handala has shown how Tehran uses cyber not only as a tool of cognitive and operational warfare but also as a partial substitute for military capabilities degraded by the war.[1]
Through Handala, Iran preserves plausible deniability, wages information warfare against Israel and the Iranian opposition, and extracts a measured cost from Israel with relatively little risk. If the scope and intensity of its operations grow, however, this pattern could evolve into a significant tool of deterrence. For Israel, grasping the role of cyber personae like Handala is critical to shaping a comprehensive cyber strategy—one that combines technological defense, effective deterrence, and management of public perception.
This paper examines the Iranian regime’s view of cyberspace as a theater of conflict, focusing on the case of “Handala,” which Iran’s Ministry of Intelligence has operated since late 2023.
Background
Despite the June 2025 cease-fire that ended twelve days of fighting with Israel, Tehran has continued to target Israeli entities through cyberattacks. Handala is among the most active groups in this context. While it first presented itself as a pro-Palestinian hacktivist collective with only tenuous Iranian ties, changes to its familiar patterns of activity and multiple exposures soon made clear that it works on behalf of the regime’s interests.
Handala has been active since at least December 2023[2], some two months after the beginning of the Hamas-Israel war, though it may have launched in September[3] of that year, establishing a presence on X and Telegram. Before the direct Israel–Iran conflict in summer 2025, it was part of a larger network of Iranian identities[4] operating intensively against Israel. After the cease-fire, it became the most prominent Iranian persona attacking Israel.
Iran’s Offensive Cyber Apparatus
Iran maintains an offensive cyber apparatus that includes operational attack units, some under the Ministry of Intelligence and others under the Revolutionary Guards. These units conduct cyber operations for espionage, influence, disruption, and destruction, while using personae and cover identities to mask the regime’s role.[5]
Governments, media outlets, Microsoft, and cybersecurity companies have exposed many of these units and tied them directly to Iran. For example, the 2020 cyberattack on the Israeli insurance company Shirbit was carried out by “Pink Sandstorm,” a Ministry of Intelligence unit. Responsibility, however, was claimed by the persona “Black Shadow,” designed to obscure Tehran’s involvement.[6]
Handala: Identity and Activities
The persona’s name is derived from the Arabic comic figure “Handala” (حنظلة)—a character laden with symbolic and identity significance in the Palestinian context, and which constitutes an important emblem for the Palestinian people. The figure symbolizes Palestinian refugeehood and the injustices inflicted on the Palestinian people by Israel.[7]
It is difficult to precisely follow the group’s activity since late 2023. Its X and Telegram accounts were repeatedly deleted and replaced. Cyberint, a cybersecurity firm, flagged a December 26, 2023 post in which Handala voiced support for Hamas and declared it began acting against Israel after the killing of IRGC General Seyed Reza Mousavi in a strike in Syria earlier that month that was attributed to Israel.[8]
An additional, although not unequivocal, indication that Handala was affiliated with the regime came when Israel’s National Cyber Directorate issued a warning the day before, on December 25, about a phishing campaign by an unnamed Iranian group impersonating the company F5. The attack sought to install a malicious file called “handala.exe.” That warning included other files with a similar orientation.[9] Around the same time, Handala taunted the Israeli cyber authorities in its channels and even posted a December 19 warning on X that it planned to attack Israel, which included the tag “F5.”[10]
In its early stages, Handala framed itself as part of the “Axis of Resistance,” emphasizing solidarity with the Palestinian struggle rather than explicitly promoting Iranian interests. (Direct Iranian attacks on Israel were not always a priority, at least not before the April 1, 2024 assassination of Qods Force Syria–Lebanon commander Mohammad Reza Zahedi.)
By 2024, reports tied Handala unequivocally to Iran, specifically to Storm-0842,[11] a Ministry of Intelligence unit operating the “DarkBit” and “Homeland Justice” personae,[12] both previously active in Iranian influence operations, as discussed later.
In summer 2025, Handala shifted focus briefly from Israel to hack Telegram accounts of journalists at Iran International, the London-based opposition television channel, releasing extensive personal information about them.[13] The aim was to boost the regime’s standing at home by striking a hostile exile outlet influential among Iranians. Iran International later exposed Ali Bermoudeh—a close associate of Iran’s cyber police (FATA)—as a key operator. The channel even published details about Bermoudeh’s private life.[14]
After the war with Israel, parallel to the hack against Iran International, Handala more openly aligned itself with Iranian state interests, possibly signaling a shift in its activity and messaging.
Handala’s main focus remains Israel: attacks on companies, government offices, and public bodies through data theft, defacement of websites, and influence operations. Its most prominent operations include the leaking of data on licensed Israeli gun owners in early February 2025[15] and claiming in September 2024 to have breached servers tied to the Nahal Soreq nuclear facility and stolen large amounts of data.[16]
Sometimes Handala used hacked networks to conduct influence operations. In January 2025 it breached “Maagar-Tec,” an electronics equipment distributor, and broadcast sirens and Arabic messages over PA systems[17]—including those installed in Israeli kindergartens. In June 2024 it hijacked the communications system of the Ma’ale Yosef Regional Council[18] in northern Israel to send threatening messages, claiming to have accessed it by breaking into the systems of the “My City” company.[19]
On August 22, 2025, Handala claimed responsibility for wartime hacks against multiple Israeli entities, including the Weizmann Institute, Kibbutz Almog, AeroDreams, Y.G. New Era, communications firm 099, TBN News, Agora, Saban Systems, Al-Wahar Automotive Services, Y.H.D. Group, Ben Hurin & Alexandrovitz, and Job Info. Handala also posted claims on behalf of other groups—“Cyber Support Front,” “Toufan,” and “Phoenix.”[20]
Handala is unique in that it persisted with attacks against Israel even after the June 24, 2025 cease-fire. Although the frequency of its attacks has dropped compared to the period of the war, Handala has continued to claim hacks of Israeli firms and to have mounted a major operation against Iran International, which it accused of being Saudi-funded and Mossad-directed. Handala claims to have exposed personal information about employees of Iran International.[21] It also hacked Israeli journalist Yinon Magal’s Telegram account in July 2025 and posted anti-Netanyahu messages.[22]
Though it often exaggerates the impact of its hacks and sometimes claims responsibility without proof, Handala typically releases stolen material as evidence of successful intrusions.
Handala’s Operational Environment
Handala operates under an Iranian Ministry of Intelligence unit specializing in destructive cyberattacks for influence campaigns. Two notable examples illustrate its methods:
- Albania (2022): In response to Albania granting asylum to members of the MEK opposition group, Iran launched a major cyberattack, stealing and deleting sensitive government data from several national authorities. The attackers maintained access to the networks for 14 months, carefully planning the strike for maximum effect.[23] The attack led Albania to sever relations with Iran, though Tirana eventually curtailed MEK activity.[24] The “Homeland Justice” persona, also tied to Storm-0842, claimed responsibility.[25]
- Technion (2023): In February 2023, the MuddyWater group struck Israel’s academic sector, including a ransomware attack on the Technion. According to an incident report by Israel’s National Cyber Directorate, a Telegram channel named “DarkBit”[26] was opened as part of the operation, claiming responsibility for the attack and demanding a ransom of 80 bitcoin (about six million shekels at the time of the report)[27]. The persona later announced that the ransom price would rise, and after more than a month, it put the data up for sale when Israeli authorities did not respond.[28] The attack forced the Technion to initiate a shutdown of its computer systems.[29] Although the Technion attack resembled criminal ransomware operations conducted by groups such as LockBit, it was most likely not an operation conducted for profit but rather to harm Israel—consistent with a known Iranian pattern, as in the Shirbit insurance company case.
Iran’s Use of Cyberattacks against Israel
Handala is a prime example of how Iran uses cyber offensively against Israel, including in the post-cease-fire period. The Iranian identity of the persona is clear for all to see, as are its organizational affiliation and the identity of its operators, but it does not present itself as an official arm of the regime and thereby preserves plausible deniability. Moreover, its attacks usually cause only limited damage, which Israel is able to absorb.
Before the latest war, cyberspace was already a shadow battlefield between the two states, and cyber operations continued during open hostilities. There is considerable evidence that the Iranians compartmentalized their fight against Israel into separate arenas, including the cyber domain. Attackers with varying degrees of affiliation to both Israel and Iran have conducted significant operations against their adversary in recent years. This has taken place within the broader framework of a “semi-official” confrontation between Israel and Iran, which included reciprocal uses of force—sometimes through proxies—but without formal acknowledgment. Even during the “official” war between the two countries, cyberattacks attributed to both sides were conducted.
It appears that Tehran still treats cyber as distinct from the kinetic battlefield, which allows it to justify ongoing attacks against Israel despite the cease-fire. It is noteworthy in this context that Iranian leaders insist the war continues. On August 7, 2025, the head of IRGC Intelligence declared: “The war has not ended. We are in a temporary pause. The enemy is conducting psychological operations, information warfare, and cognitive campaigns. Its main hope is to create internal crises.”[30] The significance of the intelligence chief’s statement, along with similar remarks by other senior officials, lies not only in Tehran’s refusal to formally recognize the cease-fire but also in providing justification for the continuation of actual hostilities between the sides—above all in the cyber domain, which has become a central battlefield for psychological and information warfare.
At the same time, cyber may eventually come to be seen by the Iranians as an integral part of the overall battlefield. For Iranian decision-makers, cyber already constitutes a significant arena, and Iranian media are increasingly voicing the need to treat the threats cited by the head of IRGC Intelligence as part of a unified threat framework faced by Iran.
In covering the reestablishment of the Supreme Defense Council—revived in Iran after the cease-fire with Israel—Nour News (affiliated with Iran’s Supreme National Security Council) wrote on August 4, 2025:
“The experience of the past three decades shows that at critical junctures, Iran needs special and dynamic structures for crisis management… coherence in setting defense and security policy is useful both for strengthening deterrence and for enhancing the state’s diplomatic capabilities at the regional and international levels. With the expansion of hybrid wars and multi-dimensional pressures against Iran, such coherence is a necessity, not a tactical choice.”[31]
Beyond this, cyberattacks may serve Iran as a partial substitute for the military capabilities it lost in the war—both as a way to restore its image and internal legitimacy, as seen in the hack of the accounts of Iran International journalists, and as a potential tool for creating external deterrence. Iran’s military apparatus suffered heavy damage in its confrontation with Israel, and Tehran failed to mount an effective counter-response. Cyber operations give the regime a convenient means of exacting a price from Israel at relatively low risk, thereby creating—domestically and potentially externally—the appearance of a “pseudo-balance” with Israel.
In the short term, Tehran will use this balance primarily for internal needs: reinforcing the regime’s legitimacy, strength, and how the public perceives its capabilities—as it almost certainly intended in the Iran International hack. At this stage, Iran is likely to maintain a separation between arenas in order to preserve maximum freedom of action. At a later stage, as cyber becomes more fully integrated into the broader battlefield, it may also be used as an instrument of external deterrence. A clear indication of such a shift would be a rise in both the frequency and severity of attacks. In any of these scenarios, Handala remains a central tool for implementing Iranian policy and can be expected to continue playing that role in the near term.
Conclusion
The regime’s use of Handala illustrates its approach to asymmetric cyberwarfare: targeted strikes, amplification in the cognitive domain, and preservation of deniability. With Iran’s military power eroded in its confrontation with Israel, cyberattacks give the regime a readily available, flexible, and lower-risk instrument for sustaining ongoing conflict. For Israel, the implication is that even in periods of relative calm, cyberspace remains an active battlefield—one that demands a combined response of technological defensive capabilities, strategic communication, and effective deterrence. Understanding Handala’s place in Iran’s wider threat matrix is essential to shaping a comprehensive strategy that secures Israel’s resilience both digitally and cognitively.
[1] The information in this paper is current as of August 22, 2025.
[2] https://cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/
[3] https://namnak.com/hanzaleh-cyber-group.p107935
[4] In this context, a “persona” or “identity” refers to a social media page or online forum account with a distinctive name and symbol, ostensibly belonging to the hacker group carrying out the cyberattacks. It usually includes a statement or hint regarding the motives for the attack—whether ideological or financial—as well as an allusion to the perpetrators’ identity.
[5] https://www.microsoft.com/en-us/security/security-insider/threat-landscape/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas/
[6] https://www.gov.il/BlobFolder/reports/alert_1727/he/ALERT-CERT-IL-W-1727.pdf
[7] https://he.wikipedia.org/wiki/%D7%97%D7%A0%D7%93%D7%9C%D7%94
[8] https://www.ynet.co.il/news/article/hkipdfdwt
[9] https://www.gov.il/he/pages/alert_1691
[10] https://intezer.com/blog/stealth-wiper-israeli-infrastructure/
[11] https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/5bc57431-a7a9-49ad-944d-b93b7d35d0fc.pdf
[12] https://www.microsoft.com/en-us/security/security-insider/threat-landscape/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas/
[13] https://www.dw.com//a-73202383
[14] https://www.iranintl.com/202508143905
[15] https://www.pc.co.il/news/426334/
[16] https://www.ynet.co.il/digital/technews/article/hkz211m00cc
[17] https://www.kan.org.il/content/kan-news/local/852212/
[18] https://www.israelhayom.co.il/tech/tech-news/article/15843626
[19] https://t.me/CyberSecurityIL/5210
[20] https://t.me/Handala_channal/110
[21] https://www.dw.com/fa-ir/a-73202383
[22] https://www.maariv.co.il/culture/article-1214484
[23] https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a
[24] https://albaniandailynews.com/news/pm-rama-mujahideen-must-leave-albania-if-they-want-to-fight-iran
[25] https://cyberscoop.com/iran-hack-albania-ransomware-mek/
[26] According to information available online, DarkBit is not affiliated with MuddyWater, although both are subordinate to the Ministry of Intelligence. It is possible that this was a cross-group collaboration in which MuddyWater carried out the breach while Banished Kitten—the group known to operate DarkBit—executed the influence component of the operation.
[27] https://www.gov.il/he/pages/_muddywater
[28] https://www.csoonline.com/article/574899/darkbit-puts-data-from-israel-s-technion-university-on-sale.html
[29] https://www.calcalist.co.il/calcalistech/article/bkb9d78pj
[30] https://www.hamshahrionline.ir/news/969438
[31] https://vista.ir/n/nournews-cshpw
JISS Policy Papers are published through the generosity of the Greg Rosshandler Family.