Handala Hack: Unpacking Void Manticore’s Destructive Wiping and Hack-and-Leak Operations
- Actor Motivations: Exfiltration, Sabotage
- Attack Vectors: Brute-force, Compromised Credentials, Malware, Wiper, Compromised Software
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
Handala Hack, an Iranian MOIS-affiliated threat actor also tracked as Void Manticore, executes destructive wiping and hack-and-leak operations against targets in Israel, Albania, and the United States. They primarily target the government, telecommunications, and medical technology sectors. The group relies on compromised VPN accounts for initial access, subsequently moving laterally via RDP and the zero-trust mesh platform NetBird. Their hands-on attacks involve disabling Windows Defender and conducting extensive credential dumping via LSASS extraction and ADRecon. To maximize operational impact, Handala simultaneously deploys custom MBR and PowerShell wipers via Group Policy, leverages VeraCrypt for disk encryption, and manually deletes virtual machines, causing severe data destruction.
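A defender-side detection pass over the intrusion chain described above (VPN access from an unexpected location, RDP lateral movement, NetBird, Defender tampering, LSASS access, a wiper staged as a Group Policy startup script), added here as an example and not part of the original report. The event records are constructed, and the field names, the allowed-country set and the GPO GUID are assumptions.

```python
"""Toy detection and correlation for the Void Manticore / Handala chain.
Added example: field names (kind, image, cmdline, target, logon_type, path)
are assumptions modelled loosely on Security/Sysmon telemetry."""
from collections import defaultdict

# Constructed sample telemetry (not real logs); one user, jdoe, walks the chain.
SAMPLE_EVENTS = [
    {"host": "vpn-gw", "user": "jdoe", "kind": "vpn_logon", "src_country": "XX"},
    {"host": "ws01", "user": "jdoe", "kind": "logon", "logon_type": 10},  # 10 = RemoteInteractive (RDP)
    {"host": "ws01", "user": "jdoe", "kind": "process", "image": "netbird.exe", "cmdline": "netbird up"},
    {"host": "ws01", "user": "jdoe", "kind": "process", "image": "powershell.exe",
     "cmdline": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws01", "user": "jdoe", "kind": "process_access", "source": "procdump.exe", "target": "lsass.exe"},
    {"host": "dc01", "user": "jdoe", "kind": "file_write",
     "path": r"\\corp.example\SYSVOL\corp.example\Policies\{PLACEHOLDER-GPO-GUID}\Machine\Scripts\Startup\wipe.ps1"},
    {"host": "ws02", "user": "alice", "kind": "logon", "logon_type": 2},  # benign interactive logon
]

ALLOWED_VPN_COUNTRIES = {"US", "IL"}  # assumption: countries the organisation expects VPN users from

# One rule per stage of the reported chain: (stage name, predicate over a single event).
RULES = [
    ("vpn-access-anomalous-geo", lambda e: e["kind"] == "vpn_logon"
                                 and e.get("src_country") not in ALLOWED_VPN_COUNTRIES),
    ("lateral-rdp", lambda e: e["kind"] == "logon" and e.get("logon_type") == 10),
    ("mesh-vpn-tool", lambda e: e["kind"] == "process" and e.get("image", "").lower() == "netbird.exe"),
    ("defender-tamper", lambda e: e["kind"] == "process"
                        and "disablerealtimemonitoring" in e.get("cmdline", "").lower()),
    ("lsass-access", lambda e: e["kind"] == "process_access" and e.get("target", "").lower() == "lsass.exe"),
    ("gpo-startup-script", lambda e: e["kind"] == "file_write"
                           and "\\scripts\\startup\\" in e.get("path", "").lower()),
]


def evaluate(events):
    """Return a (stage, host, user) triple for every rule that fires on an event."""
    return [(stage, e["host"], e["user"]) for e in events for stage, pred in RULES if pred(e)]


def correlate(hits, threshold=3):
    """Escalate any user seen in at least `threshold` distinct stages; single hits are noisy,
    a Defender-off + LSASS + GPO-script sequence on one account is not."""
    stages = defaultdict(set)
    for stage, _host, user in hits:
        stages[user].add(stage)
    return {u: sorted(s) for u, s in stages.items() if len(s) >= threshold}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for hit in found:
        print("hit:", hit)
    print("escalate:", correlate(found))
```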
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Stryker: Stryker Corporation is an American multinational medical technologies corporation based in Portage, Michigan, United States. Stryker is Handala's main target. | Verified |
| Sector | Government Agencies and Services | Verified |
| Sector | Information Technology | Medium |
| Sector | Medical | Verified |
| Sector | Telecommunication | Verified |
| Region | Albania | Verified |
| Region | Israel | Verified |
| Region | United States | Verified |
Extracted IOCs
Tip: 9 IOCs related to this threat have been found (4 IP addresses, 0 domains, 0 URLs, 0 email addresses, 5 file hashes).
FAQs
Understanding the "Handala Hack" Cyber Threat: A Quick Guide
The "Handala Hack" cyber group has been conducting destructive cyberattacks and data leaks against various organizations. Recently, they have expanded their operations to include major U.S.-based enterprises, causing significant data loss and system damage.
The attacks are carried out by an Iranian threat actor known as Void Manticore, which is affiliated with Iran's Ministry of Intelligence and Security (MOIS). They operate using several fake online identities, primarily calling themselves "Handala Hack" or "Homeland Justice."
The group heavily targets IT and technology service providers to steal credentials that give them access to other networks. They have also directly attacked government agencies, telecommunications companies, and medical technology firms.
The attackers typically break in by guessing or stealing passwords for a company's remote work network (VPN). Once inside, they manually navigate the network to steal high-level administrative passwords, which they then use to launch destructive, data-wiping software across all connected computers at once.
Organizations must secure their remote access points with strong multi-factor authentication and monitor for unusual login locations. It is also critical to keep secure, offline backups of all data and heavily restrict who holds top-level administrative passwords.
While the attackers use fairly common and opportunistic methods to break into networks, their overall campaigns are highly targeted. They focus on specific countries and high-value corporate targets that align with their state-sponsored motivations.