"We're not dealing with a classic hacker group with deep intelligence capabilities, but rather a 'loud' actor whose main goal is psychological and cognitive influence," Rafael Franco, former deputy head of Israel's National Cyber Directorate and currently CEO of CODE BLUE, said, characterizing the Iranian hacker group "Handala."
The group, which published materials from the phone of Tzachi Braverman, a close associate of Prime Minister Benjamin Netanyahu, on Sunday morning, has become one of the most prominent players in cyber attacks against Israel in recent months.
According to Franco, "Most of its mission is to damage public trust, create a sense of penetration, and amplify media resonance, sometimes by inflating achievements." However, he emphasizes that "its activity sometimes integrates into a broader campaign, including ideological and sometimes infrastructural overlap with state actors or regional proxies."
According to reports from intelligence agencies and cybersecurity companies, the group is affiliated with an Iranian unit connected to the Ministry of Intelligence and specializes in cyberattacks for influence operations. Its name is derived from the comic character of the same name that has become a Palestinian symbol representing the Palestinian "refugee" issue. The group calls itself "The Popular Resistance Front of People Seeking Justice" and has been active since at least December 2023, about two months after the outbreak of the Iron Swords war.

From Bennett to nuclear scientists
Handala's target list includes senior politicians, security officials, and Israeli civilians. About 10 days ago, the group claimed it had breached former Prime Minister Naftali Bennett's Telegram account and published personal correspondence, contact lists, and photos. Bennett eventually admitted that "access to the Telegram account was obtained," but emphasized that the phone device itself was not breached.
About three weeks ago, the group published documentation of a red flower bouquet that, according to its claim, was left in the vehicle of a senior Israeli nuclear scientist. "Yesterday, you received our flower bouquet. It's an apparently harmless object, but did you notice its weight?" the threatening message read. Alongside the documentation, a list of names and phone numbers was published that allegedly belongs to members of Unit 8200.
In addition, Handala published the names and detailed profiles of 14 individuals who, according to the group, serve as key figures in planning and developing drone systems in the IDF and defense industries, and attached a monetary "reward" of $30,000 to each.
The group's activity focuses on attacks against Israeli companies, government offices, and public bodies. Among the prominent cases: the leak of details on many Israelis carrying licensed weapons in early February 2025, and the claim in September 2024 of a breach of servers related to the Nahal Sorek nuclear facility, in which the hackers claimed they had obtained approximately 197 gigabytes of data.

Clear Iranian affiliation
According to a position paper by the Jerusalem Institute for Strategy and Security, the Handala group is affiliated with an Iranian unit connected to the Ministry of Intelligence. The cybersecurity company Cyberint pointed to a post from December 2023 in which Handala expressed support for Hamas and wrote that it began operating against Israel after the assassination of Revolutionary Guards commander Mousavi.

In 2024, Microsoft published reports unequivocally attributing the group to the Iranian attack group Storm-0842, which is connected to the Iranian Ministry of Intelligence and also responsible for activity under the identities "DarkBit" and "Homeland Justice."

Exploitation of human weaknesses
"Its main operation relies on unsecured breaches, information leaks, and targeted dissemination of materials on social networks," Franco explains. According to him, Handala is characterized by a low-to-medium level of technological sophistication, but also by intensive activity and a strong focus on creating public and media impact.
Franco emphasizes: "The threat is not measured only by the direct technological damage, but by the ability to exploit human and organizational weaknesses, and to turn isolated cyber incidents into a tool in an ongoing consciousness war against Israel."



