Iran-Linked Group Handala Hack Targets US, Israel with Destructive Cyberattacks and RDP Exploits

Handala Hack’s Destructive Cyberattacks: A Deep Dive into RDP Exploitation and Parallel Wipers

In a series of aggressive cyberattacks, the Iranian-linked group known as Handala Hack has targeted organizations across Israel, Albania, and the United States. Operating under the broader identity of Void Manticore—also tracked as Red Sandstorm and Banished Kitten—this group is directly associated with Iran’s Ministry of Intelligence and Security (MOIS). Unlike typical cyber-espionage campaigns, Handala Hack’s operations are explicitly designed to destroy data and cripple recovery efforts.

Origins and Evolution

Handala Hack derives its name from the iconic Palestinian cartoon character Handala and has been active since late 2023. The group maintains three public-facing personas: Handala Hack, Karma, and Homeland Justice. Since mid-2022, Homeland Justice has been used to target government agencies, telecom providers, and other sectors in Albania. Over time, Karma appears to have been phased out, with Handala becoming the primary alias. In recent operations, the group has extended its reach to the United States, striking organizations such as the medical technology firm Stryker.

Attack Methodology

Check Point researchers have identified the group’s evolving attack patterns across multiple intrusions. While its core methods have remained consistent since 2024, several new techniques have emerged in recent campaigns. These include the use of NetBird, a legitimate peer-to-peer networking tool employed to tunnel traffic within victim networks, and an AI-assisted PowerShell script deployed as part of its wiping toolkit. Notably, researchers observed a decline in the group’s operational discipline, with activity traced directly to Iranian IP addresses rather than the commercial VPN services previously utilized.

The attack chain typically begins with compromised VPN credentials, obtained through brute-force attempts or supply chain breaches against IT service providers. Once inside, the attackers rely on Remote Desktop Protocol (RDP) to manually navigate between systems before initiating destructive actions. In some instances, at least five attacker-controlled machines were observed operating simultaneously within a single victim environment, reflecting the group’s intent to cause damage as swiftly and broadly as possible.

Parallel Wiping Operations

A distinguishing feature of Handala Hack’s operations is its multi-layered approach to data destruction, deploying multiple wipers simultaneously to ensure rapid and comprehensive damage. This strategy leaves organizations with minimal chances of meaningful recovery.

1. Handala Wiper: Distributed via Group Policy logon scripts through a batch file named `handala.bat`, this custom wiper overwrites file contents and corrupts the Master Boot Record (MBR) for deep, low-level damage. Because the executable is launched remotely from the Domain Controller's share and is never written to disk on the targeted machines, it avoids file-based detection by endpoint security tools.

2. AI-Assisted PowerShell Wiper: This wiper removes all files from user directories and is executed alongside the Handala Wiper to maximize destruction.

3. Additional Wiping Tools: The group employs other wipers in parallel, each targeting different aspects of the system to ensure comprehensive data destruction.
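Two of the behaviours described above leave traces a defender can hunt for in Windows Security logs: several attacker-controlled machines opening RDP sessions to the same host within minutes (Attack Methodology), and a GPO logon script launching a binary straight off the Domain Controller's share so that nothing lands on local disk (item 1). The following Python is an added detection sketch written for this page; it is not code from the article, from Check Point, or from the threat actor. The event records, host names, IP addresses, the `corp.example` domain and the `PLACEHOLDER_payload.exe` file name are all constructed, and the field names are a simplified stand-in for event 4624 (logon, type 10 = RemoteInteractive) and 4688 (process creation) data as a SIEM might export it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Shapes loosely follow Windows
# Security events 4624 (logon; LogonType 10 = RDP) and 4688 (process creation
# with "Include command line in process creation events" enabled).
SAMPLE_EVENTS = [
    # Four distinct RDP sources reach FS01 within a few minutes: the "several
    # attacker machines in parallel" pattern.
    {"event_id": 4624, "time": "2025-01-10T02:00:05", "host": "FS01", "user": "svc-backup", "logon_type": 10, "src_ip": "10.0.5.11"},
    {"event_id": 4624, "time": "2025-01-10T02:01:10", "host": "FS01", "user": "svc-backup", "logon_type": 10, "src_ip": "10.0.5.12"},
    {"event_id": 4624, "time": "2025-01-10T02:03:44", "host": "FS01", "user": "svc-backup", "logon_type": 10, "src_ip": "10.0.5.13"},
    {"event_id": 4624, "time": "2025-01-10T02:04:02", "host": "FS01", "user": "svc-backup", "logon_type": 10, "src_ip": "10.0.5.14"},
    # A single admin RDP session on WS22: normal, not a burst.
    {"event_id": 4624, "time": "2025-01-10T09:15:00", "host": "WS22", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.8.40"},
    # Benign GPO logon script mapping drives; the child binary is on local disk.
    {"event_id": 4688, "time": "2025-01-10T09:16:00", "host": "WS22",
     "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\mapdrives.bat"},
    # Logon script launching a binary directly from the DC share (constructed
    # placeholder name; the article does not name the executable).
    {"event_id": 4688, "time": "2025-01-10T02:05:30", "host": "WS22",
     "image": r"\\corp.example\NETLOGON\PLACEHOLDER_payload.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\handala.bat"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def rdp_source_bursts(events, window_minutes=10, min_sources=3):
    """Return {host: [distinct source IPs]} for every host that received
    RemoteInteractive (RDP) logons from at least min_sources distinct sources
    inside one sliding window of window_minutes."""
    by_host = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 10:
            by_host[e["host"]].append((_ts(e["time"]), e["src_ip"]))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for host, logons in by_host.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            sources = {ip for t, ip in logons[i:] if t - start <= window}
            if len(sources) >= min_sources:
                flagged[host] = sorted(sources)
                break
    return flagged


def unc_children_of_batch(events):
    """Return process creations whose image path is a UNC share and whose
    parent is a batch script: the 'run from the DC, never touch local disk'
    pattern. Legitimate logon scripts normally spawn local binaries."""
    hits = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        image = e.get("image", "")
        parent_cmd = e.get("parent_cmdline", "")
        if image.startswith("\\\\") and ".bat" in parent_cmd.lower():
            hits.append({"host": e["host"], "image": image,
                         "script": parent_cmd.split()[-1]})
    return hits


if __name__ == "__main__":
    for host, ips in rdp_source_bursts(SAMPLE_EVENTS).items():
        print(f"RDP burst on {host}: {len(ips)} distinct sources {ips}")
    for hit in unc_children_of_batch(SAMPLE_EVENTS):
        print(f"UNC binary {hit['image']} launched by {hit['script']} on {hit['host']}")
```

The thresholds (three sources in ten minutes) are starting points to tune against a site's baseline; jump hosts and RDP gateways will need an allowlist. The second rule only fires when command-line auditing is enabled on the endpoints, and it is worth pairing with a file-integrity alert on the SYSVOL `Scripts` folders, since a new or modified logon script is the earlier signal.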

Implications and Recommendations

The aggressive tactics employed by Handala Hack underscore the evolving nature of cyber threats, where state-sponsored actors are increasingly focusing on destructive operations rather than mere data exfiltration. Organizations must adopt a multi-faceted defense strategy to mitigate such threats:

– Enhanced Monitoring: Implement continuous monitoring of network traffic and user activities to detect anomalies indicative of a breach.

– Strict Access Controls: Enforce the principle of least privilege, ensuring that users have only the access necessary for their roles.

– Regular Patching: Keep all systems and software up to date to close vulnerabilities that could be exploited by attackers.

– Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a breach.

By understanding the methods and motivations of groups like Handala Hack, organizations can better prepare and defend against the growing threat of destructive cyberattacks.