The Iran-linked threat actor Handala this week targeted US troops in Bahrain in an influence campaign carried out on WhatsApp.
The messages, signed Handala and containing a link to the group’s website, claimed the service members were under surveillance and soon to be targeted with drones and missiles.
“Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles,” the messages reportedly read.
On Tuesday, the group boasted on its Telegram channel about publishing the personal information of 2,379 US Marine Corps members stationed in the Persian Gulf. The Navy warned service members earlier this month about Iran’s influence campaigns, Stars and Stripes reports.
Also tracked as Handala Hack, Banished Kitten, Dune, Hanzalah Hacking Group, Homeland Justice, Red Sandstorm, Storm-0842, and Void Manticore, Handala has been active since at least 2008, engaging in a broad range of activities, from hacktivism to destructive attacks.
In March, the US officially linked Handala to Iran’s Ministry of Intelligence and Security (MOIS), following the disruptive attack on the US-based medical technology giant Stryker.
According to SOCRadar, Handala’s association with MOIS and not Iran’s Islamic Revolutionary Guard Corps (IRGC) suggests that the group is “more of an intelligence and influence operation than a purely military one. The goal is psychological damage and data collection, not just technical disruption.”
The targeting of US troops in Bahrain is the latest step in a campaign that started earlier this year with attacks against Israeli infrastructure and ramped up into direct clashes with US institutions and military personnel.
Boasting about the Stryker attack, Handala claimed wiping out over 200,000 systems using compromised administrator credentials in Microsoft Intune.
The group also claimed to have hacked FBI Director Kash Patel’s personal Gmail account. The US confirmed the incident and posted a $10 million reward for information leading to the identification and arrest of Handala members.
Using custom malware, commercial tools, and social engineering tactics, the group previously targeted numerous Israeli organizations, ranging from kindergartens to nuclear research centers.
Handala also relies on wipers (BiBi Wiper, CoolWipe, ChillWipe, Hamsa, and Hatef) and leverages the Telegram Bot API for command-and-control (C&C) communication.
“The group operates inside a larger Iranian intelligence structure, gets initial network access handed to it by more sophisticated actors, and has shown it can cause significant operational damage when it reaches its target. The shift toward directly threatening military personnel through personal communications channels shows it is willing to move beyond corporate or infrastructure targets,” SOCRadar notes.
Related: Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions
Related: Most Serious Cyberattacks Against the UK Now From Russia, Iran and China, Cyber Chief Says
Related: Industry Reactions to Iran Hacking ICS in Critical Infrastructure: Feedback Friday
Related: Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in Warfare
