In just 48 hours, a group known as Handala Group carried out a series of cyberattacks against key Israeli targets in what will likely be remembered as one of the most significant cyber incidents of the year. Handala Group is part of the wider network of over 60 pro-Iranian hacker groups operating globally. These groups engage in cyber operations aligned with Iranian strategic interests and often target Iran’s adversaries in what is considered an ongoing cyberwarfare campaign.
On June 14, the group announced on its dark web platform that it had successfully breached two of Israel’s largest energy companies: Delkol and Delek. These companies play a central role in the country’s oil and gas production and distribution, and compromising their systems implies direct access to Israel’s energy infrastructure. Following the announcement, Delek’s CEO, Idan Wallace, claimed that the incident was minor and that only a few non-sensitive files had been accessed. In response, Handala Group published approximately 300,000 confidential documents from both companies, some dated 2025, which included sensitive banking information, fuel distribution logistics, supplier lists, and detailed data related to oil and gas production.
Later that same day, the group revealed a cyberattack on Aerodreams, a defense contractor closely linked to the Israeli Air Force. The company is responsible for military drone programs and pilot training. According to the group, 400 GB of sensitive data was extracted during the breach and may be released publicly soon.
Also on the same day, the group announced an attack on Y.G. New Idan, a company affiliated with Israel’s Ministry of Defense, which is involved in the design and construction of military bases. They claim to have exfiltrated 339 GB of highly sensitive internal designs and network infrastructure data, with plans to release it shortly.
The group also reported a breach of 099 ISP, a medium-sized internet service provider. In this case, they did not leak internal data but instead used the company’s servers to send over 150,000 fake emergency warning emails to the public, instructing them to evacuate. This operation was clearly designed as a psychological tactic rather than data theft.
On the following day, Handala Group announced another significant breach, this time targeting TBN Israel, a prominent Israeli media company known for its role in shaping international narratives favorable to Israel. The group claims to have extracted 542 GB of data, including raw and unedited footage of programs that aim to present Israel as a victim. They have already released 8 GB of behind-the-scenes footage and indicated that the full leak is forthcoming.
This is not the first major campaign by Handala Group. On February 9, they claimed responsibility for a breach of the Israeli police, leaking 2.1 terabytes of internal data including officer profiles, armament details, and information on both public and classified deployments. Earlier, on January 29, they had already announced an attack on the Ministry of National Security, exfiltrating nearly 4 terabytes of critical data. They also accessed and disrupted the Integrated Management System, which coordinates various Israeli security and administrative systems. During the breach, they triggered the national missile alert system (Red Alert), prompting civilians to seek shelter and allegedly causing a temporary malfunction in shelter access systems. They also wiped sensitive data from multiple platforms and managed to hijack internal broadcast systems, sending a message that included the phrase “Khaybar, Khaybar, O Jews,” a reference to the historical Battle of Khaybar and a phrase often used in political protests against Israel.
Iran is considered one of the world’s top five nations in terms of cyber capabilities, hosting a wide array of advanced persistent threat (APT) groups. The most notable among them include MuddyWater, OilRig, APT35, and APT39, as well as groups known collectively as the “Kittens,” such as Fox Kitten, Charming Kitten, Domestic Kitten, and Flying Kitten. Many of these have not yet been actively deployed in the current conflict, indicating that Iran has so far only engaged a fraction of its cyber arsenal. If operations like those conducted by Handala Group are only the beginning, future escalations may prove to be far more impactful.