A deep-dive for the people who actually want to understand what's going down - not just the headlines.
Wait, Who Even Is Handala?
Okay so before we get into the chaos, let me set the scene.
"Handala" is actually a famous Palestinian political cartoon - a barefoot, 10-year-old refugee boy drawn by artist Naji al-Ali in 1969. He stands with his back to the viewer, arms clasped behind him. He's become a global symbol of resistance and displacement.
A hacker group borrowed that name - and that energy - and has been making headlines ever since.
Handala Hack Team (also called Handala, Hatef, Hamsa) first appeared in December 2023. They present themselves as a scrappy, pro-Palestinian hacktivist collective. But here's the twist: every major cybersecurity firm - Check Point Research, Palo Alto Networks Unit 42, CrowdStrike, Microsoft - has linked them to Iran's Ministry of Intelligence and Security (MOIS).
They're also tracked as Void Manticore (aka Red Sandstorm, Banished Kitten) - a state-sponsored Iranian threat actor with a long record of destructive operations. The "hacktivist" branding? That's largely a PR move. A very effective one.
"It's a mixture of lies and real attacks, making it hard to parse out what's exactly happening."
- Cynthia Kaiser, former FBI Cyber Division Deputy Assistant Director
The Playbook: Hack, Wipe, Leak, Repeat
Handala doesn't just break into systems for data. Their MO has three moves:
Wiper Attacks
They don't encrypt your files for ransom. They delete everything. Permanently.
Hack & Leak
Steal sensitive data, publish it publicly to humiliate targets and influence public opinion.
Psychological Warfare
Loud claims, exaggerated numbers, dramatic manifestos. Even if half their claims are false, the fear they generate is very real.
Former Israeli National Cyber Directorate deputy head Rafael Franco literally called them a "loud actor" - meaning their bark is often bigger than their bite. But some of their bites? Genuinely devastating.
The Timeline of Carnage
Let's walk through their greatest hits - all verified:
Early Operations (Late 2023 - 2024)
- Phishing via fake F5 security updates: Disguised malware as software patches targeting Israeli organizations. Classic social engineering.
- Website defacements: Multiple Israeli sites hit in coordinated campaigns.
- SMS attack on Ma'ala Yosef (June 2024): Citizens received alarming texts with links to a fake "MyCity" crisis management app - actually malware.
- CrowdStrike Outage Phishing (July 2024): When the infamous CrowdStrike Windows sensor crash caused global BSODs, Handala immediately rode the wave - launching phishing campaigns with fake "remediation tools" targeting Israeli organizations. The payload? A wiper. Multi-stage execution chain involving an NSIS installer, obfuscated scripts, and AutoIT loaders.
Escalation (Late 2024 - Early 2026)
- Soreq Nuclear Research Center (September 2024): Claimed 197 GB of classified nuclear data. Israel's National Cyber Directorate assessed it as mostly psychological warfare. Global headlines ran anyway.
- Israeli Police (February 2025): Claimed 2.1 TB exfiltrated - personnel records, weapons inventories, psychological profiles.
- Iran International journalists doxxed (July 2025): Five journalists from the Farsi news channel had their personal IDs, intimate photos, and passwords leaked. The operation was documented by Rapid Response Mechanism Canada (RRM Canada) and amplified across X, Facebook, Instagram, and Telegram.
- Naftali Bennett's phone hacked (December 2025): Former Israeli PM's personal phone compromised. Contacts, images, and messages leaked. Same methods later used against other senior officials.
- Clalit Health Network breach (February 2026): Medical data of 10,000+ patients from Israel's largest healthcare network allegedly accessed and published.
Going Global - Targeting the US (2026)
After Operation Epic Fury (US-Israeli airstrikes on Iran, February 28, 2026), the gloves came off. Handala expanded from Israel to American targets - hard.
The Big One: The Stryker Attack
"On the morning of March 11, employees at Stryker offices worldwide switched on their computers and found them blank."
This is the attack that made the world sit up.
Who is Stryker?
Stryker Corporation (NYSE: SYK) is a Fortune 500 medical technology giant:
- $25 billion in 2025 revenue
- ~56,000 employees globally
- Surgical equipment, orthopedic implants, neurotechnology in hospitals worldwide, impacting 150+ million patients
- A $450M Department of Defense contract in 2025 to supply medical devices to the US military - that's why they became a target
What Happened - Step by Step
Step 1: Getting In (Months Before the Detonation)
Check Point Research confirmed that initial access was established well before the attack - network access dated back several months. This is called pre-positioning, and it's a hallmark of nation-state tradecraft, not random hacktivism.
Investigators identified hundreds of brute-force attempts against Stryker's VPN infrastructure from commercial VPN nodes. After Iran's January 2026 internet shutdown, Handala switched to routing their reconnaissance through Starlink IP ranges - a deliberate technique to blend into legitimate satellite internet traffic.
Stryker also had a previous breach in 2024 (unauthorized access from May-June 2024, exfiltrating PII and medical records - not even disclosed until December 2024). Whether that earlier compromise left persistent footholds? Still under investigation.
Step 2: The Credential Game
Once inside the VPN or network perimeter, attackers moved toward the cloud identity layer. Most large enterprises sync their on-premises Active Directory with Microsoft Entra ID (formerly Azure AD) using Azure AD Connect (now called Microsoft Entra Connect). When password hash sync is enabled? Same credentials work in both environments.
Standard MFA (SMS codes, app OTPs) doesn't protect against AiTM (Adversary-in-the-Middle) phishing:
- Victim completes a real MFA challenge on the real Microsoft login page
- Attacker captures the session token issued after successful MFA
- They steal what comes after authentication, not the authentication itself
This is how they got Global Administrator credentials for Stryker's Microsoft environment.
Step 3: The Kill Switch
Here's where it gets technically wild.
Microsoft Intune is a cloud-based Mobile Device Management (MDM) platform. It lets enterprise IT teams:
- Push security policies to all enrolled devices from a single web console
- Enforce compliance
- And - critically - remotely wipe any enrolled device
Attackers with admin access to Intune have a kill switch for every single device enrolled in the organization. Worldwide.
Between approximately 5:00 and 8:00 AM EDT on March 11, 2026, Handala used Stryker's own Intune console to issue a remote wipe command across the entire global device fleet simultaneously.
No novel exploit. No custom malware deployed to individual endpoints. Just: click. wipe. done.
The Handala logo appeared on blank screens across 79 countries.
Step 4: The Human Fallout
- 200,000+ devices wiped (Handala's claim - likely inflated, but disruption is confirmed)
- Stryker offices in 79 countries forced offline
- ~5,500 employees sent home in Cork, Ireland alone (Stryker's largest non-US hub)
- Employees who enrolled personal phones under Stryker's BYOD program? Those were factory reset too - personal photos, eSIMs, banking authenticator apps. Gone.
- Corporate communications collapsed. Staff were coordinating via WhatsApp because corporate systems were down.
- Stryker filed a Form 8-K with the SEC confirming "a global disruption to the Company's Microsoft environment as a result of a cyber attack."
- Some hospitals had to postpone surgeries.
Stryker confirmed the incident was contained to its Microsoft environment, with no indication of ransomware or malware - consistent with the Intune remote wipe vector (no malware needed).
The FBI Director's Email Got Popped Too
Because Handala wasn't done in March.
On March 27, 2026, the group claimed to have compromised the personal email account of FBI Director Kash Patel. The FBI confirmed the account was targeted. The group published an old resume, personal photos (including one with a cigar and one with a bottle of rum), and old emails from the account.
The FBI noted the data was "historical in nature" and contained "no government information." But the symbolism? Massive. Iran-backed hackers dumping the FBI director's personal files publicly, right in the middle of an active war.
The Trump administration responded by:
- Offering a $10 million reward for information on Handala members
- Having the Justice Department seize four web domains tied to Handala's operations
Handala rebuilt new infrastructure almost immediately. Iranian cyber actors can reregister domains and spin up new accounts through bulletproof hosting services faster than domains can be seized.
Why Does This Keep Happening? The Uncomfortable Truth
We have zero-trust frameworks. We have EDR tools. We have MFA everywhere. We have billion-dollar security budgets. So why does this keep working?
1. The Admin Console Blind Spot
Traditional wiper malware triggers EDR alarms - anomalous disk writes, suspicious processes. But a remote wipe issued through legitimate Intune admin commands looks like... a legitimate admin action. Until it's too late. Most orgs don't have anomaly detection on bulk administrative MDM actions.
2. AiTM Phishing Defeats Standard MFA
SMS codes, push notifications, TOTP apps - none of these stop an attacker who intercepts your session token after you successfully authenticate. Phishing-resistant MFA (FIDO2/hardware keys) is the answer. Most enterprises still haven't fully deployed it.
3. Pre-Positioning is the New Normal
Handala was inside Stryker's environment for months before pressing the button. Nation-state actors don't rush. They park, wait, explore, and detonate when it hurts most. Traditional "detect the intrusion" security often catches attacks in progress - but misses actors who move slowly and deliberately.
4. BYOD is a Double-Edged Sword
Employees enrolling personal devices in corporate MDM was a security best practice (centralized control). Handala turned it into collateral damage. Personal phones factory reset. Personal data gone. This creates psychological trauma beyond the corporate damage.
5. Geopolitical Hacking Doesn't Care About Your Security Posture
Stryker wasn't targeted because their security was weak. They were targeted because:
- They had a $450M DoD contract
- They acquired an Israeli company (OrthoSpace) in 2019
- Disrupting them disrupts hospitals globally
No amount of patch management prevents being on a nation-state's hit list.
MITRE ATT&CK Mapping (For the Nerds)
| Tactic | Technique |
|---|---|
| Initial Access | T1566 - Phishing (AiTM), T1078 - Valid Accounts (VPN credential abuse) |
| Credential Access | T1110 - Brute Force, T1539 - Steal Web Session Cookie (AiTM) |
| Persistence | T1078.004 - Valid Accounts: Cloud Accounts |
| Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools (Windows Defender), T1036 - Masquerading (Starlink IP blending) |
| Discovery | T1087 - Account Discovery, T1082 - System Info Discovery |
| Impact | T1485 - Data Destruction (Intune Remote Wipe), T1486 - Data Encrypted/Wiped for Impact |
| Exfiltration | T1041 - Exfiltration Over C2 Channel |
What Should Organizations Actually Do?
Based on guidance from Check Point, Arctic Wolf, Sygnia, and Palo Alto Unit 42:
For Microsoft Intune / Entra ID:
- Enable Multi-Admin Approval for destructive Intune actions (remote wipe, bulk policy deployment) - a second authorized admin must approve
- Treat your Intune admin console like a domain controller in terms of access controls
- Monitor for anomalous bulk device wipe actions in audit logs - alert on any wipe affecting more than a handful of devices in a short window
- Enable Conditional Access policies with strict device compliance requirements
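The "admin console blind spot" above and the audit-log monitoring item in this list both come down to the same check: is one identity issuing far more destructive MDM actions than a human helpdesk ever would in a short window? Here is an added illustration of that detection logic (written for this write-up, not code from Check Point, Microsoft or Stryker). The audit events are constructed; their field names loosely follow the Microsoft Graph deviceManagement/auditEvents shape, and the activity strings are assumptions to be mapped onto what your own tenant logs.

```python
"""Flag bulk remote-wipe activity in Intune-style audit events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Activity names treated as destructive. Assumed values; adjust to your tenant's audit log.
DESTRUCTIVE_ACTIVITIES = {"wipeManagedDevice", "retireManagedDevice"}

# Constructed sample: a helpdesk admin handling two lost laptops over a morning (normal),
# and one compromised Global Admin issuing six wipes/retires in under four minutes.
SAMPLE_EVENTS = [
    {"activityDateTime": "2026-03-11T04:10:00Z", "actor": "helpdesk@corp.example", "activityType": "wipeManagedDevice", "device": "LAP-0001"},
    {"activityDateTime": "2026-03-11T05:00:05Z", "actor": "ga-admin@corp.example", "activityType": "wipeManagedDevice", "device": "LAP-0117"},
    {"activityDateTime": "2026-03-11T05:00:31Z", "actor": "ga-admin@corp.example", "activityType": "wipeManagedDevice", "device": "LAP-0118"},
    {"activityDateTime": "2026-03-11T05:01:02Z", "actor": "ga-admin@corp.example", "activityType": "createCompliancePolicy", "device": ""},
    {"activityDateTime": "2026-03-11T05:01:40Z", "actor": "ga-admin@corp.example", "activityType": "wipeManagedDevice", "device": "PHN-0042"},
    {"activityDateTime": "2026-03-11T05:02:15Z", "actor": "ga-admin@corp.example", "activityType": "wipeManagedDevice", "device": "PHN-0043"},
    {"activityDateTime": "2026-03-11T05:02:50Z", "actor": "ga-admin@corp.example", "activityType": "retireManagedDevice", "device": "LAP-0119"},
    {"activityDateTime": "2026-03-11T05:03:30Z", "actor": "ga-admin@corp.example", "activityType": "wipeManagedDevice", "device": "LAP-0120"},
    {"activityDateTime": "2026-03-11T07:45:00Z", "actor": "helpdesk@corp.example", "activityType": "wipeManagedDevice", "device": "LAP-0002"},
]


def _ts(value):
    """Parse the UTC ISO-8601 timestamps used in the audit events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_bulk_wipes(events, threshold=5, window=timedelta(minutes=15)):
    """Return {actor: peak_count} for every actor whose destructive actions reach
    `threshold` inside any sliding `window`. The window is per actor, so an admin
    wiping a handful of lost devices spread across a day never trips it."""
    recent = defaultdict(deque)  # actor -> timestamps of destructive actions still inside the window
    peak = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if ev["activityType"] not in DESTRUCTIVE_ACTIVITIES:
            continue  # policy edits, enrolments etc. are not counted
        actor, ts = ev["actor"], _ts(ev["activityDateTime"])
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:  # expire actions older than the window
            q.popleft()
        peak[actor] = max(peak[actor], len(q))
    return {actor: n for actor, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for actor, count in detect_bulk_wipes(SAMPLE_EVENTS).items():
        print(f"ALERT bulk wipe: {actor} issued {count} destructive MDM actions within 15 minutes")
```

Tune the threshold to your own helpdesk baseline; the point is that the alert fires on the actor's rate, not on anything the endpoint sees, because the endpoint sees nothing until it is already blank.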
For Identity:
- Enforce FIDO2 / phishing-resistant MFA for all privileged accounts (Global Admins, Intune admins)
- Audit and minimize Global Administrator role assignments - least privilege, always
- Monitor Entra ID sign-in logs for logins from unusual IPs, especially VPN exit nodes or Starlink ranges
For Wiper Readiness:
- Maintain immutable, offline backups - backups Intune cannot reach
- Extend IR playbooks beyond EDR to include tenant lockdown procedures: session revocation, privileged role disablement, Intune emergency access policies
- Test your wipe recovery procedures. Have you actually tried restoring 10,000 devices from backup recently?
For Threat Intel:
- Track Handala/Void Manticore IOCs - Check Point published a list of C2 IPs including 107.189.19[.]52
- If your organization has any ties to Israel (acquisitions, contracts, partnerships) - elevate your threat posture now
The Bigger Picture: Cyber as a War Extension
Iran's approach here is textbook hybrid warfare:
- Military strikes happening physically (Operation Epic Fury, Feb 28, 2026)
- Cyber operations running in parallel - targeting US/Israeli critical infrastructure
- Hacktivist branding providing plausible deniability ("it's just activists!")
- Exaggerated claims maximizing psychological impact beyond actual technical damage
The line between a state cyberattack and a "hacktivist group" is basically nonexistent at this point. Handala is a state operation wearing a keffiyeh.
As cyber policy expert Mieke Eoyang (former US Deputy Assistant Secretary of Defense for Cyber Policy) noted: "They don't necessarily need tight command and control to deliver significant disruption."
That's the nightmare scenario. Destruction without coordination overhead. Chaos as a product.
The Scale of It So Far
| Incident | Date | Scale |
|---|---|---|
| CrowdStrike phishing campaign | July 2024 | Multiple Israeli orgs targeted |
| Soreq Nuclear Research Center breach claim | Sep 2024 | 197 GB claimed (mostly psyops per INCD) |
| Israeli Police exfiltration | Feb 2025 | 2.1 TB claimed |
| Iran International journalist doxxing | July 2025 | 5 journalists, intimate data leaked |
| Naftali Bennett phone hack | Dec 2025 | Ex-PM contacts + data published |
| Clalit Health Network | Feb 2026 | 10,000+ patient medical records |
| Stryker Corporation | Mar 11, 2026 | 200K+ devices claimed wiped, 79 countries, hospitals disrupted |
| FBI Director Kash Patel email | Mar 27, 2026 | Personal email compromised, files published |
| 60+ Israeli companies wiped | Ongoing 2026 | Israeli National Cyber Directorate confirmed |
The Harsh Reality
Handala is not a random hacktivist group rage-posting from a basement. They are a state-directed cyber operation running under a humanitarian brand, executing destructive attacks with geopolitical precision.
They've shown the world that in 2026, you don't need a zero-day exploit or custom malware to wipe a Fortune 500 company. You just need one compromised admin account, a cloud console, and the patience to wait.
The tech is advanced. The defenses exist. But humans still get phished. Admins still don't have hardware keys. MDM consoles still don't require dual approval for mass wipes. The tooling outpaces the governance - and that gap is exactly where Handala lives.
The barefoot boy with a slingshot? He's got admin access now.
References
- Check Point Research - "Handala Hack: Unveiling Group's Modus Operandi" (March 2026)
- KrebsOnSecurity - "Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker" (March 2026)
- Times of Israel - "Iran-linked hacker group claims to breach data of Israel's largest healthcare network" (February 2026)