Handala Group Doxes Israeli Intel Agents in Psyops Campaign

Iran-Linked Handala Group Leaks Identities of Israeli SIGINT Officers in Targeted Information Warfare Campaign

HIGH
January 3, 2026
5m read
Threat Actor, Data Breach, Cyberattack

Impact Scope

People Affected

15 officers publicly named

Industries Affected

Government, Defense

Geographic Impact

Israel (national)

Related Entities

Threat Actors

Handala, Banished Kitten

Organizations

Israeli Army Unit 8200, KELA, Iran's Ministry of Intelligence

Products & Tech

Other

Naftali Bennett, Benjamin Netanyahu, Tzachi Braverman

Full Report

Executive Summary

On January 3, 2026, the Iran-linked hacktivist group Handala claimed to have exposed the personal details of 15 Israeli Signals Intelligence (SIGINT) officers. This incident is not the result of sophisticated device exploitation but rather a targeted information and psychological warfare operation focused on compromising individual messaging accounts, specifically Telegram. The group, assessed to be a proxy for Iranian intelligence, is leveraging these high-profile leaks to create an atmosphere of vulnerability and distrust within Israel's defense and intelligence apparatus. The campaign relies on social engineering and session hijacking to gain access to accounts, after which the actors exfiltrate contact lists and fabricate conversations to maximize psychological impact. The same tactic has been used previously against former Israeli Prime Minister Naftali Bennett and the Chief of Staff for Prime Minister Benjamin Netanyahu.

Threat Overview

The threat actor, Handala, has been active for several years, conducting a series of cyber operations against Israeli targets. This latest incident, dubbed "Handala RedWanted," involves the doxing of 15 individuals purported to be officers in Israeli SIGINT units. The group published a "wanted" list with their names, presenting it as a major intelligence failure for Israel.

However, technical analysis from cybersecurity firm KELA indicates that Handala's claims of deep system compromise are often exaggerated. Their primary modus operandi involves gaining access to cloud-based services like Telegram rather than the physical devices themselves. This is achieved through common attack vectors such as phishing for credentials, tricking users into revealing one-time passwords (OTPs), or exploiting weak session management. The goal is less about gathering sensitive intelligence and more about public humiliation and spreading disinformation. The group's connection to the Iranian threat actor known as Banished Kitten suggests a state-sponsored campaign aimed at undermining Israeli national security through low-cost, high-impact psychological operations.

Technical Analysis

The attack chain employed by Handala is focused on the user, not the technology. Instead of exploiting zero-day vulnerabilities, they leverage social engineering and credential theft.

  1. Reconnaissance (T1592 - Gather Victim Host Information): The actors identify high-value targets within the Israeli government and military.
  2. Initial Access (T1566 - Phishing): Targets are likely sent spearphishing messages designed to trick them into revealing their Telegram login credentials or OTP codes. This could also involve SIM swapping to intercept SMS-based recovery codes.
  3. Credential Access (T1539 - Steal Web Session Cookie): By gaining access to a user's session token or credentials, the attackers can log into the victim's Telegram account from their own infrastructure.
  4. Collection (T1530 - Data from Cloud Storage): Once inside the account, Handala exfiltrates the contact list. As noted by KELA, many of the "leaked chats" are merely empty contact cards automatically generated by Telegram's contact synchronization feature, which the attackers then present as evidence of a full compromise.
  5. Impact (TA0040 - Impact): The primary impact is not technical but psychological. The collected names and photos are published on social media and pro-Iranian news outlets to create a narrative of a powerful hacking group that has deeply penetrated Israeli intelligence.

This attack highlights a critical distinction: compromising an application is not the same as compromising a device. The lack of evidence of device-level exploits suggests the targets' phones themselves remained secure, but their online accounts were breached.

Impact Assessment

The primary impact of Handala's campaign is psychological and reputational. For the affected individuals, being publicly identified as intelligence officers poses a significant personal security risk. For the Israeli Army and its intelligence units like Unit 8200, the incident creates a perception of vulnerability, which can erode morale and public trust. While no sensitive operational data appears to have been compromised, the campaign forces the organization to expend resources on damage control, internal investigations, and reinforcing security protocols for personnel's personal communications.

Operationally, the impact is low. However, from a counter-intelligence perspective, it is a significant nuisance that could potentially expose networks of contacts if a compromised account was used for any semi-official communication.

Cyber Observables for Detection

  • Monitor for anomalous login activity on corporate or personal messaging applications, especially from unusual geographic locations or IP ranges.
  • Look for a sudden spike in outbound traffic from messaging apps, which could indicate contact list exfiltration.
  • Network traffic to and from IP addresses associated with Iranian state-sponsored actors.
  • Social media and dark web monitoring for mentions of employee names, official titles, or organizational data.

| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| log_source | Telegram | Monitor Telegram login and session logs for anomalies. | Cloud Service Logs | high |
| network_traffic_pattern | Telegram API | Unusual or high-volume API calls to api.telegram.org from non-standard devices or locations. | Network Flow Logs | medium |
| user_account_pattern | Doxbin/Pastebin | Proactive searches on paste sites for employee names or email addresses. | OSINT | high |

Detection & Response

Detection of such attacks is challenging as it occurs on third-party platforms. Key strategies include:

  • User Training: Educate high-risk employees to recognize phishing attempts targeting their personal and work accounts. Emphasize the dangers of sharing OTPs and the importance of unique, strong passwords for every service.
  • Behavioral Analysis: Use D3-UBA: User Behavior Analysis to monitor for unusual account access patterns. An Israeli official's Telegram account suddenly being accessed from an IP in Tehran should trigger an immediate alert.
  • Incident Response Playbook: Have a specific playbook for doxing incidents, including legal, PR, and personal security support for affected employees. The first step should be to secure the account, revoke all active sessions, and change the password.

Mitigation

  • Multi-Factor Authentication (MFA): Mandate the use of app-based MFA (e.g., Google Authenticator, Authy) instead of SMS-based MFA, which is vulnerable to SIM swapping. This is a core component of D3-MFA: Multi-factor Authentication.
  • Session Management: Regularly review and terminate old or unused sessions in all cloud and messaging applications. Instruct users on how to do this in their personal apps like Telegram (Settings > Devices).
  • Application Hardening: Advise personnel to configure privacy settings within applications to the highest level. For Telegram, this includes hiding their phone number and limiting who can find them by their number. This aligns with D3-ACH: Application Configuration Hardening.
  • Restrict Work on Personal Apps: Enforce strict policies prohibiting the use of personal messaging apps for official communication. Provide sanctioned, secure communication channels for all work-related matters.

Timeline of Events

  1. January 3, 2026: Handala group announces it has exposed the identities of 15 Israeli SIGINT officers.
  2. January 3, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Train users to recognize phishing attempts, especially those targeting credentials for personal communication and social media applications.
  • Enforce strong, phishing-resistant MFA on all accounts to prevent takeovers even if credentials are stolen.
  • Use behavioral analytics to detect anomalous logins or session activity that deviates from established user patterns.
  • Guide users on hardening the security and privacy settings of their personal applications to minimize their attack surface.

D3FEND Defensive Countermeasures

Implement and enforce phishing-resistant Multi-Factor Authentication (MFA) for all personnel, especially those in high-risk roles, across all cloud services, including personal messaging apps like Telegram. Prioritize hardware tokens (FIDO2/WebAuthn) or authenticator apps over SMS-based MFA, which is susceptible to SIM-swapping attacks—a common tactic in targeted campaigns. For an organization like the Israeli military, this should be a mandatory policy. This directly mitigates the primary attack vector used by Handala: credential and session theft. Even if an attacker successfully phishes a user's password, they cannot complete the login without the second factor. This transforms the attack from a simple credential compromise into a much more complex real-time session hijacking attempt, significantly raising the bar for the attacker.

While direct monitoring of personal apps like Telegram is not feasible for an organization, high-risk individuals should be educated on how to monitor their own account activity. Furthermore, for any corporate-sanctioned applications, implement User Geolocation Logon Pattern Analysis. This involves establishing a baseline of normal login locations for each user and flagging or blocking logins from anomalous or impossible-to-travel-to locations. For example, if a known Israeli-based officer's account suddenly has a login attempt from Iran, the system should automatically block the attempt and trigger a high-priority alert. This requires a SIEM or identity and access management (IAM) solution capable of ingesting and correlating geolocation data with authentication logs. This technique provides a critical layer of detection for when credential-based defenses fail.
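The User Geolocation Logon Pattern Analysis described above, and the D3-UBA check from the Detection & Response section, as an added example that is not part of the original report: a per-user country baseline is learned from earlier successful logins, and every later login is flagged if it comes from a country outside that baseline or implies faster-than-airliner travel since the user's previous login. The log lines, user names and coordinates are constructed for illustration; the 900 km/h threshold is an assumption.

```python
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log (not real data): timestamp,user,country,lat,lon
SAMPLE_LOG = """\
2026-01-02T08:00:00,officer_a,IL,32.08,34.78
2026-01-02T09:00:00,officer_b,IL,32.08,34.78
2026-01-03T07:45:00,officer_a,IL,32.08,34.78
2026-01-03T08:10:00,officer_a,IR,35.69,51.39
2026-01-03T09:00:00,officer_b,IL,32.08,34.78
"""
MAX_SPEED_KMH = 900.0  # assumed: about airliner speed; faster means two parties hold the account
Login = namedtuple("Login", "ts user country lat lon")

def parse_log(text):
    events = [Login(datetime.fromisoformat(f[0]), f[1], f[2], float(f[3]), float(f[4]))
              for f in (line.split(",") for line in text.splitlines() if line.strip())]
    return sorted(events, key=lambda e: e.ts)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def build_baseline(events, before):
    """Countries each user logged in from during the learning window (strictly before `before`)."""
    baseline = {}
    for e in events:
        if e.ts < before:
            baseline.setdefault(e.user, set()).add(e.country)
    return baseline

def analyze(events, baseline, since):
    """(user, timestamp, reason) for logins at/after `since` that leave the baseline or imply impossible travel."""
    alerts, last = [], {}
    for e in events:
        prev = last.get(e.user)
        if e.ts >= since:
            if e.country not in baseline.get(e.user, set()):
                alerts.append((e.user, e.ts.isoformat(), f"non-baseline country {e.country}"))
            if prev is not None:
                hours = (e.ts - prev.ts).total_seconds() / 3600
                km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append((e.user, e.ts.isoformat(), f"impossible travel: {km:.0f} km in {hours:.2f} h from {prev.country}"))
        last[e.user] = e  # movement is tracked across the whole history, not only the alerting window
    return alerts
```

Run against the sample, `officer_b` produces nothing, while `officer_a`'s 08:10 login raises both a non-baseline-country alert and an impossible-travel alert, which is the pair of signals a SIEM rule would escalate to a high-priority ticket.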

Develop and disseminate clear guidance for hardening the privacy and security settings of commonly used personal applications, with a specific module for Telegram. This guidance should be part of mandatory annual security training for all personnel. Key recommendations for Telegram should include:

  1. Setting the 'Phone Number' privacy setting to 'Nobody'.
  2. Setting 'Who can find me by my number' to 'My Contacts'.
  3. Enabling a 'Passcode Lock' within the app.
  4. Regularly reviewing 'Active Sessions' and terminating any unrecognized devices.

This proactive hardening reduces the attack surface by making it harder for attackers to discover accounts and by limiting the window of opportunity for compromised sessions. It shifts the defensive posture from purely reactive to preventative, empowering users to protect themselves.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Handala, Doxing, Information Warfare, Psychological Operations, Telegram, Iran, Israel, Threat Actor
