The thin gray line: Handala, CyberAv3ngers and Iran’s proxy ops

On April 7, six US government agencies issued a critical advisory warning domestic private sector organizations of potential infrastructural cyberattacks conducted by Iranian-affiliated Advanced Persistent Threat (APT) actors. The advisory stops short of attributing these threats to a single group but makes reference to 2023 attacks on US water and wastewater facilities linked to the known Iranian APT “CyberAv3ngers”, suggesting a possible correlation between historical and current incidents.

Reports on “CyberAv3ngers” and analogous group “Handala Hack Team” — who have recently been in headlines for their numerous clashes with the FBI — emphasize that while these operations present themselves as radical pro-Palestinian hacktivist collectives, both are believed to be heavily-resourced and directly tied to the Iranian Ministry of Intelligence (MOIS).

Sometimes referred to as “fronts”, “proxy insurgents” or “ghost groups”, these presumed false flag operations represent a longstanding obfuscation tactic amongst the so-called “Big Four” of cybercrime — Russia, China, North Korea and Iran. Notably, Russia’s largest military intelligence agency, the GRU, is widely known to recruit talented threat actors to execute complex cyber campaigns against political enemies.

The Big Four are known for their pervasive assertions of soft power, otherwise known as ‘Influence Cyber Operations’ (ICOs). Each has a flagship operation in this field: Russia with disinformation campaigns, China with long-term operational technology espionage, North Korea with remote worker scams and laptop farms, and Iran with critical infrastructure disruptions.

The “gray area” of plausible deniability

Iran’s use of proxy insurgent groups follows a clear line of logic.

A radical activist organization would be expected to execute politically motivated attacks, but not on a large scale or with exceptional technical skill. In the case of a group like Handala, openly proclaiming to be pro-Iranian nationalists aligns their interests with the Iranian government, making them a perfect cover for state-backed operations. It’s a strategy that allows for symbolic retributive actions by Iran without having to reveal the extent of its tactical power, and — crucially — one that allows for attacks to continue in times of supposed peace.

This “death by a thousand cuts” approach — sometimes referred to as “soft warfare” or “gray warfare” — follows a military doctrine centered around a consistent, slow erosion of the enemy via covert operations. Obscuring the state’s involvement beneath grandiose pro-Iranian rhetoric allows it to effect change in the US with less chance of immediate retaliation, especially compared to an act of direct physical aggression, such as an overseas bombing on US soil.

A state of perpetual interference

To understand how proxy insurgent groups such as Handala fit within Iran’s modern-day intelligence ecosystem, we first need to look at the historical development of the country’s intelligence operations.

In 1953, the United States and Britain (via conduit operations of the CIA and MI6, respectively) instigated a coup in Iran that displaced then-Prime Minister Mohammad Mosaddegh in favor of strengthening the imperialist power of its Shah, Mohammad Reza Pahlavi. The US hoped that by bolstering Iran’s monarchical leader in exchange for underlying influence in a newly pro-Western regime, it would be able to gain access to Iran’s rich petroleum resources.

Part of this influence included the establishment and shaping of SAVAK in 1957, the first intelligence agency and secret police of the Imperial State of Iran. Despite being classed as a civilian organization, SAVAK was primarily composed of military figures whose objectives involved suppressing opposition, surveilling threats to the monarchy and controlling the media within Iran, often operating outside existing laws.

When the agency was violently dismantled following the 1979 Iranian Revolution, its replacement MOIS — still the country’s dominant intelligence organization — borrowed significantly from its personnel, core philosophy and tactics. All current Iranian entities involved in intelligence are technically required to report to and collaborate with MOIS, including the Islamic Revolutionary Guards Corps (IRGC), which was notably created directly in response to the first Supreme Leader’s suspicions of Iran’s existing military forces.

Iran’s modern-day intelligence capabilities have ultimately formed from a mishmash of competing outfits. This includes MOIS, the Islamic Revolutionary Kumitehs, SAVAMA, the IRGC and its paramilitary force the IRGC-QF, all of which were established to support various pro-revolutionary and counterintelligence directives at the end of the 1970s and throughout the 1980s.

In short, Iran’s cyber ecosystem has been shaped by decades of political upheaval, revolutionary factioning and calculated external influence. The protective front of a “pro-revolutionary” ideology, therefore, has long been used by the Iranian state to justify acts of political violence, espionage, surveillance and subterfuge.

What do these groups actually represent?

Western perceptions of groups such as Handala Hack Team and CyberAv3ngers are likely distorted by culturally based assumptions. In the US, for example, we tend to associate terms like “insurgent” with anti-authoritarians, not government loyalists. However, historically in Iran, civilian and military intelligence enterprises have been simultaneously enmeshed and compartmentalized by design.

While there hasn’t been much discussion of the semantics in this scenario to date, there’s no real qualifier preventing Handala from technically being considered a “radical hacktivist group” while also being a highly intentional product of the state. Whether they actually carry the values that they espouse publicly is anyone’s guess.

Think of it this way: a radical activist organization is created to fight whatever it deems as an “oppressive system”, using symbolic direct action to compensate for its lack of size. And while Iranian APT groups are well-resourced domestically, in a global arena, they are still undeniably small. When held next to cyber superpowers like the US and Israel, even Iran’s most elite task forces are microscopic by comparison.

A captive audience

Experts have noted that Handala’s social media posts often contain exaggerated, near-theatrical claims. One blog post reads: “The slightest aggression against Iran’s vital facilities will mean the beginning of a devastating reaction that will turn all these vital infrastructures to ashes.” The group makes constant, unsubstantiated threats with claims of successful breach operations that quickly fade into the ether, never to be backed with evidence.

However, to dismiss Handala’s evangelizing as laughable is missing the point — intentionally or not, Handala’s outsized assertions of its own power to retaliate against its aggressors highlight just how asymmetric the whole conflict really is. If nothing else, readers of Handala Hack’s messaging — conveniently written in English — are forced to grapple with the reality of a massive power imbalance between “us” and “them” just to figure out how safe they are allowed to feel.

Americans engaging with Handala’s threats will likely feel alarmed, with that fear quickly turning to frustration that random American businesses are being symbolically attacked on behalf of entire industries due to Iran’s limited targeting capabilities. Suddenly, the imminent specter of Iran as presented by the US begins to fall apart.

This is the true advantage of a state entity adopting a radical persona, particularly one with an air of “righteous fury” or a “bleeding heart”. Many have accused Handala of falsely claiming to be a pro-Palestinian group, but from a strategic standpoint, they are, because they are explicitly and violently anti-Israel — for a group with such radical political goals, sometimes ideology just means having a shared enemy.

Beneath their seemingly unshakeable veneer, however, it’s only becoming clearer that Handala’s words are those of a state in crisis, one which has been hampered by sanctions into near technological autarky and that is literally struggling to keep the lights on thanks to repeated sieges of its own critical infrastructures.

Lest we forget, the “world’s first cyberweapon”, Stuxnet, was created as a joint US-Israeli venture for the express purpose of destroying Iran’s nuclear program by targeting its SCADA and PLC systems. When the US warns that Iran is capable of targeting those same systems, it is merely positioning Iran as an enemy that is capable of doing to us exactly what we are to them.

Although its motivations are ultimately multilayered and complex, Handala/the Iranian state’s “goal” is likely not simple fear-mongering. It’s to cause embarrassment, eroding the public’s good faith assumptions of its leaders’ motivations in the Global East as their actions are brought to light. Given the group’s level of media coverage for its minor hacking feats, who’s to say that things aren’t going as planned?

This article is published as part of the Foundry Expert Contributor Network.