‘Pro-Palestine’ hacking group banned on X as US criticizes Iran over cyberattacks

The social media platform X banned an account used by a self-described pro-Palestinian hacking group on Tueday, shortly after the United States issued a warning about Iranian cyber actors targeting the country’s presidential election.

Although the group — known as Handala, after a cartoon and national symbol in Palestine — has not claimed to be behind any attacks on the United States, the timing of the ban indicates there may be concerns about its links to Tehran.

The @Handala_Hack account had been active on both X and Telegram, as well as hacking site Breach Forums, since December 2023, regularly announcing operations targeting Israeli entities amid the ongoing war in Gaza.

Cybersecurity company Trellix described Handala’s attacks as sophisticated and said it was “a group which at least pretends to act based on pro-Palestinian motives,” although it cautioned this motive may be a “façade for an ulterior motive.”

Back in July, Handala claimed to be behind a phishing campaign impersonating cybersecurity firm Crowdstrike that attempted to install a wiper on Israeli victims’ networks — an operation that prompted an urgent warning from the Israel National Cyber Directorate. They also claimed to launch other attacks, including on Israeli Iron Dome radars.

In its report on Handala, Trellix stated that “an undisclosed commercial company attributed the group to Iran” on the Israeli government’s official website, although Recorded Future News was unable to locate this attribution.

Israeli cybersecurity company Cyberint reported that the group shared a post last December identifying itself as “a small fighter” in the Hamas movement. U.S. and British sanctions have described Hamas as funded by the Islamic Republic of Iran.

Handala’s X account was banned shortly after a joint statement from U.S. intelligence community agencies accused Iran of being behind several cyberattacks targeting the presidential election, including the recently announced cyberattack on the campaign of former President Donald Trump

Despite an alert sent to X users who had reported @Handala_Hack, stating the group had violated the platform’s “abusive behavior rule” and wasn’t allowed to create new accounts, it already appears to be operating the @Handala_Backup account.

Trellix noted that the group’s public activities are consistent with their proclaimed activist nature, and noted how within the wiper malware the group included a failsafe that would block the code from executing on any devices named “Gaza Hackers Team Handala Machine.”

Self-proclaimed pro-Palestine hacktivist groups have previously been linked to the Iranian state. The Cyber Av3ngers group, which conducted attacks globally against an Israeli-made programmable logic controller used by water facilities, has been attributed to the Islamic Revolutionary Guard Corps Cyber-Electronic Command.