{"id":16119,"date":"2026-04-21T09:06:27","date_gmt":"2026-04-21T09:06:27","guid":{"rendered":"https:\/\/newestek.com\/?p=16119"},"modified":"2026-04-21T09:06:27","modified_gmt":"2026-04-21T09:06:27","slug":"the-thin-gray-line-handala-cyberav3ngers-and-irans-proxy-ops","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16119","title":{"rendered":"The thin gray line: Handala, CyberAv3ngers and Iran\u2019s proxy ops"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>On April 7, six US government agencies issued a <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa26-097a\">critical advisory<\/a> warning domestic private sector organizations of potential infrastructural cyberattacks conducted by Iranian-affiliated Advanced Persistent Threat (APT) actors. 
The advisory stops short of attributing these threats to a single group but makes reference to 2023 attacks on US water and wastewater facilities linked to the known Iranian APT \u201cCyberAv3ngers\u201d, suggesting a possible correlation between historical and current incidents.<\/p>\n<p>Reports on \u201cCyberAv3ngers\u201d and analogous group \u201cHandala Hack Team\u201d \u2014 who have recently been in headlines for their <a href=\"https:\/\/www.reuters.com\/world\/us\/iran-linked-hackers-claim-breach-of-fbi-directors-personal-email-doj-official-2026-03-27\/\">numerous clashes with the FBI<\/a> \u2014 emphasize that while these operations present themselves as radical pro-Palestinian hacktivist collectives, both are believed to be heavily resourced and <a href=\"https:\/\/www.iranintl.com\/en\/202512164597\">directly tied to the Iranian Ministry of Intelligence (MOIS)<\/a>.<\/p>\n<p>Sometimes referred to as \u201cfronts\u201d, \u201cproxy insurgents\u201d or \u201cghost groups\u201d, these presumed <a href=\"https:\/\/www.jstor.org\/stable\/10.7591\/j.ctvvndp0\">false flag operations<\/a> represent a longstanding obfuscation tactic amongst the so-called \u201cBig Four\u201d of cybercrime \u2014 Russia, China, North Korea and Iran. Notably, Russia\u2019s largest military intelligence agency, the GRU, is widely known to <a href=\"https:\/\/www.ncsc.gov.uk\/news\/apt28-exploit-routers-to-enable-dns-hijacking-operations\">recruit talented threat actors to execute complex cyber campaigns<\/a> against political enemies.<\/p>\n<p>The Big Four are known for their pervasive assertions of soft power, otherwise known as \u2018<a href=\"https:\/\/ccdcoe.org\/uploads\/2018\/10\/Art-08-Influence-Cyber-Operations-The-Use-of-Cyberattacks-in-Support-of-Influence-Operations.pdf\">Influence Cyber Operations<\/a>\u2019 (ICOs). 
Each has a flagship operation in this field: Russia with disinformation campaigns, China with long-term operational technology espionage, North Korea with remote worker scams and laptop farms, and Iran with critical infrastructure disruptions.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-gray-area-of-plausible-deniability\">The \u201cgray area\u201d of plausible deniability<\/h2>\n<p>Iran\u2019s use of proxy insurgent groups follows a clear line of logic.<\/p>\n<p>A radical activist organization would be expected to execute politically motivated attacks, but not on a large scale or with exceptional technical skill. In the case of a group like Handala, openly proclaiming to be pro-Iranian nationalists aligns their interests with the Iranian government, making them a perfect cover for state-backed operations. It\u2019s a strategy that allows for symbolic retributive actions by Iran without having to reveal the extent of its tactical power, and \u2014 crucially \u2014 one that allows for attacks to continue in times of supposed peace.<\/p>\n<p>This \u201cdeath by a thousand cuts\u201d approach \u2014 sometimes referred to as \u201csoft warfare\u201d or \u201c<a href=\"https:\/\/www.washingtoninstitute.org\/media\/4505\">gray warfare<\/a>\u201d \u2014 follows a military doctrine centered around a consistent, slow erosion of the enemy via <a href=\"https:\/\/ndupress.ndu.edu\/Media\/News\/News-Article-View\/Article\/3105355\/cyber-in-the-shadows-why-the-future-of-cyber-operations-will-be-covert\/\">covert operations<\/a>. 
Obscuring the state\u2019s involvement beneath grandiose pro-Iranian rhetoric allows it to effect change in the US with less chance of immediate retaliation, especially compared to an act of direct physical aggression, such as an overseas bombing on US soil.<\/p>\n<h2 class=\"wp-block-heading\" id=\"a-state-of-perpetual-interference\">A state of perpetual interference<\/h2>\n<p>To understand how proxy insurgent groups such as Handala fit within Iran\u2019s modern-day intelligence ecosystem, we first need to look at the historical development of the country\u2019s intelligence operations.<\/p>\n<p>In 1953, the United States and Britain (via conduit operations of the CIA and MI6, respectively) instigated a coup in Iran that displaced then-Prime Minister Mohammad Mosaddegh in favor of strengthening the imperialist power of its Shah, Mohammad Reza Pahlavi. The US hoped that by bolstering Iran\u2019s monarchical leader in exchange for underlying influence in a newly pro-Western regime, it would be able to gain access to Iran\u2019s rich petroleum resources.<\/p>\n<p>Part of this influence included the establishment and shaping of SAVAK in 1957, the first intelligence agency and secret police of the Imperial State of Iran. Despite being classed as a <a href=\"https:\/\/www.globalsecurity.org\/intell\/world\/iran\/savak.htm\">civilian organization<\/a>, SAVAK was primarily composed of military figures whose objectives involved suppressing opposition, surveillance of threats to the monarchy and media control within Iran, often operating outside existing laws.<\/p>\n<p>When the group was violently dismantled following the 1979 Iranian Revolution, its replacement MOIS \u2014 still the country\u2019s dominant intelligence organization \u2014 borrowed significantly from its personnel, core philosophy and tactics. 
All current Iranian entities involved in intelligence are technically required to report to and collaborate with MOIS, including the Islamic Revolutionary Guards Corps (IRGC), which was notably created <a href=\"https:\/\/www.csis.org\/analysis\/war-proxy-irans-growing-footprint-middle-east\">directly in response<\/a> to the first Supreme Leader\u2019s suspicions of Iran\u2019s existing military forces.<\/p>\n<p>Iran\u2019s modern-day intelligence capabilities have ultimately formed from a mishmash of competing outfits. This includes MOIS, the Islamic Revolutionary Kumitehs, SAVAMA, the IRGC and its paramilitary force, the IRGC-QF, all of which were established to support various pro-revolutionary and counterintelligence directives at the end of the 1970s and throughout the 1980s.<\/p>\n<p>In short, Iran\u2019s cyber ecosystem has been shaped by decades of political upheaval, revolutionary factionalism and calculated external influence. The protective front of a \u201cpro-revolutionary\u201d ideology, therefore, has long been used by the Iranian state to justify acts of political violence, espionage, surveillance and subterfuge.<\/p>\n<h2 class=\"wp-block-heading\" id=\"what-do-these-groups-actually-represent\">What do these groups actually represent?<\/h2>\n<p>Western perceptions of groups such as Handala Hack Team and CyberAv3ngers are likely distorted by culturally based assumptions. In the US, for example, we tend to associate terms like \u201cinsurgent\u201d with anti-authoritarians, not government loyalists. However, historically in Iran, civilian and military intelligence enterprises have been simultaneously enmeshed and compartmentalized by design.<\/p>\n<p>While there hasn\u2019t been much discussion of the semantics in this scenario to date, there\u2019s no real qualifier preventing Handala from <em>technically<\/em> being considered a \u201cradical hacktivist group\u201d while <em>also<\/em> being a highly intentional product of the state. 
Whether they actually carry the values that they espouse publicly is anyone\u2019s guess.<\/p>\n<p>Think of it this way: a radical activist organization is created to fight whatever it deems as an \u201coppressive system\u201d, using symbolic direct action to compensate for its lack of size. And while Iranian APT groups are well-resourced domestically, in a global arena, they are still undeniably small. When held next to cyber superpowers like the US and Israel, even Iran\u2019s most elite task forces are microscopic by comparison.<\/p>\n<h2 class=\"wp-block-heading\" id=\"a-captive-audience\">A captive audience<\/h2>\n<p><a href=\"https:\/\/www.nytimes.com\/2026\/04\/11\/opinion\/iran-war-cyber-warfare-attacks.html\">Experts have noted<\/a> that Handala\u2019s social media posts often contain exaggerated, near-theatrical claims. One blog post reads: <em>\u201cThe slightest aggression against Iran\u2019s vital facilities will mean the beginning of a devastating reaction that will turn all these vital infrastructures to ashes.\u201d <\/em>The group makes constant, unsubstantiated threats with claims of successful breach operations that quickly fade into the ether, never to be backed with evidence.<\/p>\n<p>However, to dismiss Handala\u2019s evangelizing as laughable is missing the point \u2014 intentionally or not, Handala\u2019s outsized assertions of its own power to retaliate against its aggressors highlight just how asymmetric the whole conflict really is. 
If nothing else, readers of Handala Hack\u2019s messaging \u2014 conveniently written in English \u2014 are forced to grapple with the reality of a massive power imbalance between \u201cus\u201d and \u201cthem\u201d just to figure out how safe they are allowed to feel.<\/p>\n<p>Americans engaging with Handala\u2019s threats will likely feel alarmed, with that fear quickly turning to frustration that random American businesses are being symbolically attacked on behalf of entire industries due to Iran\u2019s <a href=\"https:\/\/fortune.com\/2026\/04\/10\/iran-hackers-water-energy-tourism-kash-patel-strategy\/\">limited targeting capabilities<\/a>. Suddenly, the imminent specter of Iran as presented by the US begins to fall apart.<\/p>\n<p>This is the true advantage of a state entity adopting a radical persona, particularly one with an air of \u201crighteous fury\u201d or a \u201cbleeding heart\u201d. Many have accused Handala of falsely claiming to be a pro-Palestinian group, but from a strategic standpoint, they <em>are<\/em>, because they are explicitly and violently anti-Israel \u2014 for a group with such radical political goals, sometimes ideology just means having a shared enemy.<\/p>\n<p>Beneath their seemingly unshakeable veneer, however, it\u2019s only becoming clearer that Handala\u2019s words are those of a state in crisis, one which has been hampered by sanctions into near technological autarky and that is literally struggling to keep the lights on thanks to repeated sieges of its own critical infrastructures.<\/p>\n<p>Lest we forget, the \u201cworld\u2019s first cyberweapon\u201d, Stuxnet, was created as a joint US-Israeli venture for the express purpose of destroying Iran\u2019s nuclear program by targeting its SCADA and PLC systems. 
When the US warns that Iran is capable of targeting those same systems, it is merely positioning Iran as an enemy that is capable of doing to us exactly what we are to them.<\/p>\n<p>Although its motivations are ultimately multilayered and complex, Handala\/the Iranian state\u2019s \u201cgoal\u201d is likely not simple fear-mongering. It\u2019s to cause embarrassment, eroding the public\u2019s good faith assumptions of its leaders\u2019 motivations in the Global East as their actions are brought to light. Given the group\u2019s level of media coverage for its minor hacking feats, who\u2019s to say that things aren\u2019t going as planned?<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<\/strong><br \/><strong><a href=\"https:\/\/www.csoonline.com\/expert-contributor-network\/\">Want to join?<\/a><\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>On April 7, six US government agencies issued a critical advisory warning domestic private sector organizations of potential infrastructural cyberattacks conducted by Iranian-affiliated Advanced Persistent Threat (APT) actors. 
The advisory stops short of attributing these threats to a single group but makes reference to 2023 attacks on US water and wastewater facilities linked to the known Iranian APT \u201cCyberAv3ngers\u201d, suggesting a possible correlation between historical&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16119\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16119","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16119"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16119\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}