FBI: Handala Hackers Use Telegram for Malware Attacks

Summary
– The FBI warns that Iranian hackers linked to the MOIS are using Telegram as command-and-control infrastructure for malware attacks.
– These attacks target journalists critical of Iran, dissidents, and opposition groups, leading to intelligence collection and data leaks.
– The activity is attributed to Iranian-linked groups including Handala and the state-sponsored Homeland Justice threat group.
– In a related action, the FBI seized four domains used by these threat groups to leak stolen data from global cyberattacks.
– Separately, the FBI also warned that Russian intelligence-linked actors are targeting high-value individuals via phishing on Signal and WhatsApp.
The FBI has issued a new alert concerning Iranian state-sponsored hackers who are leveraging the Telegram messaging platform as a command-and-control infrastructure for malware campaigns. These attacks specifically target journalists critical of Iran, Iranian dissidents, and opposition groups globally. According to the bureau, this activity is linked to Iran’s Ministry of Intelligence and Security and is being highlighted due to the current elevated geopolitical tensions in the Middle East.
Malware deployed through these campaigns enables threat actors to collect intelligence, leak sensitive data, and cause reputational damage to victims. The FBI connected the operations to the pro-Palestinian Handala hacktivist group, also known as the Handala Hack Team, and the state-sponsored Homeland Justice threat group affiliated with Iran’s Islamic Revolutionary Guard Corps. Attackers use social engineering tactics to infect Windows devices, allowing them to exfiltrate files and screenshots from compromised systems.
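The pattern described above, a malware implant beaconing to the Telegram Bot API from an infected Windows host, is visible in egress proxy logs. The following detection script is an added illustration, not code from the FBI alert or from BleepingComputer; the log format (timestamp, originating process, destination host, URL path), the process allow-list and the sample lines are all constructed assumptions, and the Bot API path shape (`/bot<id>:<token>/<method>`) is Telegram's publicly documented one.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic): timestamp, process, host, path.
SAMPLE_LOG = """\
2024-06-01T09:00:01Z telegram.exe api.telegram.org /
2024-06-01T09:00:05Z svchost.exe update.microsoft.com /download
2024-06-01T09:01:10Z invoice_viewer.exe api.telegram.org /bot000000000:CONSTRUCTED_TOKEN/getUpdates
2024-06-01T09:01:40Z invoice_viewer.exe api.telegram.org /bot000000000:CONSTRUCTED_TOKEN/sendDocument
2024-06-01T09:02:10Z invoice_viewer.exe api.telegram.org /bot000000000:CONSTRUCTED_TOKEN/sendPhoto
2024-06-01T09:03:00Z chrome.exe web.telegram.org /a/
"""

# Assumed allow-list: processes for which Telegram traffic is expected on this fleet.
KNOWN_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Telegram Bot API request path: /bot<bot_id>:<token>/<method>
BOT_API_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Methods that, from an endpoint, look like tasking pulls or outbound file/screenshot uploads.
SUSPECT_METHODS = {"getUpdates", "sendDocument", "sendPhoto"}


def parse_line(line):
    """Split one assumed-format log line into its four fields; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, proc, host, path = parts
    return {"ts": ts, "proc": proc, "host": host, "path": path}


def find_bot_api_beacons(log_text):
    """Group Bot API calls by (process, bot id) for processes not on the allow-list.

    Returns a sorted list of alert dicts. The bot token itself is deliberately
    not stored in the alert so the credential is not copied into the SIEM.
    """
    seen = defaultdict(lambda: {"methods": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != "api.telegram.org":
            continue
        match = BOT_API_RE.match(rec["path"])
        if match is None:
            continue
        if rec["proc"].lower() in KNOWN_TELEGRAM_CLIENTS:
            continue
        bot_id, _token, method = match.groups()
        key = (rec["proc"], bot_id)
        seen[key]["methods"].add(method)
        seen[key]["count"] += 1

    alerts = []
    for (proc, bot_id), info in sorted(seen.items()):
        alerts.append({
            "process": proc,
            "bot_id": bot_id,
            "methods": sorted(info["methods"] & SUSPECT_METHODS),
            "requests": info["count"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_bot_api_beacons(SAMPLE_LOG):
        print(f"ALERT {alert['process']} -> bot {alert['bot_id']}: "
              f"{alert['requests']} requests, methods {alert['methods']}")
```

The allow-list is the weak point of this check: a real Telegram client on the host keeps traffic legitimate, so the signal comes from an unexpected process, a bot id that repeats across many hosts, or the upload methods appearing without any user-driven client activity. Blocking `api.telegram.org` at the proxy for non-client processes is the corresponding mitigation where the business does not run Telegram bots.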
This public warning follows law enforcement action to disrupt the hackers’ online presence. One day prior to the alert, the FBI seized four clearnet domains used by Handala, Homeland Justice, and a third group tracked as Karma Below. These websites served as platforms for the groups to leak stolen data from victims in the United States and worldwide. The seizure is a direct response to recent cyberattacks, including a major incident where Handala hackers targeted U.S. medical manufacturer Stryker. In that attack, they compromised a domain administrator account and used a Microsoft Intune command to factory reset roughly 80,000 company-managed devices.
A Telegram spokesperson responded to the report by noting that malicious actors can use any available channel for malware control, including other messengers or direct web connections. The spokesperson stated that while using Telegram for this purpose is not unique, platform moderators routinely remove accounts found to be involved with malicious software.
This alert is part of a broader series of warnings from the FBI about foreign threat actors exploiting popular communication services. Just last week, the bureau cautioned that Russian intelligence-linked hackers are targeting Signal and WhatsApp users in sophisticated phishing campaigns. Those operations have compromised thousands of accounts belonging to high-value targets such as current and former U.S. officials, military personnel, political figures, and journalists. Similar account-hijacking activity was previously detailed by cybersecurity authorities in the Netherlands and France.
(Source: BleepingComputer)