Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.
We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.
Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!
What should you do if a
hacktivist is on your tail?
Welcome to Threat Talks.
My name is Lieuwe Jan Koning,
and here, from headquarters at ON2IT
we bring you Threat Talks.
And the subject of today is APT Handala.
Let's get onto it. Welcome to Threat Talks.
Let's delve deep into the dynamic world
of cybersecurity.
I'm joined here today by my two dear colleagues.
First of all, Yuri Wit.
He's a SOC analyst.
Welcome.
That means that he looks a lot at
anything that happens in the world.
And so he knows a thing or two
about how hacktivists work.
So we're going to learn from you today.
And on the other side,
a familiar face to all of us
also, it’s Rob Maas. He's the field
CTO of ON2IT and everything
he learns from what we see, he has to adjust
the strategy of our customers to make sure
that these things do not do
any harm to those organizations.
Welcome, Rob. Thank you.
Gentlemen, hacktivism.
We talked a lot about
different types of hackers.
It's about time that we talk
about this specific group. Most of it,
we talk about cyber criminals
that do ransomware, for example,
for financial gain, nation state actors.
We love to talk about them, because they
have the coolest tech, more or less, right?
But, hacktivism is also a real thing.
So, let's explore a little bit.
Yuri, could you explain what
motivates a, what is an activist?
Well, a hacktivist is similar in a sense
to a nation state where they are
definitely politically motivated.
But instead of a nation state being
directly backed by a nation, they're not.
They're just on their own initiative.
Doing their thing,
trying to get their word out.
Their message out. So everybody with
an opinion can try to become a hacktivist?
Yeah. Okay.
And this particular, I mentioned
the APT Handala group, right?
What's their cause?
Their cause is a very, very strong
pro-Palestinian movement.
Anti-Israeli movement.
So they have been especially active during
the recent surge in the conflict there.
Yeah.
They're motivated purely with a sense of
disrupting anything and everything Israeli.
Do we have any notable examples, Rob?
Yeah.
I think they had a big, bold claim that
they took down parts of the Iron Dome.
So I think if that's...
I'm not sure if it is verified or not,
but at least they have claimed it.
I think that's a pretty massive thing
that they have done then.
Yeah.
Okay. So, let's explore how this group works.
And we thought we’d use
the Lockheed Martin
kill chain model or philosophy
to explain all this.
It's seven steps that every hacker needs
to go through to end up at the last step.
The last step is act on objectives.
Now, we just heard about the objective,
disrupt, right, here or hinder the Israeli forces.
That's the objective here.
But there are, in total seven
steps to get there, and, well,
let's explore them one by one.
And then also, we'll ask you,
what this group does,
to achieve this step,
and then we get to Rob, because
he has to solve this, right?
Yeah, yeah.
Let's try to make it hard for him. Okay.
So the first one is, reconnaissance, right?
What is the goal of reconnaissance?
Why do we have this step first?
Why does a hacker do this?
Well, reconnaissance in a general sense,
is just to define the target.
It's the preliminary step to figure
out the scope of the attack,
where they can attack, how they
can attack, who they’re going to attack.
Now, for something
like a nation state APT,
this reconnaissance would primarily
be focused around identifying the
target's infrastructure and entry points and
stuff like that. IP addresses, that stuff.
Exactly.
Yeah.
But for a hacktivist group
like APT Handala,
their primary goal of reconnaissance
is to identify
their targets via social media or via
the internet, just in general,
not specifically on target networks,
but on target people.
So, yeah, identifying people
through stuff like LinkedIn,
is a major step, identifying spokespeople
for specific organizations
with a strong anti-Israeli
sense. And why? Because they want
to get into their systems or they
want to target them with emails
or shame them or what?
Mostly to target them with emails
and other phishing tactics.
It's not necessarily focused
on actually exploiting
infrastructure, but more
focused on exploiting people.
Rob, what are we going to do against this?
This is already a very hard one.
Because, you cannot do much about it.
So the main thing here is awareness,
that everything you put on the internet
can be found by anyone.
So also including this group.
But most people are on LinkedIn. Yeah.
So it would be nice if, as an example,
if you have a very specific
operating system or very specific system
that your people won't say, hey, I'm
engineer of system X,
on LinkedIn, for example.
Because then you're already giving
away: hey, so we run system X.
But yeah, it's really hard.
It's really a soft measure.
And I prefer always
that we can do things really
with systems and techniques.
So you prefer not to focus
your efforts on...
No, awareness is good to do.
But it's not where you win
these kinds of battles. Yeah.
Luckily, we have seven steps,
and we only have to catch them once.
Correct.
That's the benefit... So, the next
one is weaponization, Yuri.
What is that?
Weaponization is the stage
purely used to arm the bomb,
to get ready to actually exploit some flaw,
either human or physical. Or digital, sorry.
In this case, for the group, weaponization
is usually the creation of
specific crafted, malicious phishing
emails or SMSes or other messaging,
that either contain links
to malicious domains,
or contain malicious files that
contain other payloads, maybe like a PDF,
that has some exploitation measures inside of them.
We commonly see with this group that they
craft their emails and their SMSes
in Hebrew, which again,
shows that they specifically target,
Israeli organizations.
So this step is completely done
in your own home, more or less.
Right?
You're writing your email, you're
setting up some infrastructure, etc.
So, I'm betting that Rob is not
going to help us here, right Rob?
This is the step where we
can do absolutely nothing.
Okay. It's completely offline for-
Delivery.
Yeah, that's the next step. Yeah.
What does that mean?
Well the delivery that's the...
Well, if the previous step
was arming the bomb,
then the delivery is literally
delivering the bomb.
In this case, it's those same emails
that they crafted beforehand.
It is just sending them out in bulk
towards all the lists of targets.
Now this can go via emails.
This can also go again via SMS.
Doesn't matter how it gets there,
as long as it gets to a person
who has the potential to open something
malicious and detonate it. Yeah, so this is
the first time your organization
actually sees something about...
that someone is trying
to talk to you. Before,
in the early stages, you will
probably not see it. Yes.
At least not with this, at this ...
No. Exactly. Yeah.
Are you going to be more happy yet?
Finally we can do something.
Still ... Tell us all about it.
So still awareness is a thing here.
But now we can also put some
real measures in place.
So, like anti-spam filters.
Also maybe blocking attachments,
if there are any attachments, scan
for the attachments, well,
sometimes that's in the anti-spam.
Also making sure that the URLs in the
email themselves are not
clickable, or that at least the
firewall, for example,
will block them.
So we have a lot of measures here
that we can hopefully prevent
the email from reaching the target
or at least preventing them from
opening any files that are in there.
Yeah.
Because it's probably very hard to make
sure that nobody ever clicks on the link.
That's impossible.
So in the end, so,
if it is a mass email,
then you might be able to filter out,
hey, this looks like very generic,
it might be spam.
But if it's more spear phishing, that's
more targeted to one organization
or even one person,
then it's becoming really hard
to see if the link is valid or not.
So in the end, people will click-
Yeah, user training
is the myth, that you need
to train your users.
Yeah, awareness is always good.
But I would say awareness is,
the best thing about awareness
is that people say, okay, I accidentally
clicked and I’m not afraid
to tell that in the company,
so that people can take action.
So awareness is a good thing to do,
but also foster a culture
where people are not afraid to say, hey,
I might accidentally click a link [ ]
Yeah, or I saw something. Isn’t it becoming
harder and harder, because now with AI and,
I mean, before, if you need
to write a Hebrew email,
then you would probably
learn the language, nowadays,
I mean, I can write it.
I speak no words in Hebrew,
but I can write it thanks to AI.
Right? Yeah.
And they also can be really,
really, simple. Like, really,
you don't have to have a lot of knowledge
to make a perfect phishing email.
Correct.
We did a workshop the other day.
We told people who have
no experience with,
hacking, or computers in general.
And we just gave them ChatGPT
and we made a phishing website.
It's so simple and it looked really genuine.
So, that means, so
awareness is good,
like I said, but it will
not solve the problem.
There needs to be technical measures ...
Yeah, there needs to be technical measures
that will block the newly registered domains.
The URLs will scan for things,
in the email. Would you say
it would be good that we say
you can click on any link... [ ]
Assume that every link will be
clicked, that you will receive.
And still you need to have the
protection to block the delivery.
Correct.
Human error will always be
the largest CVE.
Yeah.
Yeah. Yeah.
And we cannot rely on patching it, because...
No. Well, maybe we can replace humans
with the AIs. That's a few years out.
Let's save that for another
Threat Talks. Next season
we’ll explain how that went.
We or the AI?
Just replace all of us with an AI.
You assume I’m not AI.
Yeah. So, delivery.
We can do a lot in delivery then
that helps, but we cannot be sure...
That's in step three.
We still have four to go. Let's see.
So, the next one is exploitation.
Well following the same bomb... Analogy.
Analogy that I was using,
the bomb has been delivered,
it has reached the targets.
Now it's time to detonate it.
And that's the exploitation.
In this case, for this APT, it's usually
in the form of a URL being clicked,
credentials being put into a phishing site,
or the execution
of a malicious attachment.
Either a zip file containing just
a binary that is executed
with a payload, or a PDF with
malicious behavior built into it.
A credential phishing site,
I can imagine is fairly easy to make.
What would they do, this group?
This group, they do
phishing attacks where they literally
just try to phish for credentials.
Their primary focus, however, is to use
existing credential dumps from other hacks,
can be completely unrelated to the target
at hand, just for credential stuffing.
Once they know usernames, they can
just try brute forcing those usernames.
Until they get a hit and gain
entry into anything.
And from there, they continue. Yeah.
But then, this step, exploitation, generally
is a more difficult step for the attacker.
I mean, because you need
some kind of binary
then, once you have
the credentials, need
to install something
to elevate privileges.
That's also what you're talking
about. I think. Yeah. Well,
that's true in a sense, but mainly
for this APT, their goal
isn't to get, like, the highest privileges
in somebody's network.
Their main goals are the disruption
of services and the exfiltration of data.
You don't really need
high privileges for that.
I mean, any employee of any company
has access to at least
some data, which they might already
find sufficient for their attack.
And as long as they can deploy
their wipers or deploy ransomware
or anything on a high value
target machine, then they're done.
They don't really need access to the entire-
Wiper is not this step yet, I think. No, no, no.
Well, no.
We’ll get to ...
So, the exploitation, Rob,
what can we do against this?
So because, he just managed
to have someone to
click on a link, and the delivery went on
because we weren't able to detect it.
So now there is an executable
on this machine.
So we have a few options here.
So first, so we failed to prevent
the link from being clicked,
whether it was awareness
or any URL filtering.
So the URL was clicked or
the binary was downloaded.
Or it may be directly delivered.
Then on the execution,
we can rely on EDR software.
So the endpoint detection and response that
might say, hey, this binary has never been run before.
Let's check if it is valid or not.
So strict policies can help there.
Even if the binary is seen as valid
then during the execution,
proper EDR software will say, hey,
this is really strange
what this process is doing.
I will kill it.
So that's on the binary side.
For the credential part:
implement multi-factor authentication.
So that credential phishing
is much, much harder.
And even if you have credentials,
you cannot easily use them.
[ ] Preferably a technique that doesn't
require you to type in stuff,
like passkeys or so.
Yeah, also I like the trend where we go
to passwordless authentication,
makes it also a bit harder,
although we still have the problem that
there is then one system, mainly email,
that if you have access to that...
[ ] as soon as possible anyway.
Yeah, that's a long debate.
So there's quite... Quite some
things you can do here.
Quite an important step to
put some measures in place
for attacks like this
and in general probably.
Yeah.
So the next step, Yuri, after
exploitation, is installation.
What's the difference?
The difference is, the exploitation is still
trying to get into the system, at installation
they are in, they're trying
to, or they're ready
to put their measures to
good use, to fulfill their attacks,
basically. To good use: in their view.
In their view, of course. Yeah.
We're getting to the final steps, before-
If you’re a SOC analyst at
ON2IT, you put yourself
really in the hacker's mind.
Yeah. You can see that.
Okay. Yeah.
So for, well, exploitation would be
the execution of malicious
payload or, the stuffing of credentials
into a login page somewhere.
The installation would be actual execution
of the payload doing something.
Such as? Such as a wiper malware,
where the goal is to just wipe
the entire machine clean
where it's run on...
So destroy information or make it
malfunction so systems go down.
Yeah. Exactly. Wiper.
There is really only [one]
purpose to wiper malware
and that is the disruption of services.
You can't really do anything
else with wiper malware.
But, the installation of wiper
malware would be
to actually load it into memory
and have it go through the entire disk
space to remove everything that can be found.
And another part of their installations
that we have seen would be, not
necessarily the destruction of data,
but the exfiltration of data.
So they were able to successfully stuff
credentials into some page of their target.
And then during the installation,
they would start to retrieve all the
juicy information that they might want to
exfiltrate and potentially leak to the public.
Okay. What can we do against this?
What can we do against this, Rob?
Also a few steps.
So we, already discussed EDR
software, that will help here.
It can prevent the installation of
the binary into the system,
because most attacks want
to have persistence on the system.
So if the system is being rebooted,
they don't want to rely on
the user clicking the binary
again on the email,
but that it will automatically
start with the system.
So EDR software will help.
Also, hardening systems.
So a lot of tools will make use of existing
other tools on the system: living off the land,
it's called, to get that installation done
or getting things into the registry
or into automatic server startup.
So hardening the system,
make sure that the user
doesn't have these tools or at
least doesn't have the privileges
to run these tools, to make it much harder
to get successful installation.
And depending on the operating system,
this is either by default, impossible
already or really hard to do.
Yeah, that’s correct. Not naming any names.
Sometimes it takes some time to get it done.
Okay, so what is not clear to me yet,
you say it's also the exfiltration
part could be here as well. Don't we
need a next step for this?
No. Not the exfiltration,
the gathering of the data
they might want to exfiltrate.
Yeah. Okay.
The autonomous part of it,
without any... Yeah.
Because the next step is
command and control.
Yeah. What's command and control?
Well, command and control in a general
sense is to control and command
whatever you might have attacked
or gotten access to within a target system.
In this case, command and control
for this group is much more plain.
It isn't necessarily to send
commands to certain systems.
It might be. We have seen that the
Handala wiper, which they've used
before does have a C2 component,
but it's very limited.
The main part of C2 for this group would be
the exfiltration of the actual data.
And the- I can also imagine that you first
want to focus on spreading your malware
more, than in one big bomb, wipe
everything out at the same time.
And for that you would need, well,
you could probably set a timer, say at
midnight or so, on a certain date.
But it's much more convenient that
you can, if you can send a message.
Yeah.
How do these things
get implemented?
The well, the group has
a very strong presence
on channels like Telegram or,
sorry, apps like Telegram,
where they spread their message,
their malicious links.
And they use that as an attack vector
for their targets as well.
Yeah.
So it could be that the malware
that's installed up until now,
also connects to a Telegram channel,
and that's their form of command
and control. Yeah.
That would be yeah,
that would be consistent-
Is it always malware
that's phoning home?
Command and control?
Mostly. Yes.
At least for this group. Yes.
You also have the other way around,
passive backdoors.
But we don't really see
this group doing that.
It requires a much more
sophisticated level of attacks.
In this case it's usually just phoning home.
So the malware, once we get to the stage,
you could see some traffic
going out to some...
Because this sounds a bit
like a weak point.
Yeah, right.
You'd better make it autonomous.
Like we have Stuxnet
that we have seen that one
that was on the other side
of this conflict. I think. Yeah.
So Rob, this guy wants to
command and control.
What can we do against that? So,
we can put network filters in place.
So DNS is often used, so DNS filtering
is very workable to do here.
Also- About that, you mean
if the malware requests
a certain hostname, and
it will get an IP address back
of course, that's how DNS works.
And the IP address is the codification...
No, sometimes...
Yeah, the DNS requests itself.
So it's going to a hostname that's owned
by the attacker in most cases.
And then they can prepend the
sub domain in front of a domain
that will also end up with the attacker.
And then you can there,
for example, leak information.
That’s one way of doing it.
The other way is using Telegram,
X, previously known as Twitter-
I thought this group was
banned from X at some point.
Yeah.
They were.
They were, they are, they were.
Oh really. Yeah. But blocking,
so let's start with servers.
Servers should not have any access
to external systems whatsoever
unless very specific and
very much required.
Yeah. The Telegram connection
shouldn't be possible.
No. Why would you allow a server...
Exactly.
So that's the easy part.
The hard part here is often
the user systems.
You say the easy part,
let me pause you there for a moment, because
is this common practice with organizations?
No, unfortunately it is not.
But it is easy to do.
Yes, it's low hanging fruit
to defend yourself.
Yes, I would say it's low hanging fruit.
You can easily figure out
what a system needs-
And very effective.
And very effective. Yeah.
Even if malware is installed, you can
prevent it from becoming active,
if there is no command
or control system, in most cases.
But on user systems this is quite
hard, because we're now in
a time where we allow people
to go to the internet freely
most of the time and we put
some URL filtering in place.
But I think if you test it out
that most users can just
go to Telegram or WhatsApp or x.com.
And that can also be
used by this malware.
Yeah.
The trick is to use a very
commonly used ecosystem.
Yeah.
And by playing into that, you blend in
with the regular traffic. Yeah.
And then detecting
if there's anything sent
that looks like command and
control traffic is really hard,
but it's even much harder because, not
everyone has implemented decryption.
I would even say, just a small part
of organizations have decryption.
So if it is encrypted,
then, you're more or less lost
in protecting yourself from command
and control traffic coming
in, and then you solely
rely on your EDR system.
You also mentioned DNS.
I mean, if exfiltration, or
the command and
control is through DNS,
every server has DNS enabled.
Yeah.
Kind of. Otherwise nothing would
work, right? So how do we...
Yeah. So there are a few options here.
DNS security that, for example,
can filter out the domain
generation algorithm, DGA,
that’s often used, so then
the malware will generate a lot of
domain names, and only a few are valid.
And you can figure that out- Where is this
implemented? In the DNS server itself
or is it in the firewall?
Mostly in firewalls.
Sometimes you have external software
for it, but mostly in the firewalls.
And that can, for example, detect,
hey, this host name is, or this
domain name is getting
a lot of sub domains.
So this looks like a domain generation
algorithm that's being used.
So that's one way of detecting it.
Another one very simple is,
check for newly registered domains.
So, quite- Don't resolve them.
Don't resolve them.
Most of the times they are only
short lived, there for a few days,
and then they're already detected
because the threat intel
is being shared and then the
attacker moves on to the next one.
So that's very effective.
But sometimes, some attackers that plan more
in advance, will have a few domain names ready
that are already registered for
at least more than 30 days.
Clear.
Last step is: act on objectives.
Is the final step where we
can’t do anything anymore?
Or, how does that work?
Well, if the attackers get to this step,
you're kind of lost already.
This is the step where they do actually,
achieve their exfiltration of data.
They achieve the wiping
of a target’s system.
When you get to this point, there's
not a lot that Rob would be able to do.
At this point, the target machine
is wiped, the data is
exfiltrated, and they'll be getting
ready to share their success
on their social media platforms.
So what does APT Handala do in this step?
APT Handala, well, they like
to boast about their attacks.
They have their own website,
accessible either via an onion link,
but they also just have a regular domain,
where they- An onion link is? Onion link is
a URL. It's like a domain name.
But it's only usable over
the dark web.
So you need a Tor browser
to travel to an onion link,
because it will be proxied through
a lot of different servers.
I don't think there's a single APT worth its salt,
that doesn't have its own domain on an onion link.
Unless they specifically don't-
But their goal is to spread the word,
so you can make your
news only available in the dark
web for the other hackers,
but that's not their goal, so therefore
they also have a regular site.
They have a regular site.
They have a Telegram channel.
They have very known accounts on a lot
of major forums online, like breach forums.
They have a Twitter account, or X account.
They have many different ways
of spreading their message,
of boasting for their attacks
of saying, hey, we did this.
And that includes also the leaking of
data that they might have exfiltrated,
whereas another APT or ransomware gang
might exfiltrate data just as like, a backup
for if the customer doesn't
want to pay the ransom.
APT Handala exfiltrates their data
with the primary function
of leaking that data,
sensitive information about,
user accounts on specific websites,
sensitive information, technical
specifications for the military.
And this is probably where hacktivists
are different from all the other groups.
Because, so far we've heard
a lot of, defense that we can apply.
We should apply anyway.
And, it's effective for
multiple types of attackers.
But this is a different thing. Yeah.
Is there anything in particular
we can do against this?
For example, if you are likely on
the receiving end of a group like this
and we talk now about Israel,
it could also be oil companies
or governments and all that ...
Is there anything
in communication, for example,
what's a good way to respond to this?
If you are a victim?
It depends a bit, I think. In general,
I think, if you become a victim,
it's good to be open about it.
Of course you can, have a discussion
on what details do we bring out,
but just to open up and tell what's
going on and also how you’ll approach
the solving of the problem.
I think that's good to do.
I believe I've seen it in the past.
It's always appreciated
by a lot of people. Hey.
Okay. We know now what's going on,
why the phone is not picked up or whatever.
We can also mention in this case,
if the Israeli forces will rather not say
yes, they hacked us.
No, that's, I think that's quite sensitive
for those- [ ] to downplay it.
They must have some kind of playbook.
What is the playbook of
the Israelis against this?
Mostly deny. Pretty much every
attack against direct Israeli
organizations, either the military
or critical infrastructure for
Israel has been denied. There was
a breach for the Israeli police.
Handala has leaked data about it.
The internet pretty much agrees
that the attack actually happened.
Israel does not agree.
They deny, deny. No confirmed
sources for journalists and everything.
So and that's why we say
allegedly they did this.
Exactly.
But it very much looks like it.
Quacks like a duck, right?
Yeah.
Okay. So, downplaying this for,
we always advocate be open about everything,
but maybe this is the best strategy
if you're in a political fight then.
Yeah.
The difference between a group like
Handala and other APTs is that,
a nation state APT might target a lot of different
organizations from a lot of different nations.
In that case, be open about it,
because all the mistakes that you made,
people can learn from.
But in this case, since pretty much
the only target is Israel and Israeli
backed organizations, there is no
benefit to sharing that data.
If you’re attacked-
They probably do that internally in their
cyber security center.
Of course. Yeah.
But they wouldn't state it online
saying, hey, we got breached again.
Hey, and what if you are indeed in the oil
industry and there's some environmental
organization that attacks you,
is that the same,
is the best playbook for them
to defend, also to deny
and to say it's not really an attack
or it wasn't that sophisticated,
small portion of the network, whatever.
I think it also depends on
the actual impact it will have.
If a lot of people are impacted,
then you should do something,
whether as a government or
as a company, to address this.
So you need some kind of openness,
how far you will go;
that’s still a debate, I think.
But you need to inform people that
this is the reason why you cannot
get water or electricity
or whatever is being hacked.
What I hear from
you both is always be open
about as much as possible,
unless you have a really good reason.
Yeah. Well, with that, let's conclude
this episode of Threat Talks.
Gentlemen, thank you very much.
For giving us an insight into the
interesting world of hacktivists.
And I'm happy that we have so many things
that we can do against it, to prevent those things.
So I thank you both.
And for our listeners,
thank you very much for tuning in.
I hope you enjoyed today.
Well, if you did, don't forget to like us
because we would like that.
And while you're in that area
of your podcast app,
also press the subscribe button,
because that means that next week
you have yet another episode of Threat Talks.
And here from the headquarters at ON2IT,
I thank you once again
and hope to see you next time.
Bye bye!
Thank you for listening to Threat Talks,
a podcast by ON2IT cybersecurity and AMS-IX.
Did you like what you heard?
Do you want to learn more?
Follow Threat Talks to stay up to date
on the topic of cybersecurity.