\n
<\/p>\n
As Iran escalates its retaliatory attacks against the United States and Israel with missiles and drones, heading into a fifth week of war, its cyber warriors are beginning to do the same.<\/p>\n
One prominent hacking group secured a particularly attention-grabbing moment on Friday, compromising an old personal email address belonging to FBI Director Kash Patel and publishing many of its contents online, including an old resume<\/a> and pictures<\/a> of him smoking cigars and posing in a mirror with a bottle of rum.<\/p>\n<\/p><\/div>\n As Iran escalates its retaliatory attacks against the United States and Israel with missiles and drones, heading into a fifth week of war, its cyber warriors are beginning to do the same.<\/p>\n One prominent hacking group secured a particularly attention-grabbing moment on Friday, compromising an old personal email address belonging to FBI Director Kash Patel and publishing many of its contents online, including an old resume<\/a> and pictures<\/a> of him smoking cigars and posing in a mirror with a bottle of rum.<\/p>\n An FBI spokesperson acknowledged that Patel\u2019s email had been targeted. \u201cThe information in question is historical in nature and involves no government information,\u201d the spokesperson told Foreign Policy<\/em>, adding that the agency had offered a reward of up to $10 million for information on the group, known as Handala Hack Team, which is linked to Iran\u2019s Ministry of Intelligence and Security.<\/p>\n The breach of Patel\u2019s email was the latest salvo in a tit-for-tat exchange over the past week that saw the U.S. Justice Department seize<\/a> four websites belonging to Handala on March 19\u2014a week after Handala took credit for a massive cyberattack on U.S. medical equipment<\/a> manufacturer Stryker. The company was still working to fully restore systems as of Tuesday.<\/p>\n \u201cWe are working closely with our global manufacturing sites as operations steadily improve towards full capacity,\u201d a Stryker spokesperson said in an emailed statement. \u201cManufacturing capability is quickly ramping with most of our sites and critical lines restored.\u201d<\/p>\n Handala, which also recently said it leaked the personal information of several Lockheed Martin engineers based in Israel, is one of several hacking groups linked to the Iranian regime that have targeted U.S. officials and companies over the past week. Another group, known as APT Iran, claimed<\/a> to have stolen 375 terabytes worth of data from the U.S. defense contractor, according to the threat intelligence firm Flashpoint. Those breaches have not officially been confirmed, and the company told Foreign Policy<\/em> that \u201cthere is no evidence indicating an impact to Lockheed Martin systems, operations or data at this time.\u201d<\/p>\n But for Iranian hacking groups, the obfuscation is often the point, said Cynthia Kaiser, who served as a deputy assistant director of the FBI\u2019s cyber division until May 2025.<\/p>\n \u201cYou\u2019ve seen Handala do this a lot \u2026 it\u2019s a mixture of lies and real attacks, making it hard to parse out what\u2019s exactly happening,\u201d said Kaiser, who is now the senior vice president of ransomware research at the cybersecurity firm Halcyon. \u201cBut if the ultimate aim is showing you can retaliate\u2014either for an internal Iranian audience or for those whose activity you\u2019re trying to dissuade\u2014going public is important,\u201d she added, describing such operations as \u201ckind of cyber-enabled PR campaigns.\u201d<\/p>\n Handala and other groups have also repeatedly targeted Israel, with the Israeli National Cyber Directorate saying<\/a> that Iran-linked hackers had erased data from at least 60 Israeli companies through so-called \u201cwiper\u201d attacks.<\/p>\n \u201cThe borders between nation-state and cyber criminals are blurred very clearly in the case of Iranian actors,\u201d said David Carmiel, the CEO of the Israeli cybersecurity firm Kela. Kela and Halcyon found<\/a> evidence<\/a> on the dark web of Iran-linked ransomware group Pay2Key offering 80 percent of profits to hackers targeting \u201cenemies\u201d of Iran(an uptick from its previous 70 percent cut), which it described as \u201c[s]pecial advantageous conditions for Iran\u2019s friends.\u201d<\/p>\n Carmiel said that unlike the ransomware groups typically linked to Russia\u2014whose disruptions are largely focused on making money by seizing access to systems and then restoring them in exchange for multimillion-dollar payouts\u2014Iranian ransomware groups are focused on damage. \u201cIt\u2019s less about helping you recover and more about getting some financial gain and doing damage in a destructive manner to your infrastructure.\u201d<\/p>\n Iranian cyber retaliation was relatively muted in the early days of the conflict, when U.S. and Israeli forces used both offensive cyber operations<\/a> and kinetic airstrikes to kill senior leaders<\/a> of the Iranian regime and take out a cyber command center.<\/p>\n \u201cBut anyone with a laptop could find a way to reengage; it\u2019s not like there\u2019s something magic about the building,\u201d said Mieke Eoyang, who served as the U.S. deputy assistant secretary of defense for cyber policy until April 2025 and is now a visiting professor at Carnegie Mellon University\u2019s Institute for Strategy and Technology. \u201cA lot of the infrastructure malicious actors operate off is virtual anyway, so I would expect that we would see those types of operations coming over time,\u201d she added. \u201cThey don\u2019t necessarily need to have that kind of tight command and control structure to deliver significant disruption.\u201d<\/p>\n None of what cyber experts have seen so far from Iranian groups is really out of the ordinary\u2014Iran has a long history of going after Washington and its allies in cyberspace, including compromising critical U.S. infrastructure such as water treatment plants.<\/p>\n Those attacks could still happen as Iran hunkers down in the war and finds its cyber footing. \u201cThis is the Iranian playbook,\u201d Kaiser said. \u201cThey see cyber as a means to retaliate\u2014it\u2019s a little less escalatory than a physical or kinetic type attack, but it allows them to say they\u2019ve retaliated.\u201d<\/p>\n It also means that even in the unlikely event of a negotiated end to the war, the cyber threat from Iran won\u2019t necessarily dissipate.<\/p>\n \u201cEven if there is some sort of a cease-fire, cyber will keep going because it\u2019s under the radar in many cases,\u201d Carmiel said. \u201cThe target universe for Iranian groups just became bigger.\u201d<\/p>\n<\/p><\/div>\n This post is part of FP\u2019s ongoing coverage<\/i>.\u00a0<\/i>Read more here<\/a>.<\/em><\/p>\n<\/p><\/div>\n<\/p><\/div>\n