Iranian hacktivists target Iran's only independent news outlet, threaten London journalists


Iran International, one of the nation's only sources of independent news, was allegedly hit by a massive breach on Tuesday, carried out by the pro-Tehranian hacktivist group known as Handala. Now, the group has begun to threaten the outlet's top journalists.


The hacker group took to its dark leak blog and Telegram channel Tuesday morning, claiming a large-scale cyberattack on the news outlet, boasting that it has compromised the identities of both its readers and the staff who work there.


The Handala group, which has been operating since late 2023, is just one of about 130 pro-Iranian hacktivist groups being tracked by security experts, a small portion of them newly created in response to Israel’s (and the US’s) recent strikes on Iran.

“Iran International has been successfully hacked,” the group said, labeling the attack “Operation Handala.”

“All of the network’s systems, servers, and communication infrastructure have been fully compromised and infected. A complete internal data dump has been extracted,” it wrote in a lengthy post.

Handala leak site, Image by Cybernews.

Handala promised to release the stolen cache “within minutes,” but has provided no proof samples of exfiltrated data, nor any downloadable links on the leak site.

If true, the stolen data dangerously exposes the personally identifiable information (PII) of both journalists and readers, which could easily be used for further targeted attacks, both physical and digital.

According to Handala, this PII and company data includes:

  • Confidential internal and external communications
  • Personal and security details of staff members
  • Identities and contact logs of media liaisons
  • Bank records, financial contracts, and transaction history
  • Personal data, editorial content archives, and coordination with foreign services

The group claims to have fully taken over Iran International’s “main message-receiving account,” which it says has long been used as a “so-called ‘secure line’ for communication with informants, spies, traitors, and foreign agents.”

It claims to have the “full identity profiles” of over 71,000 such individuals.

Furthermore, Handala also claims to have exfiltrated all incoming messages, attachments, reports, images, and videos shared on the account and is currently cross-referencing them against “multiple intelligence and identification databases.”

“These names and data are now classified, indexed, and archived. Selected portions will be released soon,” it said.

Handala Manifesto

Since the attack on Iran’s nuclear sites, Handala has been keeping busy alongside several other pro-Iranian hacktivist groups, such as the 311 and Mysterious Teams, Cyber Jihad Movement, Mr. Hanza, the Holy League, and the Cyber Islamic Resistance.

These hacktivists typically go after Western nations; this is the first such attack on what one might consider a homegrown organization supporting the Iranian people, but the group had no problem explaining its rationale.

On its dark leak site, Handala went on to call Iran International a “falsely-branded ‘independent media outlet.’”

Handala accused the news outlet of receiving tens of millions of dollars per month “from the Mossad intelligence service” as well as “operating as a propaganda weapon for psychological warfare and disinformation across the region.”

Handala leak site, Image by Cybernews.

The group said that after analyzing the content, “it confirms the existence of a media-based espionage and influence network directed by Mossad,” also threatening the outlet’s viewers.

“To everyone who has reached out to this network: You are being watched. Your information has been logged. And your reckoning is near.”

“This is not just a breach. This is a warning. This is a direct declaration of presence by the resistance inside the heart of enemy systems,” it said.

Payback for Telegram boot directed at journalists

Soon after the alleged media hack, the pro-Iran hacktivists also announced on their dark blog Tuesday the creation of yet another official Telegram channel after being booted off the messaging app for the 20th time.

“The 20th official channel of HANDALA has now been taken down, by the self-proclaimed defenders of ‘free speech,’” the group wrote on its latest “Handala Hack” channel, claiming the removal was triggered by its last conquest.

Handala Hack's 21st Telegram channel before it was taken down on Tuesday. Image by Cybernews.

“Following the successful breach of Iran International, those who hide behind the mask of journalism and liberty have once again revealed their true face: Media terrorism and digital censorship,” Handala posted to about 1600 channel subscribers.

But alas, the resurgence of a 21st channel was short-lived, as Telegram administrators, once again, removed the Handala Hack channel from the encrypted messaging site.

The takedown seemed to escalate Handala's ire toward the media organization. In another long rant, the group set its sights on Iran International's top journalist, Mojtaba Pourmohsen, threatening to leak personal footage of the newscaster if he did not stop talking about Handala on the airwaves.


The group even claimed on its dark website to have known about an "afternoon call" between the UK-based Pourmohsen and presumably one of his sources, which they called his "Mossad handler."

X profile of Iran International journalist, Mojtaba Pourmohsen, Handala leak site. Image by Cybernews.

"Our infiltration into the Iran International network remains deep, extensive, and largely uncharted. The full extent of our access is still unfolding, but make no mistake: the foundation of their security is broken."

Handala said that starting tomorrow (Wednesday), it will move on to "targeting select female staff and affiliated analysts of the network."

Iran International has been targeted before

Iran International is headquartered in London under its parent company, Volant Media. Cybernews contacted Volant Media for comment on the purported hack but has not heard back.

The self-proclaimed, independently run news organization is said to provide a “fair and balanced view of what happens inside Iran,” sharing world news and opinions with the media-starved Iranian population.

Still, some critics say the news outlet is not completely free of Iranian government oversight.

Image by Volant Media

Volant states its flagship news brand is the number one broadcast among the 80 million who live in Iran, as well as the 10 million living outside the Middle Eastern nation.


And despite attempts at Iranian censorship, the Persian language news site can be streamed 24/7 via satellite, radio, social media, web, and Video-on-Demand.

The outlet has additional offices in Washington, DC, and Paris. Threats against its UK-based journalists prompted it to temporarily move its London headquarters to Washington, DC, back in February 2023.


Par for the course, US Homeland Security officials have issued several security advisories warning of Iranian hackers targeting American critical infrastructure since the June 21st bunker-busting bombs were dropped by the Trump Administration on Iran’s three main nuclear sites.

Since then, Iranian hackers have used mostly low-level DDoS attacks to go after at least a dozen US banks, oil companies, and even US President Donald Trump himself, threatening to release fresh Trump email communications and hacking into his social media platform Truth Social.