JUST IN: Iranian Hacker Group Handala Says It Will Pause Cyberattacks on US Infrastructure in Light of Ceasefire
Published on Reflecto News | World News | Cybersecurity & Geopolitics
In a significant development following the announcement of a two-week ceasefire between the United States and Iran, the prominent Iranian-aligned hacker group Handala has declared that it will temporarily suspend its cyber offensive against U.S. critical infrastructure. The group announced it has “currently postponed overt confrontation” with the United States following orders from the “highest leadership”.
However, the group’s statement came with a stark warning: the pause is temporary, and the cyber war “will not end with any military ceasefire”.


Handala’s Statement: ‘Currently Postponed Overt Confrontation’
Handala, a pro-Palestinian and pro-Iranian hacker network that has claimed responsibility for numerous high-profile cyberattacks against U.S. targets, issued its statement on Telegram following the announcement of the ceasefire. The group’s messaging reflected a calculated decision to align with the broader diplomatic pause while maintaining its long-term commitment to cyber warfare.
“The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.” — Handala statement
The group further elaborated that its decision to pause was taken “per ‘highest leadership’ orders”. This suggests that the directive to scale back cyber operations came from the highest levels of Iranian leadership, potentially as part of the broader ceasefire understanding between Tehran and Washington.
Handala also revealed that some of its members had been killed during the conflict, stating that the group had “witnessed the martyrdom of our most cherished anonymous Handala fighters, youths whose own families were unaware of their sacrifice”.
The Warning: ‘When the Time Comes’
Despite the announced pause, Handala’s statement carried an unmistakable threat of future action. The group framed its temporary restraint as a strategic pause rather than a cessation of hostilities in the cyber domain.
“Rest assured: when the time comes, the darkest of nights will have only just begun for America and all its supporters.” — Handala statement
The group vowed that its “cyber jihad is the extension of our martyrs’ blood, and it will go on until full vengeance is achieved”. This language suggests that Handala views its cyber operations as an ongoing moral and strategic obligation that transcends any temporary diplomatic agreements.
Handala also issued an appeal to “all cyber resistance fighters” to “join the united front of cyber struggle,” offering to provide “technical and strategic” backing to any actions taken against “the infrastructures of the Zionist regime, the US, and their allied states”.
CyberAv3ngers: No Pause, Continued Operations
While Handala announced a pause, not all Iranian-aligned cyber actors have followed suit. CyberAv3ngers, an Iranian cyber actor affiliated with the Islamic Revolutionary Guard Corps (IRGC) that has claimed multiple critical infrastructure attacks, indicated it was proceeding with attacks on both U.S. and Israeli interests.
In Telegram posts late on Tuesday, CyberAv3ngers shared a video screen grab to support its claim that it had tampered with alert sirens in Israel. The group then posted images of screens appearing to be associated with industrial control systems, claiming that an operative “has access to America’s electrical infrastructure and telecommunications sites”.
This fragmentation among Iranian-aligned hacking groups highlights a key challenge for the ceasefire’s implementation: while some actors may be willing to pause operations in line with diplomatic agreements, others may continue or even intensify their activities.
The Handala Threat: A History of High-Profile Attacks
Handala has established itself as one of the most capable and aggressive Iranian-aligned hacking groups. The group has claimed responsibility for a series of significant cyberattacks in recent weeks, including:
| Target | Attack Details |
|---|---|
| Stryker Corporation | Major medical equipment manufacturer; disruption of operations |
| FBI Director Kash Patel | Personal email account compromised; personal photos leaked |
| Water, electricity, oil sectors | Group claimed readiness to inflict attacks “to send your lives back to the Middle Ages” |
The group has also demonstrated a sophisticated understanding of psychological warfare. After the FBI seized four web addresses used by Handala to spread its message, the group responded by leaking several old photos of Patel after claiming to have hacked into his personal email account.
Handala’s threat to target U.S. water infrastructure has been particularly concerning. On March 27, Handala, APT IRAN, and CyberAv3ngers vowed to inflict “irreparable damages” on U.S. water infrastructure if water systems in Iran were threatened.
US Government Warning: Ongoing Threat to Critical Infrastructure
The announcement of Handala’s pause comes just days after a sweeping federal government warning about Iranian cyber threats. On Tuesday, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and other agencies issued an urgent advisory stating that Iranian-affiliated hackers have “successfully targeted and caused disruptions at multiple U.S. oil and gas and water sites” in recent weeks.
Key findings from the federal advisory include:
| Threat | Details |
|---|---|
| Targets | Water and wastewater systems, energy sector, government facilities |
| Method | Exploitation of internet-exposed programmable logic controllers (PLCs) |
| Impact | Operational disruptions, financial losses, safety system compromises |
| Recent escalation | Campaigns have escalated “likely in response to hostilities” |
The advisory warned that Iranian-affiliated actors are targeting Rockwell Automation/Allen-Bradley-manufactured PLCs “with the intent to cause disruptions, including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays”.
Joe Slowik, director of cybersecurity alerting strategy at Dataminr and an industrial cybersecurity expert, told CNN that the targeting of these devices “opens up the opportunity not just for immediate disruption, but potentially modification of operating parameters that could impact physical operations”.
“The latter could lead to physical impacts and safety concerns, which is a serious issue and represents a notable extension of adversary capability and intent,” Slowik said.
Expert Analysis: Ceasefire May Not Reduce Cyber Threats
Cybersecurity experts have cautioned that the ceasefire may not lead to a reduction in cyber threats—and could even result in an increase.
Markus Mueller, a cybersecurity executive at Nozomi Networks, told the Associated Press that he anticipates an increase in cyberattacks on American organizations following the ceasefire.
“With a ceasefire, we will likely see an expansion of cyber activity both in scale and scope. These groups will likely try to execute a high-profile attack such as what we saw with Stryker.” — Markus Mueller, Nozomi Networks
Mueller explained that any lull in hostilities could allow hackers to shift from regional targets directly involved in the conflict to efforts to infiltrate U.S. organizations that participated in the war effort, including data centers, tech companies, and defense contractors.
Retired war planner and two-star general Lynn Hartsell told KELOLAND News that for any agreement to last, “it would have to be a complete change of interest in the leadership of Iran,” noting that “a lot of that regime is gone”.
Ashley Podhradsky, Vice President of Research and Economic Development at Dakota State University, warned that many industrial control systems are “built for easy access for U.S. operators, but aren’t always properly secured, making them easy targets” for Iranian hackers.
“If an attacker can gain access and shut it down, you have the ability to disrupt power,” Podhradsky said. “You have the ability to change a chemical composition in water that makes it unsafe, and really impact society’s ability to function”.
The Broader Cyber Landscape: Russian Support and Other Actors
The Iranian cyber threat does not exist in isolation. The Russian hacking group Killnet posted on its Telegram channel: “Our friends in Iran are going through a difficult time right now; let us support our brothers’ resistance against all American and Israeli scum”.
Killnet, which specializes in DDoS attacks, has previously coordinated with Iranian-aligned groups. RuskiNet Group, a Russian hacking collective, has carried Handala posts on its Telegram channel and recently claimed to have swiped personnel information from the General Services Administration .
Other Iranian-aligned groups have also made statements regarding the ceasefire:
| Group | Statement |
|---|---|
| Cyber Islamic Resistance | Promised “a large-scale attack on the Zionist entity’s servers” |
| APT IRAN | Allied with Handala and CyberAv3ngers for water infrastructure threats |
| NoName057(16) | Pro-Russian group; conducted DDoS attacks on Israeli and Cypriot targets |
This coordination between Iranian and Russian cyber actors suggests that even if Tehran orders a pause, affiliated groups in other countries may not comply.
The ‘Living-off-the-Land’ Tactic: A New Cyber Threat
Handala has demonstrated a sophisticated understanding of modern cyber warfare techniques. The group has reportedly transitioned from traditional malware to “Living-off-the-Land” (LOTL) tactics, utilizing legitimate cloud administrative tools for large-scale data destruction.
In the attack on Stryker Corporation, Handala allegedly used Microsoft’s legitimate remote administration tools to issue “remote wipe” commands against all connected devices, rather than deploying traditional wiper malware. This approach makes detection significantly more difficult, as the attacks use authorized tools and appear as legitimate administrative activity.
The group claimed to have wiped 200,000 systems across 79 countries and exfiltrated 50 terabytes of data in that single operation.
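Because the wipe commands in the LOTL pattern described above are issued through a sanctioned administrative tool, there is no malware signature to match; what stands out is the volume and velocity of wipe actions from a single account. The following is an added detection example, not code from Handala, Stryker, or the reporting, that applies a sliding-window threshold to constructed device-management audit records; the log field names and action names are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (JSON lines). Field and action names are
# assumptions modelled loosely on a cloud device-management audit log.
SAMPLE_AUDIT_LOG = """\
{"time":"2025-04-08T02:14:03Z","actor":"admin@example.test","action":"DeviceWipe","device":"LT-0001"}
{"time":"2025-04-08T02:14:04Z","actor":"admin@example.test","action":"DeviceWipe","device":"LT-0002"}
{"time":"2025-04-08T02:14:06Z","actor":"admin@example.test","action":"DeviceWipe","device":"LT-0003"}
{"time":"2025-04-08T02:14:09Z","actor":"admin@example.test","action":"DeviceSync","device":"LT-0004"}
{"time":"2025-04-08T02:14:12Z","actor":"admin@example.test","action":"DeviceWipe","device":"LT-0005"}
{"time":"2025-04-08T02:15:10Z","actor":"admin@example.test","action":"DeviceWipe","device":"LT-0006"}
{"time":"2025-04-08T02:15:11Z","actor":"admin@example.test","action":"DeviceWipe","device":"LT-0007"}
{"time":"2025-04-08T09:30:00Z","actor":"helpdesk@example.test","action":"DeviceWipe","device":"LT-0440"}
"""

# A single lost-laptop wipe is routine; many wipes in minutes is not.
WIPE_ACTIONS = {"DeviceWipe", "DeviceRetire"}
THRESHOLD = 5                    # wipes per actor inside WINDOW raise an alert
WINDOW = timedelta(minutes=10)


def parse_records(text):
    """Yield audit records with the timestamp parsed to a datetime."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def detect_bulk_wipes(text, threshold=THRESHOLD, window=WINDOW):
    """Return {actor: (window_start, count)} for each actor whose wipe/retire
    commands reach `threshold` within any sliding window of length `window`.
    Only the first crossing per actor is recorded."""
    recent = defaultdict(deque)   # actor -> timestamps of recent wipe actions
    alerts = {}
    for rec in sorted(parse_records(text), key=lambda r: r["time"]):
        if rec["action"] not in WIPE_ACTIONS:
            continue
        q = recent[rec["actor"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:   # drop events outside window
            q.popleft()
        if len(q) >= threshold and rec["actor"] not in alerts:
            alerts[rec["actor"]] = (q[0], len(q))
    return alerts
```

The helpdesk account's single wipe never alerts, while the admin account crosses the threshold on its fifth wipe within about a minute.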
Implications for the Ceasefire
Handala’s announcement of a pause in U.S.-targeted cyberattacks represents a significant—if potentially temporary—concession by Iranian-aligned cyber forces. The fact that the group cited orders from the “highest leadership” suggests that Tehran is taking the ceasefire seriously and is willing to restrain its proxy actors, at least for now.
However, several factors complicate the cyber landscape during the ceasefire:
1. Fragmentation Among Groups
Not all Iranian-aligned groups have agreed to pause. CyberAv3ngers has indicated it will continue operations against both U.S. and Israeli targets.
2. Continued Targeting of Israel
Handala itself has stated that while it is pausing attacks on the U.S., it will “continue its cyber operations against Israeli infrastructure at full force”.
3. The ‘When the Time Comes’ Threat
Handala’s explicit warning that its pause is temporary and that “when the time comes, the darkest of nights will have only just begun for America” suggests that the group views the ceasefire as an interlude, not an end.
4. Potential for High-Profile Attacks
Cybersecurity experts warn that some groups may seek to execute a “high-profile attack” during the ceasefire to demonstrate that the truce does not constrain them.
5. The Water Infrastructure Threat
Handala and its allies have specifically threatened U.S. water infrastructure. Any attack on water systems would have immediate and severe consequences for public health and safety.
Looking Ahead: A Fragile Cyber Truce
The announcement by Handala that it will pause cyberattacks on U.S. infrastructure in light of the ceasefire represents a positive development for American cybersecurity. However, the fragility of this pause cannot be overstated.
The group’s statement makes clear that it views the ceasefire as a temporary constraint rather than a fundamental shift in its mission. Handala’s “cyber jihad” will continue, and its members have been promised that “when the time comes,” they will be unleashed again.
For U.S. critical infrastructure operators, the message is clear: the ceasefire offers a window of reduced threat, not an end to the danger. As federal agencies have warned, organizations should use this time to secure their systems, remove operational technology assets from direct internet exposure, and ensure that remote access is properly secured.
The coming weeks will test whether Handala’s pause holds and whether other Iranian-aligned groups follow suit. For now, American infrastructure remains in the crosshairs—even if the trigger has been temporarily released.
Frequently Asked Questions (FAQs)
1. Which Iranian hacker group announced a pause in attacks on US infrastructure?
Handala, a prominent pro-Iranian and pro-Palestinian hacker network, announced it would “currently postpone overt confrontation” with the United States following orders from the “highest leadership”.
2. Is the pause permanent?
No. Handala made clear that the pause is temporary. The group stated that “the cyber war did not begin with the military conflict, and it will not end with any military ceasefire” and vowed that “when the time comes, the darkest of nights will have only just begun for America”.
3. Will Handala continue attacking Israel?
Yes. Handala stated that it will “continue its cyber operations against Israeli infrastructure at full force” for the time being, even while pausing attacks on the U.S.
4. Have all Iranian-aligned hacking groups agreed to pause?
No. CyberAv3ngers, an IRGC-affiliated group, has indicated it is proceeding with attacks on both U.S. and Israeli interests. The group claimed on Telegram that an operative “has access to America’s electrical infrastructure and telecommunications sites”.
5. What recent attacks has Handala claimed responsibility for?
Handala has claimed responsibility for disrupting operations at Stryker Corporation, a major medical equipment manufacturer, and hacking into FBI Director Kash Patel’s personal email account, leaking personal photographs.
6. What has the US government warned about Iranian cyber threats?
On April 7, the FBI, CISA, NSA, and other agencies issued an urgent advisory warning that Iranian-affiliated hackers have successfully targeted and disrupted multiple U.S. oil, gas, and water facilities, causing operational disruptions and financial losses.
7. What is the “Living-off-the-Land” tactic?
Handala has reportedly transitioned to using legitimate cloud administrative tools for data destruction rather than traditional malware. In the Stryker attack, the group allegedly used Microsoft’s remote administration tools to issue “remote wipe” commands against connected devices.
8. What do experts predict will happen to cyberattacks during the ceasefire?
Some cybersecurity experts predict an increase in cyberattacks on American organizations following the ceasefire. Markus Mueller of Nozomi Networks expects “an expansion of cyber activity both in scale and scope,” with groups likely trying to execute high-profile attacks.
9. How should US critical infrastructure operators respond?
Federal agencies have urged operators to remove operational technology assets from direct internet exposure, secure remote access, review logs for indicators of compromise, and watch for suspicious traffic on OT ports, especially from overseas hosting providers.
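The log-review step recommended above, and the advice in the body of the article to take OT assets off direct internet exposure, can be checked against perimeter firewall logs. This added example (not from the advisory or any vendor) scans constructed firewall log lines for allowed sessions to well-known PLC/SCADA ports from sources outside an assumed site allowlist; the log format and the approved ranges are assumptions, while the port numbers are the protocols' real registered ports.

```python
import ipaddress
import re

# Real well-known OT ports: 502 Modbus/TCP, 20000 DNP3, 44818 and 2222
# EtherNet/IP (the protocol family used by Rockwell/Allen-Bradley controllers).
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3",
            44818: "EtherNet/IP", 2222: "EtherNet/IP (implicit)"}

# Assumed site policy: only engineering and SCADA-server ranges may reach OT ports.
APPROVED_SOURCES = [ipaddress.ip_network(n)
                    for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed firewall log lines (documentation addresses, not real hosts).
SAMPLE_FW_LOG = """\
2025-04-08T03:02:11Z ALLOW TCP 10.20.5.12:50111 -> 10.20.30.7:44818
2025-04-08T03:02:40Z ALLOW TCP 203.0.113.45:51234 -> 10.20.30.7:44818
2025-04-08T03:03:02Z ALLOW TCP 198.51.100.9:40022 -> 10.20.30.8:502
2025-04-08T03:05:15Z ALLOW TCP 203.0.113.45:51240 -> 10.20.30.9:443
2025-04-08T03:06:00Z DENY TCP 203.0.113.77:4000 -> 10.20.30.7:44818
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def is_approved(src):
    """True if the source address lies inside an approved range."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in APPROVED_SOURCES)


def find_ot_exposure(text):
    """Return (time, src, dst, port, protocol) for every ALLOWED session to an
    OT port from a source outside the approved ranges. DENY lines are skipped:
    the perimeter already did its job there, though a rising DENY count to
    these ports is itself worth graphing."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # unparsed lines are ignored
        ts, verdict, _proto, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        if verdict != "ALLOW" or dport not in OT_PORTS:
            continue
        if not is_approved(src):
            findings.append((ts, src, dst, dport, OT_PORTS[dport]))
    return findings
```

Each finding is a session that should not have been permitted at all under the policy; the fix is at the firewall or by removing the PLC from the exposed network, not just in the alert.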
10. Does the ceasefire include cyber operations?
While Handala has indicated it received orders from the “highest leadership” to pause overt attacks, the group’s statement makes clear that it does not consider cyber warfare bound by military ceasefires, stating that the cyber war “will not end with any military ceasefire”.