image: Prof. Gabriel Weimann, Senior Researcher at the International Institute for Counter-Terrorism (ICT) at Reichman University and Professor Emeritus in the Department of Communication at the University of Haifa.
Credit: None
A new study by Prof. Gabriel Weimann, a senior researcher at the International Institute for Counter-Terrorism (ICT) at Reichman University and Professor Emeritus in the Department of Communication at the University of Haifa, and Daniel Haberfeld, a researcher and Head of the Cyberterrorism Desk at ICT, explored the activities of the Handala hacker group, which is linked to Iran’s Ministry of Intelligence and Security (MOIS). The study sought to determine whether the group’s operations are best characterized as cyberterrorism or psychological warfare.
Published in the academic journal Studies in Conflict & Terrorism, the study analyzed more than 200 posts published by the group on social media and its website between 2023 and 2026. The researchers employed qualitative content analysis and Natural Language Processing (NLP) tools to examine the group’s operational patterns and messaging strategies.
The findings indicate that Handala functions as an Iranian state-sponsored proxy that combines cyberattacks with influence and psychological campaigns. According to the researchers, the group’s primary objective is not necessarily to inflict significant physical or infrastructural damage, but rather to create a sense of threat, insecurity, and diminished public resilience, particularly in Israel.
The study found that Handala portrays itself as a defender of the Palestinian people and an exposer of “hidden truths” about Israel. Key themes identified in its messaging include ideological justification for its actions, claims of technological superiority, efforts to foster a sense of constant surveillance through messages such as “We see everything,” the publication of sensitive information, and ongoing threats against future targets. The researchers explain that these messages are designed to amplify the psychological impact of each attack and depict Israel as vulnerable and incapable of defending itself.
The study further found that most attacks attributed to the group during the period they studied targeted Israeli entities, particularly in the private sector, alongside defense, government, academic, and media institutions. The researchers identified a growing focus over the years on the targeting of public figures and political leaders — a shift that has generated broader media coveraged and greater public impact. In addition, the researchers found that the group’s activities are conducted as carefully orchestrated campaigns: threats and hints are released first, followed by the disclosure of the attack itself, and finally by the gradual release of stolen information. According to the study, this strategy prolongs the attention of the public and magnifies the psychological impact of each incident.
The researchers conclude that Handala is a model of a state-sponsored cyber group that uses offensive cyber capabilities primarily as a vehicle for psychological warfare and cognitive influence. In their assessment, cyberattacks serve as a means of gathering information, generating media attention, and instilling public fear, more than as a tool for causing substantial and sustained damage to critical infrastructure. At the same time, the study cautions against assuming that the group lacks significant offensive capabilities, noting that its objectives and operational focus may evolve in the future.
Journal
Studies in Conflict and Terrorism