Handala Hack Sends Threatening Messages to Bahrain Service Members

U.S. service members in Bahrain received threatening WhatsApp messages on Monday from a group linked to Iranian cyberattacks. The texts warned that their identities were known and that they could be hit with drones and missiles. Stars and Stripes reviewed identical messages sent to two service members stationed in Bahrain, where U.S. Naval Forces Central Command is based.

The messages said, "Your identities are fully known to our missile units, and every move you make is under our surveillance," and, "Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles." They also said, "We will deal with you, the terrorists whose hands are stained with the blood of the Minab schoolchildren," and, "We suggest you call your families now and say your final goodbyes." The texts were signed "Handala" and included a link to the group's website.

Handala's Bahrain messages

The messages appeared to come from a Bahraini cellphone number linked to a legitimate business on the island. That detail matters for personnel and families in Bahrain because it suggests the messages were tailored to look local, not routed through an obvious foreign number. The group has presented itself as a pro-Palestinian collective, while the Department of Justice said Handala has for years operated as a front group for Iran's Ministry of Intelligence and Security.

John Phelan, then the Navy secretary, warned earlier this month that adversary cyber actors were running a "social engineering campaign" that targeted Navy personnel and their families through individual phishing attempts and social media accounts. Phelan said, "These actors seek to psychologically influence [Navy] personnel and their families, and also seek to trick personnel into clicking on/opening potentially malicious links and files," and the Navy advised sailors to lock down their phones and social media accounts and not respond to suspicious emails or text messages.

Justice Department actions

The threat to the two service members came after the Department of Justice seized four web domains linked to Handala last month. The Justice Department said those domains were used to publish personally identifiable information and harass targeted individuals in the United States and abroad, and Handala was also found behind a major cyberattack on medical technology company Stryker last month.

On Tuesday, Handala claimed to have published the full personal details of 2,379 U.S. Marines stationed in the Persian Gulf. The group has also been linked to previous attempts to infiltrate U.S. and Israeli organizations, and it reportedly managed to hack into FBI Director Kash Patel's personal email inbox.

Next warning for U.S. personnel

For personnel stationed in Bahrain, the immediate concern is not just the messages themselves but the overlap between direct intimidation and broader online targeting. The messages targeted service members in a country that hosts U.S. Naval Forces Central Command, and the Navy has already told sailors to harden phones and social media accounts against phishing and malicious links.
