The Iranian hacking group Handala said Thursday that it had deeply and covertly penetrated the phone of former IDF chief of staff Lt. Gen. Herzi Halevi in an alleged new cyber incident that could rattle the defense establishment.
In a statement, the group said the operation lasted for years and resulted in the theft of about 19,000 sensitive files. According to the group, the material includes visual documentation of secret meetings, strategic maps and personal details from Halevi’s private home.
Footage allegedly taken by Herzi Halevi aboard an aircraft carrier, as published by the Iranian hacking group
(Video: from social media)
Another video of former IDF chief Herzi Halevi published by the Iranian hacker group
(Video: from social media)
The hackers said the material in their possession does not consist only of documents, but also live visual records from what they described as “crisis rooms” and highly secret facilities. They said that, unlike IDF censors, who often obscure the faces of officers and pilots, they possess thousands of fully exposed images of fighters and commanders at the highest ranks.
Based on the group’s posts on its website, the claims appear credible. Dozens of sample photos and videos were published with the statement, including material from Halevi’s official activities as military chief, such as visits to an Israeli Air Force base, meetings and other high-level discussions.
The archive also appeared to include photos and videos from Halevi’s family life, including images of his identity card and that of his wife.
Alleged images of Herzi Halevi published by the Iranian Handala group
(Photo: from social media)
The incident is being viewed as part of an aggressive psychological warfare campaign, and the timing of the release, a day after U.S. President Donald Trump’s announcement of a ceasefire in Iran, is unlikely to be coincidental.
The group also chose to publish what were described as supposedly embarrassing personal details, including a video showing Halevi in a humorous family setting at home. The stated goal of the publication was not only intelligence gathering but also to undermine the sense of security among Israel’s top military leadership under the message: “We are the shadow at the heart of your command.”
The alleged attack on Halevi does not stand alone. It joins a series of Iranian attempts to target symbols of Israeli government and security, and the current case was described as one that should shake the sense of security among senior figures in Israel’s defense leadership.
It was described as the fourth breach involving devices used by senior officials in Israel’s political and security establishment.
Previous breaches involved the devices of former defense minister Yoav Gallant, former prime minister Naftali Bennett, Benny Gantz and Tzachi Braverman, all senior officials with access to classified material.
It remains unclear how such incidents continue to occur despite earlier cases, particularly during wartime. The key difference this time is the scale of the material. The reported 19,000 files amount to a volume of information that could provide a broad intelligence picture, beyond mere personal harassment.
Social engineering
The technology underpinning these attacks does not necessarily require a direct breach of classified military networks that are segregated from the internet. More often than not, it involves social engineering techniques and the exploitation of civilian cloud services.
The track record of groups like Handala shows they specialize in spear phishing. The technology has been around since the 1990s, but it has evolved, now making use of artificial intelligence to craft credible-looking messages. Once a single personal device is compromised, or an iCloud or Google password is stolen, any information backed up automatically — including photos shared in family WhatsApp groups or documents photographed by mistake — effectively falls into the attacker’s hands.
The ability to maintain access for years, as the hackers claim, points to the use of sophisticated backdoors embedded in legitimate software updates or seemingly harmless applications.
According to Gil Messing, chief of staff at Check Point: “As in the past, the fact that there is a ceasefire in the kinetic war does not mean the cyberwar stops. On the contrary, after Operation Rising Lion, we saw an increase in attacks from Iran following the ceasefire, and as early as last night, Iranian attack groups made clear that the war in cyberspace would continue and intensify.
“So this morning, their target is the former chief of staff, in what appears to be access to a repository of personal photos and videos, which could, for example, be sitting in some email account or a personal account belonging to someone in his circle, and of course his own.
“There is no reason to assume this attack was carried out recently. It is entirely possible they simply sat on the material and waited for what they saw as the right moment to release it.
“It should be remembered that, as in the past, the group publicizes attacks that have some basis in reality, but with no small degree of exaggeration. In other words, there was likely some kind of breach connected to the former chief of staff, though not necessarily of a military system, as they claim. That said, it is important to stress that they are talking about very large volumes of material and warning that further leaks are coming. Past experience shows they tend to follow through on such claims.”
The defense establishment has not yet confirmed the authenticity of all the material, but the highly detailed publication itself amounts to a psychological win for the Iranians. The IDF has yet to respond to a request for comment.







