The perfect recipe for how to turn even a petty theft into an event of a world scale.
Cyberattacks are increasingly going beyond the usual scenario, where malware and vulnerabilities play a major role. A new study shows that today the effect of hacking is often created not so much by technical means as by competent work with the information agenda and public attention.
DomainTools analysts came to the conclusion that the groups Homeland Justice, Karma and Handala are not scattered associations. We are talking about a single ecosystem associated with the Ministry of Intelligence and Security of Iran. Different names are only as masks that allow you to flexibly change the rhetoric, goals and level of responsibility, while maintaining the overall infrastructure and working methods.
The campaign began to emerge in 2022 against the backdrop of attacks against Albania. Even then, a model was formed, in which the hacking served only the first stage. After gaining access, the attackers unloaded the data, disrupted the operation of the systems and almost immediately published information in open sources, enhancing the effect through media and social networks. Over time, the approach has become more complicated: observation tools and control channels through Telegram were added to the basic methods.
Special attention is paid to how the logic of attacks itself changes. In new operations, hacking, surveillance, leakage and information pressure occur at the same time. An example was the attack on Stryker, where the attackers combined access to data with the management of corporate infrastructure and the parallel distribution of statements in the public space.
Telegram took a central place in this scheme. The platform is used both to control infected systems and to distribute messages and publish stolen data. Due to this, dependence on its own infrastructure decreases and the stability of operations increases.
At the same time, the real technical results of attacks are often inferior to the effect that is created around them. Many statements remain partially confirmed or not confirmed at all, but the very fact of publication forces the organization to respond, and the media to actively cover the incidents. As a result, even limited access to an account or a small amount of data turns into an event with serious reputational consequences.
The authors of the report emphasize that attackers rarely use complex vulnerabilities. More often, password selection, phishing or operation of weak access settings are used. The key difference is not in the way of penetration, but how the data obtained are turned into an information tool of pressure.
This model shows a shift in the development of cyber operations. The technical part remains important, but a decisive role is played by the ability to control attention and form the perception of what is happening. In the new conditions, even a small leak can become a large-scale incident, if it is competently integrated into the information agenda.
Cyberattacks are increasingly going beyond the usual scenario, where malware and vulnerabilities play a major role. A new study shows that today the effect of hacking is often created not so much by technical means as by competent work with the information agenda and public attention.
DomainTools analysts came to the conclusion that the groups Homeland Justice, Karma and Handala are not scattered associations. We are talking about a single ecosystem associated with the Ministry of Intelligence and Security of Iran. Different names are only as masks that allow you to flexibly change the rhetoric, goals and level of responsibility, while maintaining the overall infrastructure and working methods.
The campaign began to emerge in 2022 against the backdrop of attacks against Albania. Even then, a model was formed, in which the hacking served only the first stage. After gaining access, the attackers unloaded the data, disrupted the operation of the systems and almost immediately published information in open sources, enhancing the effect through media and social networks. Over time, the approach has become more complicated: observation tools and control channels through Telegram were added to the basic methods.
Special attention is paid to how the logic of attacks itself changes. In new operations, hacking, surveillance, leakage and information pressure occur at the same time. An example was the attack on Stryker, where the attackers combined access to data with the management of corporate infrastructure and the parallel distribution of statements in the public space.
Telegram took a central place in this scheme. The platform is used both to control infected systems and to distribute messages and publish stolen data. Due to this, dependence on its own infrastructure decreases and the stability of operations increases.
At the same time, the real technical results of attacks are often inferior to the effect that is created around them. Many statements remain partially confirmed or not confirmed at all, but the very fact of publication forces the organization to respond, and the media to actively cover the incidents. As a result, even limited access to an account or a small amount of data turns into an event with serious reputational consequences.
The authors of the report emphasize that attackers rarely use complex vulnerabilities. More often, password selection, phishing or operation of weak access settings are used. The key difference is not in the way of penetration, but how the data obtained are turned into an information tool of pressure.
This model shows a shift in the development of cyber operations. The technical part remains important, but a decisive role is played by the ability to control attention and form the perception of what is happening. In the new conditions, even a small leak can become a large-scale incident, if it is competently integrated into the information agenda.
