Beyond Handala: Iran's Expanding Cyber War and What the United States Must Do Now
Oludare Ogunlana · Mar 28 · 7 min read · Updated: Apr 6
As the Handala Hack Team's breach of FBI Director Kash Patel's personal email reverberates through Washington, OSRS examines the full landscape of Iranian cyber actors, projects where this escalation is headed, and delivers actionable guidance for government agencies and American businesses operating in the crosshairs of Tehran's digital war machine.

The breach of FBI Director Kash Patel's personal Gmail by the Handala Hack Team is a headline. However, it is not the whole story. Behind Handala stands an ecosystem of Iranian cyber actors. Each has distinct mandates, technical signatures, and target sets. They are now operating under wartime conditions following the launch of Operation Epic Fury on February 28, 2026. To understand where this threat is going, one must first understand who is driving it.
IRAN'S CYBER ARMY: MAPPING THE THREAT LANDSCAPE
Iran does not fight its cyber battles with a single weapon. It fields a layered architecture of state-directed units, contracted hacker groups, and influence operation cells. Each plays a distinct role in the broader strategic campaign. The following are the principal actors American government agencies and businesses must now track.
Handala Hack Team (MOIS)
As established in OSRS's previous analysis, Handala is a persona controlled by Iran's Ministry of Intelligence and Security. It specializes in high-visibility intrusions, data theft, psychological operations, and violence incitement. Its recent breach of Patel's Gmail and claimed attacks on Lockheed Martin and Stryker Corporation mark it as the most operationally aggressive Iranian actor currently in the field.
APT33 (Refined Kitten) — IRGC-Linked
APT33 is one of Iran's most technically sophisticated persistent threat groups, linked to the Islamic Revolutionary Guard Corps. It has historically targeted aviation, energy, and defense sectors in the United States, Saudi Arabia, and South Korea. Its signature tools include destructive wipers and spear-phishing campaigns tailored to industrial control systems. In a wartime posture, APT33's most dangerous capability is not data theft but infrastructure destruction.
APT34 (OilRig) — MOIS-Linked
APT34 is a long-running Iranian espionage group with deep penetration experience in the Middle Eastern financial, government, and energy sectors. It has demonstrated the ability to maintain persistent, undetected access inside victim networks for extended periods. Its tradecraft includes DNS hijacking, credential harvesting, and the deployment of custom backdoors. In the current conflict environment, APT34 represents Iran's premier long-game intelligence collection capability against American partner nations.
Charming Kitten (APT42) — IRGC Intelligence Organization
Charming Kitten specializes in social engineering and targeted surveillance of dissidents, journalists, academics, policy researchers, and government officials. It has successfully compromised personal accounts belonging to U.S. think tank scholars, nuclear negotiators, and Iranian-American community leaders. Charming Kitten's current priority target set almost certainly includes anyone advising the U.S. government on Iran policy, anyone with access to Operation Epic Fury planning circles, and diaspora community leaders in cities with large Iranian-American populations.
Moses Staff and Abraham's Ax
These Iran-linked groups have demonstrated a willingness to deploy destructive ransomware-style attacks not for financial gain but purely for reputational and operational damage. Their model is to encrypt, exfiltrate, and leak, with no intention of negotiating decryption. Any U.S. organization that finds itself targeted by these actors should assume its data will be published, not ransomed.
HOW FAR WILL THEY GO? AN OSRS THREAT PROJECTION
The central intelligence question facing American security planners right now is not whether Iranian cyber actors will escalate further. They will. The question is along which vectors, at what pace, and against which target categories.
Short-Term Projection (30 to 90 Days)
OSRS assesses with high confidence that the next phase of Iranian cyber operations will feature continued personal account compromises of senior U.S. officials and their immediate networks. The Patel breach was a proof of concept and a provocation simultaneously. Iran is gauging the American response.
If that response is limited to domain seizures and press statements, additional personal compromises of cabinet-level officials, senior military officers, and key congressional figures should be anticipated. Simultaneously, Handala and affiliated actors will almost certainly continue targeting U.S. defense contractors. This is particularly true for those supplying munitions, missile defense systems, and precision-guided weaponry to Israel. Lockheed Martin, Raytheon, Boeing Defense, and L3Harris are all elevated-risk targets in this window.
Medium-Term Projection (90 to 180 Days)
If the kinetic conflict continues or intensifies, OSRS projects a meaningful probability of destructive cyberattacks against U.S. critical infrastructure. This is not speculative. Iran has previously demonstrated the willingness and technical capability to target water treatment facilities, power grid management systems, and financial sector networks. Under wartime conditions, with domestic pressure mounting inside Iran and the IRGC seeking to demonstrate strategic deterrence, a destructive attack against a U.S. critical infrastructure sector becomes a plausible contingency rather than a worst-case scenario.
The energy sector warrants particular attention. Iranian actors have deep familiarity with operational technology environments in oil, gas, and electricity generation from years of operations against Gulf state producers. American energy infrastructure, particularly in Texas and the Gulf Coast, should be considered an elevated-risk target category.
Long-Term Projection (Beyond 180 Days)
The most consequential long-term risk is not a single spectacular attack but sustained, low-visibility intelligence penetration of U.S. government and defense contractor networks. Iran does not need to blow up a pipeline to win strategically. It needs to understand American military planning, weapons system capabilities, diplomatic communications, and negotiating positions well enough to neutralize American strategic advantages. APT33 and APT34 are the tools designed for exactly this mission. Every month this conflict continues is another month Iran's persistent access campaigns are running inside networks their operators have already breached.
"Iran does not need to match American military power. It needs only to erode American strategic information advantage. In that competition, patience is Iran's greatest weapon."
WHAT THE UNITED STATES GOVERNMENT MUST DO
Mandate Personal Device and Account Security for All Senior Officials
The Patel breach involved a personal Gmail account. This is a systemic vulnerability, not an individual failure. The U.S. government must immediately implement mandatory multi-factor authentication, regular dark web monitoring of officials' personal accounts, and security briefings that address personal digital hygiene as a national security imperative, not an IT formality.
Elevate the CISA Threat Advisory to Wartime Posture
The Cybersecurity and Infrastructure Security Agency must issue sector-specific wartime-level threat advisories to all 16 critical infrastructure sectors. There is particular urgency for energy, defense industrial base, water systems, and financial services. These advisories must go beyond generic warnings and deliver specific indicators of compromise associated with the full Iranian actor ecosystem, not only Handala.
Accelerate the Disruption of Iranian Cyber Infrastructure
Domain seizures are necessary but insufficient. The United States Cyber Command must be authorized and resourced to conduct sustained offensive cyber operations against Iranian threat actor infrastructure. This includes command-and-control servers, malware staging environments, and the financial networks that fund Iranian contractor hacking groups. Reactive defense alone will not deter a state actor operating under wartime conditions.
Strengthen Diaspora Community Cybersecurity
Iranian-American community organizations, journalists, dissidents, and civic leaders are active targets of Iranian cyber and hybrid operations. CISA and the FBI must extend dedicated cybersecurity support and threat briefings to diaspora communities, particularly in major metropolitan areas. This is not a peripheral concern. It is a front in the current conflict.
Formalize the Iran-Cartel Hybrid Threat Response
The confirmed nexus between Handala and CJNG cartel operatives requires a whole-of-government response. This response must bridge the traditional separation between cybersecurity and organized crime enforcement. The FBI, DEA, and DHS must establish a formal joint task force structure to monitor, interdict, and prosecute cartel-facilitated violence commissioned through Iranian cyber channels.
WHAT AMERICAN BUSINESSES MUST DO NOW
The private sector is not a bystander in this conflict. It is a primary target. The following measures represent the minimum acceptable security posture for any organization operating in sectors of interest to Iranian cyber actors.
Assume You Are Already Targeted
Any organization connected to U.S. defense, energy, healthcare, finance, or technology that has not already conducted an Iranian threat-focused security audit is operating with an unexamined risk profile. The first step is acknowledging that Iranian actors have the motivation, the capability, and potentially the existing access to cause significant damage.
Harden Operational Technology Environments
For energy companies, manufacturers, water utilities, and transportation operators, operational technology network segmentation is not optional in this environment. The air gap between information technology and operational technology systems must be verified, not assumed. Iran's most dangerous destructive capabilities are aimed at OT environments.
Implement Executive and Board-Level Personal Security Protocols
As the Patel breach demonstrates, the personal accounts of senior executives are legitimate intelligence collection targets. Boards of directors and C-suite leadership at organizations in Iranian target sectors should immediately receive personal cybersecurity assessments. They should also have dedicated threat monitoring for personal email and social media accounts, along with guidance on reducing personal digital exposure.
Activate Threat Intelligence Sharing
Organizations with existing relationships with Information Sharing and Analysis Centers in their respective sectors must maximize threat intelligence sharing in real time. Iranian actor indicators of compromise, phishing lures, and malware signatures are circulating within the security research community. No organization should be learning about a Handala or APT33 campaign from a news headline when it could have had the intelligence days earlier through active sharing channels.
Review Third-Party and Supply Chain Risk
Iranian actors frequently use third-party vendors, subcontractors, and technology suppliers as initial access vectors into larger target organizations. Every organization in a high-risk sector must audit its third-party access privileges, require security certifications from vendors with network access, and implement continuous monitoring of third-party connections.
"Cybersecurity in a wartime environment is not a technology problem. It is a leadership problem. Organizations that treat it as the former and ignore the latter will discover the difference at the worst possible moment."
CONCLUSION: THE WAR IS ALREADY INSIDE THE NETWORK
The breach of Kash Patel's email is a warning written in plain language. Iran is at war with the United States in cyberspace. It is prosecuting that war with discipline, creativity, and escalating audacity. Handala is the visible edge of a much larger and more capable threat ecosystem. Behind the headlines about leaked photographs and personal emails lies a sustained strategic campaign. This campaign aims to degrade American information advantage, terrorize diaspora communities, disrupt critical infrastructure, and project Iranian power in a domain where geography offers no protection.
The United States and its private sector partners have the capability to defend against and disrupt Iranian cyber operations. The question is whether they will deploy that capability with the urgency this moment demands or continue treating a wartime threat with a peacetime response. OSRS will continue to monitor and report on this campaign as it develops.
Dr. Sunday Oludare Ogunlana is the Founder and CEO of OGUN Security Research and Strategic Consulting LLC (OSRS), a Texas-licensed intelligence and security consulting firm. A Professor of Cybersecurity and national security scholar, he advises global intelligence and policy bodies on cyber threats, AI governance, and geopolitical risk at the intersection of emerging technology and state power. His work spans counterterrorism, digital forensics, and strategic threat analysis across the United States, Africa, and the Middle East. Learn more at www.ogunsecurity.com