As ongoing tensions escalate, reports indicate that Iranian cyber threat actors are leveraging Elon Musk's Starlink satellite internet service to remain operational. This reliance on American technology comes as one of Iran's most notorious hacker crews claims responsibility for retaliatory cyberattacks against the United States.

Handala Group's Reliance on Starlink Technology

Notorious Group Claims Retaliation

The Iranian hacker collective known as Handala has used the social media platform X (formerly Twitter) over the past two days to issue threats against Western nations. These threats are framed as retaliation following recent missile strikes conducted by the U.S. and Israel.

However, analysis from the Israeli cybersecurity firm Check Point reveals that Handala has been dependent on Starlink for connectivity. The group has reportedly been using the satellite internet service since at least mid-January, coinciding with Iran's internal internet shutdowns due to fears of foreign cyber intrusions.

Confirmation of Continued Use

Gil Messing, Chief of Staff at Check Point, confirmed that the firm's data shows Handala maintained Starlink usage up until at least February 28, the day the missile strikes occurred. Messing stated his belief that the group is still actively using the service today.

Messing described Handala as "the most notorious hacking group the regime uses." He further noted that the group is either operated or directed by Iran’s Ministry of Intelligence and Security (MOIS). Check Point reportedly contacted Starlink to report the hackers' use of their technology but had not received a response.

Starlink's Presence in Iran Despite Bans

Circumventing Restrictions

Starlink terminals, which provide crucial satellite internet access, are officially prohibited for use within Iran due to both the regime's regulations and existing American sanctions.

Despite these prohibitions, an estimated 30,000 Starlink terminals are currently operational inside the country, according to Holistic Resilience, a nonprofit organization dedicated to maintaining internet access for Iranians. These terminals are reportedly being smuggled into the nation.

It has also been noted that the Trump administration previously facilitated the smuggling of Starlink technology into Iran, primarily to enable protestors to broadcast events in Tehran internationally. This encouragement of Starlink use appears to have inadvertently benefited anti-American entities like Handala.

Handala's Recent Cyber Claims

In recent days, Handala has used X to voice support for Iran and claim successful breaches against Jordan’s fuel infrastructure, along with unspecified oil and gas sector businesses.

On the Sunday following the missile strikes, Handala posted on X: "Those who started the fire will hear the echo of our response in their own skies tonight. Our patience has reached its end, and our answer will be as decisive as history itself."

Sanaz Yashar, co-founder and CEO of cyber company Zafran and a former Israeli intelligence staffer, suggested that Handala's continued operations show that missile strikes are not an effective means to neutralize cyber capabilities. She noted, "It can work temporarily, but they will come back."

Implications for Elon Musk's Platforms

Sanctions Violation Concerns

Given Handala's documented ties to MOIS, the group's continued use of a premium X account—which costs $8 monthly—presents a potential legal issue for Elon Musk. U.S. sanctions prohibit American companies from conducting business with MOIS.

Handala is not the only government-linked Iranian entity utilizing paid features on X. The Tech Transparency Project previously released data showing that high-ranking Iranian officials, including the head of the judiciary, and state media outlets like Al-Alam, had purchased premium accounts.

Other Related Cyber Activity

Following the weekend missile exchanges, both sides reportedly launched cyber operations. Flashpoint, an American cybersecurity research company, reported that Fatimiyoun Electronic Team, another MOIS-affiliated group, attempted to deploy "wiper" malware against Israeli computers to erase data.

Additionally, BadeSaba, a popular Iranian prayer and calendar application used by over five million people, was breached. Hackers used the compromised app to broadcast messages instructing members of the Iranian Revolutionary Guard Corps to surrender and providing coordinates for anti-regime protestor "safe zones."