For over a decade, Iran has invested heavily in cyber warfare as a strategic capability, recognizing early that future conflicts would not be limited to physical battlefields but would instead unfold across digital environments and, more importantly, within the minds of populations.

Iranian cyber doctrine has consistently focused on three primary pillars: psychological impact, financial disruption, and physical enablement. These are not independent; they are designed to reinforce one another in a continuous and evolving campaign.

The recent activity attributed to the group known as Handala clearly reflects this doctrine in action. The alleged compromise of former IDF Chief of Staff Lt.-Gen. (ret.) Herzi Halevi marks a significant escalation in both targeting strategy and intended impact. It is not merely a technical incident; it is part of a broader influence and intelligence operation aimed at shaping perception, eroding confidence, and enabling future stages of conflict.

Israel’s Operation Rising Lion in June, which targeted Iran’s nuclear ambitions, led the region to witness a short but intense 12-Day War. While a ceasefire agreement was eventually reached, it quickly became evident that this pause applied only to kinetic operations. In cyberspace, the conflict continued uninterrupted. Iranian-linked threat actors, including Handala and Cyber Toufan, maintained persistent offensive activity against Israeli targets across multiple sectors.

These operations affected a wide range of industries, including recruitment agencies, defense-related entities, academic institutions such as the Weizmann Institute of Science, legal firms, and manufacturing companies.

The message left by the Handala hackers. (credit: SECTION 27A COPYRIGHT ACT)

However, the most strategically impactful shift was the deliberate targeting of high-profile individuals. Public figures such as former prime minister Naftali Bennett, former interior minister Ayelet Shaked, and other senior officials became central to these campaigns. 

The logic behind this approach is clear. Targeting well-known individuals achieves immediate visibility and guarantees media amplification, thereby maximizing psychological impact. It also provides attackers with access to highly valuable intelligence, including personal networks, communications, and behavioral patterns. This intelligence can later support real-world operations, whether directly or indirectly.

The alleged compromise of Halevi illustrates this dual-purpose strategy. According to the claims, personal identification documents, including ID cards and driver’s licenses belonging to Halevi and his spouse, were exposed. While such information may appear limited at first glance, its implications are far-reaching. Identity documents serve as foundational elements for authentication processes across numerous systems. They can be leveraged to reset passwords, bypass identity verification controls, and gain access to additional services and platforms.

More critically, access to a personal device, or even partial data extracted from it, can reveal an extensive digital footprint. Contact lists, communication histories, geolocation data, and images all provide insight into an individual’s close circle and daily routines. In some cases, images may include individuals whose identities are intentionally obscured in public contexts, creating further security risks. Records of Wi-Fi and Bluetooth usage can also be used to map networks and identify additional targets for lateral movement.

From a psychological perspective, the impact is immediate and significant. The message conveyed is not just that a system has been breached, but that even the most senior figures are vulnerable. This perception alone can undermine public confidence and create a sense of persistent exposure. It reinforces the narrative that adversaries possess the capability and the reach to operate deep within what is assumed to be secure territory. 

At a strategic level, these operations blur the line between cyber and traditional warfare. While no physical damage may be immediately visible, the groundwork is being laid for potential future actions. Intelligence gathered through cyber means can inform targeting decisions, enable surveillance, and support coordinated campaigns that extend beyond the digital domain.

It is also important to recognize that such campaigns often combine authentic data with exaggerated or unverified claims. Groups such as Handala operate not only as threat actors but also as influence operators. Their objective is to amplify uncertainty and pressure, regardless of the precise accuracy of each claim. This hybrid approach makes it more challenging to assess the true scope of compromise while still achieving the intended psychological effect.

Given this reality, the risks associated with these incidents cannot be dismissed. Even limited exposure can have cascading consequences, particularly when it involves individuals with access to sensitive environments or networks. The potential for secondary compromise, through password recovery mechanisms, social engineering, or indirect access paths, remains high. Furthermore, APT groups use such network data to map new networks, move laterally, and reach new environments.

For the Defense Ministry, the IDF, and the broader defense establishment, this situation demands a comprehensive response.

Traditional security measures focused on organizational systems are no longer sufficient. There must be a deeper emphasis on securing personal devices, enforcing strict identity verification controls, and monitoring for abnormal access patterns across both official and private environments. Former officials should also be included in this security perimeter, as their residual access and knowledge continue to make them attractive targets.

Ultimately, the compromise of Halevi, whether fully validated or partially exaggerated, serves as a clear indicator of the evolving nature of modern conflict.

Cyber operations are no longer a supporting element; they are a central component of strategic competition. Even in periods of declared ceasefire, the digital battlefield remains active, shaping the conditions for whatever comes next.

The writer is CEO of CYGHT and an expert on nation-state cyber warfare.