Pro-Iranian Handala Group Claims Cyberattack on Israeli Satellite Operator Spacecom
Israeli satellite operator Spacecom, which manages the AMOS satellite fleet, has found itself in turmoil after the pro-Iranian group Handala claimed to have compromised its infrastructure. The hackers published a statement on their darknet blog, a platform they routinely use to release stolen data.
The attackers claim to have gained access to the company’s ground stations and exfiltrated hundreds of gigabytes of information. However, subsequent analysis casts doubt on whether the intruders obtained data that could endanger satellite control.
Spacecom, with revenues estimated at around 100 million dollars, provides telecommunications services for both civilian and military purposes across Europe, the Middle East, and other regions. The AMOS fleet underpins communications and broadcasting, including through AMOS-17, whose clients were referenced in the leaked documents.
The hackers claimed to have stolen 379 gigabytes of data, including files purportedly collected from ground stations in multiple countries. They also released what they described as personnel-related records. Among the published materials were screenshots of nondisclosure agreements between Spacecom and its clients.
Experts at Cybernews, who analyzed a demo archive of approximately 960 megabytes, identified navigational and observational files in RINEX format — essentially satellite operation logs. While such data can assist in tracking current processes, they do not in themselves permit interference with satellite functions.
Researchers noted that although the leak may contain material useful for phishing or other attacks targeting the company’s staff, there is no conclusive evidence of access to confidential systems governing satellite operations. Nevertheless, specialists advise Spacecom to promptly audit its infrastructure for vulnerabilities and close any potential security gaps.
The Handala group is notorious for targeting Israeli and Western organizations. Its tactics resemble those of ransomware gangs, releasing data on its darknet site as leverage. Earlier this year, it also struck at Iran International, one of the few independent media outlets in Iran.