The thin gray line: Handala, CyberAv3ngers and Iran’s proxy ops

Summary

US government agencies have warned private sector organizations about potential infrastructure cyberattacks from Iranian-affiliated APT actors, referencing past attacks on water facilities linked to the group CyberAv3ngers. Groups like Handala and CyberAv3ngers present themselves as hacktivist collectives but are believed to be sponsored by Iran's Ministry of Intelligence and used for 'influence cyber operations' such as critical infrastructure disruptions.

IFF Assessment

FOE

The article details sophisticated cyber threats from state-sponsored Iranian proxy groups targeting critical infrastructure, which pose a significant risk to defenders.

Defender Context

Defenders should be aware of increased threats from Iranian APTs and their proxy groups targeting critical infrastructure, particularly water and wastewater systems. This highlights the ongoing trend of nation-states using sophisticated proxy groups for plausible deniability in cyberattacks, emphasizing the need for robust network segmentation and threat intelligence monitoring.
