Iran: The Camel Hacks Back – Part 2

The West taught Iran cyberwarfare. Not intentionally - but systematically. When the NSA and Israeli intelligence launched the Stuxnet worm into Iranian nuclear facilities in 2010, they believed they were targeting a technologically inferior adversary. They were targeting a civilization more than three thousand years old, with millions of highly trained engineers - and they handed it the most effective blueprint for modern cyber weapons ever involuntarily shared. What followed was no accident: Shamoon in 2012, the Sands Casino attack in 2014, Handala in 2026. Each step a direct response to a Western provocation. Each step more precise than the last. Build Stuxnet, and you get Handala. That's not punishment. That's physics.

by Michael Hollister
Published at apolut media on April 13, 2026

3,465 words · 18 minutes reading time

Part 1 can be found here:
Iran: The Camel Hacks Back – Part 1
Iran’s Cyber War Hits Stryker, Lockheed Martin, and the FBI Director Personally

From Stuxnet to Handala – How the West Made Iran a Cyber Power

This article is Part 2 of a series. Part 1 – “The Camel Hacks Back: How the Hacker Group Handala Hit US Defense Contractors” – lays the operational groundwork for understanding this text. Readers who want the full account of the 2026 events will find their starting point there.

The West’s Most Expensive Mistake

The attack was meticulously planned, executed at the highest technical level, and unprecedented in its strategic audacity. When American and Israeli intelligence services jointly introduced the Stuxnet computer worm into the networks of Iranian nuclear facilities, they believed they had exploited a decisive weakness: Iran, so the assumption went, would be unable to strike back. The country was considered technologically backward, its population incapable of mastering the complexity of modern cyber operations.

It was a mistake. And it changed the world.

Sixteen years after Stuxnet, an Iranian-directed hacker group called Handala wiped the servers of an American defense contractor, stole 50 terabytes of data, and compromised the private Gmail account of the FBI director. The path from Natanz to Washington is not a story of the surprising rise of an unknown actor. It is the predictable consequence of a fundamental error: believing that you can teach a civilization more than three thousand years old, with 85 million people, how to wage war – without it learning.

Persia, Not Hollywood

Anyone who wants to understand the image the West has of Iran need only ask a German evening news viewer. What comes to mind? Desert. Camels. Men with beards and Kalashnikovs. Women behind black veils. A society frozen somewhere in the Middle Ages.

This image is not merely wrong. It is dangerously wrong – because it produces strategic miscalculations with real consequences.

Reality looks different. Iran’s urbanization rate stands at 77.26 percent according to World Bank data – roughly as urbanized as France or Germany. Tehran is a megacity with more than 15 million people in the greater metropolitan area, with chronic traffic jams, a developed subway network, university campuses, coffee houses, and a vibrant cultural scene. Isfahan, the city where two of Stuxnet’s five initial entry points were located, is a metropolis of more than two million people, one of the country’s most significant engineering regions, and simultaneously one of the most remarkable testimonies to Persian architectural history – the mosques and palaces around Naqsh-e Jahan Square are a UNESCO World Heritage Site. (World Bank / Statista, Iran urbanization rate 2023, https://www.statista.com/statistics/455841/urbanization-in-iran/)

Iran has one of the highest university enrollment rates in the region. Engineering and mathematics are considered culturally prestigious fields; the pressure to excel in the sciences is comparable to the educational ethos of East Asian societies. Iranians are present in leading American technology companies, at Western European research institutions, and in international developer communities – often without their origin attracting notice, because it simply doesn’t. They are, as everywhere in the world, people who work for their families, pursue prosperity, and want a secure future. The image of the backward desert dweller is a Western projection, not a Persian reality.

Sharif University of Technology in Tehran ranks 375th in the QS World University Rankings 2026 and places among the top 200 universities worldwide in computer science and in electrical and electronic engineering. Eighty-five Iranian universities are represented in the Times Higher Education Rankings 2025. The University of Tehran ranks 22nd in the world in petroleum engineering – ahead of most German universities. Iranians study at Cambridge, MIT, and in Silicon Valley. They write algorithms, found startups, and develop chip architectures. Those who don’t know this cannot understand what actually happened in Natanz in 2010 – or what was bound to follow. (QS World University Rankings 2026 / Tehran Times, https://www.tehrantimes.com/news/514894/Nine-Iranian-universities-in-QSWUR-2026-ranking)

Persia is not a modern invention. It is one of the oldest civilizations in human history – older than the Roman Empire, older than most European nations as political entities at all. Awareness of that heritage is pervasive in Iran and shapes the national character: pride in origin, hunger for education, resilience under external pressure. Anyone who believes such a country can be strategically broken by a computer worm has not understood the fundamentals of power politics.

Stuxnet 2010 – The Lesson Nobody Intended to Give

On June 22, 2009, the first known variant of Stuxnet was compiled. Hours later it was active on its first known victim: a machine belonging to the Iranian engineering firm Foolad Technic Engineering Co. in Isfahan. Stuxnet had begun its journey to Natanz.

What Stuxnet was is now well documented. Kaspersky researchers and Symantec analysts spent years dissecting the worm. The result: a masterwork of state-level cyber offense, developed jointly by the American NSA and Israeli military intelligence Unit 8200 under the codename “Olympic Games” – initiated under President George W. Bush, continued under Barack Obama. The target was Iran’s uranium enrichment program at Natanz, whose centrifuges were to be damaged by precisely manipulating the frequency converters that drive their rotors, pushing them outside their safe operating range – while the monitoring screens of Iranian technicians displayed normal operations.

Stuxnet was technically exceptional in every regard. It exploited four so-called zero-day vulnerabilities simultaneously – security flaws previously unknown, for which no patches existed. Its kernel drivers were additionally signed with code-signing certificates stolen from two Taiwanese hardware vendors, so that Windows loaded them without complaint. Kaspersky researcher Roel Schouwenberg called this “a fundamentally new number”: not only was it the first known state-sponsored cyberattack on physical infrastructure, it was also the first time anyone had combined four such exploits in a single operation. Stuxnet demonstrated that computer software can be a weapon capable of causing physical destruction – without a single bomb falling. (Kaspersky Securelist, Stuxnet Zero Victims, November 2014, https://securelist.com/stuxnet-zero-victims/67483/) (IEEE Spectrum, “The Real Story of Stuxnet,” David Kushner, February 2013, https://spectrum.ieee.org/the-real-story-of-stuxnet)

Kaspersky later identified five so-called “Patient Zero” organizations – the entry points through which Stuxnet made its way to the target facility. They were not intelligence agencies or military installations. They were Iranian engineering firms in Isfahan and Tehran: Foolad Technic Engineering Co., Behpajooh Co. Elec & Comp. Engineering, the Neda Industrial Group, Control-Gostar Jahed Company, and Kalaye Electric Company – regarded as the primary manufacturer of Iranian uranium enrichment centrifuges. The worm traveled via USB drives through a supply chain its operators had evidently mapped step by step, until it reached its target. Along the way it infected more than 200,000 computers, destroyed approximately 1,000 centrifuges, and set back the Iranian nuclear program by an estimated one to two years.

What came next was apparently not planned for by the architects of Olympic Games: Iran analyzed the weapon that had been used against it. And Iran learned.

That was no mysterious capability and no extraordinary feat. It was the predictable reaction of a state with sufficient human capital, sufficient political will, and a concrete motivation. Stuxnet had not merely destroyed centrifuges – it had provided Iran with a blueprint. Not a reusable one at the code level: the worm was a precision sabotage tool aimed at Siemens PLCs, not a wiper, and its zero-days were patched once it became public. What could be reused was everything above the code: the staging through supply-chain partners, the use of removable media to cross air gaps, the deception of operators at their screens, and the proof that software alone can produce physical and economic damage. Kaspersky researchers who later analyzed Shamoon – Iran’s next major cyberattack – recognized in it the same destruction-oriented approach and the same operational philosophy. Stuxnet was the best training course anyone has ever involuntarily conducted.

The state response to Stuxnet was not capitulation and not helplessness. It was a strategic decision: if cyber weapons are real weapons – and Stuxnet had proven that irrefutably – then Iran needs its own. The program built in the years that followed is today one of the most severely underestimated military capabilities in the world.

Shamoon 2012 – The Answer Comes From Isfahan

On August 15, 2012, the computer systems of Saudi Aramco, the world’s largest oil producer, were hit by malware that spread through the network at a speed that left even experienced security professionals stunned. Within ten hours, 35,000 computers were rendered inoperable. The hard drives were wiped and overwritten with a single image: a burning American flag.

Saudi Aramco had to revert operations to fax machines, physical mail, and typewriters. The company that controls ten percent of the world’s oil supply purchased large portions of the global hard drive market in the weeks that followed to rebuild its systems. The attack was named Shamoon.

Defense Secretary Leon Panetta publicly described it as “the most destructive cyberattack the private sector has ever seen” and warned of a looming “Cyber Pearl Harbor.” Attribution was not speculation: NSA documents made public through Edward Snowden indicate that American intelligence officials attributed the Shamoon attack to Iran and explicitly noted that Iran had “demonstrated a clear ability to learn in conducting an attack of this nature.” (CFR Cyber Operations, Compromise of Saudi Aramco and RasGas, https://www.cfr.org/cyber-operations/compromise-of-saudi-aramco-and-rasgas)

That sentence is the key. Four months before the Aramco attack, in April 2012, a still not fully attributed attack using malware called Wiper had struck the systems of Iran’s Oil Ministry and the National Iranian Oil Company. Iran had experienced firsthand how wiper malware works. Shamoon copied that technique, refined it, and directed it against Iran’s regional rival. The learning cycle had begun.

What Shamoon meant strategically was more than a single attack. It was the announcement of a doctrine: Iran destroys data rather than stealing it. That is not a technical limitation – intelligence services with sufficient resources can do both. It is a strategic choice. Maximum damage to the target is the objective, not intelligence yield. That doctrine, fourteen years later, is still recognizable in every Handala operation.

Sands Casino 2014 – When Words Have Consequences

In October 2013, Sheldon Adelson appeared on a panel at Yeshiva University in New York. Adelson was at that point the seventh-richest person in the world, the largest individual donor to the American Republican Party, and one of the most vocal supporters of Israel. Asked about the Iranian nuclear program, he proposed a message: the United States should detonate a nuclear bomb in the Iranian desert – as a warning. “If you’re going to be annihilated, keep acting the way you’re acting,” Adelson told the audience.

Two weeks later, Khamenei responded publicly: America should “shut this man’s mouth.”

Four months passed. In February 2014, one early morning, the computers in the offices above the casino floor of the Venetian in Las Vegas began going dark. Email was gone. Phones didn’t work. Within an hour, technicians had the diagnosis: Las Vegas Sands Corporation, the world’s largest gambling company, was under a devastating cyberattack.

The attackers had penetrated months earlier – through the weakest point in the chain, a development web server at the Sands Casino in Bethlehem, Pennsylvania. They had moved through the network at their leisure, collecting credentials, mapping the architecture. When they struck, it was precise: three-quarters of all Las Vegas servers were wiped. Total damage was estimated at a minimum of $40 million. On the destroyed systems, the attackers left messages addressed to Adelson personally: “Advocating for the use of weapons of mass destruction is a crime under any circumstances.” (Bloomberg Businessweek, “Iranian Hackers Hit Sheldon Adelson’s Sands Casino,” December 2014, https://www.bloomberg.com/news/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas)

A year after the attack, in February 2015, Director of National Intelligence James Clapper confirmed before the Senate: Iran was the perpetrator. It was the first major destructive cyberattack on an American company – and it had an unambiguous causal chain: public threat, state response, personal retribution. A new dimension of Iranian cyber doctrine had been established: those who publicly threaten Iran become individual targets – regardless of whether they are a state, a corporation, or a private individual. (Bloomberg, “Iran Behind Cyber-Attack on Adelson’s Sands Corp., Clapper Says,” February 2015, https://www.bloomberg.com/news/articles/2015-02-26/iran-behind-cyber-attack-on-adelson-s-sands-corp-clapper-says)

Building the Invisible Army – Proxy Infrastructure 2019 to 2023

Russia had invented the model. With fronts such as Guccifer 2.0 and the “Fancy Bears’ Hack Team” persona – both later attributed by US indictments to the GRU – Moscow had demonstrated how to conduct cyber operations without having to accept direct responsibility: state objectives, independent identities, plausible deniability externally. Iran observed. Iran learned. Iran replicated it – and refined it.

Iran’s Ministry of Intelligence and Security, known by its Persian acronym MOIS, developed from approximately 2019 onward a system of fake hacktivist personas that in its operational sophistication exceeds the Russian model. The basic structure: a state unit – tracked by cybersecurity researchers under the name Void Manticore and internally assigned to the MOIS Counter-Terrorism division – operates several publicly visible personas simultaneously, each with its own name, its own logo, its own communications strategy. Homeland Justice was deployed from mid-2022 for attacks on Albanian government infrastructure – the backdrop being Albania’s decision to host the Iranian opposition group Mujahedeen e-Khalq (MEK) on its territory. Karma Below operated in parallel. Handala emerged in late 2023 and has since become the most prominent of the three. The US Department of Justice seized four domains attributable to these personas on March 19, 2026, and documented the operational playbook in court filings: destructive cyberattack, theft of sensitive data, publication under the persona, psychological warfare against dissidents and journalists – all from one source, all coordinated, all deniable. (US Department of Justice, “Justice Department Disrupts Iranian Cyber-Enabled Psychological Operations,” March 19, 2026, https://www.justice.gov/opa/pr/justice-department-disrupts-iranian-cyber-enabled-psychological-operations) (Check Point Research, “Handala Hack – Unveiling Group’s Modus Operandi,” March 12, 2026, https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/)

According to Check Point Research, operational control over Void Manticore rested with the MOIS Counter-Terrorism division under the supervision of Seyed Yahya Hosseini Panjaki – who, according to the same source, was killed in the Israeli strikes on Iran in early March 2026. This attribution has not been independently confirmed.

The operational playbook that DOJ and Check Point document independently is standardized: intrusion via stolen VPN credentials, lateral movement via Remote Desktop Protocol, simultaneously deployed wiper tools, manual deletion of backups, followed by publication of stolen data under the relevant persona. The dual effect is intentional: real technical damage plus high-visibility psychological operation. What presents as hacktivism is state warfare with a professional cover identity.
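A defender’s view of that playbook, as an added example that is not from the article or from the DOJ and Check Point reports it cites: the Python below correlates the four stages per account over constructed sample log lines. Each stage on its own is routine administration (VPN logons with valid credentials, RDP sessions, vssadmin runs by backup software), so the alert-worthy signal is the sequence inside a short window after the VPN logon. The log format, field names, the user and host names, the time window, and the mapping of stages to events (Windows 4624 with logon type 10 for RDP, 4688 for process creation, and a hypothetical EDR “raw_disk_write” event for the wiper) are assumptions made for this example.

```python
"""Correlate the wiper playbook stages per account over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Line format, field names, user
# and host names are assumptions for this example:
#   <ISO-8601 timestamp> <source> key=value key="quoted value" ...
SAMPLE_LOGS = r"""
2026-03-10T01:02:11Z vpn user=j.doe src=198.51.100.23 result=success
2026-03-10T01:05:40Z winsec host=WS-0042 event=4624 logon_type=10 user=j.doe src=10.8.0.17
2026-03-10T01:31:02Z winsec host=FS-01 event=4624 logon_type=10 user=j.doe src=10.20.1.42
2026-03-10T01:40:19Z winsec host=FS-01 event=4688 user=j.doe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"
2026-03-10T01:40:25Z winsec host=FS-01 event=4688 user=j.doe image=C:\Windows\System32\wbadmin.exe cmd="wbadmin delete catalog -quiet"
2026-03-10T01:52:03Z edr host=FS-01 event=raw_disk_write user=j.doe image=C:\Users\Public\svc.exe target=\\.\PhysicalDrive0
2026-03-10T08:10:00Z vpn user=a.smith src=203.0.113.9 result=success
2026-03-10T08:12:30Z winsec host=WS-0101 event=4624 logon_type=10 user=a.smith src=10.8.0.22
2026-03-10T09:00:00Z winsec host=WS-0101 event=4688 user=a.smith image=C:\Windows\System32\notepad.exe cmd="notepad.exe notes.txt"
"""

STAGE_NAMES = {1: "vpn_logon", 2: "rdp_lateral_movement",
               3: "backup_destruction", 4: "wiper_raw_disk_write"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Command lines commonly used to destroy recovery points before a wiper runs.
BACKUP_KILL_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(?:\.exe)?.*recoveryenabled\s+no",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one log line into a dict; None for blank or unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": m["source"]}
    for key, value in KV_RE.findall(m["rest"]):
        event[key] = value[1:-1] if value.startswith('"') else value
    return event


def stage_of(event):
    """Map an event to a playbook stage number, or None if it matches none."""
    if event["source"] == "vpn" and event.get("result") == "success":
        return 1
    if event.get("event") == "4624" and event.get("logon_type") == "10":
        return 2  # Windows: successful logon, type 10 = RemoteInteractive (RDP)
    if event.get("event") == "4688" and BACKUP_KILL_RE.search(event.get("cmd", "")):
        return 3  # Windows: process creation with a backup-destroying command line
    if event.get("event") == "raw_disk_write":
        return 4  # assumed EDR event: process opening a physical drive for writing
    return None


def correlate(log_text, window=timedelta(hours=4), min_stages=3):
    """Return {user: {"stages": [...], "hosts": [...]}} for accounts that reach
    at least `min_stages` distinct stages within `window` of a VPN logon."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and "user" in event:
            per_user[event["user"]].append(event)

    findings = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        reached, chain_start, hosts = [], None, set()
        for event in events:
            stage = stage_of(event)
            if stage is None:
                continue
            if stage == 1:  # a new VPN logon opens a fresh correlation window
                chain_start, reached, hosts = event["ts"], [1], set()
                continue
            if chain_start is None or event["ts"] - chain_start > window:
                continue
            if stage not in reached:
                reached.append(stage)
            if "host" in event:
                hosts.add(event["host"])
        if len(reached) >= min_stages:
            findings[user] = {"stages": [STAGE_NAMES[s] for s in reached],
                              "hosts": sorted(hosts)}
    return findings


if __name__ == "__main__":
    for user, detail in correlate(SAMPLE_LOGS).items():
        print(f"{user}: {' -> '.join(detail['stages'])} on {', '.join(detail['hosts'])}")
```

On the sample, j.doe trips all four stages on two hosts while a.smith, who also logs in over VPN and then RDP, stays below the threshold. The practical point is where to put the tripwire: the backup-destruction stage is both rare in legitimate activity and, in this playbook, precedes the wiper, so alerting on it with a short VPN-to-RDP prelude buys the minutes needed to isolate the host before the last stage runs.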

2026 – The West Is the Target

On February 28, 2026, US and Israeli forces launch Operation Epic Fury. Within hours of the initial strikes, Iran activates a multidimensional response. Palo Alto Networks Unit 42 documents within days an ecosystem of more than 60 active hacktivist groups, coordinated through a newly established “Electronic Operations Room.” Pro-Iranian groups from Iraq, Lebanon, Yemen, and the regional diaspora – all synchronized, all active. (Palo Alto Networks Unit 42, “Threat Brief – March 2026 Escalation of Cyber Risk Related to Iran,” March 26, 2026, https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/)

Handala remains the most visible persona. On March 11, 2026, Handala claims responsibility for a destructive malware attack on Stryker Corporation, an American medical technology and defense supplier. 200,000 internal systems affected, 50 terabytes of data stolen – as documented in detail in Part 1 of this series. On March 27, 2026, CNN reports that the private Gmail account of FBI Director Kash Patel was compromised. Both attacks are confirmed as MOIS operations in the Director of National Intelligence’s Annual Threat Assessment 2026. (CNN, “Pro-Iran Hackers Claim Wiper Attack on Medical Device Maker Stryker,” March 11, 2026, https://www.cnn.com/2026/03/11/politics/pro-iran-hackers-cyberattack-medical-device-maker) (CNN, “Iran-Linked Hackers Compromised FBI Director Patel’s Gmail,” March 27, 2026, https://www.cnn.com/2026/03/27/politics/iran-linked-hackers-fbi-director-patel) (Office of the Director of National Intelligence, Annual Threat Assessment 2026, https://www.dni.gov/files/ODNI/documents/assessments/ATA-2026-Unclassified-Report.pdf)

Target selection is not arbitrary. Stryker supplies medical systems to US forces and is part of the American military ecosystem as a defense contractor. Patel, as FBI director, is the most prominent public face of American law enforcement. The targets are strategically chosen: maximum visibility, maximum symbolic value, maximum psychological pressure. It is the same logic as Adelson in 2014 – scaled to state level.

Check Point Research also observes during this period a deterioration in Handala’s operational security: direct connections from Iranian IP addresses that would previously have been concealed through commercial VPN services. The likely cause is the effective internet blockade that has been in place in Iran since February 28, 2026 – the country’s connectivity fell according to NetBlocks to between one and four percent. State cyber units were working under significantly degraded conditions. The attacks continued regardless.

What This Means Strategically

Anyone who reads the history from Stuxnet to Handala as a linear sequence sees not chaos but a learning program.

2010: Iran understands that cyber weapons can destroy real physical infrastructure. 2012: Iran demonstrates that it can replicate this capability and deploy it against third parties. 2014: Iran shows that individual public threats have individual consequences. 2019 to 2023: Iran builds a professional proxy infrastructure linking state objectives to deniable identities. 2026: Iran deploys that infrastructure against American targets – under active wartime conditions, with degraded internet infrastructure, and still effectively.

Each of these steps is a direct response to a Western action or provocation. That makes the finding analytically clean: this is not about defending or demonizing Iran. It is about describing a causal structure that exists regardless of whether one finds it convenient. The West taught Iran cyber warfare. Not intentionally. But systematically. Stuxnet was the first course. Shamoon was the first examination. Sands Casino was the completion of the foundational program. Handala is the certificate.

The structural blind spot behind this is well known but rarely named: cyberattacks produce no explosions. They appear in situation reports as incidents, in annual reports as risk positions, in press releases as “security breaches.” Strategic defeats become invisible in that language. But that is precisely what has happened: a middle power against which a highly advanced weapon was deployed took that weapon apart, understood it, and fired it back – with growing precision and growing ambition.

Physics, Not Punishment

It would be convenient to view Handala as an anomaly – a surprising outburst from an actor who was not supposed to be operating at this level. Convenient, but wrong.

Iran is not a surprising cyber power. Iran is a predictable cyber power. A society with more than three thousand years of civilization, millions of highly educated engineers, a state determination to compensate for strategic disadvantages through asymmetric means – and sixteen years of concrete experience in modern cyber warfare, beginning with the best training course anyone has ever offered: Stuxnet.

Build Stuxnet, get Handala. That is not punishment. That is physics.

The question that remains is not whether Iran can conduct cyber operations – that is answered. The question is what the next course will be. And whether the West understands this time what it is currently teaching.

Every escalation produces capabilities. Every attack teaches the attacked. Anyone who believes military superiority in the kinetic domain provides protection against asymmetric countermeasures in the digital one has learned nothing from the history since 2010. Iran has proven over sixteen years that resource scarcity, international isolation, and military imbalance are not obstacles to effective cyber operations – they are the engine driving them. Middle powers that cannot win on the conventional battlefield seek fields where they can. The cyber domain is one of them. Iran understood that earlier than most. The receipt is called Handala.

Michael Hollister
is a geopolitical analyst and investigative journalist. He served six years in the German military, including peacekeeping deployments in the Balkans (SFOR, KFOR), followed by 14 years in IT security management. His analysis draws on primary sources to examine European militarization, Western intervention policy, and shifting power dynamics across Asia. A particular focus of his work lies in Southeast Asia, where he investigates strategic dependencies, spheres of influence, and security architectures. Hollister combines operational insider perspective with uncompromising systemic critique—beyond opinion journalism. His work appears on his bilingual website (German/English) www.michael-hollister.com, at Substack and in investigative outlets across the German-speaking world and the Anglosphere.

Sources

  1. Kaspersky Resource Center: What is Stuxnet? https://www.kaspersky.com/resource-center/definitions/what-is-stuxnet
  2. IEEE Spectrum: “The Real Story of Stuxnet” (David Kushner, February 2013) https://spectrum.ieee.org/the-real-story-of-stuxnet
  3. Kaspersky Securelist: Stuxnet Zero Victims (GReAT, November 2014) https://securelist.com/stuxnet-zero-victims/67483/
  4. CCDCOE (NATO Cooperative Cyber Defence Centre): Stuxnet Facts Report https://ccdcoe.org/uploads/2018/10/Falco2012_StuxnetFactsReport.pdf
  5. CFR Cyber Operations: Compromise of Saudi Aramco and RasGas https://www.cfr.org/cyber-operations/compromise-of-saudi-aramco-and-rasgas
  6. CCDCOE Cyber Law Wiki: Shamoon (2012) https://cyberlaw.ccdcoe.org/wiki/Shamoon_(2012)
  7. Kaspersky Securelist: From Shamoon to StoneDrill (March 2017) https://securelist.com/from-shamoon-to-stonedrill/77725/
  8. Phys.org: Iran behind Shamoon – Panetta statement October 2012 https://phys.org/news/2012-10-iran-cyberattack-saudi-ex-official.html
  9. Bloomberg Businessweek: “Iranian Hackers Hit Sheldon Adelson’s Sands Casino” (December 2014) https://www.bloomberg.com/news/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas
  10. Bloomberg: “Iran Behind Cyber-Attack on Adelson’s Sands Corp., Clapper Says” (February 2015) https://www.bloomberg.com/news/articles/2015-02-26/iran-behind-cyber-attack-on-adelson-s-sands-corp-clapper-says
  11. US Department of Justice: Justice Department Disrupts Iranian Cyber-Enabled Psychological Operations (March 19, 2026) https://www.justice.gov/opa/pr/justice-department-disrupts-iranian-cyber-enabled-psychological-operations
  12. Check Point Research: Handala Hack – Unveiling Group’s Modus Operandi (March 12, 2026) https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
  13. Palo Alto Networks Unit 42: Threat Brief – March 2026 Escalation of Cyber Risk Related to Iran (March 26, 2026) https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
  14. CNN: Pro-Iran Hackers Claim Wiper Attack on Medical Device Maker Stryker (March 11, 2026) https://www.cnn.com/2026/03/11/politics/pro-iran-hackers-cyberattack-medical-device-maker
  15. CNN: Iran-Linked Hackers Compromised FBI Director Patel’s Gmail (March 27, 2026) https://www.cnn.com/2026/03/27/politics/iran-linked-hackers-fbi-director-patel
  16. Office of the Director of National Intelligence: Annual Threat Assessment 2026 https://www.dni.gov/files/ODNI/documents/assessments/ATA-2026-Unclassified-Report.pdf
  17. World Bank / Statista: Iran – Urbanization Rate 2023 https://www.statista.com/statistics/455841/urbanization-in-iran/
  18. QS World University Rankings 2026 / Tehran Times: Nine Iranian Universities in QS WUR 2026 https://www.tehrantimes.com/news/514894/Nine-Iranian-universities-in-QSWUR-2026-ranking

© Michael Hollister – All rights reserved. Redistribution, publication or reuse of this text requires express written permission from the author. For licensing inquiries, please contact the author via www.michael-hollister.com.

