Threat Intelligence Tarot
Vol. II · 141
Iran-aligned (suspected)
risk 3/5
The Watching Child
Handala
Handala Hack · Anti-Israel hacktivist cluster
Israeli organizations · Israeli citizens · Companies operating in Israel · Israeli government
Active since ~2023 · Ideological disruption, Anti-Israel messaging, Influence operations
The Watching Child takes its name from a cartoon — a barefoot figure forever turned away, witness and accusation in one. Where political grievance meets state-aligned capability, the child does not blink.
Tactics & Techniques
  • T1486: Data Encrypted for Impact (Impact)
  • T1190: Exploit Public-Facing Application (Initial Access)
  • T1078: Valid Accounts (Persistence)
  • T1567.002: Exfiltration to Cloud Storage (Exfiltration)
  • T1491: Defacement (Impact)
  • T1485: Data Destruction (Impact)
Notable Operations
  • Post-October-2023 emergence with Israel-focused intrusions
  • Wiper deployment paired with ideological messaging
  • Claimed (disputed) Soreq Nuclear Research Center breach
  • Persistent SMS-based mass intimidation campaigns against Israeli citizens
Defenses
  • Independent verification of breach claims before public statements
    NIST CSF: RS.CO
  • SMS phishing awareness training tailored to Israeli citizens
    NIST CSF: PR.AT
  • Wiper-aware EDR detection with focus on Israeli-deployed payloads
    MITRE D3FEND
  • Critical infrastructure segmentation aligned to INCD guidance
    Israel National Cyber Directorate
Reversed: Their Weakness
Public disclosure of inflated or fabricated breach claims undercuts this operator's primary product, which is narrative rather than data. Skeptical Israeli media coverage has measurably blunted multiple campaigns.

Data sourced from MITRE ATT&CK. For educational purposes.