With extensive expertise in the intersection of emerging technologies and geopolitics, Dominic Jainy offers a unique perspective on the evolving landscape of cyber warfare. Today, we delve into a striking paradox: an Iranian state-affiliated hacking group, Handala, has been caught using Starlink satellite internet to launch attacks against Israel, all while the Iranian regime actively works to block that same service for its own citizens. Our conversation will explore the strategic contradictions behind this move, the significant intelligence vulnerabilities it creates, how analysts can trace such activities, and the broader implications for the future of satellite technology in global conflicts.
While Iran’s government reportedly disrupted satellite signals for its citizens, the ‘Handala Hack’ group was seen using Starlink IPs to attack Israeli targets. What does this reveal about the regime’s strategy, and what technical challenges would the hackers face to get their own connection working?
It reveals a deeply cynical and fractured strategy, frankly. On one hand, the Iranian government is clearly terrified of an informed and connected populace, deploying sophisticated Russian countermeasures like GPS spoofing to render Starlink almost useless for protesters. On the other hand, its own offensive cyber arms, like the Handala group, are not only using the technology but are seemingly given privileged access. To get their connection running, they would have had to overcome the very jamming their government deployed, suggesting they either have access to superior equipment, are operating from a location with a clear signal, or are being deliberately shielded from the nationwide disruption. It’s a classic case of the state reserving a powerful tool for its own aggressive purposes while denying it to its people.
Using a satellite dish can effectively broadcast a user’s physical location. How does this potential ‘OPSEC disaster’ for the Handala hackers create intelligence opportunities for the U.S. and Israel, and what specific steps could be taken to act on that intel?
It’s an almost unbelievable operational security blunder. By using a Starlink dish, these hackers are essentially planting a giant, blinking “we are here” sign on their rooftop for anyone with the right signals intelligence capabilities to see. For the U.S. and Israel, this is a goldmine. The first step is geolocation; they can pinpoint the physical building where these operations are originating. From there, they can deploy other intelligence assets—human intelligence, further signals monitoring, or satellite imagery—to identify the individuals involved, understand their command structure, and map out their entire network. This intelligence isn’t just for defense; it can be used to preempt future attacks, build sanction cases against specific officials, or even for direct kinetic action if the threat is deemed severe enough.
After a period of silence during Iran’s internet blackout, the ‘Handala Hack’ group reemerged using a specific Starlink IP range. Can you walk me through how analysts would trace this activity, and what does this sudden spike tell us about the group’s operational priorities?
The process begins with monitoring known threat actors. When Handala, a group consistently targeting Israeli government entities, went completely silent after January 8th, that in itself was a data point. Analysts would have noted the correlation with the near-total internet blackout, which lasted almost 300 hours. The moment the group’s activity resumed, the first thing they’d look at is the source. Seeing attacks originate from a specific Starlink IP block, 188.92.255.x, is the smoking gun. This sudden spike after a week of zero activity tells us their operations are considered high-priority by the regime. They were not just waiting for the regular internet to come back; they were actively provisioned with an alternative, powerful connection to resume their attacks against Israeli and other regional targets as quickly as possible.
Starlink was initially presented as a tool for protesters to bypass state censorship, yet state-affiliated hackers appear to be using it for offensive cyber operations. What are the broader implications of this dual-use scenario for satellite internet providers and Western policymakers?
This is a critical turning point that complicates the narrative of satellite internet being a purely liberating technology. For providers like Starlink, it means they are now unwillingly part of the infrastructure for state-sponsored cyber warfare, which carries immense geopolitical risk. They will face pressure to develop more robust “know your customer” protocols and mechanisms to identify and terminate service for malicious actors. For Western policymakers, it’s a wake-up call. They can no longer simply advocate for deploying these technologies in repressive states without considering how they can be co-opted. This will likely lead to calls for greater oversight, export controls on related hardware, and deeper collaboration between governments and private satellite companies to create policies that can support activists while mitigating the risks of misuse by hostile regimes.
What is your forecast for Iran’s state-sponsored cyber activities, especially concerning their use of unconventional technologies like satellite internet?
I foresee an escalation in both sophistication and audacity. The Handala group’s use of Starlink wasn’t a one-off; it was a test. Having seen the potential, Iranian state actors will likely seek to build more resilient and clandestine networks using a mix of technologies, including other satellite providers and encrypted communication platforms. They will learn from the OPSEC mistakes made here and work to better obscure their physical locations and digital footprints. We can expect them to continue exploiting any and all available technologies as asymmetric weapons to project power and destabilize rivals, forcing Western nations and private tech companies into a reactive, and increasingly difficult, defensive posture.
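The tracing workflow described earlier in the interview (monitor a known actor, note the silence during the blackout, then check the source block of the resumed activity) can be reduced to a small correlation script. The example below is added for illustration and is not code from the interview or from any organisation mentioned in it. It assumes the 188.92.255.x block named on the page is attributed to Starlink in the analyst's prefix list (the /24 width is an assumption; the page gives only the first three octets), assumes a 72-hour quiet-gap threshold, and runs over constructed sample events rather than real observations.

```python
import ipaddress
from datetime import datetime

# Prefix list the analyst attributes to Starlink. The interview names the
# 188.92.255.x block; the /24 width is an assumption for this example.
STARLINK_PREFIXES = [ipaddress.ip_network("188.92.255.0/24")]

# Constructed sample events: (UTC timestamp, source IP, actor, action).
# Illustrative records only; the non-Starlink addresses are documentation
# ranges (RFC 5737), not real attacker infrastructure.
SAMPLE_EVENTS = [
    ("2026-01-07T09:15:00", "198.51.100.23", "Handala", "defacement"),
    ("2026-01-08T02:40:00", "198.51.100.23", "Handala", "credential-phish"),
    ("2026-01-20T15:05:00", "188.92.255.17", "Handala", "defacement"),
    ("2026-01-20T15:30:00", "188.92.255.42", "Handala", "data-leak-post"),
    ("2026-01-21T08:00:00", "203.0.113.9", "Handala", "defacement"),
]


def is_starlink(ip: str) -> bool:
    """True when the address falls inside an attributed Starlink prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in STARLINK_PREFIXES)


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_resumptions(events, gap_hours: float = 72.0):
    """Find each silence of at least gap_hours and describe the event that
    ended it: how long the actor was quiet, which source address the first
    post-gap event came from, whether that source is in a Starlink prefix,
    and whether the infrastructure changed across the gap."""
    ordered = sorted(events, key=lambda e: parse_ts(e[0]))
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        gap = (parse_ts(cur[0]) - parse_ts(prev[0])).total_seconds() / 3600
        if gap >= gap_hours:
            findings.append({
                "actor": cur[2],
                "silent_hours": round(gap, 1),
                "resumed_at": cur[0],
                "source_ip": cur[1],
                "via_starlink": is_starlink(cur[1]),
                "new_infrastructure": prev[1] != cur[1],
            })
    return findings


def source_breakdown(events):
    """Count events by provenance class, so a sudden shift of an actor's
    traffic onto satellite-attributed space stands out in a summary."""
    counts = {"starlink": 0, "other": 0}
    for _, ip, _, _ in events:
        counts["starlink" if is_starlink(ip) else "other"] += 1
    return counts


if __name__ == "__main__":
    for finding in find_resumptions(SAMPLE_EVENTS):
        print(finding)
    print(source_breakdown(SAMPLE_EVENTS))
```

In practice the prefix list would be loaded from a maintained ASN-to-prefix mapping rather than hard-coded, and the threshold tuned to the actor's normal cadence; the point of the gap-plus-provenance check is that the signal is not the activity itself but the change in where it originates after a long silence.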
