The pro-resistance hacker group Handala has disclosed the technical and operational details of a multi-year intrusion into the Institute for National Security Studies (INSS), a prominent Israeli think tank with deep ties to Israel's intelligence apparatus. According to a statement published on May 5, 2026, the group claims to have exfiltrated more than 400,000 classified files, intercepted Zoom-based executive meetings, harvested credentials for physical security infrastructure, and maintained covert access to the network for years before going public.
What Happened
Handala disclosed that it spent years building and maintaining persistent access to INSS systems before escalating the operation in 2025. The group identifies April 22, 2025 as a pivotal milestone, claiming that "the doors of INSS became wide open" and that two operatives gained access to floor -2 of the institute, the secure level where INSS stores its most sensitive material. The group framed the operation as the culmination of long-term planning rather than an opportunistic intrusion.
In parallel with the network compromise, the group leaked the email contents of six senior INSS figures during the period of the U.S. and Israeli military campaign against Iran. The named individuals include Raz Zimmt, Tamir Hayman, former Mossad research division head Sima Shine, deputy director for strategic partnerships Laura Gilinsky, former head of foreign affairs Deborah Oppenheimer, and chief finance and operations officer Dr. Ilan Steiner. Handala has branded INSS "the research and analytical arm of the Mossad."
What Was Taken
Handala claims to have obtained:
- Over 400,000 classified files held by the institute.
- Email archives of at least six senior INSS personnel, including former Mossad and intelligence-affiliated researchers.
- Passwords for the institute's CCTV camera infrastructure.
- Credentials for the corporate Wi-Fi network.
- Credentials for the Zoom account used to host high-level closed-door meetings.
- Recordings or transcripts of executive sessions held over Zoom for an extended period.
- Internal staff communications, including WhatsApp group messages referencing Shin Bet briefings on Iranian intelligence activity inside Israel.
The exposed material reportedly includes references to the movements of senior Mossad and Shin Bet officials, internal warnings about staff being placed under active surveillance, and operational data tied to the institute's research portfolio.
Why It Matters
INSS is not a peripheral target. It functions as one of the principal open-source and policy research nodes feeding Israeli national security decision-making, and its researcher roster includes former senior officials from Mossad, Aman, and Shin Bet. A multi-year compromise of such an organization carries strategic, not merely reputational, weight: adversaries gain insight into Israeli analytical priorities, internal threat assessments, and the personal communications of individuals with privileged historical access to classified programs.
The disclosure also illustrates the convergence of cyber and physical operations. Handala's claim that its access enabled tracking of high-ranking intelligence officials, combined with the October 2024 Shin Bet case involving a Lod-based couple charged with photographing the Mossad headquarters for Iranian intelligence, suggests an integrated collection effort in which network access supports human and physical surveillance activity.
The Attack Technique
Handala has not published a full technical chain, but the statement and supporting leaks point to several reinforcing access vectors:
- Zoom platform abuse. INSS reportedly conducted top-secret sessions over Zoom for years. Handala claims to have obtained the credentials to the institute's Zoom account, enabling either direct meeting interception or unauthorized recording of sessions over an extended window.
- Email account compromise. Mailboxes of at least six senior figures were accessed and exfiltrated. A September 2025 Google security alert sent to Ilan Steiner's personal Gmail account, automatically forwarded to his INSS mailbox, was later included in the leaked corpus, indicating the attackers had read access to executive inboxes and visibility into account-recovery signals.
- Credential harvesting against operational infrastructure. Passwords for CCTV systems, Wi-Fi, and Zoom suggest the attackers reached internal credential stores or successfully phished administrative accounts capable of viewing those secrets.
- Long-dwell persistence. Handala explicitly describes a multi-year operation, consistent with a quietly maintained foothold rather than a smash-and-grab intrusion. The April 2025 escalation appears to be the point at which the group began leveraging access more aggressively.
- Physical access claims. The group's reference to operatives reaching floor -2 of the building, if accurate, indicates that the operation extended beyond purely digital tradecraft into physical or insider-enabled access.
What Organizations Should Do
Defenders responsible for high-sensitivity research, policy, or intelligence-adjacent organizations should treat the Handala disclosure as a directly applicable case study and act accordingly:
- Stop conducting classified or sensitive deliberations on consumer collaboration platforms. Move top-secret meetings to government-approved or accredited conferencing infrastructure with hardware-anchored identity, end-to-end encryption, and tightly scoped recording controls. Audit existing recordings for unauthorized retention.
- Rotate all shared infrastructure credentials and eliminate password reuse across CCTV, Wi-Fi, and conferencing accounts. Move these systems behind a privileged access management platform, enforce per-administrator accounts, and disable any vendor default or shared service accounts.
- Enforce phishing-resistant MFA (FIDO2/WebAuthn) on all executive and administrator email accounts, and disable legacy auth and app passwords. Treat security alerts from consumer providers (Google, Microsoft) about staff personal accounts as potential indicators that the corporate environment is being targeted, especially when such alerts are auto-forwarded into corporate mailboxes.
- Hunt for long-dwell persistence. Review mailbox forwarding rules, OAuth app grants, Zoom API tokens, conditional access exceptions, and service principal credentials for anomalies dating back multiple years. Assume that a long-dwell intruder's activity predates, and may have been scrubbed from, the last 90 days of logs.
- Segment and monitor physical security systems. CCTV, badge readers, and building automation should sit on isolated VLANs with no direct path to staff workstations or the internet, and should be covered by the same SOC monitoring as IT systems.
- Establish a cross-domain insider and surveillance threat program. Coordinate with national counterintelligence services, brief staff on physical and digital targeting indicators, and create a confidential channel for employees to report suspected surveillance, recruitment attempts, or anomalous account activity.
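The persistence-hunting and alert-forwarding recommendations above can be turned into a repeatable check. The script below is an added example written for this article, not code from the article, from INSS, or from Handala's statement. It assumes a normalised JSON-style export of mailbox settings, inbox rules and OAuth grants in the shape constructed inline (the field names are an assumption chosen to mirror what an administrator sees in Exchange Online's Get-InboxRule/Get-Mailbox output or the Gmail filters API after flattening); the organisation domain, app allowlist and sample mailboxes are constructed. It flags the classic long-dwell patterns: rules that forward mail outside the organisation, rules that hide provider security alerts, attacker-style rule names, and third-party apps holding standing mail scopes, reporting how old each artefact is so reviewers can see which ones predate the usual log window.

```python
"""Hunt for long-dwell mailbox persistence: forwarding, inbox rules and OAuth grants.

Added example (not from the article or any party it names). Field names and the
sample data below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

INTERNAL_DOMAINS = {"think-tank.example"}          # constructed: our own domains
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                    "offline_access", "https://mail.google.com/"}
APPROVED_APPS = {"Corporate Calendar Sync"}        # constructed allowlist
ALERT_KEYWORDS = ("security alert", "new sign-in", "password", "recovery")
LONG_DWELL_DAYS = 365


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low"
    mailbox: str
    kind: str
    detail: str


def _is_external(address: str) -> bool:
    """True when the address's domain is not ours; tolerates an 'smtp:' prefix."""
    addr = address.split(":", 1)[-1].strip().lower()
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def _age_days(iso_ts: str, now: datetime) -> int:
    return (now - datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))).days


def hunt_mailboxes(mailboxes: list[dict], now: datetime) -> list[Finding]:
    out: list[Finding] = []
    for mbx in mailboxes:
        owner = mbx["mailbox"]
        fwd = mbx.get("forwarding_smtp_address")
        if fwd and _is_external(fwd):
            out.append(Finding("high", owner, "mailbox-forwarding",
                               f"mailbox-level forward to external {fwd}"))
        for rule in mbx.get("rules", []):
            if not rule.get("enabled", True):
                continue
            name = rule.get("name", "")
            age = _age_days(rule["created"], now)
            stale = f" (created {age} days ago)" if age >= LONG_DWELL_DAYS else ""
            targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
            ext = [t for t in targets if _is_external(t)]
            if ext:   # data leaves the organisation on every matching message
                out.append(Finding("high", owner, "rule-external-forward",
                                   f"rule {name!r} forwards to {', '.join(ext)}{stale}"))
            subjects = [s.lower() for s in rule.get("subject_contains", [])]
            hides = rule.get("delete_message") or rule.get("move_to_folder")
            if hides and any(k in s for s in subjects for k in ALERT_KEYWORDS):
                out.append(Finding("high", owner, "rule-alert-suppression",
                                   f"rule {name!r} hides messages matching {subjects}{stale}"))
            if name.strip(". ") == "":   # '.' or blank names are typical of attacker-made rules
                out.append(Finding("low", owner, "rule-obscure-name",
                                   f"rule named {name!r}{stale}"))
    return out


def hunt_oauth_grants(grants: list[dict], now: datetime) -> list[Finding]:
    out: list[Finding] = []
    for g in grants:
        risky = sorted(set(g["scopes"]) & HIGH_RISK_SCOPES)
        if risky and g["app"] not in APPROVED_APPS:
            sev = "high" if not g.get("publisher_verified") else "medium"
            out.append(Finding(sev, g["mailbox"], "oauth-mail-grant",
                               f"app {g['app']!r} holds {risky}, consented "
                               f"{_age_days(g['consented'], now)} days ago"))
    return out


# Constructed sample export; the 'now' is pinned so results are reproducible.
NOW = datetime(2026, 5, 5, tzinfo=timezone.utc)
SAMPLE_MAILBOXES = [
    {"mailbox": "exec1@think-tank.example", "forwarding_smtp_address": None, "rules": [
        {"name": ".", "enabled": True, "created": "2023-03-14T09:12:00Z",
         "forward_to": ["archive.backup@mail-drop.example"], "subject_contains": []},
        {"name": "Clean up", "enabled": True, "created": "2023-03-14T09:13:00Z",
         "delete_message": True, "subject_contains": ["Security alert", "New sign-in"]}]},
    {"mailbox": "analyst@think-tank.example",
     "forwarding_smtp_address": "smtp:analyst@think-tank.example", "rules": [
        {"name": "Newsletters", "enabled": True, "created": "2025-11-01T08:00:00Z",
         "move_to_folder": "Newsletters", "subject_contains": ["weekly digest"]}]},
]
SAMPLE_GRANTS = [
    {"mailbox": "exec1@think-tank.example", "app": "Mail Sync Helper", "publisher_verified": False,
     "scopes": ["Mail.Read", "offline_access"], "consented": "2022-11-02T10:00:00Z"},
    {"mailbox": "analyst@think-tank.example", "app": "Corporate Calendar Sync",
     "publisher_verified": True, "scopes": ["Calendars.Read", "offline_access"],
     "consented": "2024-01-15T10:00:00Z"},
]


def run_sample() -> list[Finding]:
    return hunt_mailboxes(SAMPLE_MAILBOXES, NOW) + hunt_oauth_grants(SAMPLE_GRANTS, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:<6}] {f.mailbox:<28} {f.kind:<24} {f.detail}")
```

Against the constructed sample it reports four findings, all on the same executive mailbox: an external forward created over three years ago, a rule deleting provider security alerts, the attacker-style "." rule name, and an unverified app with standing Mail.Read access. The analyst's internal forward, benign newsletter rule and approved calendar app produce nothing, which is the point of keeping an explicit allowlist and domain set rather than alerting on every rule. In a real deployment the sample lists would be replaced by the tenant export, and the age values are what justify pulling audit logs well beyond a 90-day window.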
Sources: Handala hacktivists reveal how they penetrated Israeli think tank classified data