
Handala Claims Persistent 18-Month Access to Israeli Cloud Giant GNS, Alleges 112,000 Machines Backdoored

Screenshot: Handala's claim page, titled "GNS Cloud Hacked Again" and published April 16, 2026, alleging 18 months of uninterrupted access to GNS Cloud infrastructure, full credential extraction, and backdooring of more than 112,000 client machines and servers.

Iranian-linked hacktivist group Handala claims it held persistent access to GNS Cloud, described as Israel’s largest cloud provider, for 18 months. It alleges it extracted all client machine and virtual server passwords, which it says were stored in plaintext, and backdoored more than 112,000 machines and servers. The group published a defacement of the GNS international website as proof of continued access on April 16, 2026. GNS Cloud had not issued any public statement at the time of publication.

What Handala Claims

According to the group’s Telegram post, Handala alleges it achieved complete access to every operational and management layer of GNS Cloud’s infrastructure during the 18-month intrusion period. The group claims every password for client machines and virtual servers — allegedly stored in plaintext on GNS servers — was extracted and archived. It further alleges the entire GNS supply chain is now compromised, with downstream exposure extending to banks, technology companies, and individual users among GNS’s client base.

Handala states the breach was first announced in December 2024 during what it called “Operation Martyr Reza Awada,” and that GNS management publicly denied any incident at that time. The group says it is now returning with defacement proof and states full evidence, documentation, and data will be released publicly in the near future. A Zone-H defacement mirror was referenced as proof of current access. The scale of the claims — 112,000 backdoored machines, complete credential exfiltration, full supply chain compromise — has not been independently verified and GNS Cloud has not confirmed any aspect of the intrusion.

Why the Claim Has Weight

Handala has an extensively documented track record of intrusions against Israeli infrastructure. Security researchers at Check Point Research note the group has consistently targeted IT and cloud service providers specifically to obtain credentials and pivot into downstream customer environments — precisely the attack pattern described in this claim. The group’s December 2024 GNS announcement, now referenced as the starting point of this campaign, establishes a prior claim against the same target.

Handala’s operational history includes confirmed breaches across Israeli healthcare, energy, defense, and government systems. The group previously claimed a 22TB data wipe across 14 Israeli businesses and a breach of Israeli defense contractor PSK Wind Technologies, demonstrating both the scale and sectoral breadth of its operations. The group was also responsible for the destructive wiper attack on Stryker Corporation in March 2026 — assessed by researchers as among the most significant wartime cyberattacks on a U.S.-based company.

For background on Handala’s operations, attribution, and tactics, see our Handala Hack threat actor profile. The group has also been linked to recent attacks on government systems including the St. Joseph County, Indiana incident and the IranWire breach.

Supply Chain Risk for GNS Customers

If Handala’s claims are accurate, the downstream implications for GNS Cloud customers are significant. A cloud provider with compromised management layer access and backdoored client machines represents a single point of failure across every organization that relies on GNS infrastructure. The group specifically names banks and technology companies among the affected customer base. The GNS claim mirrors a broader pattern of attackers targeting managed service providers and cloud infrastructure to reach downstream clients at scale — a tactic BreachNews has covered in incidents including the 485TB breach claimed against managed service provider Xtium and the Axios JavaScript supply chain attack that delivered a cross-platform RAT to downstream developers.

Organizations using GNS Cloud services should treat this claim as a prompt to audit their own environments for indicators of compromise regardless of whether GNS confirms the breach, given Handala’s established pattern of targeting providers specifically to reach their downstream clients.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
