Full Report
St. Joseph County officials acknowledged a cyber attack by an Iranian-backed hacker group called Handala earlier this week. County officials and council members held a news conference Thursday afternoon after the group claimed responsibility for the cyber attack against the county on Wednesday.

“We’re trying to emphasize over and over that no internal data was compromised,” Baxmeyer said.

When asked about specific samples posted online — including documents that appear to include personal information — the county’s chief information officer said the review is still underway. “Again, we’re still investigating, so I don’t have answers for you right now,” said Richard Warfield, chief information officer for St. Joseph County.

Some of the material posted appears to include death certificates, prescription information and legal documents. The authenticity of those files posted on the group’s website has not been verified.

Warfield said the county received some of the leaked documents through a fax machine on March 31. That’s when the county started investigating the data breach.
Analysis Summary
# Incident Report: Handala Cyber Attack on St. Joseph County
## Executive Summary
St. Joseph County, Indiana, was targeted by the Iranian-backed hacker group "Handala," resulting in the potential compromise of sensitive documents via a third-party faxing service. While the threat actor claims to have exfiltrated over two terabytes of data, county officials maintain that internal systems remain uncompromised and the breach was limited to external faxing data. An investigation into the authenticity of leaked documents—which include death certificates and prescription information—is currently ongoing.
## Incident Details
- **Discovery Date:** March 31, 2026
- **Incident Date:** Circa March 31 – April 1, 2026
- **Affected Organization:** St. Joseph County
- **Sector:** Government / Public Sector
- **Geography:** South Bend, Indiana, USA
## Timeline of Events
### Initial Access
- **Date/Time:** March 31, 2026
- **Vector:** Compromise of a third-party faxing service; the specific vulnerability or weakness exploited has not been disclosed.
- **Details:** Attackers gained access to a third-party faxing service used by multiple county departments.
### Lateral Movement
- **Details:** According to county officials, there is currently no evidence of lateral movement from the third-party service into the county’s internal network.
### Data Exfiltration/Impact
- **Details:** The Handala group claims to have exfiltrated 2TB of data. Publicly posted samples allegedly include death certificates, legal documents, and prescription information. The county acknowledges these documents were likely routed through the compromised fax service.
### Detection & Response
- **Discovery:** On March 31, the county received copies of the leaked documents via its own fax machines, signaling the breach.
- **Official Claim:** On April 1, Handala officially claimed responsibility on their website.
- **Public Disclosure:** County officials held a news conference on April 2, 2026, to address the situation.
## Attack Methodology
- **Initial Access:** Exploitation of a third-party external fax service.
- **Persistence:** Not disclosed; likely maintained via the third-party provider's infrastructure.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Unknown.
- **Discovery:** Not disclosed; presumably reconnaissance of public-facing service providers used by the county.
- **Lateral Movement:** None confirmed; officials deny access to the internal county network.
- **Collection:** Gathering documents processed through the digital faxing gateway.
- **Exfiltration:** Transfer of fax data from the compromised service to attacker-controlled infrastructure; the exfiltration channel has not been disclosed.
- **Impact:** Data leak/Doxxing intended to cause public mistrust and operational concern.
## Impact Assessment
- **Financial:** Unknown; costs associated with forensic investigation and potential victim notification are expected.
- **Data Breach:** Potential leak of PII (Personally Identifiable Information) and PHI (Protected Health Information), including death certificates and medical prescriptions.
- **Operational:** Minimal disruption reported to core county services, though faxing operations were scrutinized.
- **Reputational:** High; the incident prompted a public press conference and involves a group known for high-profile targets (e.g., FBI Director).
## Indicators of Compromise
- **Network indicators:** None provided in the source article.
- **File indicators:** Samples posted to Handala’s onion site/leaks portal (URLs defanged: hxxps[://]handala[.]top or similar mirrors).
- **Behavioral indicators:** Unusual inbound fax activity containing proof-of-leak materials.
## Response Actions
- **Containment:** Verification of the isolation between the third-party fax service and the internal county network.
- **Eradication:** Investigation into the third-party vendor's security posture to close the entry point.
- **Recovery:** Ongoing forensic review of the "2TB" claim to verify the total volume of authentic data stolen.
- **Coordination:** Engaging with local, state, and federal law enforcement agencies.
## Lessons Learned
- **Supply Chain Risk:** Third-party services (like digital faxing) can serve as vectors for sensitive data leaks even if internal servers are secure.
- **Verification Latency:** There is a gap between the threat actor's claims (2TB) and the county's ability to verify the authenticity of leaked data.
- **Communication:** Immediate receipt of leaked data via fax served as a "canary in the coal mine," allowing for rapid discovery.
## Recommendations
- **Vendor Audit:** Conduct a comprehensive security audit of all third-party SaaS and communication providers handling PII/PHI.
- **Data Encryption and Retention:** Ensure that data exchanged with third-party services is encrypted in transit and, where possible, not retained on the provider's servers beyond the time needed to deliver it, so that a provider compromise exposes as little historical data as possible.
- **Incident Response Planning:** Develop a specific playbook for "Third-Party Data Breaches" where internal infrastructure is not directly compromised but sensitive data is still lost.