According to the Haaretz, the leaked data was published by Handala, a hacker group that the United States confirmed last month is a cyber unit within Iran's Ministry of Intelligence (MOIS) (Benjakob, Haaretz, May 4, 2026). Though Handala publicly presents itself as a pro-Palestinian hacktivist collective, it specializes in so-called hack-and-leak operations — stealing material and weaponizing it for influence rather than traditional espionage.
INSS is led by former IDF Military Intelligence Directorate chief Maj. Gen. (res.) Tamir Hayman, who succeeded fellow former Aman chief Maj. Gen. (res.) Amos Yadlin. Although officially independent, the institute's staff maintains close ties with Israeli defense and intelligence bodies. "From Iran's point of view, this isn't a research body. It's an arm of Aman, the Shin Bet and the Mossad," a former senior Israeli security official told Haaretz.
The infection chain, reconstructed from the leaked material, began as early as 2019, when the institute's IT manager warned staff of ongoing cyberattacks. By late 2021, Iranian hackers had breached the personal Gmail account of then-director Yadlin and used it to attempt to lure former Foreign Minister Tzipi Livni abroad — a ruse she uncovered when she found the wording suspicious and called Yadlin directly (Benjakob, Haaretz, May 4, 2026). Cybersecurity firm Check Point subsequently determined the message was part of a broader Iranian operation that had compromised multiple senior Israeli accounts.
The threat escalated from digital to physical in 2024. On October 31 of that year, a Shin Bet statement disclosed that a couple from Lod had been charged with carrying out surveillance missions for Iranian intelligence, including monitoring an INSS staff member whom Iran had sought to assassinate (Benjakob, Haaretz, May 4, 2026). Senior researcher Sima Shine, a former head of the Mossad's research division, was later identified in the leaked internal communications as the assassination target.
The breadth of the stolen data is alarming. Among the leaked files are passwords for the institute's security cameras, its Wi-Fi network, and the Zoom account used in its main conference room. A calendar invitation sent to an outside guest even contained the building's door entry code. Other documents expose the names of IDF Unit 8200 personnel, senior NATO officials, and confidential donors — including an Iranian-American businessman working against Iran's nuclear program.
Cybersecurity experts told Haaretz that INSS email accounts were still being actively exploited as of 2026. "Functionally, their entire organizational email system is part of attack infrastructure still being used today against targets in Israel," one expert said. Boaz Dolev, CEO of ClearSky, which assisted the institute pro bono, stated bluntly: "The institute's information security is below any acceptable standard" (Benjakob, Haaretz, May 4, 2026).
INSS told Haaretz it holds no classified materials and is implementing a significant cybersecurity work plan, including deployment of a Security Operations Center. Israel's National Cyber Directorate said the case highlights the urgent need for a pending Cyber Defense Law to set binding standards for critical institutions.