The FBI seized and took down two websites linked to the pro-Iranian hacktivist group Handala. This group recently claimed responsibility for a destructive cyberattack against the U.S. medical technology giant Stryker.
As of Thursday, the contents of a website where Handala publicized its hacks, as well as another site used to dox individuals over their alleged ties to the Israeli military and defense contractors, were replaced by a banner announcing the law enforcement action. The seizure announcement did not specify the exact reasons for the takedown. However, the language indicated U.S. authorities believed the sites were operated by hackers linked to a foreign government.
The announcement stated that law enforcement determined the domain was used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor. It noted the U.S. Government took control to disrupt ongoing operations and prevent further exploitation. The seizure was confirmed by examining the website’s nameserver records, which now point to servers controlled by the FBI.
In response, Handala posted announcements on its official Telegram channel acknowledging the takedown. The group called the seizures a desperate attempt to silence its voice and stated that the pursuit of justice cannot be stopped by removing a website. The group’s account on the social media platform X was also recently suspended.
Handala has been active since at least the October 7, 2023, attacks by Hamas and is believed to have ties with the Iranian regime. Last week, the group claimed the attack on Stryker, which employs over 56,000 people globally. The hackers said the attack was retaliation for a U.S. government missile strike that hit an Iranian school, killing at least 175 people, most of them children. Notably, last year Stryker signed a $450 million contract to supply medical devices to the U.S. Department of Defense.
According to reports, Handala broke into an internal Stryker administrator account, gaining extensive access to the company’s Windows network. The hackers allegedly took over Stryker’s Intune dashboards. Intune is a tool for managing employee devices remotely, and its capabilities include deleting data from those devices. This access reportedly allowed them to wipe devices owned by both the company and its employees.
On Tuesday, Stryker stated it is still restoring its computers and internal network following the hack.
A U.K.-based Iranian activist and independent cyber-espionage investigator, Nariman Gharib, told reporters that the website takedowns are good news. He said the group’s organizational structure is currently disrupted and its members could be targeted. However, he also cautioned that their activities may not stop, and future leaks could be published through media channels close to Iran’s military.

