US accuses Iran’s government of operating hacktivist group that hacked Stryker

The U.S. Justice Department has accused the Iranian government of operating the hacktivist group known as Handala, which recently claimed responsibility for a destructive cyberattack against the U.S. medical technology company Stryker. In a press release published on Thursday, the Justice Department stated that Iran’s Ministry of Intelligence and Security is behind the Handala persona, which it uses to conduct psychological operations against the regime’s enemies, claim responsibility for cyberattacks, and publish stolen information obtained from those hacks. According to the DOJ, the group has also called for the killing of journalists, regime dissidents, and Israelis.

This announcement followed the FBI’s seizure of two websites linked to Handala. The group used these sites to publicize its alleged cyberattacks and to publish the personal information of dozens of people who allegedly worked for the Israeli military and defense contractors. Handala had taken credit on its website for the March 11 cyberattack on Stryker, during which hackers remotely wiped tens of thousands of employee devices. The hackers claimed the breach was in retaliation for a U.S. air strike on an Iranian school that killed dozens of children.

FBI Director Kash Patel stated in the DOJ’s press release that the FBI took down four of the operation’s pillars and that the bureau’s work is not finished. In addition to the two Handala websites, the DOJ seized two other domains allegedly used by Iran’s Ministry of Intelligence and Security under another hacktivist persona called “Justice Homeland” or “Homeland Justice.” The DOJ accused Iranian government hackers of using those domains to claim responsibility for hacking the Albanian government in 2022, an attack that took government servers offline and resulted in the theft of sensitive data. Microsoft has also linked that attack on the Albanian government to the Iranian ministry.

In a court affidavit supporting the website seizures, the FBI said that Handala, Justice Homeland, and another persona called Karma Below are part of the same conspiracy because they are operated by the same individuals.

Handala responded to the DOJ’s announcement in a statement on its official Telegram channel, calling the U.S. government’s actions a desperate attempt to silence its voice. According to cybersecurity researcher Keith O’Neill of DomainTools, Handala has already set up new domains that have not yet been seized.

The hacking group did not respond to a request for comment sent to a public chat account and an email address identified by the Justice Department. A spokesperson for Iran’s Permanent Mission to the United Nations did not respond to a request for comment. Stryker also did not respond to a request for comment.

Alex Orleans, head of threat intelligence at Sublime Security, noted that the individuals behind the Handala persona may not be the same people conducting the actual hacking. Orleans stated that Handala does not necessarily map one-to-one onto the actors carrying out the activities it takes credit for, suggesting that within the larger ministry structure there could be separate teams responsible for the intrusions and for maintaining the public persona. He described a level of opacity that can be difficult to penetrate.