The FBI has seized websites belonging to a pro-Iranian hacker group called Handala following a destructive cyberattack on Stryker Corporation, a Fortune 300 medical technology company based in Portage, Michigan. According to TechCrunch, the FBI took down two Handala-linked websites on Thursday (March 19) — one where the group published details of its hacks and another it used to publicly identify people with alleged ties to the Israeli military and defense contractors.
The U.S. Department of Justice (DOJ) formally announced the seizures Thursday evening (March 19), saying it had taken down four sites total — including a backup site and two others used to promote Iranian cyber campaigns. NBC News reported the DOJ described the sites as "psychological operations" run by Iran's Ministry of Intelligence and Security (MOIS).
"Law enforcement authorities determined this domain was used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor," read the seizure announcement.
The seized sites were replaced with a banner bearing the logos of the DOJ and FBI, announcing the law enforcement action. TechCrunch confirmed the seizure by checking the website's nameserver records, which now point to servers controlled by the FBI. The FBI and DOJ did not immediately respond to requests for comment.
Handala claimed responsibility for the Stryker hack on Wednesday (March 11), saying it was retaliation for a U.S. government missile strike that hit an Iranian school, killing at least 175 people — most of them children. The attack disrupted Stryker's "order processing, manufacturing and shipping," the company disclosed in a filing with the Securities and Exchange Commission (SEC).
Stryker said the hackers broke into an internal Microsoft administrator account and gained access to the company's Intune dashboards — a tool used to remotely manage employee laptops and mobile phones. With that access, the hackers were able to wipe data from thousands of company and employee devices. Stryker said its medical devices used in healthcare were not affected. As of Tuesday (March 17), the company said it was still working to restore its computers and internal network.
Handala has been active since at least the October 7, 2023, Hamas attacks on Israel and is widely believed by U.S. and Israeli cybersecurity experts to be linked to the MOIS. The group's account on X was also suspended. However, its Telegram channel, where the group acknowledged losing control of the sites, remained active as of Thursday (March 19).
"This act of digital aggression only serves to highlight the fear and anxiety our actions have instilled in the hearts of those who oppress and deceive," the group wrote on Telegram, calling the seizures "a desperate attempt to silence our voice." The group also announced it planned to launch a new website soon.
Nariman Gharib, a United Kingdom-based Iranian activist and independent cyber-espionage investigator, told TechCrunch the takedowns were a positive development — but warned the group's activities may not stop entirely.
"It is possible that future leaks may be published by this group through media close to the IRGC," Gharib said, referring to Iran's Islamic Revolutionary Guard Corps.
Gil Messing, Chief of Staff at Israeli cybersecurity firm Check Point, said the seizures strike at a key strength of the group.
"It's an important step, as most of Handala's work was to publish their work and create the physiological effect of the damage, even if exaggerated," Messing told NBC News. "So taking out their websites and channels is hitting them where it matters."
Messing cautioned, however, that the move is likely part of an ongoing game of whack-a-mole. "In the past they've managed to bypass takedown by bringing up new channels instead," he said.
The acting director of the Cybersecurity and Infrastructure Security Agency (CISA), Nick Andersen, told reporters Wednesday (March 18) that U.S. agencies had not seen an overall uptick in cyber threats since hostilities with Iran began in February, according to The Record. CISA also issued an alert urging companies to tighten security around their Microsoft Intune accounts in response to the Stryker hack.



