FBI seizes websites of pro-Iran hacking group after devastating Stryker hack

🚀 Explore this awesome post from TechCrunch 📖

📂 **Category**: Security,cybersecurity,department of justice,FBI,hacktivist,Handala,iran,Iran War,Stryker

The FBI has seized and shut down two websites linked to the pro-Iranian group Handala, which last week claimed responsibility for a devastating cyberattack against US medical technology giant Stryker.

As of Thursday, the contents of the site where Handala posted the hacks, as well as another site the group used to go after dozens of people for their alleged ties to the Israeli military and defense contractors, such as Elbit Systems and NSO Group, were replaced with a banner announcing the law enforcement action.

The seizure announcement did not say why the FBI and Department of Justice shut down the sites. But the language used seems to indicate that US authorities believe these sites are run by hackers linked to a foreign government.

“Law enforcement authorities have determined that this domain was used to conduct, facilitate, or support malicious cyber activities on behalf of or in coordination with a foreign state actor,” the seizure announcement said. “The United States government has taken control of this domain to disrupt ongoing malicious cyber operations and prevent further exploitation.”

TechCrunch confirmed the site’s takeover by examining its nameserver records, which now point to servers controlled by the FBI.

The FBI and Department of Justice did not immediately respond to TechCrunch’s request for comment.

Notice of takedown and seizure of a website by the Federal Bureau of Investigation (FBI) and the US Department of Justice, which replaced the contents of two websites linked to the pro-Iran Handala group. (Image: TechCrunch. Image credits: TechCrunch/Getty Images)

In a series of announcements posted on the group’s official Telegram channel on Thursday, Handala acknowledged that its websites had been blocked, calling the seizures a “desperate attempt to silence our voice.”

“This act of digital aggression only highlights the fear and anxiety our actions have instilled in the hearts of those who oppress and deceive,” the hackers wrote. “Although they attempt to erase evidence and hide their crimes through censorship and intimidation, their actions only underscore the impact of our mission. The pursuit of justice cannot be stopped by shutting down a website. The movement for truth will continue and grow stronger.”

Handala’s X account was also recently suspended.

The group did not respond to the message sent to their official chat account.

Handala has been active at least since the October 7, 2023 attacks launched by Hamas, and is believed to have ties with the Iranian regime. Last week, the group claimed responsibility for the attack on the American pharmaceutical company Stryker, which has more than 56,000 employees in dozens of countries. The hackers said the hack came in response to the US government’s missile attack on an Iranian school, which killed at least 175 people, most of them children.

Last year, Stryker signed a $450 million contract to supply medical devices to the Department of Defense.

Handala reportedly hacked into an internal Stryker administrator account and gained nearly unlimited access to the company’s Windows network. At that point, the hackers allegedly took over Stryker’s Intune dashboards, a tool designed to let the company manage employees’ laptops and mobile devices remotely, including the ability to delete data.

By accessing these dashboards, the hackers were reportedly able to wipe devices owned by both the company and its employees.

Stryker said Tuesday it was still working to restore its computers and internal network after the hack.

Nariman Gharib, a UK-based Iranian activist and independent cyberespionage investigator, told TechCrunch that the removals are good news.

“Their organizational and administrative structure is currently broken, and at any moment, members of this group may be targeted by missile strikes, just like other cyber forces of the regime,” Gharib told TechCrunch.

“But this does not mean that their activities may stop – no. It is possible that this group will publish future leaks through media outlets close to the Iranian Revolutionary Guard,” Gharib added, referring to the country’s military.

🕒 **Posted on**: 1773934216
