The United States accuses the Iranian government of running a hacking group that hacked Stryker

The US Department of Justice has accused the Iranian government of being behind the Handala Group, which last week claimed responsibility for the devastating cyberattack against US medical technology giant Stryker.

In a press release published on Thursday, the Justice Ministry said that Iran’s Ministry of Intelligence and Security is running Hanzala.

The Justice Department described the group as a fake activist persona that the Iranian ministry used to carry out “psychological operations” against enemies of the regime, claim responsibility for cyberattacks, and publish stolen information obtained during those hacks. The group also called for the killing of journalists, regime opponents, and Israelis, according to the Justice Department.

The announcement came hours after the FBI seized two websites linked to Hanzala, as TechCrunch first reported. The group used the sites to spread its alleged cyber attacks, as well as to publish the personal information of dozens of people who allegedly worked for the Israeli military and defense contractors.

On its website, Handala took credit for the March 11 cyberattack on Stryker, during which hackers remotely wiped tens of thousands of employee devices. The hackers said the hack was in response to a US airstrike on an Iranian school, which killed 168 children, according to Iranian officials.

FBI Director Kash Patel was quoted in the Justice Department press release as saying that the FBI “took down four pillars of their operation and we’re not done yet.”

Aside from the two websites used by Handala, the Justice Department also seized two other domains allegedly used by the Iranian Ministry of Intelligence via another hacktivist persona calling herself “Al-Adala Al-Watan” or “National Justice.” The Justice Department accused Iranian government hackers of using these two domains to claim responsibility for hacking the Albanian government in 2022, in a cyberattack that took off government servers and stole sensitive data. Microsoft also linked the attack against the Albanian government to the Ministry of Intelligence and Security.

In an affidavit filed with the court in support of the seizure of the Handala sites, the FBI said that Handala, Justice Homeland, and another hacktivist named Karma Below, are “part of the same conspiracy because they are operated by the same individuals.”

Handala responded to the Justice Department’s announcement in a statement posted on its official Telegram channel, with the hackers describing the US government’s actions as “nothing more than the latest desperate attempts by the United States and its allies to silence Handala’s voice.”

Keith O’Neill, a cybersecurity researcher at DomainTools, told TechCrunch that Handala has already created new domains that have not yet been hacked.

The hacking group did not respond to a request for comment sent to the chat account posted by the hackers, as well as the email address identified by the Justice Department in its affidavit.

A spokesperson for Iran’s Permanent Mission to the United Nations did not respond to TechCrunch’s request for comment. Stryker also did not respond to a request for comment.

Alex Orleans, head of threat intelligence at Sublime Security who has tracked Iranian hackers for years, told TechCrunch that it’s possible that the people behind Handala’s character are not the same individuals doing the actual hacking.

“Handala does not necessarily mean that individual actors perform the activities for which they are credited,” Orleans said. “It is possible to have multiple teams conducting actual intrusions while a distinct team is responsible for maintaining character – with all of these distinct elements coexisting within a larger unified element of the Ministry of Intelligence and Security.”

“There is a level of opacity that may be difficult to penetrate,” he said.