FBI Seizes Pro-Iranian Hackers’ Sites After Stryker Breach – Ankor Tech

The FBI has executed a coordinated takedown of two websites operated by the pro-Iranian hacktivist group Handala. The federal operation, confirmed this Thursday, follows a devastating cyberattack orchestrated by the group against the U.S. medical technology giant Stryker.

The FBI and the U.S. Department of Justice have replaced the contents of the two Handala-linked domains with official seizure notices.

Federal Intervention Against State-Linked Actors

Visitors to the sites—previously used by Handala to publicize cyberattacks and leak private information—were met with a banner confirming the domains were seized by law enforcement. The Justice Department stated the domains were utilized to “conduct, facilitate, or support malicious cyber activities” in coordination with a foreign state actor. Federal authorities emphasized that the move aims to disrupt ongoing operations and prevent further exploitation.

Technical verification via nameserver records confirms the domains are now under full control of FBI-linked servers. While the bureau has not provided further comment, the language used in the seizure notice signals a significant escalation in the U.S. response to state-sponsored hacktivism.
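The nameserver check mentioned above is something a defender can automate when monitoring domains for seizure or hijack. The following is an added example, not code from the article or from any agency: it parses the answer section of a `dig NS <domain> +noall +answer` query and compares the delegation against a previously recorded baseline. The domain, the nameserver hostnames and the dig output are constructed placeholders, not the real records of any seized site.

```python
"""Detect a change in a domain's NS delegation from dig-style answer text.

Added example, not part of the original article. The domain name, the
nameserver hostnames and the baseline set below are constructed placeholders.
"""
import re

# Constructed baseline: the delegation recorded on an earlier check.
BASELINE_NS = {"ns1.hosting-placeholder.example", "ns2.hosting-placeholder.example"}

# Constructed text in the layout `dig NS <domain> +noall +answer` prints.
SAMPLE_DIG_ANSWER = """\
monitored-domain.test.   3600   IN   NS   ns1.seizure-placeholder.example.
monitored-domain.test.   3600   IN   NS   NS2.Seizure-Placeholder.example.
"""

# One NS answer line: owner, TTL, class, type, target hostname.
NS_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)


def parse_ns_records(answer_text):
    """Return the set of nameserver hostnames, lowercased, without the trailing dot."""
    names = set()
    for line in answer_text.splitlines():
        match = NS_LINE.match(line.strip())
        if match:
            names.add(match.group(1).lower().rstrip("."))
    return names


def classify_delegation(current, baseline):
    """Compare the current NS set against the baseline and label the change."""
    if not current:
        return "no_ns_records"          # domain suspended or lookup failed
    if current == baseline:
        return "unchanged"
    if current & baseline:
        return "partially_changed"      # some old servers remain
    return "fully_replaced"             # delegation moved entirely elsewhere


def check_domain(answer_text, baseline=BASELINE_NS):
    """Parse the answer and return (verdict, current_ns_set)."""
    current = parse_ns_records(answer_text)
    return classify_delegation(current, baseline), current


if __name__ == "__main__":
    verdict, servers = check_domain(SAMPLE_DIG_ANSWER)
    print(verdict, sorted(servers))
```

A `fully_replaced` verdict on its own does not prove a seizure; a legitimate hosting migration produces the same signal, so the new nameservers still have to be identified (for example by their WHOIS registrant or reverse DNS) before drawing a conclusion.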

The Stryker Breach and Retaliation Claims

Handala, which has been active since the October 7, 2023, attacks, is widely believed to have ties to the Iranian regime. The group claimed responsibility for the breach of Stryker—a company currently under a $450 million contract with the U.S. Department of Defense—citing it as retaliation for a U.S. missile strike in Iran.

The technical impact on Stryker was severe. Reports indicate the hackers compromised an internal administrator account, granting them near-unlimited access to the firm’s Windows network. By seizing control of Microsoft Intune dashboards, the attackers were able to remotely wipe employee devices and company hardware. As of Tuesday, Stryker confirmed it remains in the process of restoring its internal network.
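A compromised administrator account issuing remote wipes from a device-management console leaves a distinctive trace: many destructive actions from one actor in a short window, which normal administration rarely produces. The example below is added here and is not code from the article, from Stryker or from Microsoft. It runs a sliding-window burst detector over device-management audit events; the event schema (`time`, `actor`, `action`, `device`) and the action names are a simplified, constructed stand-in for a real Intune audit log, not the actual Microsoft Graph field names, and the sample events are constructed.

```python
"""Flag bursts of remote-wipe actions in device-management audit events.

Added example, not part of the original article. The field names and action
values are a constructed, simplified schema, not the real Intune audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Action names treated as destructive (assumed labels for this example).
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete"}


def _ev(time, actor, action, device):
    """Build one constructed audit event."""
    return {"time": time, "actor": actor, "action": action, "device": device}


# Constructed sample log: one routine wipe by an admin, a routine sync, then
# six wipes in under two minutes from a single account, plus one stray wipe later.
SAMPLE_EVENTS = [
    _ev("2024-01-01T09:00:00", "admin-alice", "Wipe", "LT-0001"),
    _ev("2024-01-01T09:30:00", "admin-alice", "Sync", "LT-0003"),
    _ev("2024-01-01T11:00:00", "svc-helpdesk", "Wipe", "LT-0200"),
] + [
    _ev(f"2024-01-01T10:00:{20 * i:02d}" if 20 * i < 60 else f"2024-01-01T10:01:{20 * i - 60:02d}",
        "svc-helpdesk", "Wipe", f"LT-01{i:02d}")
    for i in range(6)
]


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive actions within `window`
    reach `threshold`; the alert covers the densest such window found."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[e["actor"]].append((datetime.fromisoformat(e["time"]), e["device"]))

    alerts = []
    for actor, items in by_actor.items():
        items.sort()
        start = 0
        best = None
        for end in range(len(items)):
            # Advance the window start until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "actor": actor,
                    "count": count,
                    "start": items[start][0].isoformat(),
                    "end": items[end][0].isoformat(),
                    "devices": [d for _, d in items[start:end + 1]],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(f"{alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['start']} and {alert['end']}")
```

The threshold and window are tuning knobs; a sensible baseline comes from counting how many wipes a legitimate administrator issues per hour in your own tenant. The same structure applies to any audit source where a burst of one privileged action type is the signal, not the individual action.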

Group’s Response and Future Outlook

Despite the infrastructure loss and the recent suspension of their X account, Handala remains defiant. In a statement via their Telegram channel, the group dismissed the seizures as a “desperate attempt to silence” their mission, vowing that their activities would continue.

Independent cyber-espionage investigator Nariman Gharib suggests the takedowns represent a tactical blow to the group’s organizational structure. However, experts warn that the movement is unlikely to cease operations permanently. “Their organizational and management structure is currently disrupted,” Gharib noted, adding that future leaks may simply be migrated to media outlets aligned with the IRGC.