The U.S. Department of Justice has formally accused the Iranian government of operating the hacktivist entity known as “Handala,” the group responsible for a devastating cyberattack against medical technology giant Stryker last week.
State-Sponsored Psychological Warfare
In an official press release issued Thursday, the DOJ identified Handala as a front for Iran’s Ministry of Intelligence and Security (MOIS). Rather than an independent collective, authorities describe the group as a fabricated persona designed to execute psychological operations against the regime’s perceived enemies.
Beyond claiming responsibility for cyber intrusions and leaking stolen data, the group has actively incited violence, calling for the targeting of journalists, dissidents, and Israeli citizens.
FBI Disrupts Infrastructure
The DOJ’s revelation followed an FBI operation that seized two primary websites used by Handala. These platforms served as hubs for the group to publicize its activities and host sensitive information stolen from Israeli military and defense contractors.
FBI Director Kash Patel emphasized the scale of the operation, stating that the bureau has “taken down four of their operation’s pillars and we’re not done.”
The Stryker Breach and Broader Campaigns
Handala publicly claimed responsibility for the March 11 attack on Stryker, which resulted in the remote wiping of tens of thousands of employee devices. The hackers framed the destructive incident as retaliation for a U.S. air strike on an Iranian school, an event currently under investigation by the UN.
The DOJ’s investigation, supported by court-filed affidavits, links Handala to other Iranian-backed personas, including “Justice Homeland” and “Karma Below.” These groups are believed to be part of a single, unified conspiracy. Specifically, the DOJ seized two additional domains linked to “Justice Homeland,” which was previously identified by both the DOJ and Microsoft as the perpetrator behind the 2022 cyberattack that crippled the Albanian government’s infrastructure.
The Evolving Threat Landscape
Despite the government’s intervention, the threat remains active. Cybersecurity researcher Keith O’Neill of DomainTools confirmed that Handala has already launched replacement domains to circumvent the seizures.
Experts suggest that the Handala brand may be a tactical layer rather than a direct reflection of the technical operators. Alex Orleans, head of threat intelligence at Sublime Security, noted the likely separation between the persona maintainers and the actual intrusion teams.
“Handala does not necessarily equate, one-to-one, with the actors conducting the activities it’s taking credit for,” Orleans explained. “There could be multiple teams conducting actual intrusions while a distinct team is responsible for maintaining the persona—with all of these elements coexisting within a larger, unified MOIS element.”
The Iranian Permanent Mission to the United Nations and Stryker have both declined to comment on the ongoing situation.