Handala Websites Seized by FBI After Stryker Cyberattack

Written by:
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Infrastructure dismantled: Four Handala hacking group websites used for cyber extortion and doxing were taken down.
  • Destructive network breach: The cybersecurity operation follows Handala's recent Stryker cyberattack, which led to the widespread remote wiping of corporate and employee endpoints.
  • State-aligned cyber threats: Federal authorities linked the seized digital infrastructure to malicious cyber operations conducted in coordination with a foreign state actor.

The pro-Iranian Handala Hack group (tracked as Void Manticore) and its affiliates were targeted in a law enforcement website takedown that resulted in the seizure of four domains: Handala-hack[.]to, Handala-redwanted[.]to, Justicehomeland[.]org, and Karmabelow80[.]org. The takedown was executed by the Federal Bureau of Investigation (FBI) in conjunction with the Department of Justice (DOJ).

Handala Infrastructure Takedown

The Handala domains were used to publicize data breaches, dox individuals, incite violence, and claim responsibility for destructive hacks, including the cyberattack on the US medical giant Stryker. The seizure notices indicate the websites operated as part of an Iranian Ministry of Intelligence and Security (MOIS) network.

The network leveraged these websites for:

“Iran, the leading state sponsor of terrorism worldwide, used the seized domains to dox and harass dissidents and journalists, incite violence against Jewish communities, and spread Tehran’s anti-American propaganda,” said Assistant Attorney General for National Security John A. Eisenberg.

Escalating Enterprise Cybersecurity Implications

The Handala seizure directly follows the Stryker cyberattack, for which Handala claimed responsibility last week. A breach of an internal administrator account granted unauthorized access to Microsoft Intune dashboards, enabling the remote execution of data-wipe commands across tens of thousands of corporate networks and personal employee devices. Soon after, CISA urged organizations to harden endpoint management systems following the Stryker cyberattack.
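The attack path above (one compromised console account issuing wipe commands to a large fleet) leaves a distinctive trace in the management platform's audit trail: many destructive actions from a single actor in a short time. The following is an added example, not code from the article, Stryker, CISA or Microsoft, showing a sliding-window detector over constructed audit lines. The log format, the field names (`actor`, `action`, `device`), the account names and the thresholds are all assumptions made for the example and do not mirror Intune's real audit schema.

```python
"""
Added example (not from the article): flag a burst of remote-wipe or retire
commands issued from a single MDM console account. The log format, field
names and account names are constructed for this example and are not
Intune's real audit schema.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Console actions that destroy data or drop a device out of management.
DESTRUCTIVE_ACTIONS = {"wipe", "retire"}

# Assumed line format: "<ISO timestamp> actor=<upn> action=<verb> device=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) device=(?P<device>\S+)$"
)

# Constructed audit log: one admin doing routine offboarding hours apart,
# and one account issuing a wipe every 15 seconds across many devices.
SAMPLE_LOG = """\
2026-03-09T23:10:00 actor=it-admin@example.test action=retire device=dev-0900
2026-03-10T02:00:00 actor=svc-helpdesk@example.test action=wipe device=dev-0001
2026-03-10T02:00:15 actor=svc-helpdesk@example.test action=wipe device=dev-0002
2026-03-10T02:00:30 actor=svc-helpdesk@example.test action=sync device=dev-0002
2026-03-10T02:00:30 actor=svc-helpdesk@example.test action=wipe device=dev-0003
2026-03-10T02:00:45 actor=svc-helpdesk@example.test action=wipe device=dev-0004
2026-03-10T02:01:00 actor=svc-helpdesk@example.test action=wipe device=dev-0005
2026-03-10T02:01:15 actor=svc-helpdesk@example.test action=wipe device=dev-0006
2026-03-10T02:01:30 actor=svc-helpdesk@example.test action=wipe device=dev-0007
2026-03-10T02:01:45 actor=svc-helpdesk@example.test action=wipe device=dev-0008
2026-03-10T02:02:00 actor=svc-helpdesk@example.test action=wipe device=dev-0009
2026-03-10T02:02:15 actor=svc-helpdesk@example.test action=wipe device=dev-0010
2026-03-10T02:02:30 actor=svc-helpdesk@example.test action=wipe device=dev-0011
2026-03-10T02:02:45 actor=svc-helpdesk@example.test action=wipe device=dev-0012
2026-03-10T04:30:00 actor=it-admin@example.test action=wipe device=dev-0901
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, actor, action, device) tuples.
    Malformed lines are skipped so one bad record cannot stall the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["actor"],
                       m["action"].lower(), m["device"]))
    return events


def find_wipe_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Return {actor: (burst_start, burst_end, distinct_device_count)} for every
    actor that issued destructive actions against at least `threshold` distinct
    devices inside any sliding `window`. Both knobs are tuning parameters; set
    them from the organisation's normal offboarding rate so routine work does
    not alert while a fleet-wide wipe does."""
    recent = defaultdict(deque)   # actor -> deque of (ts, device) inside window
    alerts = {}
    for ts, actor, action, device in sorted(events, key=lambda e: e[0]):
        if action not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[actor]
        q.append((ts, device))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            prev = alerts.get(actor)
            # Keep the largest burst seen for this actor.
            if prev is None or len(distinct) > prev[2]:
                alerts[actor] = (q[0][0], ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for actor, (start, end, n) in find_wipe_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {actor}: {n} devices wiped/retired between {start} and {end}")
```

The detector counts distinct devices rather than raw events so a retried command on one device does not inflate the count, and it ignores non-destructive console activity. In a production pipeline the same logic would run over the management platform's exported audit events rather than a text file, and the alert would be paired with an automatic block on the issuing account.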

MOIS-affiliated group MuddyWater reportedly compromised the network infrastructure of several critical organizations across the United States, Canada, and Israel earlier this month. The European Union (EU) this week sanctioned three Chinese and Iranian entities and two individuals in response to cyberattacks on European networks.

In early March, Palo Alto Unit 42 estimated that 60 individual threat groups were active following the U.S. Cyber Command’s disruption of Iranian communications and sensors. These included pro-Russian groups Cardinal, Russian Legion, and NoName057(16), and Iranian state-aligned personas such as Handala, 313 Team, and DieNet.
