La Era

FBI Seizes Domains Linked to Iran MOIS and Stryker Cyberattack

The FBI and Justice Department seized four domains allegedly operated by Iran’s Ministry of Intelligence and Security. The takedown follows a major cyberattack on medical technology firm Stryker that disrupted hospital systems and compromised 200,000 devices.


The FBI recently seized four internet domains connected to cyber operations by Iran’s Ministry of Intelligence and Security. Federal prosecutors stated the domains hosted stolen data from multiple governments and private companies starting in 2022. This action follows a significant cyberattack attributed to the group known as Handala targeting the medical technology firm Stryker.

The seized websites included Justicehomeland[.]org and Handala-Hack[.]to among others used to distribute illicit data. Court documents reveal these sites facilitated digital campaigns that compromised sensitive information from various international entities. Officials identified the domains as critical infrastructure for the Iranian intelligence agency's espionage activities over the past year.

Investigators linked the Handala group to a devastating attack on Stryker that wiped data from more than 200,000 employee devices globally. The attackers used a feature of Microsoft Intune, the company's device management platform, to remotely destroy corporate data across the United States and other nations. The incident disrupted operations at a major manufacturer of hospital equipment used in critical emergency care settings.

Prosecutors noted that the cyberattack directly affected emergency medical services and hospitals in Maryland. Some facilities temporarily cut their connections to the company out of concern that the wiper incident could affect patient safety and workflow. Clinicians were forced to rely on radio consultation and verbal descriptions after their communication devices failed completely.

Beyond the medical sector, the websites hosted stolen information regarding Israeli government officials and Defense Force employees. Following the onset of kinetic hostilities, the group began posting addresses of military personnel to facilitate threatening communications. Authorities believe these actions were part of a broader strategy to intimidate adversaries during regional conflicts.

The investigation also uncovered cyberattacks against the Albanian government dating back to 2022 prior to a major conference. These intrusions compromised passport systems and allowed actors to access email correspondence between the United States and Albania. The Cybersecurity and Infrastructure Security Agency confirmed that Iranian hackers remained inside networks for over a year.

FBI Director Kash Patel stated the agency is not done uncovering Iranian cyber operations. The State Department issued a $10 million reward for information on anyone who participated in creating the websites or carrying out the attacks. The reward is intended to help investigators identify the individuals involved in the malicious activity.

In response to the takedowns, a group claiming to be Handala created a new website to threaten further cyberattacks. Israeli officials claimed several leaders behind the operation were killed in airstrikes during the recent tensions. These developments suggest the threat landscape remains volatile despite the successful seizure of the domains.

Stryker recently sent urgent notices to customers assuring them that their technology is safe to use. The company clarified that the cyberattack targeted internal corporate Microsoft systems rather than the devices themselves. Technical teams are working to restore full functionality and prevent similar exploitation of cloud management tools.

Experts warn that state-sponsored actors continue to abuse enterprise management tools for destructive purposes against corporate networks. Organizations should review their remote device management policies, including who is permitted to issue a remote wipe, to prevent unauthorized wipes of critical systems. The takedown serves as a reminder of the ongoing risk that foreign intelligence agencies pose to global businesses.
