
FBI Seizes Handala Data Leak Sites Following Destructive Attack on Stryker


In a significant law enforcement action, the Federal Bureau of Investigation (FBI) has seized two clearnet domains operated by the Iranian-linked hacktivist group Handala. This seizure follows a destructive cyberattack launched by the group against the global medical technology corporation Stryker, which reportedly resulted in the wiping of data from approximately 80,000 devices. The seized domains, `handala-redwanted[.]to` and `handala-hack[.]to`, now display an official seizure notice, indicating they were taken offline pursuant to a warrant issued by the United States District Court for the District of Maryland.

The notice states that the FBI determined the domains were used "to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor." It explicitly cites activities such as unauthorized network intrusions and infrastructure targeting. By taking control of these platforms, which were used to leak stolen data and claim responsibility for attacks, U.S. authorities aim to disrupt ongoing operations and prevent further exploitation of compromised systems. This action highlights the increasing focus on dismantling the digital infrastructure used by threat actors, even those operating under hacktivist banners.

The Handala group, also known as Handala Hack Team, Hatef, or Hamsa, is a pro-Palestinian collective first observed in December 2023 and is assessed by cybersecurity researchers to have ties to Iran. The group's attack on Stryker represents a serious escalation, moving from common data theft and leak campaigns to destructive, wiper-style attacks that can cripple operational technology in critical sectors. Targeting a major medical device manufacturer underscores the group's willingness to impact healthcare infrastructure, aligning with a broader trend of geopolitical conflicts spilling over into disruptive cyber operations.

This seizure occurs amidst a busy cybersecurity landscape. Recent developments include ConnectWise patching a critical flaw in its ScreenConnect software, the emergence of a new iOS exploit dubbed "DarkSword" used in infostealer attacks, and Apple's rollout of a new type of security update. Furthermore, the Lazarus group, linked to North Korea, was blamed for an attack on cryptocurrency service Bitrefill, while Russian state-sponsored actors were reported exploiting a Zimbra flaw in attacks against Ukrainian government entities. The FBI's takedown of the Handala sites serves as a reminder of the continuous, multi-front battle against cyber threats emanating from various state-aligned groups.
