The FBI appears to have seized the website of an Iran-linked hacker group that claimed responsibility for the only known significant cyberattack on a U.S. company since war between the countries started in February.
The site, which previously chronicled the group’s alleged exploits and hosted hacked files for download, on Tuesday was replaced with a boilerplate image with the logos of the Justice Department and FBI. The agencies didn’t reply to a request for comment.
“Law enforcement authorities determined this domain was used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor,” the site says.
The group, called Handala, is widely believed by American and Israeli cybersecurity experts who track it to be an operation by Iran’s Ministry of Intelligence and Security. The U.S. government has not publicly tied it to a particular Iranian agency.
Last week, Handala took credit for hacking Stryker, a Michigan-based, Fortune 300 medical tech company with offices around the world.
Handala’s X account was also suspended. But its Telegram channel was still active as of Thursday morning. On it, the group acknowledged it had lost control of the site.
“To all truth-seekers and defenders of justice, We inform you that the Handala RedWanted website, which was dedicated to exposing Zionist crimes and raising global awareness, has also been seized and taken offline by order of the FBI. This aggressive action reveals the extent to which the enemies of truth will go to silence voices that unveil their atrocities,” it said.
The Telegram post also announced a new website that it said would be live soon.
While there is no indication the Stryker cyberattack was technologically sophisticated, it still disrupted the company’s “order processing, manufacturing and shipping,” the company said in a filing with the Securities and Exchange Commission.
In its public statements, Stryker said the hackers were only able to access the company’s Microsoft accounts. The hackers appear to have accessed a Microsoft program called Intune, used to remotely manage corporate phones and laptops, and simply chosen to delete all data on devices en masse, cybersecurity experts and a company employee told NBC News.
Historically, some of Iran’s most significant cyberattacks have been “wipers,” malware that deletes data across victims’ computer networks en masse.
It’s unclear how big a threat Iranian hackers remain to the U.S., however. Handala has not announced any significant operations since the Stryker hack more than a week ago. The only other major company it has claimed to hack recently is the Israeli company Verifone, which told NBC News it had not experienced any attacks on its systems. Both Israel and the U.S. military are still engaged in ongoing strikes against Iranian military and other government targets.
The acting director of the Cybersecurity and Infrastructure Security Agency, Nick Andersen, told reporters at a conference Wednesday that there had not been an uptick in cyber threats since the war with Iran started, the cybersecurity news site The Record reported.
CISA also finally publicly acknowledged the hack Wednesday evening, with an announcement that companies should take care to secure access to their Microsoft Intune accounts.
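The Stryker incident described above, as reported, came down to a management console being used to issue device wipes at scale. One practical detection for that pattern is to watch the management platform’s audit trail for a single actor issuing many wipe or retire actions within a short window, which is far outside normal helpdesk behaviour. The following is an added example, not code from the article, from Microsoft, or from CISA; the audit-record layout, the sample events, the actor names and the threshold of five actions in ten minutes are all constructed assumptions for illustration, and a real deployment would map the detector onto the fields the platform’s audit export actually provides.

```python
"""Detect burst device-wipe activity in a management console's audit log.

Added illustrative example. The event schema below is a constructed,
simplified stand-in for an MDM audit export (hypothetical fields:
time, actor, action, device); it is not the real Intune audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: one service account issues six wipes in
# just over two minutes, an admin performs a single legitimate wipe, and
# unrelated actions (Sync) appear alongside.
SAMPLE_EVENTS = [
    {"time": "2026-03-10T07:30:00Z", "actor": "admin@corp.example",        "action": "Wipe",   "device": "LAPTOP-009"},
    {"time": "2026-03-10T08:00:05Z", "actor": "svc-helpdesk@corp.example", "action": "Wipe",   "device": "D-101"},
    {"time": "2026-03-10T08:00:20Z", "actor": "svc-helpdesk@corp.example", "action": "Wipe",   "device": "D-102"},
    {"time": "2026-03-10T08:00:41Z", "actor": "svc-helpdesk@corp.example", "action": "Wipe",   "device": "D-103"},
    {"time": "2026-03-10T08:01:03Z", "actor": "svc-helpdesk@corp.example", "action": "Wipe",   "device": "D-104"},
    {"time": "2026-03-10T08:01:30Z", "actor": "svc-helpdesk@corp.example", "action": "Retire", "device": "D-105"},
    {"time": "2026-03-10T08:02:10Z", "actor": "svc-helpdesk@corp.example", "action": "Wipe",   "device": "D-106"},
    {"time": "2026-03-10T08:05:00Z", "actor": "admin@corp.example",        "action": "Sync",   "device": "LAPTOP-010"},
    {"time": "2026-03-10T09:30:00Z", "actor": "svc-helpdesk@corp.example", "action": "Retire", "device": "D-107"},
]

DESTRUCTIVE_ACTIONS = ("Wipe", "Retire")  # assumption: the action names that remove data


def parse_time(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive actions exceed the threshold.

    For each actor, the destructive events are sorted by time and scanned with
    a sliding window; the alert reports the densest window found (its size and
    the devices it covered), so an analyst sees the scale of the burst rather
    than only the moment the threshold was crossed.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[ev["actor"]].append((parse_time(ev["time"]), ev["device"]))

    alerts = []
    for actor, items in by_actor.items():
        items.sort()
        best_count, best_slice = 0, (0, 0)
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_slice = count, (start, end)
        if best_count >= threshold:
            lo, hi = best_slice
            alerts.append({
                "actor": actor,
                "count": best_count,
                "first": items[lo][0].isoformat(),
                "last": items[hi][0].isoformat(),
                "devices": [dev for _, dev in items[lo:hi + 1]],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"ALERT: {alert['actor']} issued {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']}: {', '.join(alert['devices'])}")
```

Running the block flags only the service account: six destructive actions between 08:00:05 and 08:02:10 across devices D-101 to D-106, while the admin’s single offboarding wipe and the later isolated retire stay below the threshold. The threshold and window are deliberately parameters, because the right values depend on how many devices a given organisation legitimately wipes per day; the more durable control CISA pointed at is limiting who can hold the wipe permission in the first place, with detection like this as the backstop.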
Gil Messing, the Chief of Staff of Check Point, an Israeli cybersecurity company, said the FBI seizing the Handala site would help combat the perception of Iran’s cyber ability.
“It’s an important step, as most of Handala’s work was to publish their work and create the physiological effect of the damage, even if exaggerated. So taking out their websites and channels is hitting them where it matters,” he said.
However, it’s likely part of an ongoing game of whack-a-mole, Messing said.
“In the past they’ve managed to bypass takedown by bringing up new channels instead.”