
The U.S. Justice Department has accused Iran’s government of operating the hacktivist group Handala, which recently claimed responsibility for a destructive cyberattack on medical technology company Stryker.
In a press release issued Thursday, the U.S. Department of Justice said Iran’s Ministry of Intelligence and Security is behind Handala. Officials described the group as a fabricated activist persona used to conduct psychological operations, claim responsibility for cyberattacks, and publish stolen data obtained during those intrusions. The department also said the group had called for violence against journalists, dissidents, and Israeli individuals.
FBI Seizes Domains Linked To Handala
The announcement followed actions by the Federal Bureau of Investigation, which seized two websites associated with Handala. The sites were used to publicize alleged cyberattacks and release personal information of individuals said to be linked to the Israeli military and defense contractors.
FBI Director Kash Patel said in the Justice Department statement that the bureau “took down four of their operation’s pillars and we’re not done.”
Details Of The Stryker Cyberattack
Handala had claimed responsibility for a March 11 cyberattack on Stryker, stating that it remotely wiped tens of thousands of employee devices. The group said the operation was retaliation for a U.S. airstrike on an Iranian school that Iranian officials said killed 168 children.
Broader Network Of Hacktivist Personas
The Justice Department also seized two additional domains tied to another persona, “Justice Homeland” or “Homeland Justice,” which it linked to Iran’s intelligence services. Authorities said these domains were used to claim responsibility for a 2022 cyberattack on the Albanian government that disrupted servers and led to the theft of sensitive data. Microsoft has previously attributed that incident to the Iranian ministry.
In a court affidavit supporting the seizures, the FBI stated that Handala, Justice Homeland, and another persona called Karma Below are part of the same operation, describing them as being run by the same individuals.
Responses And Ongoing Activity
Handala responded through its Telegram channel, calling the U.S. actions an attempt to silence the group. Cybersecurity researcher Keith O’Neill of DomainTools told TechCrunch that the group has already set up new domains that have not been seized.
The group did not respond to requests for comment sent via its public communication channels, including an email address identified in the Justice Department’s affidavit. A spokesperson for Iran’s Permanent Mission to the United Nations also did not respond, and Stryker declined to comment.
Expert Views On Attribution And Structure
Alex Orleans of Sublime Security told TechCrunch that the individuals managing the Handala persona may differ from those conducting the intrusions.
“Handala does not necessarily equate, one-to-one, with the actors conducting the activities it’s taking credit for,” Orleans said. He added that multiple teams could carry out attacks while a separate group maintains the public persona, all operating within a broader structure tied to Iran’s intelligence apparatus.
“There’s a level of opacity there that can be difficult to penetrate,” he said.
