The U.S. Justice Department has accused Iran’s government of directly operating Handala, the hacktivist group that claimed responsibility for a destructive cyberattack against medical technology company Stryker on March 11.
According to the announcement, Iran’s Ministry of Intelligence and Security (MOIS) created and runs Handala as a fabricated activist persona to conduct psychological operations against the regime’s enemies, publish stolen data, and claim credit for cyberattacks. The group also allegedly called for the killing of journalists, dissidents, and Israeli individuals.
In the Stryker attack, hackers remotely wiped tens of thousands of employee devices. Handala said the breach was retaliation for a U.S. air strike on an Iranian school that, according to Iranian officials, killed 168 children.
Seizures and Scope
Hours before the Justice Department’s press release, the FBI seized two websites Handala used to publicize attacks and post personal information of people allegedly linked to the Israeli military and defense contractors. Two additional domains tied to a separate MOIS persona — called “Justice Homeland” or “Homeland Justice” — were also seized. Those domains were connected to the 2022 hacking of the Albanian government, an attack that knocked government servers offline and resulted in sensitive data theft. Microsoft had previously attributed that Albanian intrusion to the same Iranian ministry.
FBI Director Kash Patel was quoted in the release saying the bureau “took down four of their operation’s pillars and we’re not done.”
A court affidavit submitted by the FBI states that Handala, Justice Homeland, and a third persona called Karma Below “are part of the same conspiracy because they are operated by the same individuals.”
Handala dismissed the actions in a Telegram post, calling them “nothing more than the latest desperate attempts by the United States and its allies to silence the voice of Handala.” DomainTools researcher Keith O’Neill noted the group had already registered new domains not yet seized by authorities.
Structural Uncertainty
Alex Orleans, head of threat intelligence at Sublime Security and a longtime tracker of Iranian hacking operations, said the public attribution may not capture the full operational picture. “Handala does not necessarily equate, one-to-one, with the actors conducting the activities it’s taking credit for,” he said. “There could be multiple teams conducting actual intrusions while a distinct team is responsible for maintaining the persona — with all of these distinct elements coexisting within a larger unified MOIS element.” He added: “There’s a level of opacity there that can be difficult to penetrate.”
Stryker, Iran’s Permanent Mission to the United Nations, and Handala itself did not respond to requests for comment.
This article is a curated summary based on third-party sources.