
A website operated by a hacking group linked to the Iranian government that claimed to have carried out a March 11 cyber attack on US medical device company Stryker was back online a day after the Federal Bureau of Investigation (FBI) and the Justice Department seized its domains.
The Department of Justice said on Thursday that it had taken control of four domains linked to the “Handala Hack Team”. It also said that Handala is one of many publicly available identities used by a hacking unit linked to Iran’s Ministry of Intelligence and Security as part of its psychological operations.
In a post on its website on Friday, Handala said the seizures were “desperate attempts by the United States and its allies to silence Handala’s voice”, Reuters reported.
According to a partially redacted FBI affidavit filed in support of the seizure, the domains used to first claim responsibility for the attack on the Michigan-based Stryker were removed.
What did the DoJ say?
The Department of Justice said it had seized four domains as part of an ongoing effort to disrupt hacking and transnational repression operations allegedly carried out by Iran’s Ministry of Intelligence and Security.
“The seized domains – Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to – were used by MOIS to support attempted psychological operations targeting regime opponents by taking credit for hacking activities, publishing sensitive data stolen during these hacks, and Israeli journalists being killed by individuals and Israeli regimes,” the DoJ said.
The FBI affidavit “states that there is probable cause to believe that the operators of the ‘Handala’ persona are members of a conspiracy that carried out a destructive malware attack against a US multinational health technology firm,” a Justice Department spokesman told Reuters on Friday.
Although the company’s name was blacked out in the document, the affidavit referred to the March 11 cyberattack on a major U.S. multinational medical technology company and cited a Handala report announcing the attack on Stryker.
Stryker thanks the US government
In a March 19 statement on its website, Stryker said it was restoring systems that directly support customers, ordering and shipping, but that its products were safe.
“We are grateful to the government for its efforts to seize domains associated with the alleged threats,” the company said.
Meanwhile, Ari Ben Am, adjunct fellow at the Center for Cyber and Technological Innovation at the Foundation for Defense of Democracies, said the rapid return underscores the resilience of public-facing identities used by Iran-linked hacking groups.
“Iranian threat actors, especially MOIS, are no strangers to takedowns. Handala alone has had dozens of Telegram channels, X accounts and domains taken down, and the takedown has never significantly slowed them down. It will be trivial for Handala and its MOIS operators to get this content back on another domain very, very soon,” Reuters quoted Ben Am as saying.
The development comes amid a US-Israeli-Iranian conflict that has escalated sharply since February 28, when the US and Israel launched strikes on Iran. Since then, Iran has retaliated against Israeli, American and some Gulf-linked targets, while the fighting has spread to energy infrastructure across the region.
The conflict has also disrupted the Strait of Hormuz, a vital route for global oil and gas supplies, contributing to a major global energy shock. Meanwhile, the US has reportedly sent more troops and warships to the region, although President Donald Trump has said Washington may consider “winding down” operations.
(With inputs from Reuters)





