The US Department of Justice has accused the Iranian government of being behind the Handala hacktivist group, which last week claimed responsibility for the devastating cyberattack against US medical technology giant Stryker.
In a press release published on Thursday, the Justice Department said Iran’s Ministry of Intelligence and Security (MOIS) operates Handala.
The Justice Department called the group a fake activist persona that the Iranian ministry used to conduct “psychological operations” against regime enemies, claim responsibility for cyberattacks and publish stolen information obtained during those hacks. The group also called for the killing of journalists, dissidents and Israeli individuals, according to the Justice Department.
The announcement came hours after the FBI seized two websites linked to Handala, as first reported by TechCrunch. The group used the websites to publicize its alleged cyberattacks, as well as to publish the personal information of dozens of people who allegedly worked for the Israeli military and defense contractors.
Handala took credit on its website for the March 11 cyberattack on Stryker, in which hackers remotely wiped tens of thousands of employee devices. The hackers said the breach was in retaliation for a US airstrike on an Iranian school that killed 168 children, according to Iranian officials.
FBI Director Kash Patel was quoted in the DOJ press release as saying that the FBI “took down four of the pillars of the operation, and we’re not done.”
In addition to the two websites used by Handala, the Justice Department also seized two other domains allegedly used by Iran’s MOIS through another hacktivist persona calling itself “Justice Homeland” or “Homeland Justice.” The Justice Department has accused Iranian government hackers of using those two domains to claim responsibility for hacking the Albanian government in 2022, in a cyberattack that resulted in government servers being taken offline and sensitive data stolen. Microsoft also linked the attack against the Albanian government to MOIS.
In an affidavit filed in court to support the seizure of Handala’s websites, the FBI said Handala, Justice Homeland and another hacktivist persona called Karma Below, “are part of the same conspiracy because they are operated by the same people.”
Handala responded to the DOJ’s announcement in a statement posted on its official Telegram channel, where the hackers called the US government’s actions “nothing more than the last desperate efforts of the United States and its allies to silence Handala’s voice.”
DomainTools cybersecurity researcher Keith O’Neill told TechCrunch that Handala has already created new domains that have yet to be seized.
The hacking group did not respond to a request for comment sent to a chat account made public by the hackers, as well as to an email address identified by the Justice Department in its affidavit.
A spokesman for Iran’s Permanent Mission to the United Nations did not respond to TechCrunch’s request for comment. Stryker also did not respond to a request for comment.
Alex Orleans, head of threat intelligence at Sublime Security, who has been tracking Iranian hackers for years, told TechCrunch that it’s possible the people behind the Handala persona aren’t the same people doing the actual hacking.
“Handala does not necessarily equate, one-to-one, with the actors who conduct the activities for which it takes credit,” Orleans said. “There could be multiple teams doing actual intrusions, while a separate team is responsible for maintaining the persona — with all of these separate elements co-existing in a larger unified MOIS element.”
“There’s a level of opacity there that can be hard to penetrate,” he said.
