
The FBI has seized two websites operated by the Handala hacktivist group after a destructive cyberattack targeting U.S.-based medical technology company Stryker resulted in the wiping of approximately 80,000 devices.
The domains handala-redwanted[.]to and handala-hack[.]to now display a federal seizure notice indicating they were taken under a warrant issued by the U.S. District Court for the District of Maryland. The notice states that the domains were used to conduct or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor.
The message further indicates that authorities determined the infrastructure was involved in unauthorized network intrusions, infrastructure targeting, or other violations of U.S. law. Control of the domains has been transferred to the U.S. government to disrupt ongoing operations and prevent further exploitation.
Handala, also known as Handala Hack Team, Hatef, and Hamsa, is an Iranian-linked, pro-Palestinian hacktivist group that emerged in December 2023. The group has been associated with cyber operations aligned with Iran’s Ministry of Intelligence and Security and has previously targeted Israeli organizations using destructive malware designed to wipe both Windows and Linux systems.
Technical indicators show that the seized domains are now using name servers commonly associated with FBI takedowns, including ns1.fbi.seized.gov and ns2.fbi.seized.gov. It remains unclear whether authorities have also obtained access to backend systems, including site data or server logs.
The enforcement action follows a large-scale cyberattack attributed to Handala against Stryker, a U.S.-based medical technology manufacturer specializing in medical devices and equipment. In that incident, attackers gained access to a Windows domain administrator account and established a new Global Administrator account to expand control within the environment.
Using Microsoft Intune, the attackers issued remote "wipe" commands that triggered factory resets across an estimated 80,000 devices, including corporate computers and mobile devices. Any device enrolled in company management was in scope, so the resets also hit some personally owned employee devices.
Handala has acknowledged the disruption of its online infrastructure and indicated plans to rebuild. In a message posted on Telegram, the group stated that it is working to establish new digital platforms and intends to continue its operations.
Following the attack, Microsoft and the Cybersecurity and Infrastructure Security Agency released guidance aimed at strengthening Windows domain security and improving protections around Intune deployments to mitigate the risk of similar incidents.
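The sequence reported above (a newly created Global Administrator followed by a burst of Intune wipe commands) is exactly the pattern a defender would want to alert on. The following is an added example, not code from the article or from Microsoft or CISA: it runs over a constructed, simplified audit feed whose field names are an assumption for illustration, not the real Entra or Intune audit schema, and flags wipes issued by a freshly granted Global Administrator as well as wipe bursts by any actor.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real incident data). The flat "ts/actor/activity/
# target/detail" layout is an assumed simplification of role-assignment and
# device-action audit records, chosen so the example runs offline.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T01:05:00", "actor": "domain-admin", "activity": "Add member to role",
     "target": "new-admin", "detail": "Global Administrator"},
    {"ts": "2025-03-01T01:20:00", "actor": "new-admin", "activity": "wipe",
     "target": "LAPTOP-0001", "detail": "ManagedDevice"},
    {"ts": "2025-03-01T01:21:00", "actor": "new-admin", "activity": "wipe",
     "target": "LAPTOP-0002", "detail": "ManagedDevice"},
    {"ts": "2025-03-01T01:21:30", "actor": "new-admin", "activity": "wipe",
     "target": "PHONE-0003", "detail": "ManagedDevice"},
    # A lone helpdesk wipe hours later: routine, should not alert.
    {"ts": "2025-03-01T09:00:00", "actor": "helpdesk", "activity": "wipe",
     "target": "LAPTOP-0100", "detail": "ManagedDevice"},
]


def detect_wipe_abuse(events, ga_window=timedelta(hours=24),
                      burst_window=timedelta(minutes=10), burst_threshold=3):
    """Return alerts for (a) any Global Administrator grant, (b) wipes issued by a
    principal granted GA within ga_window, and (c) burst_threshold wipes by one
    actor inside burst_window. Events are processed in timestamp order."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    new_admins = {}      # principal -> time it was granted Global Administrator
    wipes_by_actor = {}  # actor -> timestamps of recent wipes
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["activity"] == "Add member to role" and e["detail"] == "Global Administrator":
            new_admins[e["target"]] = t
            alerts.append({"type": "new_global_admin", "actor": e["actor"],
                           "principal": e["target"], "ts": e["ts"]})
        elif e["activity"] == "wipe":
            actor = e["actor"]
            granted = new_admins.get(actor)
            if granted is not None and t - granted <= ga_window:
                alerts.append({"type": "wipe_by_new_admin", "actor": actor,
                               "device": e["target"], "ts": e["ts"]})
            recent = [w for w in wipes_by_actor.get(actor, []) if t - w <= burst_window]
            recent.append(t)
            wipes_by_actor[actor] = recent
            if len(recent) == burst_threshold:  # fire once when the threshold is crossed
                alerts.append({"type": "wipe_burst", "actor": actor,
                               "count": len(recent), "ts": e["ts"]})
    return alerts
```

In production the same logic would read role-assignment events and Intune device-action events from their real audit sources, and the burst threshold would be tuned against the organisation's normal wipe volume.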
The FBI has not issued a separate public statement beyond the seizure notice, and the full scope of the law enforcement action remains under investigation.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543