US says Iran-linked hacktivist group behind cyberattack on Stryker
The US government alleges an Iran-linked hacktivist group carried out a cyberattack on Stryker, raising concerns over state-backed cyber operations targeting critical industries.
The U.S. Justice Department has accused the Iranian government of being behind the hacktivist group Handala, which recently claimed responsibility for a disruptive cyberattack targeting the U.S. medical technology company Stryker.
In a press release issued on Thursday, the Justice Department stated that Iran’s Ministry of Intelligence and Security (MOIS) is responsible for operating the Handala group. Officials described the group as a fabricated activist persona used by the Iranian government to conduct psychological operations, publicly claim responsibility for cyberattacks, and release stolen data obtained through those operations. According to the department, the group has also issued threats, including calls for violence against journalists, political dissidents, and individuals connected to Israel.
The announcement followed closely after the FBI took control of two websites associated with Handala. These sites were used by the group to publicise its cyber activities and to disclose personal details of individuals allegedly linked to the Israeli military and defence sector.
Handala had previously taken responsibility for the March 11 cyberattack on Stryker. During that incident, attackers reportedly gained access to internal systems and remotely erased data from tens of thousands of employee devices. The group claimed the attack was carried out in response to a U.S. airstrike on a school in Iran, which Iranian authorities said resulted in the deaths of 168 children.
FBI Director Kash Patel was quoted in the Justice Department’s statement, noting that authorities had disrupted several key components of the group’s operations and indicating that further actions could follow.
In addition to the two Handala-related websites, the Justice Department also seized two other domains allegedly linked to Iran’s intelligence operations under a separate online identity known as “Justice Homeland” or “Homeland Justice.” U.S. officials allege these domains were used to claim responsibility for a 2022 cyberattack against the Albanian government, which caused significant disruption by taking government servers offline and exposing sensitive information. Microsoft had previously attributed that incident to Iran’s intelligence services.
Court filings submitted by the FBI suggest that Handala, Justice Homeland, and another online persona known as Karma Below are connected and form part of a broader coordinated effort. Investigators believe these identities are operated by the same network of individuals working within or on behalf of Iran’s intelligence apparatus.
Following the announcement, Handala issued a response through its official Telegram channel, describing the actions taken by U.S. authorities as an attempt to suppress its activities. The group characterised the seizures as part of a broader effort by the United States and its allies to silence its messaging.
Despite the takedowns, cybersecurity researchers say the group remains active. Keith O’Neill of DomainTools noted that new domains associated with Handala have already been registered and remain operational.
Attempts to contact the group for comment through its publicly listed communication channels were unsuccessful.
Alex Orleans, head of threat intelligence at Sublime Security, suggested that the individuals maintaining the Handala persona may not be directly responsible for carrying out the cyber intrusions themselves. He explained that multiple teams may be involved, with some handling technical operations while others manage the public-facing identity, all operating under a coordinated structure connected to Iran’s intelligence services.