The website operated by an Iranian government-linked hacking group that claimed it carried out a March 11 cyberattack on US medical device company Stryker was back online a day after the Federal Bureau of Investigation (FBI) and the Department of Justice seized its domains.
The Department of Justice said on Thursday that it had taken control of four domains linked to the “Handala Hack Team.” It also said Handala was one of many public-facing identities used by a hacking unit tied to Iran’s Ministry of Intelligence and Security as part of its psychological operations.
Handala said in a post on its website on Friday that the seizures were “desperate attempts by the United States and its allies to silence the voice of Handala”, Reuters reported.
According to a partially redacted FBI affidavit filed to support the seizure, the domains that were taken down included those used to first claim responsibility for the attack on Michigan-based Stryker.
What did DoJ say?
The Justice Department said it had seized four domains as part of an ongoing effort to disrupt hacking and transnational repression operations allegedly carried out by Iran’s Ministry of Intelligence and Security (MOIS).
“The seized domains - Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to - were used by the MOIS in furtherance of attempted psychological operations targeting adversaries of the regime by claiming credit for hacking activity, posting sensitive data stolen during such hacks, and calling for the killing of journalists, regime dissidents and Israeli persons," the DoJ said.
The FBI affidavit “asserts that there is probable cause to believe that the operators of the 'Handala' persona are members of a conspiracy that carried out a destructive malware attack against a U.S.-based multinational medical technologies firm," a DoJ spokesperson told Reuters on Friday.
Although the company’s name was blacked out in the document, the affidavit referred to a March 11 cyberattack on a major American multinational medical technology company and cited the Handala message announcing the attack on Stryker.
Stryker thanks US govt
Stryker said in a March 19 statement on its website that it was restoring the systems that directly support customers, ordering, and shipping, but that its products were safe.
"We're grateful to the government for their efforts to seize domains linked to the purported threat actors," the company said.
Meanwhile, Ari Ben Am, an adjunct fellow at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation, said the swift return underscored the resilience of the public-facing personas used by Iranian-linked hacking groups: takedowns remove a domain or account, not the operators behind it.
“Iranian threat actors, MOIS in particular, are no strangers to takedowns. Handala alone has had tens of Telegram channels, X accounts and domains taken down, and these takedowns have never slowed them down significantly. It will be trivial for Handala and its MOIS operators to get that content back up on another domain very, very soon,” Reuters quoted Ben Am as saying.
The developments come amid the US-Israel-Iran conflict, which has sharply escalated since February 28, when the US and Israel launched strikes on Iran. Since then, Iran has retaliated against Israeli, US, and some Gulf-linked targets, while the fighting has spilled into energy infrastructure across the region.
The conflict has also disrupted the Strait of Hormuz, a vital route for global oil and gas supplies, contributing to a major energy shock worldwide. The US has meanwhile reportedly sent additional troops and warships to the region, even as President Donald Trump has said Washington may consider "winding down" operations.