The U.S. Department of Justice has accused the Iranian government of being behind the hacktivist group Handala, which last week claimed responsibility for a devastating cyberattack on U.S. medical technology giant Stryker.
Iran's Ministry of Intelligence and Security (MOIS) operates Handala, the Justice Department said in a press release issued Thursday.
The Justice Department claimed the group was a fake activist group used by the Iranian ministry to conduct “psychological operations” against the regime's enemies, claim responsibility for cyberattacks, and publish stolen information obtained in hacks. The group also called for the killing of journalists, dissidents and Israelis, according to the Justice Department.
As first reported by TechCrunch, the announcement came hours after the FBI seized two websites linked to Handala. The group used these websites to publicize its alleged cyberattacks, as well as the personal information of dozens of people who allegedly worked for the Israeli military and defense contractors.
Handala claimed responsibility on its website for the March 11 cyberattack on Stryker in which hackers remotely wiped tens of thousands of employee devices. The hackers claimed the intrusion was in retaliation for U.S. airstrikes on schools in Iran that killed dozens of children.
FBI Director Kash Patel reportedly said in a Justice Department press release that the FBI “has defeated the four pillars of the operation, but we are not done yet.”
Apart from the two websites used by Handala, the Department of Justice also seized two other domains allegedly used by Iran's MOIS through another hacktivist persona calling itself “Justice Homeland” or “Homeland Justice.” The Justice Department accused Iranian government hackers of using these two domains to hack the Albanian government in 2022, claiming responsibility for a cyberattack that took government servers offline and stole sensitive data. Microsoft also linked attacks against the Albanian government to MOIS.
In an affidavit filed in court in support of the seizure of Handala's website, the FBI said Handala, Homeland Justice, and another hacktivist persona called Karma Below “are part of the same conspiracy because they are run by the same individuals.”
Handala responded to the Justice Department's announcement in a statement posted on its official Telegram channel, in which the hackers criticized the U.S. government's actions as “nothing more than the latest desperate attempt by the United States and its allies to silence Mr. Handala's voice.”
Keith O'Neill, a cybersecurity researcher at DomainTools, told TechCrunch that Handala has already set up new domains, but they haven't been seized yet.
The hacker group did not respond to requests for comment sent to chat accounts published by the hackers or to email addresses identified by the Justice Department in the affidavit.
A spokesperson for Iran's mission to the United Nations did not respond to TechCrunch's request for comment. Stryker also did not respond to requests for comment.
Alex Orleans, director of threat intelligence at Sublime Security, who has been tracking Iranian hackers for years, told TechCrunch that the people behind the Handala persona may not be the same people actually doing the hacking.
“Handala does not necessarily work one-on-one with the actors whose work we celebrate,” Orleans said. “While there may be multiple teams performing the actual intrusion, separate teams are responsible for maintaining the personas. All of these separate elements coexist within a larger, unified MOIS element.”
“There is a level of opacity there that is difficult to penetrate,” he said.

