Council News
Justice Department Seizes Domains Used by Iranian Hacker Group

National Security · 4 sources · 2h ago

After review, the Council found the article leans right due to its framing of Iran as an active and malicious cyber threat to U.S. national and economic security, relying heavily on statements from the FBI and an Israeli cybersecurity company to reinforce this narrative without offering counter perspectives.

The Justice Department seized domains linked to an Iran hacker group, revealing a counter-cybersecurity operation.

Justice Department seizes domains linked to Iran hacker group—specific law enforcement action disrupting cybercriminal infrastructure.

The Justice Department seized domains linked to an Iranian hacker group, disrupting cyber operations that affect global online security and preventing potential attacks on users.

Disrupting Cyber Operations

The Justice Department seized four internet domains linked to Iran, including one used by a hacker group that claimed responsibility for a cyberattack on a U.S. medical tech company. The domains, "Justicehomeland.org," "Handala-Hack.to," "Karmabelow80.org," and "Handala-Redwanted.to," were also used by the Iranian Intelligence and Security Ministry to claim credit for hacking and to post sensitive data, the Justice Department said Thursday.

Handala Team's Activities

Handala Team, which cybersecurity companies say has ties to the Iranian Intelligence Ministry, claimed responsibility for hacking Stryker, a Michigan-based, Fortune 300 medical tech company. According to the Justice Department, the group used the domain Handala-hack.to to claim credit for the malware attack. The group also posted photos and details of roughly 190 people affiliated with the Israel Defense Forces or government.

Impact on Stryker

The Stryker cyberattack disrupted the company's "order processing, manufacturing and shipping," according to a filing with the Securities and Exchange Commission. The hackers appear to have accessed a Microsoft program called Intune, used to remotely manage corporate phones and laptops, and simply chose to delete all data on devices en masse, cybersecurity experts and a company employee told NBC News. In its public statements, Stryker said the hackers were only able to access the company's Microsoft accounts.

Iranian Regime's Use of Cyberspace

Jimmy Paul, FBI Baltimore's special agent in charge, said the "Iranian regime exploits cyberspace to advance authoritarian objectives, suppress democratic institutions, and undermine our national and economic security." The group also harassed and sent death threats to Iranian dissidents and journalists, both in the U.S. and abroad. The other two domains were used to make claims that sensitive documents and data were stolen from the Albanian government.

Ongoing Cyber Threat

Handala has not announced any significant operations since the Stryker hack more than a week ago. The only other major company it has claimed to hack recently is Israeli company Verifone, which denied experiencing any attacks on its systems. The acting director of the Cybersecurity and Infrastructure Security Agency, Nick Andersen, told reporters at a conference Wednesday that there had not been an uptick in cyber threats since the war with Iran started, The Record reported. CISA also publicly acknowledged the hack Wednesday evening, with an announcement that companies should take care to secure access to their Microsoft Intune accounts.

Combating the Perception of Iranian Cyber Ability

Gil Messing, the Chief of Staff of Check Point, an Israeli cybersecurity company, said the FBI seizing the Handala site would help combat the perception of Iran's cyber ability. Handala's X account was also suspended, but its Telegram channel was still active as of Thursday morning. The Telegram post also announced a new website that it said would be live soon. Jimmy Paul, FBI Baltimore's special agent in charge, said the FBI will "act swiftly, deliberately, and proactively to disable cyber threats to America."

How others covered this story
NBC News Leans Left
Justice Department seizes domains linked to Iran hacker group
NBC News focuses on the Justice Department's action in seizing the domains and linking them to Iranian intelligence and a specific cyberattack on a U.S. medical tech company. The framing is straightforward, highlighting the disruption of Iranian cyber operations.
