The FBI appears to be seizing a website tied to an Iranian cyberattack on Stryker

The FBI appears to have seized the website of an Iran-linked hacking group that said it was responsible for the most significant known cyber attack on a US company since the war between the countries began in February.
The site, which previously reported on the group’s alleged exploits and hosted stolen files for download, was replaced on Tuesday with an image featuring the Justice Department and FBI logos. The agencies did not respond to a request for comment.
“Law enforcement authorities have determined that this site is being used to conduct, direct, or support malicious cyber activities on behalf of, or in collaboration with, a foreign national actor,” the site said.
The group, called Handala, is widely believed by American and Israeli cybersecurity experts to be the work of Iran's Ministry of Intelligence and Security. The U.S. government has yet to publicly attribute the group to any Iranian agency.
Last week, Handala gained notoriety for hacking Stryker, a Michigan-based, Fortune 300 medical technology company with offices around the world.
The group's X account has also been suspended, but its Telegram channel was still active as of Thursday morning. In it, the group admitted that it had lost control of the domain.
“To all truth seekers and defenders of justice, We inform you that the Handala RedWanted website, which was dedicated to exposing Zionist crimes and raising awareness around the world, has also been taken down and taken offline by order of the FBI. This brutal act shows the extent to which the enemies of truth will go to silence voices expressing their cruelty,” it said.
The Telegram post also announced a new website, saying it would be live soon.
While there is no indication that the Stryker cyberattack was technically sophisticated, it still disrupted the company’s “order processing, manufacturing and shipping,” the company said in a filing with the Securities and Exchange Commission.
In its public statements, Stryker said the hackers were only able to access the company’s Microsoft accounts. Hackers appear to have gained access to a Microsoft system called Intune, which is used to remotely manage corporate phones and laptops, and simply chose to delete all data from the devices en masse, cybersecurity experts and a company employee told NBC News.
Historically, some of Iran's most significant cyber attacks have been "wipers," malware that destroys data across a victim's computer network en masse.
It's unclear how much of a threat Iranian hackers pose to the US, however. Handala has not announced any significant operations since the Stryker hack more than a week ago. The only other major company the group has claimed to have hacked recently is Israeli company Verifone, which told NBC News that it has not experienced any attacks on its systems. Both the Israeli military and the US military are still involved in ongoing strikes against Iranian forces and other government targets.
The acting director of the Cybersecurity and Infrastructure Security Agency, Nick Andersen, told reporters at a briefing on Wednesday that there had been no disruption in cyber threats since the war with Iran began, cybersecurity website The Record reported.
CISA also finally publicly acknowledged the hack on Wednesday evening, with an announcement that companies should take extra care to protect access to their Microsoft Intune accounts.
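One practical follow-on to the Intune description above and to CISA's advice: a fleet wipe through a device-management console shows up in the console's audit trail as many destructive commands from one account in a short time, which is something a security team can alert on before most of the fleet is gone. The script below is an added example, not code from NBC News, Stryker, CISA or Microsoft; the JSON-lines log format, field names, action names and thresholds are constructed assumptions, and a real Intune audit export would need to be mapped onto them.

```python
"""Flag bursts of remote-wipe commands in a device-management audit log.

Added example. The log shape below (fields: time, actor, action, device) is
a constructed, generic format and NOT the real Intune audit schema; map the
real export onto these fields when adapting this.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical thresholds: more than MAX_WIPES destructive commands from one
# actor inside WINDOW is treated as a mass-wipe event worth paging on.
MAX_WIPES = 3
WINDOW = timedelta(minutes=10)

# Constructed action names for destructive device commands.
WIPE_ACTIONS = {"wipe", "retire"}

# Constructed sample log: a help-desk account doing routine single wipes hours
# apart, and a service account issuing five wipes inside two minutes.
SAMPLE_LOG = """
{"time": "2026-03-10T09:00:00", "actor": "helpdesk@example.com", "action": "sync", "device": "LAPTOP-0007"}
{"time": "2026-03-10T09:05:00", "actor": "helpdesk@example.com", "action": "wipe", "device": "LAPTOP-0007"}
{"time": "2026-03-10T13:00:00", "actor": "svc-mdm@example.com", "action": "wipe", "device": "LAPTOP-0101"}
{"time": "2026-03-10T13:00:30", "actor": "svc-mdm@example.com", "action": "wipe", "device": "LAPTOP-0102"}
{"time": "2026-03-10T13:01:00", "actor": "svc-mdm@example.com", "action": "wipe", "device": "PHONE-0201"}
{"time": "2026-03-10T13:01:30", "actor": "svc-mdm@example.com", "action": "wipe", "device": "PHONE-0202"}
{"time": "2026-03-10T13:02:00", "actor": "svc-mdm@example.com", "action": "wipe", "device": "LAPTOP-0103"}
{"time": "2026-03-10T15:00:00", "actor": "helpdesk@example.com", "action": "wipe", "device": "LAPTOP-0009"}
"""


def parse_events(lines):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    events.sort(key=lambda r: r["time"])
    return events


def detect_mass_wipes(lines, max_wipes=MAX_WIPES, window=WINDOW):
    """Return one alert per actor the first time its sliding-window count of
    destructive commands exceeds max_wipes. Non-destructive actions are ignored."""
    recent = defaultdict(deque)  # actor -> timestamps of recent wipe commands
    alerted = set()
    alerts = []
    for ev in parse_events(lines):
        if ev["action"] not in WIPE_ACTIONS:
            continue
        q = recent[ev["actor"]]
        q.append(ev["time"])
        # Drop commands that fell out of the window.
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) > max_wipes and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append({
                "actor": ev["actor"],
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ev["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_wipes(SAMPLE_LOG.splitlines()):
        print(f"MASS WIPE: {alert['actor']} issued {alert['count']} wipes "
              f"between {alert['first']} and {alert['last']}")
```

The threshold fires on the fourth wipe from the service account, so the alert arrives while the remaining devices could still be protected (for example by disabling the account), which is the point of watching for the burst rather than reviewing wipes after the fact. Pair this with the access controls the advisory implies: strong authentication on the management console and a small, audited set of accounts allowed to issue device-wide destructive actions.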
Gil Messing, Chief of Staff of Check Point, an Israeli cybersecurity firm, said the FBI's seizure of Handala's website will help counter the perception of Iran's cyber capabilities.
“It is an important step, since most of Handala’s work was to publish their work and create the effect of physical harm, even if it is exaggerated. Therefore, removing their websites and channels hits them where it is important,” he said.
However, it may be part of an ongoing game of whack-a-mole, Messing said.
“In the past they have been able to bypass the downgrade by bringing in new channels.”