FBI Seizes Sites of Hacking Group Behind Data-Wiping Attack On Stryker


The FBI has seized two sites belonging to the pro-Iranian hacking group behind the data-wiping cyberattack on US medical equipment provider Stryker. 

The two sites for the hacking group Handala have been spotted displaying seizure notices that say the FBI received a court warrant to take over the domains. 

“This seizure is part of a continuing FBI operation to identify, disrupt, and hold accountable those responsible for hostile cyber activities directed against the United States, its institutions, and its partners,” the notices add.

The FBI didn’t immediately respond to a request for comment. But domain lookups confirm the two Handala sites now redirect to FBI servers. 

The seizures come as Handala has been bragging about last week’s attack on Stryker. Although no medical devices were affected, the breach allowed the group to wipe data across the company’s IT systems, along with employee phones.

“During this operation, over 200,000 critical systems of this company were targeted and 12 petabytes of data (equivalent to 12,000 terabytes) were permanently wiped,” the group claimed in a post on one of the seized sites on Monday. The same post included screenshots, indicating the hacking group was able to gain access to Stryker’s internal systems and possibly steal files.

The FBI’s seizure of the two sites might help federal investigators uncover details about the hacking group, which was previously involved in pro-Palestinian hacktivism. But according to a message posted on Telegram, Handala is already preparing to launch a new site to replace the seized domains. 

Tammy Harper, a security researcher at Flare, also wrote: “So while the domains are down for now, this looks more like a disruption of their distribution layer than anything else. And based on how they’ve operated so far, it’s unlikely to slow them down for long.”


Handala pulled off the data-wiping operation by targeting Stryker’s Microsoft software environments, including Intune, which lets companies remotely control and manage devices, including Android and iOS phones. However, BleepingComputer reports that the hacker-initiated wipe command issued through Intune affected nearly 88,000 devices, rather than 200,000, and that there’s no evidence that Handala exfiltrated data.

For now, Stryker has only said in an update posted on Sunday: “The event only affected Stryker’s internal Microsoft corporate environment. This was not a ransomware attack, and there is no evidence of malware deployed to our systems. The incident has been contained, and we are now in the restoration process, which is progressing steadily.”

The attack “did not affect any of our products—connected or otherwise,” the company added. “We are prioritizing restoration of systems that directly support customers, ordering and shipping. Our core transactional systems are already on a clear path to full recovery, and we will continue to provide updates as progress is made.”


National Cyber Security