FBI Seizes Two Websites Linked to Pro-Iranian Group Handala
2026-3-19 20:11:11 Author: securityboulevard.com

The FBI this week seized two websites belonging to a pro-Iranian hacktivist organization that claimed responsibility for the data-wiping attack on U.S. medical tech company Stryker and is among the most active of the myriad threat groups that mobilized when the U.S. and Israeli air strikes on Iran began more than two weeks ago.

The two domains – one Handala used as a data leak site and another to target people with possible links to Israeli defense contractors – now display seizure announcements from the FBI. Neither the agency nor the Justice Department (DOJ) has released statements about the move.

That said, the announcements themselves say the sites were seized pursuant to a U.S. Federal Court warrant, adding that “law enforcement authorities determined this site was used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor. These activities may include unauthorized network intrusions, infrastructure targeting, or other violations of United States law.”

According to reports, the Handala group confirmed on its official Telegram channel that the websites were seized and taken offline, adding that the action was a “desperate attempt to silence our voice.”

“This act of digital aggression only serves to highlight the fear and anxiety our actions have instilled in the hearts of those who oppress and deceive,” the hackers wrote, according to TechCrunch. “Although they attempt to erase the evidence and hide their crimes through censorship and intimidation, their actions only confirm the impact of our mission. The pursuit of justice cannot be stopped by taking down a website, the movement for truth will persist and grow stronger.”

The news site noted that Handala’s X site also was suspended.

A Widening Cyberthreat Surface

This comes amid a surge of cyberthreats in retaliation for the bombings of Tehran and other places in the country, and as Iran – through kinetic warfare and through cyberspace – also targeted other countries in the Middle East deemed to be aligned with the United States.

CloudSEK security intelligence analysts said that within hours of the start of the bombing by the United States and Israel, more than 60 pro-Iranian hacktivist gangs mobilized to join nation-state threat groups run by Iran’s Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS).

Akamai researchers wrote that in the first two weeks of the war, they saw a 245% jump in attempts by threat actors to attack critical institutions and businesses around the world.

Multiple Targets

Handala, which has been active since 2023 and has targeted Israeli organizations with data-wiping and other attacks, has become among the most active of the threat actors. Flashpoint, which has been tracking the activity in both the kinetic fighting and the battle in cyberspace, noted the group has taken credit for attacks, such as a data-wipe and exfiltration operation against the Hebrew University of Jerusalem – saying it erased more than 48 TB of data and exfiltrated 23 TB of confidential information – and claiming to have leaked 100,000 personal emails from the former head of Mossad’s research organization.

However, it was last week’s attack on Stryker – which has headquarters in Portage, Michigan, but about 56,000 employees around the world and generated more than $25 billion in net sales last year – that stands out. Handala said it was able to erase the data from about 80,000 corporate and personal devices, including computers, servers, and mobile devices. The attackers were able to get into the network by compromising a Windows domain administrator account and used a command in Microsoft Intune to force a factory reset on the devices. No malware was needed.

Since the attack, Microsoft and CISA have published steps organizations should take to strengthen Intune management controls. In addition, Stryker has been giving updates about its efforts to restore and better protect its devices.

Pressure Is On Defenders

Brian Bell, CEO of FusionAuth, which makes authentication and user management software, said that the attack on Stryker showed that authentication and authorization are not the same thing and that companies going forward will need to make adjustments to protect themselves.

“Attackers didn’t need to break in,” Bell said about the Stryker incident. “They walked through the front door with compromised credentials. The missing safeguard is contextual: organizations need systems that can recognize when a privileged action is anomalous and require additional verification at that moment, not just at login. … The FBI’s seizure of Handala’s infrastructure is welcome, but the next group will find a new front door. The architectural fix has to happen on the defender’s side.”
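
The control Bell describes, authorizing a destructive action when it is requested rather than only at login, can be sketched as a rate-aware gate in front of device wipe commands. This is an added example, not code from the article, Stryker, Microsoft or FusionAuth; the action names, thresholds and the `PrivilegedActionGate` class are hypothetical.

```python
from collections import defaultdict, deque

# Hypothetical action names; map them to your management platform's audit events.
DESTRUCTIVE = {"wipe", "retire", "delete"}


class PrivilegedActionGate:
    """Authorize each destructive action at request time, not only at login."""

    def __init__(self, max_per_window=5, window_s=600, hard_cap=50):
        self.max_per_window = max_per_window  # above this: fresh verification
        self.window_s = window_s              # sliding window, in seconds
        self.hard_cap = hard_cap              # above this: refuse outright
        self._recent = defaultdict(deque)     # actor -> timestamps of allowed actions

    def decide(self, actor, action, ts, step_up_verified=False):
        if action not in DESTRUCTIVE:
            return "allow"
        q = self._recent[actor]
        # Drop allowed actions that have aged out of the sliding window.
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.hard_cap:
            return "deny"      # bulk destruction needs out-of-band approval
        if len(q) >= self.max_per_window and not step_up_verified:
            return "step_up"   # a valid session alone is not enough here
        q.append(ts)
        return "allow"


def replay(gate, events):
    """Run (actor, action, ts) tuples through the gate in order."""
    return [gate.decide(*e) for e in events]


# Constructed sample: one admin account issuing a wipe every 10 seconds.
SAMPLE = [("admin@example.test", "wipe", 10 * i) for i in range(8)]

if __name__ == "__main__":
    print(replay(PrivilegedActionGate(), SAMPLE))
```

With the defaults, the sixth wipe inside ten minutes is held for re-verification even though the session itself is valid, and a verified actor still cannot exceed the hard cap.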

Source: https://securityboulevard.com/2026/03/fbi-seizes-two-websites-linked-to-pro-iranian-group-handala/