The U.S. Justice Department accused Iran’s government of being behind the hacktivist group Handala, which last week claimed responsibility for the destructive cyberattack against the U.S. medical tech giant Stryker. 

In a press release published on Thursday, the Justice Department said Iran’s Ministry of Intelligence and Security (MOIS) is operating Handala. 

The Justice Department called the group a fake activist persona that the Iranian ministry used to carry out “psychological operations” against the regime’s enemies, to claim responsibility for cyberattacks, and to publish stolen information obtained during those hacks. The group also called for the killing of journalists, regime dissidents, and Israeli persons, per the DOJ. 

The announcement came hours after the FBI seized two websites linked to Handala, as first reported by TechCrunch. The group used the websites to publicize its alleged cyberattacks, as well as to publish the personal information of dozens of people who allegedly worked for the Israeli military and defense contractors. 

Handala took credit on its website for the March 11 cyberattack on Stryker, during which the hackers remotely wiped tens of thousands of employee devices. The hackers said the breach was in retaliation for a U.S. air strike on an Iranian school, which killed 168 children, according to Iranian officials.

FBI director Kash Patel was quoted in the DOJ’s press release as saying that the FBI “took down four of their operation’s pillars and we’re not done.”

Apart from the two websites used by Handala, the DOJ also seized two other domains allegedly used by Iran’s MOIS via another hacktivist persona calling themselves “Justice Homeland” or “Homeland Justice.” The DOJ accused Iranian government hackers of using those two domains to claim responsibility for hacking the Albanian government in 2022, in a cyberattack that resulted in government servers being taken offline and the theft of sensitive data. Microsoft also linked the attack against the Albanian government to the MOIS.

In an affidavit submitted in court to support the seizure of Handala’s websites, the FBI said that Handala, Justice Homeland, and another hacktivist persona called Karma Below, “are part of the same conspiracy because they are operated by the same individuals.”

Handala responded to the DOJ’s announcement in a statement posted on its official Telegram channel, where the hackers called the U.S. government actions “nothing more than the latest desperate attempts by the United States and its allies to silence the voice of Handala.”

DomainTools’ cybersecurity researcher Keith O’Neill told TechCrunch that Handala has already set up new domains that have not yet been seized.

The hacking group did not respond to a request for comment sent to a chat account publicized by the hackers, as well as an email address identified by the Justice Department in its affidavit. 

A spokesperson for Iran’s Permanent Mission to the United Nations did not respond to TechCrunch’s request for comment. Stryker also did not respond to a request for comment.

Alex Orleans, the head of threat intelligence at Sublime Security who has tracked Iranian hackers for years, told TechCrunch that it is possible that the people behind the Handala persona are not the same individuals doing the actual hacking. 

“Handala does not necessarily equate, one-to-one, with the actors conducting the activities it’s taking credit for,” said Orleans. “There could be multiple teams conducting actual intrusions while a distinct team is responsible for maintaining the persona — with all of these distinct elements coexisting within a larger unified MOIS element.”

“There’s a level of opacity there that can be difficult to penetrate,” he said.

View Bio