Image: Moritz Kindler via Unsplash

FBI takes down leak sites tied to Iran’s Ministry of Intelligence and Security

The FBI accused the Iranian government of using four domains to host information stolen from the government of Albania, Iranian dissidents, Israeli government officials and U.S. companies.

In a 40-page seizure warrant, the FBI outlined multiple digital campaigns launched by Iran’s Ministry of Intelligence and Security (MOIS) through a variety of online monikers, most recently going by the name “Handala.”

The Justice Department seized four domains — Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to — allegedly used by Iran’s MOIS in operations dating back to 2022. 

Last week, Handala took credit for an attack on Michigan-based medical tech company Stryker. The group used one of the sites to post information stolen from the company and boast of how it wiped thousands of the company’s devices. 

In court documents, the Justice Department provided more detailed descriptions of the impact of the attack on Stryker, which produces critical technology used in hospitals around the world.  

Prosecutors said the Stryker attack “had a direct impact on emergency medical services and hospitals within Maryland” and “prompted some hospitals to temporarily suspend connections” to the company out of fear of being affected by the wiper incident.

One Stryker employee stationed at a hospital in Maryland struggled to continue working after their device had been wiped following the cyberattack. 

Stryker produces a variety of hospital technology including bed sensors and hands-free communication devices that allow nurses and doctors to contact each other. 

Court documents said that "as a result of the disruption to [Stryker] systems… clinicians were instructed to rely on radio consultation and verbal description."

“The disruption to required clinical communication systems demonstrates that the cyberattack on [Stryker] in some cases interfered with the delivery of emergency medical care in Maryland hospitals,” prosecutors wrote. 

Stryker recently sent out urgent notices to customers assuring them that their technology is safe to use and is not connected to the cyberattack — which was targeted at internal corporate Microsoft systems. 

Yesterday, the FBI released guidance to users of Microsoft Intune, a service that lets IT departments remotely manage company devices. The hackers used a native Intune function — the device wipe feature — to destroy all company data on more than 200,000 devices across Stryker’s employee base in the U.S., Ireland, India and other countries. 
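Because the wipe was issued through a legitimate management feature, the defender's signal is not malware but an unusual volume of wipe commands in the tenant's audit trail. The script below is an added illustration, not part of the article and not from Microsoft or the FBI guidance: it scans Intune-style audit events and raises an alert when one actor issues wipe actions against many devices inside a short window. The event layout (activityType, activityDateTime, actor.userPrincipalName, resources[].displayName) is modelled on Microsoft Graph's deviceManagement auditEvents resource as I understand it and should be treated as an assumption; the threshold, window and sample events are constructed.

```python
"""Flag bursts of Intune remote-wipe actions in audit events.

Added example, not code from the article, Microsoft or the FBI guidance.
Event field names are assumed to follow Microsoft Graph's
deviceManagement auditEvents shape; adapt them to what your tenant
exports. Threshold, window and sample events are constructed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_MARKER = "wipe"            # assumed substring of activityType for a wipe
THRESHOLD = 5                   # wipes per actor per window (constructed tuning value)
WINDOW = timedelta(minutes=10)  # sliding window (constructed tuning value)


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def find_wipe_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per actor whose wipe count within any `window` reaches `threshold`."""
    per_actor = defaultdict(list)
    for ev in events:
        if WIPE_MARKER not in ev.get("activityType", "").lower():
            continue  # patches, syncs, policy changes etc. are not of interest here
        actor = ev.get("actor", {}).get("userPrincipalName", "<unknown>")
        devices = [r.get("displayName", "?") for r in ev.get("resources", [])]
        per_actor[actor].append((parse_time(ev["activityDateTime"]), devices))

    alerts = []
    for actor, wipes in per_actor.items():
        wipes.sort(key=lambda w: w[0])
        best = None  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(wipes)):
            # slide the window start forward until it fits within `window`
            while wipes[end][0] - wipes[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, start, end = best
            devices = sorted({d for _, ds in wipes[start:end + 1] for d in ds})
            alerts.append({
                "actor": actor,
                "count": count,
                "window_start": wipes[start][0].isoformat(),
                "devices": devices,
            })
    return alerts


def _event(ts, actor, activity, device):
    """Build one constructed audit event in the assumed Graph-like shape."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}],
    }


# Constructed sample: one routine wipe by helpdesk, one non-wipe action by admin,
# then six wipes by admin within five minutes.
SAMPLE_EVENTS = [
    _event("2026-03-01T09:00:00Z", "helpdesk@example.com", "Wipe ManagedDevice", "LAPTOP-0001"),
    _event("2026-03-01T09:05:00Z", "admin@example.com", "Patch ManagedDevice", "LAPTOP-0002"),
] + [
    _event(f"2026-03-01T09:{10 + i:02d}:00Z", "admin@example.com",
           "Wipe ManagedDevice", f"LAPTOP-{100 + i:04d}")
    for i in range(6)
]

if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} wipes from "
              f"{alert['window_start']} on {', '.join(alert['devices'])}")
```

On the constructed sample the helpdesk account's single wipe is ignored and the admin account's six wipes in five minutes produce one alert. In practice the threshold should sit above the tenant's normal offboarding rate, and the alert is a trigger to confirm the action with the named administrator and to check that the account is protected by phishing-resistant MFA and a limited wipe permission scope.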

Prosecutors said Handala also used its websites to post stolen information on a range of Israeli government officials and Israeli Defense Force employees. Following the onset of kinetic hostilities between the U.S., Israel and Iran, Handala began posting the addresses of IDF officials and sending them threatening emails. 

The websites also hosted 851 GB of information allegedly stolen from members of the Sanzer Hasidic Jewish community.

Albania and Mexican cartels

The FBI said the Handala website was linked to other domains used by Iran’s MOIS in operations dating back to 2022. 

One of the websites was used to host information stolen from Albania during two cyberattacks on the country’s government in 2022. 

The first hack occurred in July 2022, prior to a conference in Albania slated to be attended by members of the Mujahideen-e Khalq, also known as MEK, an Iranian group that Tehran considers a terrorist organization. The incident knocked some government services offline, causing officials to scramble to recover.

In September 2022, Albania’s Prime Minister Edi Rama announced a second cyberattack that hit the country’s Total Information Management System, which helps automate things like passport checks and cross-referencing people on fugitive databases.

The Cybersecurity and Infrastructure Security Agency (CISA) later said the Iranian hackers had been inside Albania's networks for over a year. The cyberattack granted Iranian actors access to Albanian government email systems and they stole information that included correspondence between the U.S. and Albania. 

FBI Director Kash Patel said in a statement that the agency is “not done” uncovering Iranian cyber operations. The State Department issued a $10 million reward for information on anyone who participated in the creation of the websites or was involved in the cyberattacks. 

A group claiming to be Handala created a new website where they responded to the takedowns and threatened further cyberattacks. 

Israeli officials claimed this week that several of the Iranian leaders behind Handala were recently killed in airstrikes.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.