Iran-linked hackers restore website after US seizes domains

By Thomson Reuters Mar 20, 2026 | 3:48 PM

By AJ Vicens

March 20 (Reuters) – The website used by an Iranian government-linked hacking unit that claimed responsibility for a March 11 cyberattack on a U.S. medical device maker is back up and running a day after the FBI and Department of Justice seized its internet domains.

Four domains associated with “Handala Hack Team” had been seized, the Department of Justice said on Thursday. Handala is one of several public personas used by a hacking unit operating under Iran’s Ministry of Intelligence and Security (MOIS) as part of the agency’s psychological operations, the DOJ said.

On Friday, Handala said in a post on its website that the seizures were “desperate attempts by the United States and its allies to silence the voice of Handala.”

The quick rebound highlights the resilience of Iranian-linked hacking units’ public personas, said Ari Ben Am, an adjunct fellow at the Foundation for Defense of Democracies Center on Cyber and Technology Innovation.

“Iranian threat actors, MOIS in particular, are no strangers to takedowns,” Ben Am said. “Handala alone has had tens of Telegram channels, X accounts and domains taken down, and these takedowns have never slowed them down significantly. It will be trivial for Handala and its MOIS operators to get that content back up on another domain very, very soon.”

The domains seized included those used to originally make the claim of the attack on Michigan-based Stryker, according to a partially redacted FBI affidavit filed in support of the seizure.

Specific references to the company are blacked out, but the affidavit refers to a March 11, 2026, cyberattack on a major American multinational medical technologies firm, and quotes the Handala message posted announcing the Stryker attack.

A DOJ spokesperson told Reuters on Friday the FBI affidavit “asserts that there is probable cause to believe that the operators of the ‘Handala’ persona are members of a conspiracy that carried out a destructive malware attack against a U.S.-based multinational medical technologies firm.”

Stryker said in a March 19 statement on its website that it was restoring systems that directly support customers, ordering, and shipping but that its products were safe.

“We’re grateful to the government for their efforts to seize domains linked to the purported threat actors,” the company said.

(Reporting by AJ Vicens in Detroit, Editing by Rosalba O’Brien)