The Department of Justice on Thursday said four domains used for Iranian-backed hacking and intimidation of political opponents have been taken down in a court-ordered operation.
Two of the domains were connected to Handala, the state-linked threat group that authorities confirmed was behind the hack of Stryker, a Michigan-based medical technology giant.
A partially redacted FBI affidavit did not identify Stryker by name, but the details of the attack it describes match the circumstances of that incident.
Handala used at least one of the sites to claim credit for the attack, which briefly disrupted Stryker’s manufacturing, ordering and shipping operations and wiped data from thousands of company devices.
As previously reported, the hackers were able to weaponize Microsoft Intune to gain administrator-level access to the device management platform and then wipe data from company laptops, phones and other devices.
Researchers from Flashpoint confirmed to Cybersecurity Dive that a website linked to Handala was disrupted on Thursday after still being operational as late as 7:27 p.m. ET on Wednesday. Flashpoint researchers have been collecting data from Handala infrastructure since May 2024.
According to court records, numerous hospitals in Maryland temporarily disconnected their systems over concerns that they could be affected by the attack.
The sites were part of a larger effort by Iran’s Ministry of Intelligence and Security (MOIS) to intimidate dissidents, conduct malicious attacks, target Israelis and conduct violent attacks against journalists, according to court records.
Federal authorities obtained a seizure warrant Thursday, according to the FBI affidavit filed the same day in U.S. District Court in Maryland.
The FBI seizure is not expected to have a major impact on Handala’s ability to conduct attacks, said the Foundation for the Defense of Democracies (FDD).
“The value of the domains themselves is minimal,” said Ari Ben Am, adjunct fellow at the Center on Cyber and Technology Innovation at FDD. “They serve as repositories for hacked content for Iranian influence operations, but the content from them can be ported easily to a new domain within quite literally a matter of minutes or hours.”
FDD analysts noted that MOIS and the Islamic Revolutionary Guard Corps have a recent history of quickly restoring online infrastructure used to target political dissidents and others.
Michael Vatis, a partner at the law firm Benesch and the founding head of the National Infrastructure Protection Center at the FBI, agreed the seizure will have limited impact on Handala’s ability to continue operations.
“It does nothing to end or impede Handala’s destructive attacks on companies’ computer systems and data,” Vatis told Cybersecurity Dive. “And it won’t even do much to reduce Handala’s ability to publicize its exploits, since Handala can easily create new websites or post its messages on the websites of victim companies.”