
Iran-Linked Handala Hack Breaches FBI Director Email and Wipes Stryker Systems

Threat actors tied to Iran broke into the personal email of Kash Patel, the director of the FBI, and publicly leaked old messages and photos. The group behind the intrusion calls itself Handala Hack. The FBI confirmed the emails were targeted and said it had taken steps to “mitigate potential risks associated with this activity.”

Who is Handala Hack and how they operate

Security firms track Handala Hack as a pro-Iranian, pro-Palestinian persona, and the U.S. Department of Justice (DOJ) has linked it to Iran’s Ministry of Intelligence and Security (MOIS). Check Point reported the group uses layered infrastructure that includes surface web domains, Tor services, and third-party hosting such as MEGA to publish stolen data. StealthMole also found evidence of the group’s public footprint outside closed forums.

Check Point said Handala often targets IT and service providers to steal credentials. The company added that the group relies heavily on compromised VPN accounts for initial access and has carried out hundreds of login and brute-force attempts against organizational VPNs.
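The VPN credential attacks described above leave a recognizable signature in authentication logs: many failures from one source against one account (brute force), or one failure each against many accounts (password spraying), sometimes followed by a success. The following detector is an added example written for this article, not code from Check Point or any other firm named here; the log format (ISO timestamp, source IP, username, result) and the sample lines are constructed, and the thresholds are assumed starting points a defender would tune.

```python
"""Flag VPN brute-force and password-spray patterns in authentication logs.

Added example, not from the article or any vendor it cites. Log format and
sample data are constructed; thresholds are assumed and should be tuned.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp source_ip username result
SAMPLE_LOG = """\
2024-05-01T02:00:01Z 203.0.113.7 alice FAIL
2024-05-01T02:00:05Z 203.0.113.7 alice FAIL
2024-05-01T02:00:09Z 203.0.113.7 alice FAIL
2024-05-01T02:00:14Z 203.0.113.7 alice FAIL
2024-05-01T02:00:20Z 203.0.113.7 alice FAIL
2024-05-01T02:00:27Z 203.0.113.7 alice FAIL
2024-05-01T02:00:33Z 203.0.113.7 alice OK
2024-05-01T03:10:00Z 198.51.100.9 bob FAIL
2024-05-01T03:10:30Z 198.51.100.9 carol FAIL
2024-05-01T03:11:00Z 198.51.100.9 dave FAIL
2024-05-01T03:11:30Z 198.51.100.9 erin FAIL
2024-05-01T08:45:00Z 192.0.2.5 alice FAIL
2024-05-01T08:45:40Z 192.0.2.5 alice OK
"""

FAIL_THRESHOLD = 5          # failures from one source inside WINDOW -> brute force
SPRAY_USERS = 4             # distinct accounts tried from one source inside WINDOW
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def analyze(log_text):
    """Return brute-force sources, spray sources, and successes after a burst."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)      # ip -> failures (ts, user) still inside WINDOW
    peak_fails = defaultdict(int)    # ip -> most failures seen in any one window
    peak_users = defaultdict(int)    # ip -> most distinct users seen in any one window
    success_after_burst = []         # (ip, user) logins that followed a failure burst

    for ts, ip, user, result in events:
        q = recent[ip]
        # Slide the window: discard failures older than WINDOW relative to this event.
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            peak_fails[ip] = max(peak_fails[ip], len(q))
            peak_users[ip] = max(peak_users[ip], len({u for _, u in q}))
        elif result == "OK" and len(q) >= FAIL_THRESHOLD:
            # A success right after a burst is the finding worth paging on.
            success_after_burst.append((ip, user))

    return {
        "brute_force": {ip: n for ip, n in peak_fails.items() if n >= FAIL_THRESHOLD},
        "password_spray": {ip: n for ip, n in peak_users.items() if n >= SPRAY_USERS},
        "success_after_burst": success_after_burst,
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The single failed login from 192.0.2.5 followed by a success is deliberately left unflagged: a typo is not an attack, and the point of the sliding window is to separate that from a burst. In practice the same logic runs over the VPN appliance's syslog or the identity provider's sign-in log, with the thresholds set from a baseline of normal failure rates.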

Tactics and destructive tools

Researchers at Palo Alto Networks Unit 42 said recent destructive operations likely exploited identity through phishing and abused Microsoft Intune for administrative access. Hudson Rock found compromised Microsoft credentials that may have been harvested with infostealer malware and used in attacks.

Once inside, Handala-linked operators have used the Remote Desktop Protocol (RDP) for lateral movement. They deploy wiper malware families, including variants labeled Handala Wiper and a PowerShell wiper, Check Point and other firms reported. The operators also used legitimate disk encryption tools such as VeraCrypt to hinder recovery.

Flashpoint described the group’s objective as disruption and psychological impact rather than financial gain. “Operations attributed to the persona frequently align with periods of heightened geopolitical tension and often target organizations with symbolic or strategic value,” Flashpoint said.

Impact on a Fortune 500 company

Handala claimed responsibility for a destructive strike on medical devices and services provider Stryker. The attackers deleted large volumes of company data and wiped thousands of employee devices. Stryker said the “incident is contained” and that the company “reacted quickly to not only regain access but to remove the unauthorized party from our environment” by dismantling persistence mechanisms.

Stryker also said the breach was confined to its internal Microsoft environment and that the malicious file used to conceal actions did not have self-propagation capabilities.

Flashpoint warned the attack marks a worrying shift. Targeting critical suppliers and service providers in the healthcare supply chain can ripple across patient care and logistics, the firm said.

What authorities are doing

The U.S. Department of Justice announced it seized multiple domains associated with MOIS-linked operations and said those domains were used for psychological operations that included posting stolen data and even calls for violence. The DOJ also said the U.S. government is offering up to a $10 million reward for information on group members.

The FBI issued guidance noting Handala and related MOIS actors have used social engineering to deliver Windows malware disguised as common apps. The bureau said the malware used Telegram bots for command-and-control and enabled persistent remote access. “MOIS cyber actors are responsible for using Telegram as a command-and-control infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world,” the FBI said.

Defenses and practical steps

Microsoft and the Cybersecurity and Infrastructure Security Agency released hardening guidance for Windows domains and Intune. Both organizations recommended enforcing phishing-resistant multi-factor authentication, applying least privilege, and enabling multi-admin approvals in Intune for sensitive changes. Palo Alto Networks Unit 42 echoed those steps and highlighted the need to monitor administrative channels for anomalous changes.
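Monitoring administrative channels, as Unit 42 recommends above, means treating the management tool's own audit log as a detection source: which account made a change, from where, and how many high-impact actions it took in a short span. The script below is an added example written for this article, not code from Microsoft, CISA or Unit 42. The record fields (actor, action, source_ip, time) are a constructed simplification rather than the real Intune audit schema, the admin allowlist and corporate network ranges are assumed, and the sample records are constructed.

```python
"""Flag anomalous administrative changes in an endpoint-management audit log.

Added example, not from the article or any vendor it cites. The record
layout is a constructed simplification of a management-tool audit export;
the allowlist, network ranges and thresholds are assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

APPROVED_ADMINS = {"ops-admin@example.com", "breakglass@example.com"}  # assumed allowlist
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]  # assumed admin egress
HIGH_IMPACT = {"wipeDevice", "createRemediationScript", "assignRoleMember"}
BULK_THRESHOLD = 3                 # high-impact actions by one actor inside BULK_WINDOW
BULK_WINDOW = timedelta(minutes=15)

# Constructed audit records (not real data). Three rapid device wipes by a
# non-admin service account from an external address is the scenario to catch.
AUDIT = [
    {"time": "2024-05-02T09:00:00Z", "actor": "ops-admin@example.com",
     "action": "updateCompliancePolicy", "source_ip": "10.1.2.3"},
    {"time": "2024-05-02T23:05:00Z", "actor": "svc-helpdesk@example.com",
     "action": "wipeDevice", "source_ip": "203.0.113.50"},
    {"time": "2024-05-02T23:06:00Z", "actor": "svc-helpdesk@example.com",
     "action": "wipeDevice", "source_ip": "203.0.113.50"},
    {"time": "2024-05-02T23:07:00Z", "actor": "svc-helpdesk@example.com",
     "action": "wipeDevice", "source_ip": "203.0.113.50"},
    {"time": "2024-05-02T23:30:00Z", "actor": "ops-admin@example.com",
     "action": "assignRoleMember", "source_ip": "10.1.2.3"},
]


def check_audit(records):
    """Return (kind, actor, detail) findings for each suspicious audit record."""
    findings = []
    recent = defaultdict(list)     # actor -> timestamps of recent high-impact actions
    for r in sorted(records, key=lambda r: r["time"]):
        ts = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
        actor, action, ip = r["actor"], r["action"], ip_address(r["source_ip"])

        # 1. Change made by an account that is not on the approved-admin list.
        if actor not in APPROVED_ADMINS:
            findings.append(("unapproved_actor", actor, action))

        # 2. Change made from outside the networks admins are expected to use.
        if not any(ip in net for net in CORP_NETS):
            findings.append(("external_source", actor, r["source_ip"]))

        # 3. Burst of high-impact actions (wipes, scripts, role grants) by one actor.
        if action in HIGH_IMPACT:
            window = [t for t in recent[actor] if ts - t <= BULK_WINDOW] + [ts]
            recent[actor] = window
            if len(window) == BULK_THRESHOLD:      # fire once when the threshold is crossed
                findings.append(("bulk_high_impact", actor, action))
    return findings


if __name__ == "__main__":
    for kind, actor, detail in check_audit(AUDIT):
        print(f"{kind:18} {actor:28} {detail}")
```

The bulk check is the one that maps most directly to the Stryker scenario described in this article, where thousands of devices were wiped: a management tool that can wipe a fleet is exactly the administrative channel whose audit trail should page someone when a single identity starts issuing destructive actions in quick succession. Multi-admin approval, as the guidance recommends, stops the action before it runs; the audit check catches the case where approval was bypassed or not configured.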

Resecurity and other trackers also warned that new groups such as Nasir Security are targeting energy and supply chain vendors in the region. “The cyber activity tied to this conflict is becoming increasingly decentralized and destructive,” Kathryn Raines, lead of Flashpoint’s cyber threat intelligence team, said. “Groups like Handala and Fatimion are targeting private-sector organizations with attacks designed to erase data, disrupt services, and introduce uncertainty.”

The big takeaway is simple. Protect identity and admin tools first. Use strong, phishing-resistant MFA. Limit admin privileges. Monitor for unusual use of legitimate management tools. Those steps can blunt many of the techniques now being used by state-linked operators, security firms said.
