FBI Seizes Hacktivist Websites Following Cyberattack on Stryker

The FBI on Thursday seized two websites operated by the Iranian Ministry of Intelligence and Security (MOIS)-linked hacktivist group Handala, following a cyberattack on Stryker, a global medical device supplier.

The group reportedly used compromised credentials on March 11 to gain control of Microsoft Intune, wiping devices and delaying shipments of some patient-specific implants.

Handala, also known as Void Manticore, COBALT MYSTIQUE, Banished Kitten, Storm-1084/0842, and Doom, first appeared in December 2023 and has targeted critical sectors using phishing and administrative access exploits. The group acknowledged the seizure and stated it is working to rebuild its online presence.

The U.S. Department of Justice announced multiple court-authorized domain seizures as part of ongoing efforts to disrupt hacking and transnational schemes by the MOIS. Seized domains included Handala-Hack[.]to, Handala-Redwanted[.]to, Justicehomeland[.]org, and Karmabelow80[.]org. According to the DOJ, these sites were used to claim credit for hacks, post stolen data, and target journalists, regime dissidents, and Israeli citizens.

In response, the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance urging organizations to secure endpoint management systems. Recommendations include implementing phishing-resistant multi-factor authentication (MFA), enforcing the principle of least privilege, and requiring multi-admin approval for high-impact actions such as device wipes. Stryker and Microsoft contributed to the alert and suggested mitigation measures.

Stryker, based in Kalamazoo, Michigan, reported in a Securities and Exchange Commission filing that the incident did not involve ransomware or malware and was contained. The company confirmed ongoing restoration of its systems but noted disruptions in the shipping of personalized implants for patients, affecting some procedures scheduled for the week of March 16.

While patient safety was not compromised, the attack underscores the growing cyber threats facing healthcare organizations. Industry data indicates that medical device compromises can result in several hours of operational downtime, highlighting the importance of enhanced cybersecurity measures.

Stryker said it is actively coordinating with federal agencies, including the White House National Cyber Director, FBI, CISA, the Defense Health Agency, U.S. Health and Human Services, and Health-ISAC, to mitigate risks and strengthen defenses against similar attacks.
