Iran-Linked Hackers Breach FBI Director's Personal Email, Hit Stryker With Wiper Attack

Security Reporter

Iranian state-sponsored hackers have breached FBI Director Kash Patel's personal email and launched a destructive wiper attack against Stryker, marking the first confirmed wiper operation against a U.S. Fortune 500 company amid escalating U.S.-Iran tensions.

FBI Director's Personal Email Compromised

Threat actors with ties to Iran successfully broke into the personal email account of Kash Patel, the director of the U.S. Federal Bureau of Investigation (FBI), and leaked a cache of photos and other documents to the internet. The breach was carried out by Handala Hack Team, which claimed responsibility on its website, stating that Patel "will now find his name among the list of successfully hacked victims."

The FBI confirmed Patel's emails had been targeted and noted that necessary steps have been taken to "mitigate potential risks associated with this activity." The agency also said the published data was "historical in nature and involves no government information." The leaked emails date back to 2010 and 2019.

Who Is Handala Hack Team?

Handala Hack is assessed to be a pro-Iranian, pro-Palestinian hacktivist persona adopted by Iran's Ministry of Intelligence and Security (MOIS). The group operates under multiple monikers, including Banished Kitten, Cobalt Mystique, Red Sandstorm, and Void Manticore. It has also operated a separate persona, Homeland Justice, that has targeted Albanian entities since mid-2022.

Data gathered by StealthMole reveals that Handala's online presence extends beyond messaging platforms and cybercrime forums like BreachForums. The group maintains a layered infrastructure including surface web domains, Tor-hosted services, and external file-hosting platforms such as MEGA.

"Handala has consistently targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access," Check Point said in a recent report. "Throughout the last months, we identified hundreds of logon and brute-force attempts against organizational VPN infrastructure linked to Handala-associated infrastructure."

Stryker Wiper Attack: A New Era of Destructive Cyber Operations

The attack on Stryker represents a significant escalation in Iran's cyber operations against Western targets. Handala Hack claimed credit for crippling the networks of medical devices and services provider Stryker by deleting a huge trove of company data and wiping thousands of employee devices.

In an update on its website, Stryker stated that "the incident is contained" and that it "reacted quickly to not only regain access but to remove the unauthorized party from our environment" by dismantling the persistence mechanisms installed. The breach was confined to Stryker's internal Microsoft environment.

The threat actors used a malicious file to run commands that allowed them to conceal their actions. However, Stryker noted that the file does not possess any capabilities to spread across the network.

Palo Alto Networks Unit 42 said the primary vector for recent destructive operations from Handala Hack likely involves "exploitation of identity through phishing and administrative access through Microsoft Intune."

Hudson Rock has found evidence that compromised credentials associated with Microsoft infrastructure obtained via infostealer malware may have been used to pull off the hack.

Technical Analysis of the Attack

Attacks mounted by the proxy group are known to leverage RDP for lateral movement and initiate destructive operations by dropping wiper malware families such as Handala Wiper and Handala PowerShell Wiper via Group Policy logon scripts. The group also uses legitimate disk encryption utilities like VeraCrypt to complicate recovery efforts.
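The chain described above (RDP logon, Group Policy logon script, wiper or disk-encryption tool launch) leaves a footprint in standard Windows logging. The following is an added example written for this article, not code from the article, from Stryker, or from any of the vendors quoted; it runs a handful of constructed, simplified event records through the checks a defender would stage, and groups accounts that show up in more than one stage. The event shapes, the `{GPO-GUID}` placeholder, and the list of disk-encryption binaries are assumptions.

```python
"""Triage constructed Windows events for the RDP -> GPO logon script -> disk-tool
pattern attributed to Handala (example code, not from the article or any vendor)."""
import ntpath
import re

# Constructed sample events, not real telemetry. Event IDs follow the Windows
# Security log: 4624 = logon, 4688 = process creation, 5136 = directory service
# object modified. "{GPO-GUID}" stands in for a real policy GUID.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "FS01", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"id": 4624, "host": "FS01", "user": "alice", "logon_type": 2, "src_ip": "-"},
    {"id": 5136, "host": "DC01", "user": "svc_backup", "object_class": "groupPolicyContainer",
     "attribute": "gPCUserExtensionNames",
     "object_dn": "CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=local"},
    {"id": 4688, "host": "WS042", "user": "bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File \\corp.local\SYSVOL\corp.local\Policies\{GPO-GUID}\User\Scripts\Logon\update.ps1"},
    {"id": 4688, "host": "WS042", "user": "bob",
     "image": r"C:\Program Files\VeraCrypt\VeraCrypt.exe", "cmdline": "VeraCrypt.exe"},
    {"id": 4688, "host": "WS042", "user": "bob",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

RDP_LOGON_TYPE = 10  # 4624 LogonType 10 = RemoteInteractive (RDP)
# Attributes updated when client-side extensions (e.g. Scripts) are added to a GPO.
GPO_CSE_ATTRIBUTES = {"gpcuserextensionnames", "gpcmachineextensionnames"}
SYSVOL_SCRIPT = re.compile(r"\\SYSVOL\\.*\\Scripts\\(Logon|Logoff|Startup|Shutdown)\\", re.I)
# Assumption: binaries the organisation does not expect on user workstations.
DISK_ENCRYPTION_TOOLS = {"veracrypt.exe"}


def rdp_logons(events):
    """Successful RDP logons: (host, user, source IP)."""
    return [(e["host"], e["user"], e["src_ip"])
            for e in events if e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE]


def gpo_cse_changes(events):
    """GPO objects whose CSE attribute list changed: (DC, user, object DN)."""
    return [(e["host"], e["user"], e["object_dn"])
            for e in events if e["id"] == 5136
            and e.get("object_class") == "groupPolicyContainer"
            and e.get("attribute", "").lower() in GPO_CSE_ATTRIBUTES]


def sysvol_script_launches(events):
    """Processes started with a SYSVOL logon/startup script on the command line."""
    return [(e["host"], e["user"], e["cmdline"])
            for e in events if e["id"] == 4688 and SYSVOL_SCRIPT.search(e.get("cmdline", ""))]


def disk_encryption_launches(events):
    """Process creations of disk-encryption utilities by image name."""
    return [(e["host"], e["user"], e["image"])
            for e in events if e["id"] == 4688
            and ntpath.basename(e.get("image", "")).lower() in DISK_ENCRYPTION_TOOLS]


def triage(events):
    """Run every stage check and list accounts that appear in two or more stages."""
    findings = {
        "rdp_logon": rdp_logons(events),
        "gpo_cse_change": gpo_cse_changes(events),
        "sysvol_script_launch": sysvol_script_launches(events),
        "disk_encryption_tool": disk_encryption_launches(events),
    }
    stages_by_user = {}
    for stage, rows in findings.items():
        for _host, user, _detail in rows:
            stages_by_user.setdefault(user, set()).add(stage)
    findings["accounts_in_multiple_stages"] = sorted(
        u for u, stages in stages_by_user.items() if len(stages) >= 2)
    return findings


if __name__ == "__main__":
    for stage, rows in triage(SAMPLE_EVENTS).items():
        print(stage, rows)
```

A single hit in any one stage is routine in most environments (administrators do use RDP and do edit GPOs); the point of `triage` is that the same account touching a GPO's extension list shortly after an RDP logon, or a workstation running a SYSVOL script and then a disk-encryption tool, is the combination worth pulling into an investigation.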

"Unlike financially motivated cybercriminal groups, Handala-associated activity has historically emphasized disruption, psychological impact, and geopolitical signaling," Flashpoint said. "Operations attributed to the persona frequently align with periods of heightened geopolitical tension and often target organizations with symbolic or strategic value."

The attack on Stryker is the first confirmed destructive wiper operation targeting a U.S. Fortune 500 company, marking a dangerous shift in supply chain threats. State-linked cyber activity targeting critical suppliers and logistics providers can have cascading impacts across the entire healthcare ecosystem.

U.S. Government Response and Domain Seizures

The development comes against the backdrop of the U.S.-Israel-Iran conflict, prompting Iran to go on a retaliatory cyber offensive against Western targets. In response to the escalating threat, the U.S. government carried out a court-authorized operation that led to the seizure of four domains operated by MOIS since 2022.

The seized domains include:

  • justicehomeland[.]org
  • handala-hack[.]to
  • karmabelow80[.]org
  • handala-redwanted[.]to

"The seized domains [...] were used by the MOIS in furtherance of attempted psychological operations targeting adversaries of the regime by claiming credit for hacking activity, posting sensitive data stolen during such hacks, and calling for the killing of journalists, regime dissidents, and Israeli persons," the U.S. Department of Justice (DoJ) said.

The seized infrastructure included the names and sensitive information of about 190 individuals associated with or employed by the Israeli Defense Force (IDF) and/or Israeli government, and 851 GB of confidential data from members of the Sanzer Hasidic Jewish community.

Ongoing Threats and Defensive Measures

In a separate advisory, the FBI revealed that Handala Hack and other MOIS cyber actors have employed social engineering tactics to engage with prospective victims on social messaging applications to deliver Windows malware capable of enabling persistent remote access using a Telegram bot.

The malware masquerades as commonly used programs like Pictory, KeePass, Telegram, or WhatsApp. Using Telegram (or other legitimate services) as command-and-control infrastructure is a common tactic by threat actors to hide malicious activity among normal network traffic and significantly reduce the likelihood of detection.
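Because the Bot API lives on a well-known Telegram host, the signal a defender has is not the destination but which process is talking to it and what it asks for. The block below is an added example written for this article, not code from the FBI advisory or any vendor: it walks through constructed EDR-style network events, recognises Telegram Bot API calls by their `/bot<token>/<method>` path, flags those made by anything other than the sanctioned client, and redacts the token before it reaches an alert. The event shape, the allowlist of expected processes, and the placeholder tokens are assumptions.

```python
"""Flag Telegram Bot API use by unexpected processes in constructed network events
(example code written for this article, not from the FBI advisory or any vendor)."""
import ntpath
import re
from urllib.parse import urlsplit

# Bot API calls take the form https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_PATH = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{20,})/([A-Za-z]+)")
TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Assumption: only the desktop client is sanctioned to reach Telegram here.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe"}
# Analyst hints for common Bot API methods seen in C2 traffic.
METHOD_HINTS = {
    "getupdates": "long-polling for operator commands",
    "sendmessage": "beacon or status message to operator",
    "senddocument": "file upload (possible data exfiltration)",
}

# Constructed sample events, not real telemetry; tokens and IPs are placeholders.
SAMPLE_NET_EVENTS = [
    {"host": "WS017", "process": r"C:\Users\dana\AppData\Roaming\Pictory\pictory.exe",
     "url": "https://api.telegram.org/bot123456789:AAEXAMPLEPLACEHOLDERTOKEN00000000/getUpdates"},
    {"host": "WS017", "process": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "url": "https://203.0.113.10:443/"},
    {"host": "WS021", "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "url": "https://api.telegram.org/bot987654321:AAEXAMPLEPLACEHOLDERTOKEN11111111/sendDocument"},
    {"host": "WS030", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "url": "https://web.telegram.org/a/"},
]


def parse_bot_call(url):
    """Return (token, method) if url is a Telegram Bot API call, otherwise None."""
    parts = urlsplit(url)
    if parts.hostname not in TELEGRAM_API_HOSTS:
        return None
    m = BOT_API_PATH.match(parts.path)
    return (m.group(1), m.group(2)) if m else None


def redact_token(url):
    """Strip the bot token so it never lands in an alert or ticket."""
    return re.sub(r"/bot\d+:[A-Za-z0-9_-]{20,}/", "/bot<redacted>/", url)


def find_suspicious(events):
    """Bot API calls made by processes outside the expected-client allowlist."""
    findings = []
    for ev in events:
        call = parse_bot_call(ev["url"])
        if call is None:
            continue
        proc = ntpath.basename(ev["process"]).lower()
        if proc in EXPECTED_TELEGRAM_CLIENTS:
            continue
        _token, method = call
        findings.append({
            "host": ev["host"],
            "process": proc,
            "method": method,
            "hint": METHOD_HINTS.get(method.lower(), "unrecognised Bot API method"),
            "url": redact_token(ev["url"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_NET_EVENTS):
        print(f"{f['host']} {f['process']} -> {f['method']}: {f['hint']} ({f['url']})")
```

Note that the check keys on process identity and URL path, not on the destination IP or domain, so it survives the fact that the same host also carries legitimate Telegram traffic; blocking `api.telegram.org` outright is an option only where no business use of bots exists.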

Related malware artifacts found on compromised devices have revealed added capabilities to record audio and screen while a Zoom session was active. The attacks have targeted dissidents, opposition groups, and journalists.

"MOIS cyber actors are responsible for using Telegram as a command-and-control (C2) infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world," the FBI said. "This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties."

In the wake of the breach, both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) have released guidance on hardening Windows domains and fortifying Intune to defend against similar attacks. This includes using the principle of least privilege, enforcing phishing-resistant multi-factor authentication (MFA), and enabling multi-admin approval in Intune for sensitive changes.

The Evolving Threat Landscape

Handala Hack has since resurfaced on a different clearnet domain, "handala-team[.]to," where it described the domain seizures as "desperate attempts by the United States and its allies to silence the voice of Handala."

The ongoing conflict has also prompted fresh warnings that it risks turning critical infrastructure sector operators into lucrative targets, even as it has triggered a surge in DDoS attacks, website defacements, and hack-and-leak operations against Israel and Western organizations.

Hacktivist entities have also engaged in psychological and influence operations with an aim to sow fear and confusion among the targeted populations.

In recent weeks, a relatively new cybercriminal group called Nasir Security has been observed targeting the energy sector in the Middle East. "The group is attacking supply chain vendors involved in engineering, safety, and construction," Resecurity said. "The supply chain attacks attributed to Nasir Security are likely carried out by cyber-mercenaries or individuals hired or sponsored by Iran or its proxies."

"The cyber activity tied to this conflict is becoming increasingly decentralized and destructive," Kathryn Raines, cyber threat intelligence team lead for the National Security Solutions at Flashpoint, said in a statement. "Groups like Handala and Fatimion are targeting private-sector organizations with attacks designed to erase data, disrupt services, and introduce uncertainty for both businesses and the public. At the same time, we're seeing a greater use of legitimate administrative tools in these cyber operations, making it significantly harder for traditional security controls to detect."

MOIS's Cybercrime Ecosystem Integration

MOIS-linked actors have been increasingly engaging with the cybercrime ecosystem to support the ministry's objectives and provide cover for its malicious activity. This includes Handala's integration of the Rhadamanthys stealer into its operations and MuddyWater's use of the Tsundere botnet (aka Dindoor) and Fakeset, the latter being a downloader used to deliver CastleLoader.

"Such engagement offers a dual advantage: it enhances operational capabilities through access to mature criminal tooling and resilient infrastructure, while complicating attribution and contributing to recurring confusion around Iranian threat activity," Check Point said. "The use of such tools has created significant confusion, leading to misattribution and flawed pivoting, and clustering together activities that are not necessarily related. This demonstrates that the use of criminal software can be effective for obfuscation, and highlights the need for extreme caution when analyzing overlapping clusters."

The U.S. government is offering a $10 million reward for information on members of the group, underscoring the seriousness with which these threats are being treated.

The escalating cyber conflict between Iran and Western nations represents a new frontier in geopolitical warfare, where state-sponsored actors leverage both sophisticated technical capabilities and the criminal underground to achieve strategic objectives. Organizations across critical sectors must now contend with threats that combine the precision of state intelligence operations with the destructive potential of criminal malware, all while operating under the cover of legitimate administrative tools and services.
