FBI Seizes Handala Hacktivist Websites Following Destructive Stryker Attack
The **FBI** has seized two websites belonging to the Handala hacktivist group after they conducted a destructive cyberattack on medical technology giant **Stryker**, wiping approximately 80,000 devices. The takedown underscores the escalating efforts to combat state-sponsored cyber threats and protect critical infrastructure.

Both of the hacktivist group's clearnet domains, handala-redwanted[.]to and handala-hack[.]to, now display a seizure notice. The notice states that the websites were seized under a seizure warrant issued by the District Court for the District of Maryland.
"This domain has been seized by the **Federal Bureau of Investigation** ("FBI") pursuant to a seizure warrant issued by a United States District Court for the District of Maryland as part of a law enforcement action by the FBI. Law enforcement authorities determined this domain was used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor," the seizure message reads.
"These activities may include unauthorized network intrusions, infrastructure targeting, or other violations of United States law."
"Pursuant to the court-authorized warrant, the United States Government has taken control of this domain to disrupt ongoing malicious cyber operations and prevent further exploitation."

### Handala's Background and Alleged Iranian Ties
**Handala** (also known as Handala Hack Team, Hatef, Hamsa) is a pro-Palestinian hacktivist group that emerged in December 2023. Reports suggest links to Iran's Ministry of Intelligence and Security (MOIS). The group has reportedly targeted Israeli organizations with destructive malware designed to wipe Windows and Linux devices.
### Domain Seizure Details
While there has been no official announcement by law enforcement regarding the seizures, the domain name servers have been switched to those commonly used by the FBI when seizing domains:
Name Server: ns1.fbi.seized.gov
Name Server: ns2.fbi.seized.gov
The extent of the FBI's access to website content and server logs remains unknown.
### The Stryker Attack: A Devastating Blow
This action follows **Handala**'s recent cyberattack on **Stryker**, where they compromised a Windows domain administrator account and created a new Global Administrator account. The attackers then used **Microsoft Intune** to issue the "wipe" command, factory resetting approximately 80,000 devices, including computers and mobile devices. Even employees' personal devices managed by the company were affected.
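
For defenders, the chain described above (a newly privileged account followed by wipe commands at scale) can be detected in audit data. The following is an added example, not code from Microsoft, CISA or the article's sources: it runs a sliding-window burst check over constructed events in a hypothetical normalized schema (the field names, action strings, accounts and thresholds are assumptions) and flags whether the actor recently received Global Administrator.

```python
from collections import deque
from datetime import datetime, timedelta

def _ev(ts, actor, action, target):
    # Hypothetical normalized audit record; not a real Entra ID or Intune log format.
    return {"time": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "target": target}

# Constructed sample data: one role grant, a burst of 30 wipes, one routine wipe.
SAMPLE_EVENTS = (
    [_ev("2026-01-01T02:00:00", "da-admin@example.com",
         "role_assigned:Global Administrator", "svc-new@example.com")]
    + [_ev(f"2026-01-01T02:10:{i:02d}", "svc-new@example.com",
           "device_wipe", f"device-{i}") for i in range(30)]
    + [_ev("2026-01-01T09:00:00", "helpdesk@example.com",
           "device_wipe", "device-lost-1")]
)

def find_mass_wipes(events, threshold=20, window=timedelta(minutes=5),
                    grant_lookback=timedelta(hours=24)):
    """Return one alert per actor whose wipes within `window` reach `threshold`."""
    grants = {}   # account -> time it was granted Global Administrator
    recent = {}   # actor -> timestamps of wipes still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] == "role_assigned:Global Administrator":
            grants[ev["target"]] = ev["time"]
        elif ev["action"] == "device_wipe":
            q = recent.setdefault(ev["actor"], deque())
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()   # drop wipes that fell out of the window
            if len(q) >= threshold and ev["actor"] not in alerts:
                granted = grants.get(ev["actor"])
                alerts[ev["actor"]] = {
                    "actor": ev["actor"],
                    "first_alert_time": ev["time"],
                    "wipes_in_window": len(q),
                    # True when the actor became Global Administrator recently.
                    "newly_privileged": granted is not None
                    and ev["time"] - granted <= grant_lookback,
                }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_mass_wipes(SAMPLE_EVENTS):
        print(alert)
```

The alert fires on the burst alone; `newly_privileged` is a severity hint, so a long-standing admin account issuing mass wipes is still reported.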
### Hacktivist Response and Future Plans
**Handala** has acknowledged the website seizures and the need for more "resilient infrastructure." They stated they are in the process of creating new websites to announce their attacks.
"In light of recent events and the need to establish secure and resilient infrastructure, we inform you that building a new digital base is a complex and time-consuming process," reads a Telegram post from the group.
"However, we remain committed to continuing our mission without interruption."
### Industry Response and Security Recommendations
Following the attack, **Microsoft** and **CISA** released guidance on hardening Windows domains and securing Intune to prevent similar attacks at other companies. This highlights the importance of robust security measures and proactive threat detection in today's threat landscape.