Cyber threat actors with suspected ties to Iran have compromised the personal email account of FBI Director Kash Patel and carried out a destructive wiper attack against U.S. medical technology firm Stryker, marking a significant escalation in state-linked cyber operations.
FBI Director’s Email Compromised
The breach was claimed by the hacktivist persona Handala Hack Team, assessed by cybersecurity experts as a front for Iran’s Ministry of Intelligence and Security (MOIS). The group posted documents and personal photos allegedly from Patel’s emails, dating from 2010 to 2019.
The FBI confirmed the targeting of Patel’s account, emphasizing that the exposed data was historical and contained no sensitive government information. “Necessary steps have been taken to mitigate potential risks associated with this activity,” the agency said.
Handala Hack operates alongside other MOIS-linked personas, including Homeland Justice and, earlier, Karma, and is known for gaining initial access with compromised VPN credentials and phishing, then abusing legitimate administrative tooling such as Microsoft Intune to reach and act on its targets.
Stryker Hit With Destructive Wiper Malware
In a parallel attack, Handala Hack claimed responsibility for deleting large volumes of data and wiping employee devices at Stryker, a Fortune 500 medical devices provider. The firm confirmed the incident was contained and that unauthorized access was promptly removed from its internal Microsoft environment.
Security analysts note that Handala Hack employs wiper malware, such as Handala Wiper and Handala PowerShell Wiper, often pushed to endpoints through Group Policy scripts or delivered with encryption tools such as VeraCrypt, to maximize disruption. The group’s operations are typically politically motivated, focusing on symbolic or strategic targets rather than financial gain.
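The Group Policy delivery path described above is something defenders can hunt for in process-creation telemetry. The following is an added example, not code from this article, from Handala's tooling, or from any vendor: it scans constructed, simplified process-creation records (loosely modelled on Windows Security event 4688 fields) for destructive command primitives and raises the severity when the same host earlier ran a script from a SYSVOL Group Policy path. The record format, the field names, the sample events, the path patterns and the command heuristics are all assumptions made for the example.

```python
"""Heuristic detection of wiper-style scripts delivered through Group Policy.

Added example: scans constructed process-creation records for destructive
primitives and correlates them with earlier Group Policy script execution
on the same host. Not real telemetry and not any vendor's detection logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records (not real logs). Fields are key=value; cmdline is
# always the last field and may contain spaces.
SAMPLE_EVENTS = [
    # Startup script fetched from the domain SYSVOL share; benign-looking alone.
    "host=WS01 user=SYSTEM parent=C:\\Windows\\System32\\gpscript.exe "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell.exe -NoProfile -ExecutionPolicy Bypass -File "
    "\\\\corp.example\\SYSVOL\\corp.example\\Policies\\{6AC1786C-016F-11D2-945F-00C04FB984F9}\\Machine\\Scripts\\Startup\\update.ps1",
    # Children of that script: free-space wipe and shadow-copy deletion.
    "host=WS01 user=SYSTEM parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "image=C:\\Windows\\System32\\cipher.exe cmdline=cipher.exe /w:C:\\Users",
    "host=WS01 user=SYSTEM parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "image=C:\\Windows\\System32\\vssadmin.exe cmdline=vssadmin.exe delete shadows /all /quiet",
    # Ordinary interactive PowerShell on another host.
    "host=WS02 user=CORP\\alice parent=C:\\Windows\\explorer.exe "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell.exe Get-ChildItem C:\\Users\\alice\\Documents",
    # Destructive command on a host with no Group Policy script seen.
    "host=WS03 user=CORP\\bob parent=C:\\Windows\\System32\\cmd.exe "
    "image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c rd /s /q D:\\old_backups",
]

# Assumed indicators of Group Policy delivery: the standard SYSVOL script path
# layout, or gpscript.exe (the GPO script engine) as the parent process.
SYSVOL_SCRIPT = re.compile(
    r"\\\\[^\\\s]+\\sysvol\\[^\\\s]+\\policies\\\{[0-9a-f-]{36}\}\\(?:machine|user)\\scripts\\",
    re.I,
)
GPO_ENGINE = re.compile(r"\\gpscript\.exe$", re.I)

# Assumed destructive primitives commonly used by wiper scripts (heuristics).
DESTRUCTIVE = {
    "recursive_delete": re.compile(r"remove-item\b[^|;]*-recurse|\b(?:rd|rmdir)\s+/s\b|\bdel\s+/[sfq]", re.I),
    "free_space_wipe": re.compile(r"\bcipher(?:\.exe)?\s+/w:", re.I),
    "shadow_copy_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "disk_format": re.compile(r"\bformat(?:\.com)?\s+[a-z]:|\bclear-disk\b|\bdiskpart\b", re.I),
    "boot_config_tamper": re.compile(r"bcdedit(?:\.exe)?\s+/(?:set|delete)\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str            # "high" or "medium"
    reasons: tuple[str, ...]
    cmdline: str


def parse_event(line: str) -> dict[str, str]:
    """Split one key=value record; cmdline is last and may contain spaces."""
    ev: dict[str, str] = {}
    for key in ("host", "user", "parent", "image"):
        m = re.search(rf"\b{key}=(\S+)", line)
        ev[key] = m.group(1) if m else ""
    m = re.search(r"\bcmdline=(.*)$", line)
    ev["cmdline"] = m.group(1) if m else ""
    return ev


def is_gpo_delivered(ev: dict[str, str]) -> bool:
    """True if the process was launched by the GPO engine or from a SYSVOL script path."""
    return bool(GPO_ENGINE.search(ev["parent"]) or SYSVOL_SCRIPT.search(ev["cmdline"]))


def destructive_primitives(cmdline: str) -> list[str]:
    return [name for name, pat in DESTRUCTIVE.items() if pat.search(cmdline)]


def scan(events: list[str]) -> list[Finding]:
    """Single stateful pass: remember hosts that ran a Group Policy script, then
    escalate any destructive command on those hosts to high severity."""
    gpo_hosts: set[str] = set()
    findings: list[Finding] = []
    for line in events:
        ev = parse_event(line)
        gpo = is_gpo_delivered(ev)
        if gpo:
            gpo_hosts.add(ev["host"])
        prims = destructive_primitives(ev["cmdline"])
        if not prims:
            continue
        reasons = [f"destructive primitive: {p}" for p in prims]
        if gpo:
            reasons.append("command itself delivered via Group Policy")
            severity = "high"
        elif ev["host"] in gpo_hosts:
            reasons.append("host ran a SYSVOL Group Policy script earlier in this batch")
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(ev["host"], severity, tuple(reasons), ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.host}: {f.cmdline}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed batch, the two WS01 child processes come out high because the host had just executed a SYSVOL startup script, while the lone `rd /s /q` on WS03 stays medium. Real deployments would key the correlation on a time window and on actual process lineage (parent PID chains) rather than on host alone, and would treat a Group Policy script execution by itself as context, not as an alert, since benign GPO scripts are routine.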
Escalating Threat Landscape
Recent activity indicates a shift in Iranian cyber operations, with state-linked actors increasingly targeting critical infrastructure, healthcare, and supply chain networks. Analysts warn these attacks can have cascading effects across sectors, especially healthcare.
Handala Hack also exploits social engineering through messaging platforms and malware disguised as common applications like Telegram, KeePass, or Zoom. Compromised devices have been observed recording audio and screens during active sessions, illustrating a high level of sophistication in espionage and disruption tactics.
The U.S. Department of Justice recently seized multiple domains used by MOIS-linked actors, including justicehomeland[.]org and handala-hack[.]to, and is offering a $10 million reward for information on individuals involved. Despite these measures, Handala Hack has resurfaced on new domains, continuing its operations.
Guidance for Organizations
In response to these attacks, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) released guidance for securing Windows domains and Intune environments. Recommended measures include enforcing multi-factor authentication (MFA), applying least-privilege principles, and requiring multi-admin approvals for sensitive changes.
Cybersecurity experts warn that the ongoing conflict between Iran, Israel, and Western targets could drive more destructive campaigns. “Groups like Handala are targeting organizations to erase data, disrupt services, and sow uncertainty,” said Kathryn Raines, Flashpoint’s cyber threat intelligence lead.