FBI Seizes Handala Domains After Destructive Stryker Attack Wipes 80,000 Devices
What Happened — The FBI seized two clearnet domains (handala‑redwanted.to and handala‑hack.to) used by the Iranian‑linked Handala hacktivist group after they compromised a Windows domain administrator account at medical‑technology giant Stryker and issued a Microsoft Intune “wipe” command that factory‑reset roughly 80,000 corporate and employee‑owned devices.
Why It Matters for TPRM —
- A credential‑based supply‑chain compromise can cascade into massive operational disruption for a critical‑care vendor.
- Law‑enforcement seizure of attacker infrastructure signals ongoing threat activity that may target other third‑party partners.
- The incident underscores the need for hardened privileged‑access management and strict MDM controls across the vendor ecosystem.
Who Is Affected — Healthcare‑technology manufacturers, medical‑device suppliers, and any organizations that rely on Stryker’s devices or services.
Recommended Actions —
- Review Stryker’s privileged‑access and endpoint‑management controls.
- Verify that your own Intune/MDM policies require multi‑factor authentication and retain audit logs for global‑admin actions.
- Add Handala‑related domains and IPs to threat‑intel feeds and monitor for lateral movement attempts.
Technical Notes — Handala leveraged stolen domain‑admin credentials to create a new Global Administrator account, then abused Microsoft Intune’s remote‑wipe capability to erase Windows and Linux endpoints. No public CVE was cited; the vector was credential compromise and misuse of legitimate MDM functionality. Source: BleepingComputer
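The chain described in the Technical Notes (a newly minted Global Administrator followed by mass Intune wipes) is what the audit‑log retention in the Recommended Actions is meant to catch. The following detection logic is an added example, not code from the article or from Stryker; the audit records are constructed and use a simplified field layout (time, actor, action, role, target) rather than the exact Entra ID / Intune audit schema, and the burst threshold and window are tunable assumptions.

```python
"""Detection of the chain in the Technical Notes: a freshly added Global
Administrator that then issues a burst of MDM wipe commands. Added example,
not from the source; records use a simplified constructed field layout
rather than the exact Entra ID / Intune audit schema (an assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: one role grant, six wipes by the new
# admin within minutes, and one routine wipe by the help desk.
SAMPLE_LOG = [
    {"time": "2024-01-01T02:00:00", "actor": "svc-onprem-sync",
     "action": "AddMemberToRole", "role": "Global Administrator",
     "target": "new-ga-account"},
] + [
    {"time": f"2024-01-01T02:{5 + i:02d}:00", "actor": "new-ga-account",
     "action": "WipeManagedDevice", "target": f"LAPTOP-{i:03d}"}
    for i in range(6)
] + [
    {"time": "2024-01-01T09:00:00", "actor": "helpdesk",
     "action": "WipeManagedDevice", "target": "PHONE-009"},
]

def find_wipe_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Map actor -> max wipes issued inside one sliding window, for actors
    at or above `threshold` (threshold and window are tunable assumptions)."""
    per_actor = defaultdict(list)
    for rec in records:
        if rec["action"] == "WipeManagedDevice":
            per_actor[rec["actor"]].append(datetime.fromisoformat(rec["time"]))
    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), end - start + 1)
    return alerts

def new_global_admins(records):
    """Accounts granted the Global Administrator role anywhere in the log."""
    return {rec["target"] for rec in records if rec["action"] == "AddMemberToRole"
            and rec.get("role") == "Global Administrator"}

def correlate(records, **kwargs):
    """Newly minted Global Admins that went on to issue a wipe burst."""
    bursts = find_wipe_bursts(records, **kwargs)
    return sorted(a for a in bursts if a in new_global_admins(records))
```

Run against a real export, the same correlation would also surface the single routine help‑desk wipe only if the threshold were lowered, which is the point of pairing the burst count with the role‑grant event.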