The DOJ seized four domains linked to Handala, an Iran-linked hacking group, and issued a press release calling it a disruption of Iranian cyber operations. Within hours, the group had new infrastructure up. They published a statement calling the FBI’s action “trivial.” Operations continued.

The more interesting question is why anyone expected a different outcome.

What the FBI Affidavit Actually Says

The affidavit doesn’t just connect Handala to hacktivists with sympathetic politics – it directly ties the group to Iran’s MOIS, the Ministry of Intelligence and Security. This is a state proxy with state backing, state resources, and presumably state permission.

That framing changes everything. When you seize an independent criminal group’s domain, you’ve cut off something real. Infrastructure costs money. Rebuilding takes time. None of that applies here. An actor with MOIS backing doesn’t need to scramble for hosting. New infrastructure is hours away, not weeks. The four seized domains were overhead Iran can absorb without blinking.

The Attack Was More Sophisticated Than It Looked

The breach widely attributed to Handala targeted Stryker, a surgical robotics and medical device company. The result: more than 80,000 corporate devices wiped. But here’s the notable part – they didn’t deploy malware to each device individually.

They got into Microsoft Intune.

Intune is the enterprise mobile device management platform IT teams use to configure and wipe devices at scale. Once you’re in the management plane, you don’t need to compromise 80,000 machines. You issue factory-reset commands and the platform does the work. That’s patience and real knowledge of enterprise environments, not a smash-and-grab.
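One defensive consequence of that observation: because the wipes were legitimate platform commands, endpoint malware detection never fires, and the only signal is in the management plane's own audit trail. The detection logic below is an added illustration, not code from the article or from Microsoft; it runs over constructed audit events with assumed field names and flags any actor who issues a burst of wipe or retire commands inside a sliding time window.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real telemetry from the breach).
# Field names are an assumption loosely modelled on Intune audit exports;
# map them onto the columns your tenant actually produces.
def ev(ts, kind, actor, device):
    return {"activityDateTime": ts, "activityType": kind,
            "actor": actor, "device": device}

SAMPLE_EVENTS = [
    ev("2025-01-10T02:00:05Z", "syncDevice", "admin@example.com", "LAPTOP-0417"),
    ev("2025-01-10T02:01:10Z", "wipe", "svc-helpdesk@example.com", "LAPTOP-0001"),
    ev("2025-01-10T02:01:12Z", "wipe", "svc-helpdesk@example.com", "LAPTOP-0002"),
    ev("2025-01-10T02:01:15Z", "wipe", "svc-helpdesk@example.com", "LAPTOP-0003"),
    ev("2025-01-10T02:01:40Z", "wipe", "svc-helpdesk@example.com", "LAPTOP-0004"),
    ev("2025-01-10T02:02:03Z", "wipe", "svc-helpdesk@example.com", "LAPTOP-0005"),
    ev("2025-01-10T02:03:30Z", "wipe", "svc-helpdesk@example.com", "LAPTOP-0006"),
    ev("2025-01-10T09:30:00Z", "wipe", "admin@example.com", "LAPTOP-0099"),
    ev("2025-01-10T09:31:00Z", "createDeviceConfiguration", "admin@example.com", "-"),
]

# Destructive management-plane actions worth rate-limiting and alerting on.
WIPE_ACTIONS = {"wipe", "retire"}

def detect_mass_wipe(events, window_minutes=10, threshold=5):
    """Return one alert per actor who issued >= threshold wipe/retire
    commands inside any sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_actor = {}
    for e in events:
        if e["activityType"].lower() not in WIPE_ACTIONS:
            continue
        ts = datetime.strptime(e["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_actor.setdefault(e["actor"], []).append((ts, e["device"]))
    alerts = []
    for actor, hits in by_actor.items():
        hits.sort()
        start, best = 0, None
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward past old events
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"actor": actor, "count": count,
                        "first": hits[start][0].isoformat(),
                        "last": hits[end][0].isoformat(),
                        "devices": [d for _, d in hits[start:end + 1]]}
        if best:
            alerts.append(best)
    return alerts
```

A single lost-laptop wipe by an admin stays below the threshold; the same detection pairs naturally with a preventive control that requires a second approver before any bulk wipe is executed.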

The Pattern

The FBI affidavit also connects Handala’s operators to “Homeland Justice,” the persona that hacked the Albanian government in 2022. Albania expelled Iran’s ambassador. The infrastructure got disrupted. Homeland Justice went quiet. Then a version of the operation resurfaced under a different name with new targets.

The group runs under a persona, that persona gets too much heat, it shifts, and operations continue. From Iran’s perspective, this has worked.

What Would Deterrence Actually Look Like?

Seizing domains generates a press release and a few days of coverage. It tells Iran’s MOIS that the U.S. is watching. They already knew that.

The DOJ’s public attribution of the MOIS connection does have real value – for allies, for the record, and for companies trying to understand who’s actually behind attacks like the Stryker breach. But “disruption” that’s undone in hours isn’t disruption. It’s a speed bump.

Domain seizures aren’t nothing. They’re just not deterrence.

Why the Handala case reveals the limits of U.S. cyber enforcement against state-backed actors.