Tehran-Linked Handala Hackers Disrupt Medtech Giant Stryker, Claim Verifone Breach
In a recent cybersecurity incident, a self-identified hacktivist group named Handala, widely regarded as a front for Iranian intelligence activities, claims to have hacked the payment device manufacturer Verifone, headquartered in New York City. The group asserted that it infiltrated Verifone’s Israeli office and compromised data, causing disruptions to operations. Verifone has denied these allegations, stating formally that no evidence supports the claim of any incident and emphasizing that there has been no service interruption for its clients.
This claim arises amid escalating tensions between Iran and the West. Handala, identified by cybersecurity experts as a group operating under the auspices of Iran’s Ministry of Intelligence, is believed to engage in psychological operations that support pro-Iran narratives. Notably, the group has previously claimed credit for a significant cyberattack against Stryker, a prominent medical technology company, which affected approximately 200,000 systems across 79 countries. Stryker has confirmed the attack and is in the process of restoring its systems.
Handala has publicly framed the alleged Verifone breach as a direct retaliation against airstrikes targeting Iranian banking infrastructure. The context of this assertion is significant: two major state-owned banks in Iran recently suspended services, preventing customers from accessing their funds or contacting customer support. Speculations arose about the cause of this outage, with some attributing it to a Western cyberattack, while others suggested it was due to a missile strike on a data center located in Tehran.
Moreover, the Islamic Revolutionary Guard Corps (IRGC) issued a stark warning stating that any banking infrastructure in the Middle East linked to the U.S. or Israel would be considered fair game for missile or drone attacks. The IRGC also specified that facilities associated with several American technology giants, including Amazon, Google, and Microsoft, have become potential military targets. This declaration comes after the launch of “Operation Epic Fury” by the U.S. and Israel, which involved aerial bombardments aimed at Iran, initiated on February 28.
A report published by researchers at Check Point Security indicates that Handala falls under a cohort of hacktivist identities linked to Iranian intelligence, being tracked by cybersecurity experts under the alias Void Manticore. This moniker includes various personas, including "Homeland Justice," which has targeted Albania. The group is particularly notorious for conducting “hack and leak” operations alongside disruptive attacks, including those involving wiper malware.
Handala has claimed the breach into Stryker was a reaction to a U.S. missile strike that killed at least 175 individuals, including many children, during the onset of the Israeli air campaigns on February 28. This context underscores the perceived escalation of cyber operations in parallel with military actions.
The timeline regarding how long Handala may have had access to either Stryker or Verifone systems remains unclear. Some cybersecurity analysts suggest that the group typically follows a consistent methodology: infiltrate systems, maintain a low profile for several months, exfiltrate sensitive data, and then eliminate all traces, including organizational backups. British cybersecurity expert Kevin Beaumont pointedly described this modus operandi in a social media post, highlighting the group's tactic of obtaining domain administrative privileges early in an operation and then using the organization's own IT documentation to its advantage.
As for the ramifications of these cyber activities, disrupting critical infrastructure such as Verifone’s payment systems could trigger severe retaliatory measures from U.S. authorities. According to Ian Thornton-Trump, Chief Information Security Officer at Inversion6, the absence of major disruptive actions against Verifone could be a strategic decision by Iranian proxies. They appear to be focused on creating embarrassment and operational challenges for affected companies without drawing substantial military repercussions.
Stryker remains actively engaged in recovering from the cyberattack, reporting that the disruption has impacted its global network and rendered its ordering system temporarily offline. The company has assured stakeholders that the problem is confined to its internal Microsoft environment and there is no indication of malware or ransomware involvement.
In the broader context of this conflict, various hacktivist groups have intensified their activities, claiming cyberattacks and targeting entities affiliated with the opposing side. Groups like DieNet and Keymous+ have emerged alongside Russia-linked actors, indicating a multi-faceted cyber landscape. However, cybersecurity experts warn that many of these claims, particularly those circulated by hacktivists, may be exaggerated or fabricated, aimed primarily at generating publicity and spreading fear. Rapid7 reported that some threats involve recycling old datasets or overstating access levels as part of psychological operations designed to inflict reputational damage.
Nonetheless, the involvement of state-directed actors in this landscape warrants caution, as the potential for legitimate data theft and subsequent weaponization of stolen material represents a genuine threat. Handala’s recent actions highlight a continuously evolving cyber warfare landscape in which motives intersect with geopolitical tensions, and the implications remain vast and unpredictable.
