Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack

The Hacker News, Mar 28, 2026

Why It Matters

The incidents demonstrate a strategic shift by state‑aligned Iranian groups toward disruptive, high‑visibility attacks that threaten critical infrastructure and erode confidence in U.S. institutions. They underscore urgent supply‑chain and credential‑security risks for enterprises across sectors.

Key Takeaways

  • Handala Hack breached FBI director's personal email
  • Wiper attack crippled Stryker's internal network
  • Group uses VPN credential theft and Intune abuse
  • U.S. seized four MOIS‑linked domains, offered $10M reward
  • Attack signals shift from espionage to disruptive warfare

Pulse Analysis

The Handala Hack collective, widely believed to be an operational front for Iran’s Ministry of Intelligence and Security, has escalated its campaign from covert espionage to overt disruption. By targeting the personal email of FBI Director Kash Patel, the group sent a clear geopolitical message, leveraging the leak of decades‑old correspondence to sow distrust in U.S. law‑enforcement integrity. Simultaneously, its wiper assault on Stryker—an essential supplier of medical devices—marks a watershed moment: a state‑linked actor directly attacking a Fortune 500 company, demonstrating that strategic supply‑chain actors are now on the front lines of cyber warfare.

Technically, Handala Hack’s playbook blends classic credential‑theft tactics with sophisticated abuse of legitimate administration tools. The group harvests VPN and Microsoft Intune credentials through phishing and infostealer malware, then pivots laterally via RDP and Group Policy logon scripts. Custom PowerShell wipers—Handala Wiper and Handala PowerShell Wiper—are dropped alongside legitimate encryption utilities like VeraCrypt, complicating forensic recovery. This hybrid approach blurs the line between criminal ransomware and state‑sponsored sabotage, rendering traditional detection mechanisms less effective and demanding deeper telemetry on privileged‑account activity.
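The pattern above, a logon script planted in Group Policy that launches PowerShell on many hosts at once, is visible in ordinary endpoint telemetry if the events are correlated. The following is an added illustration, not code from the article, Microsoft or CISA: a small Python detector that runs over constructed process-creation and file-write records in a Sysmon-like shape. It assumes the field names shown, that `gpscript.exe` (the Windows Group Policy script host) appears as the parent of script-launched PowerShell, and that the SYSVOL path, host names and users are invented sample data.

```python
"""Correlate a SYSVOL logon-script change with mass PowerShell launches and
encryption-tool spawns. Added example; event shape and sample data are constructed."""
from collections import defaultdict

# Constructed: utilities whose appearance under a script-launched PowerShell parent
# should escalate the alert. Extend with tools your environment does not expect.
ENCRYPTION_TOOLS = {"veracrypt.exe"}


def proc(ts, host, user, image, parent, cmdline=""):
    """Build a constructed process-creation record (epoch-second timestamp)."""
    return {"ts": ts, "host": host, "user": user, "event": "process_create",
            "image": image, "parent": parent, "cmdline": cmdline, "path": ""}


def file_write(ts, host, user, path):
    """Build a constructed file-write record."""
    return {"ts": ts, "host": host, "user": user, "event": "file_write",
            "image": "", "parent": "", "cmdline": "", "path": path}


SCRIPT = "\\\\corp.example\\SYSVOL\\corp.example\\scripts\\logon.ps1"  # constructed path

# Constructed sample telemetry: one script write on the DC, three workstations
# running it via Group Policy minutes later, one of them spawning VeraCrypt,
# plus an unrelated interactive PowerShell session that must not match.
SAMPLE_EVENTS = [
    file_write(1000, "DC01", "CORP\\svc-deploy", SCRIPT),
    proc(1310, "WS-101", "CORP\\alice", "powershell.exe", "gpscript.exe",
         "powershell.exe -ExecutionPolicy Bypass -File " + SCRIPT),
    proc(1322, "WS-102", "CORP\\bob", "powershell.exe", "gpscript.exe",
         "powershell.exe -ExecutionPolicy Bypass -File " + SCRIPT),
    proc(1335, "WS-103", "CORP\\dana", "powershell.exe", "gpscript.exe",
         "powershell.exe -ExecutionPolicy Bypass -File " + SCRIPT),
    proc(1400, "WS-102", "CORP\\bob", "VeraCrypt.exe", "powershell.exe", "VeraCrypt.exe"),
    proc(1500, "WS-300", "CORP\\carol", "powershell.exe", "explorer.exe", "powershell.exe"),
]


def detect_gpo_wiper_pattern(events, window=3600, min_hosts=3):
    """Return alerts. One fires when a SYSVOL script write is followed within
    `window` seconds by PowerShell started by gpscript.exe on at least `min_hosts`
    distinct hosts. Hosts where that PowerShell then spawned an encryption
    utility are listed separately and raise severity to critical."""
    events = sorted(events, key=lambda e: e["ts"])
    script_writes = [e for e in events
                     if e["event"] == "file_write" and "\\sysvol\\" in e["path"].lower()]
    alerts = []
    for w in script_writes:
        affected, escalated = set(), set()
        for e in events:
            if e["event"] != "process_create" or not (w["ts"] <= e["ts"] <= w["ts"] + window):
                continue
            image, parent = e["image"].lower(), e["parent"].lower()
            if image == "powershell.exe" and parent == "gpscript.exe":
                affected.add(e["host"])
            elif parent == "powershell.exe" and image in ENCRYPTION_TOOLS:
                escalated.add(e["host"])
        if len(affected) >= min_hosts:
            alerts.append({
                "script": w["path"],
                "modified_by": w["user"],
                "modified_at": w["ts"],
                "hosts": sorted(affected),
                "escalated_hosts": sorted(escalated & affected),
                "severity": "critical" if escalated & affected else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_gpo_wiper_pattern(SAMPLE_EVENTS):
        print(alert)
```

The write on the domain controller is the pivot: a single modified script file becomes a fan-out across every host that processes the policy, so the detector keys on the file event and counts distinct hosts rather than matching on PowerShell alone, which would drown in ordinary admin activity. The `window` and `min_hosts` thresholds are the tuning knobs; a one-host match is routine, a fleet-wide burst minutes after a SYSVOL change is not.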

For U.S. enterprises, the fallout underscores a pressing need to harden identity and access management. Recommendations from Microsoft and CISA include enforcing least‑privilege principles, deploying phishing‑resistant multi‑factor authentication, and requiring multi‑admin approval for critical Intune changes. The government’s seizure of four MOIS‑operated domains and the $10 million bounty illustrate a coordinated response, yet the broader lesson is clear: organizations must treat state‑aligned threat actors as a supply‑chain risk, integrating continuous credential monitoring, zero‑trust networking, and rapid incident‑response playbooks to mitigate the growing tide of destructive cyber operations.
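Multi-admin approval matters here because a single harvested Intune credential is exactly what the group relies on. As an added example, not code from the article or from Microsoft's Intune feature, the following Python models the rule such a control enforces: a high-impact, device-wide change is held until a second, distinct admin approves it, and the requester can never count as their own approver. The operation names, roles and users are assumptions chosen for illustration.

```python
"""Separation-of-duties gate for management-plane changes. Added example with
constructed operation names, roles and users; not an Intune API."""
from dataclasses import dataclass

# Constructed: operations that can touch every enrolled device at once.
HIGH_IMPACT_OPERATIONS = {"deploy_script", "wipe_device", "assign_policy", "edit_approval_policy"}
ADMIN_ROLE = "intune_admin"  # assumed role name


@dataclass(frozen=True)
class ChangeRequest:
    request_id: str
    operation: str
    requester: str
    scope: str            # "all_devices" or a named device group
    approvers: tuple = () # users who have approved so far


def requires_second_approval(req: ChangeRequest) -> bool:
    """High-impact operations and anything scoped to every device need a second admin."""
    return req.operation in HIGH_IMPACT_OPERATIONS or req.scope == "all_devices"


def evaluate_change(req: ChangeRequest, admin_roles: dict) -> tuple:
    """Return (allowed, reason). admin_roles maps user -> set of role names."""
    if ADMIN_ROLE not in admin_roles.get(req.requester, set()):
        return False, "requester lacks the admin role"
    if not requires_second_approval(req):
        return True, "low-impact change; single admin is sufficient"
    # Only a different user who actually holds the admin role can approve.
    valid = sorted(a for a in req.approvers
                   if a != req.requester and ADMIN_ROLE in admin_roles.get(a, set()))
    if not valid:
        return False, "high-impact change needs approval from a second, distinct admin"
    return True, "approved by " + valid[0]


# Constructed directory of who holds which role.
ROLES = {"alice": {ADMIN_ROLE}, "bob": {ADMIN_ROLE}, "carol": {"helpdesk"}}

if __name__ == "__main__":
    stolen_cred = ChangeRequest("r1", "deploy_script", "alice", "all_devices")
    print(evaluate_change(stolen_cred, ROLES))                      # held
    print(evaluate_change(ChangeRequest("r2", "deploy_script", "alice", "all_devices",
                                        approvers=("bob",)), ROLES))  # allowed
```

The check that defeats the credential-theft scenario is the `a != req.requester` filter: with it, compromising one admin account yields a pending request rather than a fleet-wide script push, and the second admin's review is the point at which the change can be questioned. Note that `edit_approval_policy` is itself gated, so an attacker cannot first loosen the rule and then act under it.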
