FBI Takes Down Handala’s Digital Platforms

Two websites operated by the pro-Iranian hacktivist group Handala have been seized by the FBI. The action came just days after the group publicly claimed responsibility for a destructive cyberattack targeting the American medical technology corporation Stryker.

Visitors to the sites, which Handala used to publicize its hacks and dox individuals, were met with a stark law enforcement banner. The notice stated the domain was used to support malicious cyber activities coordinated with a foreign state actor. TechCrunch verified the seizure by checking the sites’ nameserver records, which now point to FBI-controlled servers.

The Department of Justice and FBI did not immediately comment on the specific reasons for the takedown. The language on the seizure notice, however, leaves little doubt about the U.S. government’s assessment.

Handala’s Response and Ongoing Campaign

How did the group react? In posts on its official Telegram channel, Handala acknowledged the website seizures. The group framed the move as a “desperate attempt to silence our voice” and a sign that its actions were causing fear among its targets.

“The pursuit of justice cannot be stopped by taking down a website,” the hackers wrote, vowing that their movement would persist. The group’s account on the social media platform X was also recently suspended.

Handala’s activities surged following the October 7, 2023, Hamas attacks. The group is widely believed to have ties to the Iranian regime. Its attack on Stryker, a company with over 56,000 employees, was claimed as retaliation for a U.S. missile strike on an Iranian school.

The Destructive Stryker Hack

What made the Stryker attack so severe? Handala reportedly breached an internal administrator account, gaining extensive access to the company’s Windows network. This access included Stryker’s Intune dashboards—tools designed for remotely managing employee laptops and mobile devices.

With control of these dashboards, the hackers possessed a dangerous capability: the power to remotely wipe data from company and employee devices. They allegedly used this access to carry out destructive actions, forcing Stryker into a major recovery effort.

As of this week, Stryker confirmed it is still working to restore its computers and internal network in the wake of the intrusion. The company had signed a $450 million contract with the U.S. Department of Defense last year to supply medical devices.

Disruption and Future Threats

While the website takedown represents a clear setback for Handala, experts caution it is unlikely to be a permanent solution. Nariman Gharib, a U.K.-based Iranian activist and cyber-espionage investigator, called the seizures good news but warned of continued activity.

“Their organizational and management structure is currently disrupted,” Gharib told TechCrunch. He suggested group members could now face greater physical risk, similar to other Iranian cyber operatives.

However, he noted that future leaks from the group could simply be published through media outlets aligned with Iran’s Islamic Revolutionary Guard Corps (IRGC). The digital conflict, it seems, has merely entered a new phase.

A New Kind of Apple Update

Apple has quietly rolled out a new type of software patch. Dubbed a “background security improvement,” this lightweight update targets a specific vulnerability in the Safari web browser across iPhones, iPads, and Macs. It represents a shift in how Apple delivers critical fixes, offering a middle ground between major OS releases.

The update addresses a bug in WebKit, the engine that powers Safari. A security researcher discovered the flaw, which could allow a malicious website to access data from another site open in the same browser session. This kind of cross-site data leakage is a serious privacy concern.

How Background Security Updates Work

Think of these updates as a surgical strike. Instead of waiting for a full-scale iOS or macOS update, Apple can now push targeted fixes for specific components like Safari or system libraries. The company describes them as “lightweight” and designed for vulnerabilities that need prompt attention.

The process is remarkably quick. Installing this first background update required only a simple device restart, not the lengthy reboot associated with traditional software updates. This minimizes disruption for users while still closing security gaps.

Why This Approach Matters

Speed is the key advantage. In the past, a fix for a Safari bug might have been bundled into the next scheduled iOS point release, potentially leaving a window of exposure. Now, Apple can deploy a patch directly, much faster. It’s a more agile response to the ever-evolving threat landscape.

This system debuted with devices running iOS, iPadOS, and macOS version 26.1 or higher. Apple had been testing the feature with software testers prior to this public launch. The company has not commented on why this particular WebKit bug warranted the inaugural background patch, but its potential for data access likely made it a priority.

For users, it’s a welcome evolution. Security shouldn’t have to wait on a calendar. This new method allows Apple to shore up defenses between its major software milestones, keeping your browsing more secure with less fuss.

The LeakyLooker Vulnerabilities in Google’s Analytics Platform

Imagine a business intelligence tool designed to visualize data becoming a backdoor to the cloud itself. That was the startling reality uncovered by Tenable Research, which identified a cluster of nine security flaws in Google Looker Studio. Dubbed ‘LeakyLooker,’ these cross-tenant vulnerabilities resided in the platform formerly known as Google Data Studio.

Looker Studio is a popular service for creating dashboards and reports. It pulls data from sources like Google BigQuery, Sheets, and other SQL databases. This deep integration with Google’s cloud infrastructure, however, painted an unexpectedly large target for attackers. The platform’s architecture inadvertently created a broad attack surface where a single compromised report could have far-reaching consequences.

Two Paths to Exploitation: Zero-Click and One-Click Attacks

Tenable’s investigation pinpointed weaknesses in the platform’s authentication and data connector systems. The core issue? Looker Studio can run queries using either the report creator’s credentials or the viewer’s credentials. This design flaw opened up two distinct avenues for malicious activity.

The first path required no user interaction. In a ‘0-click’ attack, a threat actor could craft server-side requests that triggered SQL queries executed with the report owner’s high-level permissions. No button click needed; the damage could be done remotely.

The second method was a ‘1-click’ attack. Here, a victim only needed to open a manipulated report or a malicious link. Upon viewing it, malicious SQL queries would run using the viewer’s own database credentials, potentially compromising their data.

Underlying Flaws That Enabled the Attacks

These attack techniques were powered by several critical underlying issues. Researchers found SQL injection flaws in the platform’s database connectors. Sensitive data could also leak through seemingly benign report elements like hyperlinks or embedded images. A particularly concerning flaw, dubbed a ‘denial-of-wallet’ issue, could have allowed attackers to run up massive bills on a victim’s BigQuery resources.

Potential Impact and the Path to Remediation

The scope was significant. Connectors for BigQuery, Cloud Spanner, PostgreSQL, MySQL, Google Sheets, and Cloud Storage were all affected. An attacker could have scoured the web for publicly shared Looker reports. These reports could then serve as a launchpad to steal data, insert false records, or even delete entire tables in connected databases.

One subtle but dangerous feature was the report copy function. When a viewer duplicated a report, it sometimes preserved the original database credentials. The new owner of the copied report could then run custom SQL queries against the original database, all without ever knowing the password.

Tenable responsibly disclosed all nine vulnerabilities to Google. The tech giant collaborated with the researchers to investigate and roll out fixes. Since Looker Studio is a fully managed service, Google deployed the patches globally. Customers did not need to take any action to be protected.

Securing Your Business Intelligence Front

This episode serves as a crucial reminder. Analytics and business intelligence platforms are often overlooked in security assessments. They are powerful tools that connect directly to crown-jewel data stores, making them attractive targets.

Organizations should proactively manage this risk. Regularly audit report-sharing settings and ensure only necessary individuals have access. Limit or remove unused data connectors to shrink the attack surface. Most importantly, treat BI and analytics integrations as a core component of your cloud security strategy, not an afterthought. The line between data visualization and data vulnerability can be thinner than it appears.