FBI Seizes Iran-Linked Handala Leak Site After Stryker Intune Wipe Attack: Cybersecurity Today
Mar 20, 2026
A takedown of an Iran-linked leak site tied to a major Stryker attack and mass device wipes. Guidance from CISA and Microsoft on hardening Intune, identity controls, and requiring multi-admin approval. Apple pushes urgent iPhone patches for actively exploited flaws. New research reveals North Korean operatives posing as remote IT workers to infiltrate Western firms.
09:26
INSIGHT
Hacktivist Blends Wiping With Data Leak Extortion
Handala paired mass device wiping with data theft, using a leak site as both extortion tool and messaging platform.
The FBI takedown required months of cross-jurisdictional infrastructure tracking and coordination to seize the leak site.
ANECDOTE
Stryker Breach Caused 80,000 Device Resets
The Stryker breach used a compromised Windows domain admin to create a global admin and then issue mass Intune wipes.
That single pathway enabled factory resetting roughly 80,000 managed devices in hours.
ADVICE
Harden Intune With Least Privilege And Multi-Admin Approval
Enforce least privilege, role-based access, and multi-factor authentication for Intune and admin accounts.
Require multi-admin approval for sensitive actions such as device wipes, so that a single compromised account cannot trigger mass resets on its own.
FBI Seizes Iran-Linked Handala Leak Site After Stryker Intune Wipe Attack; Apple iPhone Exploit Patch; North Korean Fake IT Workers Grow
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst
The episode reports that the FBI has seized the data leak site used by the Iran-linked hacktivist group Handala, which has been widely linked to the Stryker attack where attackers compromised admin accounts, stole data, and used Microsoft Intune to remotely wipe and factory reset roughly 80,000 managed devices. CISA and Microsoft warn organizations to harden Intune and identity controls with least privilege, role-based access, MFA, conditional access, and requiring multi-admin approval for sensitive actions like device wipes. Apple urges iPhone users to update after fixing actively exploited flaws used in targeted, sophisticated campaigns, noting risks even for those who think Apple devices aren't targeted. The show also highlights new FLAIR research showing North Korean operatives continue infiltrating Western firms as remote IT workers using stolen or fabricated identities, exploiting weak hiring verification and broad access.
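The pathway described above (a compromised admin creates a new privileged account, which then issues a burst of Intune wipes) is also something a defender can watch for in audit telemetry while the multi-admin approval control is being rolled out. The following Python script is an added example, not code from the episode, CISA or Microsoft: it runs over a handful of constructed, simplified audit records and flags any actor who issues a burst of destructive device actions, raising the severity when that actor was granted a privileged role shortly beforehand. The record fields (`time`, `actor`, `action`, `target`, `role`) and the action names are assumptions chosen for the example, not the Microsoft Graph audit schema.

```python
"""Detect the "new admin issues mass wipes" pattern in MDM audit records.

Added example for illustration; record layout and action names are
assumptions, not a real Intune or Graph API export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Device actions that destroy data and therefore deserve multi-admin approval.
# Names are constructed for this example.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "factoryReset"}
PRIVILEGE_GRANT = "addRoleAssignment"

# Constructed sample records (not real telemetry). A service account grants
# Global Administrator to a brand-new account, which then wipes six devices in
# under three minutes. A helpdesk user retiring one device is normal activity.
SAMPLE_EVENTS = [
    {"time": "2026-03-15T01:00:00Z", "actor": "da-svc@corp.example",
     "action": "addRoleAssignment", "target": "gadmin-new@corp.example",
     "role": "Global Administrator"},
    {"time": "2026-03-15T01:10:00Z", "actor": "gadmin-new@corp.example", "action": "wipe", "target": "dev-0001"},
    {"time": "2026-03-15T01:10:30Z", "actor": "gadmin-new@corp.example", "action": "wipe", "target": "dev-0002"},
    {"time": "2026-03-15T01:11:00Z", "actor": "gadmin-new@corp.example", "action": "wipe", "target": "dev-0003"},
    {"time": "2026-03-15T01:11:30Z", "actor": "gadmin-new@corp.example", "action": "wipe", "target": "dev-0004"},
    {"time": "2026-03-15T01:12:00Z", "actor": "gadmin-new@corp.example", "action": "wipe", "target": "dev-0005"},
    {"time": "2026-03-15T01:12:30Z", "actor": "gadmin-new@corp.example", "action": "wipe", "target": "dev-0006"},
    {"time": "2026-03-15T09:00:00Z", "actor": "helpdesk@corp.example", "action": "retire", "target": "dev-0420"},
    {"time": "2026-03-15T10:00:00Z", "actor": "itadmin@corp.example", "action": "wipe", "target": "dev-0777"},
    {"time": "2026-03-15T16:00:00Z", "actor": "itadmin@corp.example", "action": "wipe", "target": "dev-0778"},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return (actor, count, first, last) for each actor who issued at least
    `threshold` destructive actions inside any `window`-long interval.
    Uses a sliding window over each actor's sorted action times."""
    by_actor = defaultdict(list)
    for event in events:
        if event["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[event["actor"]].append(parse_time(event["time"]))
    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        left, best = 0, None
        for right, t in enumerate(times):
            while t - times[left] > window:   # shrink window from the left
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (actor, count, times[left], t)
        if best:
            alerts.append(best)
    return alerts


def recently_elevated_actors(events, lookback=timedelta(hours=24)):
    """Map actors of destructive actions to the privileged-role grant they
    received within `lookback` before their first destructive action."""
    grants = {}
    for event in events:
        if event["action"] == PRIVILEGE_GRANT:
            grants[event["target"]] = (parse_time(event["time"]), event["actor"], event["role"])
    findings = {}
    for event in events:
        if event["action"] in DESTRUCTIVE_ACTIONS and event["actor"] in grants:
            grant_time, granter, role = grants[event["actor"]]
            delta = parse_time(event["time"]) - grant_time
            if timedelta(0) <= delta <= lookback:
                findings.setdefault(event["actor"],
                                    {"granted_by": granter, "role": role, "grant_time": grant_time})
    return findings


def triage(events, threshold=5, window=timedelta(minutes=10)):
    """Combine both checks: a wipe burst is 'high'; a wipe burst by a freshly
    elevated account (the pathway in the Stryker incident) is 'critical'."""
    elevated = recently_elevated_actors(events)
    report = []
    for actor, count, first, last in find_wipe_bursts(events, threshold, window):
        grant = elevated.get(actor)
        report.append({
            "actor": actor,
            "wipes": count,
            "span_minutes": (last - first).total_seconds() / 60,
            "severity": "critical" if grant else "high",
            "granted_by": grant["granted_by"] if grant else None,
        })
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The thresholds (five destructive actions in ten minutes, a role grant within the previous 24 hours) are starting points to tune against a tenant's own baseline; the point of the example is that the two signals together single out exactly the account that multi-admin approval would have stopped, while leaving routine single-device retirements alone.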
00:00 Sponsor Message Meter
00:19 Headlines And Intro
00:46 FBI Seizes Handala Leak Site
02:31 CISA And Microsoft Intune Guidance
04:37 Apple iPhone Update Warning
06:10 North Korean Fake IT Workers
07:56 Links Sharing And Wrap Up
08:29 Sponsor Thanks And Sign Off