* Website up and running a day after domain seized
* Fast restoration shows hacker resilience, expert says
* Handala linked to Iran's Ministry of Intelligence and Security, DOJ says
By AJ Vicens
March 20 (Reuters) - The website used by an Iranian
government-linked hacking unit that claimed responsibility for a
March 11 cyberattack on a U.S. medical device maker is back up
and running a day after the FBI and Department of Justice seized
its internet domains.
Four domains associated with "Handala Hack Team" had been
seized, the Department of Justice said on Thursday. Handala is
one of several public personas used by a hacking unit operating
under Iran's Ministry of Intelligence and Security (MOIS) as
part of the agency's psychological operations, the DOJ said.
On Friday, Handala said in a post on its website that the
seizures were "desperate attempts by the United States and its
allies to silence the voice of Handala."
The quick rebound highlights the resilience of
Iranian-linked hacking units' public personas, said Ari Ben Am,
an adjunct fellow at the Foundation for Defense of Democracies
Center on Cyber and Technology Innovation.
"Iranian threat actors, MOIS in particular, are no strangers
to takedowns," Ben Am said. "Handala alone has had tens of
Telegram channels, X accounts and domains taken down, and these
takedowns have never slowed them down significantly. It will be
trivial for Handala and its MOIS operators to get that content
back up on another domain very, very soon."
The domains seized included those used to originally make
the claim of the attack on Michigan-based Stryker,
according to a partially redacted FBI affidavit filed in support
of the seizure.
Specific references to the company are blacked out, but the
affidavit refers to a March 11, 2026, cyberattack on a major
American multinational medical technologies firm, and quotes the
Handala message posted announcing the Stryker attack.
A DOJ spokesperson told Reuters on Friday the FBI affidavit
"asserts that there is probable cause to believe that the
operators of the 'Handala' persona are members of a conspiracy
that carried out a destructive malware attack against a
U.S.-based multinational medical technologies firm."
Stryker said in a March 19 statement on its website that it
was restoring systems that directly support customers, ordering,
and shipping but that its products were safe.
"We're grateful to the government for their efforts to seize
domains linked to the purported threat actors," the company
said.