Handala Wipes 200,000 Stryker Devices Using Microsoft Intune
Iranian-linked hacktivists claim devastating attack on medical device maker Stryker, weaponizing Intune's remote wipe capability to erase systems in 79 countries.
Iranian-linked hacktivist group Handala claimed responsibility for a devastating wiper attack against Stryker, the global medical technology giant, wiping data from over 200,000 devices and forcing offices in 79 countries offline. The attackers weaponized Microsoft Intune, the company's own device management platform, to issue mass remote wipe commands.
TL;DR
- What happened: Handala compromised Stryker and used Intune to remotely wipe 200,000+ devices
- Who's affected: Stryker operations globally; healthcare supply chain disruptions reported
- Attribution: Handala (Void Manticore persona), MOIS-affiliated
- Action required: Audit MDM admin access; implement break-glass procedures for cloud management
The Attack
On March 11, 2026, Stryker employees worldwide lost access to their devices. Login screens displayed Handala's logo. Systems across manufacturing, distribution, and corporate functions went dark simultaneously.
Rather than deploying traditional wiper malware, the attackers found a more elegant approach. They compromised administrative access to Stryker's Microsoft Intune environment and used the platform's legitimate "remote wipe" functionality against the company's own devices.
Intune, Microsoft's cloud-based endpoint management solution, is designed to let IT teams manage and secure devices remotely. That same capability becomes catastrophic when an attacker gains control. One command can erase thousands of devices across the globe in minutes.
According to reports from Krebs on Security, more than 5,000 workers were sent home from Stryker's Cork, Ireland facility alone. The company's Michigan headquarters issued a voicemail stating they were "experiencing a building emergency."
Healthcare Supply Chain Impact
Stryker manufactures surgical equipment, orthopedic implants, and medical devices used in hospitals worldwide. With systems offline, the healthcare supply chain faced immediate disruption.
The American Hospital Association noted they were monitoring the situation but hadn't confirmed direct disruptions to member hospitals as of the initial reports. Still, hospitals rely on just-in-time ordering for surgical supplies. Extended outages could force procedure delays.
This kind of cascading impact is exactly why healthcare has become a prime target. We saw similar dynamics in the TriZetto healthcare breach last week, where backend systems supporting insurance claims processing affected downstream providers. Third-party service dependencies expand the blast radius, as demonstrated by the Flickr breach via an email provider earlier this year.
Who is Handala?
Handala presents itself as a pro-Palestinian hacktivist collective, but security researchers tie it directly to Iranian state interests. Palo Alto Networks' Unit 42 assesses Handala as "one of several online personas maintained by Void Manticore," a threat actor affiliated with Iran's Ministry of Intelligence and Security.
The group emerged in late 2023 and has claimed responsibility for attacks on Israeli energy companies, critical infrastructure, and now American corporations. In their statement claiming the Stryker attack, Handala framed it as retaliation for a February 28 US missile strike that hit an Iranian school.
Handala also labeled Stryker a "Zionist-rooted corporation," likely referencing the company's 2019 acquisition of Israeli medical device firm OrthoSpace.
The MDM Threat Vector
This attack highlights a risk that security teams have long worried about: cloud management platforms as single points of failure. Modern enterprises rely on Mobile Device Management (MDM) and Unified Endpoint Management (UEM) solutions to secure their fleets. But administrative access to these platforms grants god-mode control over every enrolled device.
Attack scenarios include:
- Mass remote wipe - As seen in the Stryker attack
- Malware deployment - Push malicious configurations or applications to all devices
- Policy manipulation - Disable security controls across the organization
- Data exfiltration - Access device inventories, user data, and compliance information
Protection requires treating MDM admin accounts as Tier Zero assets, equivalent to domain controllers. That means:
- Privileged access workstations for all MDM administration
- Phishing-resistant MFA on every admin account
- Just-in-time access with time-limited elevation
- Offline break-glass procedures for recovery scenarios
- Segmented backup infrastructure that attackers can't reach from the same credentials
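Detection belongs on that list too: a mass wipe shows up in the MDM audit log as a burst of destructive actions from one admin identity. The script below is an added example, not code from the article or from Microsoft; it runs a sliding-window count over constructed audit events and raises one alert per account that crosses the threshold. The event field names and the account names are assumptions, so map them to the real Intune audit schema before use.

```python
"""Flag a burst of destructive MDM actions (wipe/retire/delete) by one admin.

Added example, not code from the article. Event shape is an assumption:
{'time': ISO-8601 UTC, 'actor': admin UPN, 'action': str, 'device': id};
real Intune audit events (Graph auditEvents) use their own field names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE = {"wipe", "retire", "delete"}  # actions that remove data or enrollment


def _ev(time, actor, action, device):
    return {"time": time, "actor": actor, "action": action, "device": device}


# Constructed sample: one account issues six wipes in five seconds, while a
# helpdesk account does routine work hours apart.
SAMPLE_EVENTS = [
    _ev("2026-03-11T02:00:05Z", "svc-intune@corp.example", "wipe", "LAP-0001"),
    _ev("2026-03-11T02:00:06Z", "svc-intune@corp.example", "wipe", "LAP-0002"),
    _ev("2026-03-11T02:00:06Z", "svc-intune@corp.example", "wipe", "LAP-0003"),
    _ev("2026-03-11T02:00:07Z", "svc-intune@corp.example", "wipe", "LAP-0004"),
    _ev("2026-03-11T02:00:08Z", "helpdesk@corp.example", "retire", "PHN-0042"),
    _ev("2026-03-11T02:00:09Z", "svc-intune@corp.example", "wipe", "LAP-0005"),
    _ev("2026-03-11T02:00:10Z", "svc-intune@corp.example", "wipe", "LAP-0006"),
    _ev("2026-03-11T09:30:00Z", "helpdesk@corp.example", "wipe", "PHN-0043"),
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor, (actor, window_start, count), as soon as
    their destructive actions inside a sliding time window reach threshold."""
    recent = defaultdict(deque)  # actor -> timestamps still inside the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in DESTRUCTIVE:
            continue
        now, actor = parse_time(ev["time"]), ev["actor"]
        q = recent[actor]
        q.append(now)
        while now - q[0] > window:  # drop actions that fell out of the window
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append((actor, q[0].isoformat(), len(q)))
    return alerts
```

Tune the threshold and window to the organisation's normal retire/wipe rate so that routine helpdesk work stays quiet while a fleet-wide burst from a single identity alerts within seconds.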
Broader Iranian Cyber Escalation
The Stryker attack fits a pattern. Since US and Israeli military operations against Iran on February 28, Iranian cyber actors have dramatically increased their activity. Unit 42 documented over 60 hacktivist groups conducting operations ranging from DDoS attacks to data destruction.
While some groups like MuddyWater focus on quiet espionage, others like Handala pursue maximum visibility and disruption. Both serve Iranian strategic objectives: intelligence collection from quiet operations, deterrence messaging from loud ones.
Organizations with any perceived connection to US or Israeli interests should assume elevated threat levels for the foreseeable future. Review your incident response plans, test backup restoration procedures, and ensure you can operate if cloud management platforms become unavailable or compromised.