Wiper | Contained

Stryker Handala wiper attack (Iran-linked, 2026)

The Iranian state-linked group Handala compromised Stryker's Microsoft Intune administrator account and used the endpoint-management tool to wipe more than 200,000 servers, mobile devices, and corporate endpoints across 79 countries — bringing operations at one of the world's largest medical-device makers to a halt.

Victim: Stryker

On 11 March 2026, the medical-device maker Stryker suffered one of the most destructive corporate cyber incidents on public record. The attackers — Handala, an Iran-linked group that presents itself as hacktivism but has been linked to Iran's Ministry of Intelligence and Security (MOIS) — compromised Stryker's Microsoft Intune administrator account and used it to remotely wipe more than 200,000 systems across 79 countries.

What happened

Handala did not deploy ransomware. They did not deploy a stealer. They used the legitimate enterprise-mobility tool — Microsoft Intune, which exists precisely to let IT push commands to fleets of devices — to issue remote-wipe commands against more than 200,000 of Stryker's servers, mobile devices, and corporate endpoints, including employee BYOD devices.

Employees reportedly watched as the wipes happened in real time. The attack chain, as reconstructed by Kevin Beaumont, ran through Stryker's Active Directory to the Intune administrative role; from there, issuing the wipe instructions was trivial.

In a public statement, Handala framed the attack as retaliation "for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure" of Iran and its allies — placing it firmly inside the broader Iran-Israel-US shadow conflict that has been spilling into civilian-target cyber operations since 2024.

Impact

  • 200,000+ devices wiped across 79 countries — one of the largest destructive cyber incidents to hit a private-sector company.
  • Manufacturing, ordering, and distribution systems disrupted; Q1 2026 earnings affected.
  • Full operational recovery announced later in 2026 after extensive endpoint re-imaging and re-onboarding.
  • No ransomware payload, no stealer payload — the attackers were not interested in money.

Why it matters

Stryker shows what state-backed destructive operations look like when they intersect with enterprise mobility management: an attacker who controls Intune doesn't need malware to wipe a global fleet. The defenders' toolset is the weapon. The Iran-linked attribution — masking nation-state operations behind a hacktivist persona — is also the template for how plausible deniability is now manufactured around state cyber operations.
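As an added illustration (not from the original write-up or any of its sources), the sketch below flags an account that issues destructive device actions against many distinct devices within a short window, which is the signal that remains when the management console itself is the wiping tool and there is no malware to detect. The record shape, action names, thresholds, and sample data are constructed assumptions; map a real MDM audit export onto them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical action labels for this example, not a vendor schema.
DESTRUCTIVE = {"wipe", "retire"}

def find_wipe_bursts(records, threshold=10, window=timedelta(minutes=5)):
    """Return {initiator: (first_alert_time_iso, distinct_devices)} for every
    account whose destructive actions reach `threshold` distinct devices
    inside a sliding `window`."""
    recent = defaultdict(deque)   # initiator -> deque of (time, device)
    alerts = {}
    for r in sorted(records, key=lambda r: datetime.fromisoformat(r["time"])):
        who = r["initiator"]
        if r["action"] not in DESTRUCTIVE or who in alerts:
            continue
        ts = datetime.fromisoformat(r["time"])
        q = recent[who]
        q.append((ts, r["device"]))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        devices = {d for _, d in q}       # count devices, not repeated commands
        if len(devices) >= threshold:
            alerts[who] = (ts.isoformat(), len(devices))
    return alerts

# Constructed sample data: routine help-desk wipes hours apart, then one
# admin account wiping 40 devices two seconds apart.
_BASE = datetime(2026, 1, 1, 9, 0, 0)
SAMPLE = [
    {"initiator": "helpdesk@example.test", "action": "wipe",
     "device": "LAPTOP-0001", "time": _BASE.isoformat()},
    {"initiator": "helpdesk@example.test", "action": "wipe",
     "device": "PHONE-0002", "time": (_BASE + timedelta(hours=3)).isoformat()},
    {"initiator": "admin@example.test", "action": "sync",
     "device": "SRV-0000", "time": (_BASE + timedelta(hours=4)).isoformat()},
] + [
    {"initiator": "admin@example.test", "action": "wipe",
     "device": f"SRV-{i:04d}",
     "time": (_BASE + timedelta(hours=5, seconds=2 * i)).isoformat()}
    for i in range(40)
]

if __name__ == "__main__":
    for who, (when, n) in find_wipe_bursts(SAMPLE).items():
        print(f"ALERT {who}: {n} distinct devices targeted by {when}")
```

The alert fires on the tenth distinct device, 18 seconds into the burst, so a rule like this is only useful if it feeds an automated response such as suspending the initiating account.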

Timeline

  1. Handala compromises Stryker's Microsoft Intune administrator account and remotely wipes more than 200,000 servers, mobile devices, and corporate endpoints across 79 countries. Employees report watching their machines erase in real time. The group claims responsibility, framing the attack as retaliation 'for the brutal attack on the Minab school' and ongoing cyber assaults against Iran's infrastructure.

  2. Researcher Kevin Beaumont reports the attack chain: Active Directory compromise leading to Intune abuse for mass remote wipe. No evidence of ransomware or stealer malware is found — the attack is destructive only.

  3. First-quarter earnings affected by manufacturing, ordering, and distribution disruption.

  4. Stryker confirms full operational recovery of its manufacturing network and resumes peak production capacity.

Sources

  1. techcrunch.com: https://techcrunch.com/2026/03/11/stryker-hack-pro-iran-hacktivist-group-handala-says-it-is-behind-attack/
  2. krebsonsecurity.com: https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
  3. hipaajournal.com: https://www.hipaajournal.com/stryker-cyberattack-iran/
  4. industrialcyber.co: https://industrialcyber.co/medical/suspected-iran-linked-cyberattack-hits-medical-technology-giant-stryker-amid-middle-east-tensions/
  5. lumos.com: https://www.lumos.com/blog/stryker-hack
