Iran-linked Handala group claims wiper attack on Stryker, 200,000 devices hit

By Artem Safonov, Threat Analyst

Medtech giant Stryker confirmed a global cyberattack on March 11, 2026. The Iran-linked hacktivist group Handala (also known as Handala Hack Team, Hatef, Hamsa) claimed to have wiped more than 200,000 servers, systems, and mobile devices and exfiltrated 50 terabytes of data. Stryker filed a Form 8-K with the SEC. The Fortune 500 company employs 56,000 people across 61 countries and reported $25.1 billion in revenue for 2025.

The attackers did not deploy traditional wiper malware. According to KrebsOnSecurity, citing a source with direct knowledge of the attack, Handala gained access to Stryker's Microsoft Intune console, a cloud-based device management platform, and issued remote wipe commands against all connected devices. Windows laptops, corporate phones, and personal devices enrolled with a corporate profile were reset to factory settings. Login pages on Microsoft Entra displayed the Handala logo.

They seem to have obtained access to the Microsoft Intune management console. This is a solution for managing corporate devices.

— Rafe Pilling, director of threat intelligence at Sophos

Employees across five countries reported losing data overnight. Staff in the United States, Ireland, Australia, Costa Rica, and India were told to uninstall Intune Company Portal, Microsoft Teams, and VPN clients from personal phones. Some lost two-factor authentication access and could not log into any corporate account. Stryker's Cork, Ireland, headquarters, its largest hub outside the U.S. with 4,000 employees, shut down entirely.

The company said it found "no indication of ransomware or malware." Stryker called the incident "contained" but provided no timeline for full restoration.

If confirmed, this would be the first time Handala attacked a major American company. Disrupting critical medical infrastructure means not just data loss, but threats to patient safety.

— Sergey Shykevich, threat intelligence group manager at Check Point Research, told SecurityWeek

Handala surfaced in late 2023 after the October 7 Hamas attack on Israel. Palo Alto Networks Unit 42 links the group to Iran's Ministry of Intelligence and Security (MOIS). SecurityWeek, citing multiple analysts, identifies Handala as a front for Void Manticore, an Iranian state-sponsored actor. The group called Stryker a "Zionist-rooted corporation," possibly referencing the company's 2019 acquisition of Israeli firm OrthoSpace, according to KrebsOnSecurity. Handala said the attack was retaliation for a February 28 U.S. missile strike on an Iranian school in Minab that killed at least 175 people.

Iran has a long history of destructive wiper operations. The 2012 Shamoon attack erased data from more than 30,000 Saudi Aramco systems. The 2014 attack on the Sands Casino was attributed to Iran by U.S. intelligence. The Stryker incident, however, stands out because attackers turned the company's own device management infrastructure against it, avoiding traditional malware entirely.

Handala has been highly active since the U.S.-Israel military campaign against Iran began on February 28, 2026. Palo Alto researchers described recent operations as "opportunistic and quick and dirty" with a focus on supply-chain footholds through IT and service providers. The group claimed a simultaneous attack on payment terminal manufacturer Verifone, but Verifone denied any breach in a statement to The Register. Symantec and Carbon Black researchers reported that Seedworm (MuddyWater), another MOIS-linked group, had been planting backdoors in U.S. corporate networks since early February.

Stryker's products treat more than 150 million patients annually. Organizations using Microsoft Intune or similar MDM (mobile device management) platforms should review conditional access policies, restrict remote wipe permissions to break-glass accounts, and enable alerting on mass device management commands.
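
The two controls recommended above (wipe rights limited to break-glass accounts, alerting on mass device commands) can be checked against an audit feed as in this added example, which is not code from the article or from any vendor. The event schema, account names, window and threshold are assumptions made for illustration and do not reflect the real Intune audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical normalized audit schema (NOT the real Intune export format):
# each event is a dict with time (ISO 8601), actor, action, device.
BREAK_GLASS = {"bg-wipe@example.test"}  # assumed allowlist of wipe-capable accounts
WINDOW = timedelta(minutes=10)          # assumed sliding window
THRESHOLD = 5                           # assumed max distinct devices per window

def parse_time(event):
    return datetime.fromisoformat(event["time"])

def detect_wipe_alerts(events, break_glass=BREAK_GLASS, window=WINDOW, threshold=THRESHOLD):
    """Return a sorted list of (actor, reason) alerts raised by wipe events."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still inside the window
    alerts = set()
    for event in sorted(events, key=parse_time):
        if event["action"] != "wipe":
            continue
        ts, actor = parse_time(event), event["actor"]
        # Control 1: any wipe issued outside the break-glass allowlist is an alert.
        if actor not in break_glass:
            alerts.add((actor, "wipe-by-non-break-glass-account"))
        # Control 2: too many distinct devices wiped by one actor inside the window.
        queue = recent[actor]
        queue.append((ts, event["device"]))
        while ts - queue[0][0] > window:
            queue.popleft()
        if len({device for _, device in queue}) > threshold:
            alerts.add((actor, "mass-wipe"))
    return sorted(alerts)

def ev(minute, actor, action, device):
    """Build one constructed sample event (date and values are made up)."""
    return {"time": f"2026-01-01T02:{minute:02d}:00", "actor": actor,
            "action": action, "device": device}

# Constructed sample: one admin wipes 8 devices in 4 minutes, a helpdesk
# account wipes one device, and the break-glass account wipes two, far apart.
SAMPLE = (
    [ev(i // 2, "admin-a@example.test", "wipe", f"dev-{i}") for i in range(8)]
    + [ev(5, "helpdesk-b@example.test", "wipe", "dev-100"),
       ev(6, "helpdesk-b@example.test", "sync", "dev-101"),
       ev(1, "bg-wipe@example.test", "wipe", "dev-200"),
       ev(50, "bg-wipe@example.test", "wipe", "dev-201")]
)

if __name__ == "__main__":
    for actor, reason in detect_wipe_alerts(SAMPLE):
        print(f"ALERT {reason}: {actor}")
```

The mass-wipe rule applies to break-glass accounts as well, so a compromised break-glass credential still raises an alert.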


Questions on the topic

Was Stryker hacked by Iranian hackers?
Yes. On March 11, 2026, the Iran-linked group Handala claimed a wiper attack on medtech company Stryker, reportedly wiping 200,000+ devices by gaining access to the Microsoft Intune management console. Stryker confirmed the incident in an SEC filing.