Stryker Cyberattack 2026: How Handala Wiped 200,000 Devices via Microsoft Intune

What Happened During the Stryker Cyberattack?

On March 11, 2026, at approximately 3:30 AM EDT, Stryker Corporation experienced a catastrophic cyberattack that wiped over 200,000 devices across 79 countries [1]. The attacker, Handala (also known as Handala Hack Team), gained access to Stryker's Microsoft Intune mobile device management console and executed a coordinated remote wipe operation that paralyzed the medical device manufacturer's global operations [2].​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​‌‌‌​​‌​‍​‌‌‌‌​​‌‍​‌‌​‌​‌‌‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​​‍​‌‌​​​​‌‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​‌​​‌‍​‌‌‌​​​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌‌​‌​​‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

Stryke

r Corporation, a $25 billion revenue medical technology company employing 56,000 people worldwide, saw its entire digital infrastructure collapse within hours [3]. The attack disrupted order processing, manufacturing operations, and shipping logistics across every market the company serves [1]. In Ireland alone, approximately 5,000 employees were sent home as corporate systems became inaccessible [2].

Before executing the wipe, Handala defaced Stryker's Microsoft Entra login page with their signature logo—a barefoot Palestinian child holding a slingshot, based on cartoonist Naji al-Ali's iconic character [4]. This psychological warfare tactic is consistent with Void Manticore's operational playbook, the Iran Ministry of Intelligence and Security (MOIS)-linked parent group behind Handala [5].​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​‌‌‌​​‌​‍​‌‌‌‌​​‌‍​‌‌​‌​‌‌‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​​‍​‌‌​​​​‌‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​‌​​‌‍​‌‌‌​​​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌‌​‌​​‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

How Did Handala Compromise Microsoft Intune?

The attack vector exploited Stryker's reliance on Microsoft Intune for enterprise device management [2]. According to cybersecurity researchers at Palo Alto Networks Unit 42, Void Manticore groups typically gain initial access through unpatched web servers, vulnerable VPN gateways, or compromised remote access solutions [6]. Once inside the network, attackers use PowerShell scripts, scheduled tasks, and living-off-the-land techniques to achieve lateral movement and establish persistence [6].

In Stryker's case, the attackers likely maintained quiet access for weeks or months before executing the destructive payload [5]. This pattern matches Void Manticore's standard operational timeline: establish foothold, conduct reconnaissance, exfiltrate data, then deploy wiper malware at maximum impact timing [6]. Handala claimed to have exfiltrated 50 terabytes of data, though this remains unverified as of March 13, 2026 [2].

The Microsoft Intune compromise represents a particularly dangerous attack surface. Intune consoles have administrative control over every enrolled device, allowing remote wipe, policy enforcement, and application deployment [7]. When attackers compromise these management platforms, they inherit god-mode access to an organization's entire device fleet—corporate laptops, phones, tablets, and in Stryker's case, personal devices enrolled through BYOD policies [1].

Why Did Handala Target Stryker Corporation?

Handala explicitly stated their motivation: retaliation for a February 28, 2026 U.S. Tomahawk missile strike on a school in Minab, Iran, that killed over 175 people, primarily children [2]. The group positioned the Stryker attack as punishment for perceived American aggression against Iranian civilians [4].

Stryker became a target due to two specific business relationships that connected the company to U.S. military and Israeli interests [3]. First, Stryker holds a $450 million military medical equipment contract with the U.S. Department of Defense signed in 2025 [2]. Second, Stryker acquired OrthoSpace, an Israeli orthopedic device company, in 2019, creating a business connection to Israel that Iran-linked threat actors frequently cite as justification for targeting [8].

According to Check Point Research, Handala and its parent organization Void Manticore have consistently targeted entities with perceived connections to Israel or U.S. military operations since the group's emergence in December 2023 [4]. Previous Handala operations include compromising Israeli military servers, breaching Jerusalem municipal security camera feeds, doxxing Israeli military officers, and disrupting fuel distribution systems in Jordan [5].

What Is the Healthcare Impact of This Attack?

The Stryker attack created immediate disruptions to hospital supply chains across the United States and globally [1]. Stryker manufactures surgical equipment, orthopedic implants, Mako surgical robots, Vocera communication systems, and LIFEPAK defibrillators—products used in nearly every hospital that performs surgical procedures in the United States [2].

Healthcare providers reported inability to order replacement surgical supplies through normal procurement channels during the outage [1]. The American Hospital Association issued a monitoring statement acknowledging the disruption: "That may change as the duration of the attack extends," indicating concern about prolonged supply chain impact [9].

In Maryland, emergency medical services faced a critical operational challenge when hospitals suspended LifeNet EKG transmission connections [2]. LifeNet enables paramedics to transmit electrocardiogram readings from ambulances directly to hospital emergency departments, allowing cardiologists to diagnose heart attacks in transit and prepare intervention teams before patient arrival [10]. With LifeNet connections severed, Maryland EMS agencies issued emergency protocol changes requiring manual EKG interpretation by paramedics and delayed cardiac care coordination [2].

Stryker filed an SEC 8-K disclosure documenting the incident as required for publicly traded companies experiencing material cybersecurity events [3]. As of March 13, 2026, the company had not provided a timeline for full restoration of systems or quantified the financial impact of the attack [1].

Who Is Handala and What Are Their Capabilities?

Handala first appeared in December 2023 and operates as a sub-group within Void Manticore, an Iran Ministry of Intelligence and Security (MOIS)-linked cyber operation focused on psychological warfare and reputational damage [4]. Cybersecurity researchers at Cyble Research and Intelligence Labs identified infrastructure and tooling overlaps between Handala and MuddyWater, another established MOIS-affiliated threat group [5].

The group operates custom wiper malware variants named "Hatef" and "Hamsa" capable of destroying data on both Windows and Linux systems [4]. According to Sophos researcher Rafe Pilling, Handala's phishing campaigns combine Rhadamanthys infostealer malware with their custom wipers, allowing simultaneous data exfiltration and system destruction [11].

Handala demonstrates sophisticated operational security by routing reconnaissance traffic through Starlink IP addresses, frustrating network defenders attempting to implement geographic IP blocks against Iranian infrastructure [5]. This technique leverages the distributed, satellite-based nature of Starlink to obscure true attack origin and complicate attribution efforts [12].

The group's naming references Handala, a barefoot Palestinian refugee child character created by political cartoonist Naji al-Ali in the 1960s [4]. The character symbolizes Palestinian resistance and appears in all Handala group defacements, representing the group's framing of cyberattacks as political resistance against Western and Israeli interests [8].

What Does This Mean for Enterprise Device Management Security?

The Stryker incident exposes systemic vulnerabilities in enterprise mobile device management architecture [7]. Organizations implementing BYOD (Bring Your Own Device) policies through platforms like Microsoft Intune create a concentrated attack surface where single administrative account compromise grants access to thousands of endpoints [2].

Stryker employees who enrolled personal devices in Company Portal to access corporate email experienced complete device wipes that destroyed personal photos, contacts, and even eSIM cellular configurations [1]. This collateral damage highlights the privacy and security tradeoffs inherent in MDM enrollment that many users do not fully understand when accepting BYOD policies [13].

According to Microsoft's own security guidance, Intune administrative accounts require multi-factor authentication, Conditional Access policies, and Privileged Identity Management with just-in-time elevation [7]. Organizations should implement administrative tier separation where Intune admins cannot access production workloads and vice versa, preventing lateral movement from compromised endpoints to management consoles [14].

The attack demonstrates the importance of backup device management infrastructure and disaster recovery planning for MDM platforms [7]. Organizations relying solely on cloud-based device management without offline recovery procedures face total operational paralysis when attackers compromise those systems [2].

How Can Organizations Protect Against Wiper Attacks?

Defense against wiper attacks requires layered security controls focused on preventing initial access, detecting lateral movement, and maintaining offline recovery capabilities [6]. The CISA Cross-Sector Cybersecurity Performance Goals recommend implementing phishing-resistant multi-factor authentication, network segmentation, and comprehensive audit logging as foundational controls [15].

Organizations should implement privileged access workstations (PAWs) for administrative accounts managing critical infrastructure like MDM platforms [14]. PAWs are hardened, internet-isolated systems used exclusively for administrative tasks, preventing credential theft from phishing or malware on standard corporate endpoints [16].

Network segmentation limits attacker lateral movement by restricting communication between network zones [6]. Administrative networks hosting management consoles should have strict firewall rules allowing only necessary connections from jump servers or PAWs, not general corporate networks where initial compromise typically occurs [14].

Offline, immutable backups stored outside the production network provide recovery capability after destructive attacks [15]. Organizations should test restore procedures quarterly and maintain offline copies of critical configuration data, including device enrollment records and management platform settings [16].

Security teams should monitor for anomalous administrative activity in MDM platforms, including bulk device wipes, policy changes affecting large device populations, or administrative logins from unusual locations or times [7]. SIEM correlation rules detecting these patterns enable rapid response before attackers execute destructive payloads [16].

FAQ

References

[1] B. Krebs, "Medical Device Giant Stryker Hit by Destructive Cyberattack," Krebs on Security, Mar. 12, 2026. [Online]. Available: https://krebsonsecurity.com

[2] NBC News, "Stryker Corporation Cyberattack Disrupts Hospital Supply Chains Across 79 Countries," NBC News, Mar. 13, 2026. [Online]. Available: https://nbcnews.com

[3] Stryker Corporation, "Form 8-K Current Report: Cybersecurity Incident Disclosure," U.S. Securities and Exchange Commission, Mar. 11, 2026. [Online]. Available: https://sec.gov

[4] Check Point Research, "Handala Hack Team: Iran-Linked Threat Actor Profile," Check Point Research Blog, 2026. [Online]. Available: https://research.checkpoint.com

[5] Cyble Research and Intelligence Labs, "Void Manticore: Profiling Iran's Destructive Cyber Operations," Cyble, 2026. [Online]. Available: https://cyble.com

[6] Palo Alto Networks Unit 42, "Void Manticore Tactics, Techniques, and Procedures," Unit 42 Threat Intelligence, 2026. [Online]. Available: https://unit42.paloaltonetworks.com

[7] Microsoft, "Security Baseline for Microsoft Intune," Microsoft Learn, 2026. [Online]. Available: https://learn.microsoft.com/en-us/mem/intune/protect/security-baselines

[8] The Guardian, "Iran-Linked Hackers Claim Responsibility for Stryker Attack," The Guardian, Mar. 12, 2026. [Online]. Available: https://theguardian.com

[9] American Hospital Association, "Stryker Cyberattack: Supply Chain Impact Monitoring," AHA Advisory, Mar. 12, 2026. [Online]. Available: https://aha.org

[10] The Cyber Express, "Handala Cyberattack Forces Maryland EMS to Suspend EKG Transmission," The Cyber Express, Mar. 13, 2026. [Online]. Available: https://thecyberexpress.com

[11] R. Pilling, "Rhadamanthys and Custom Wipers: Handala's Phishing Arsenal," Sophos News, 2026. [Online]. Available: https://news.sophos.com

[12] TechCrunch, "Stryker Hack Highlights Vulnerabilities in Enterprise Device Management," TechCrunch, Mar. 11, 2026. [Online]. Available: https://techcrunch.com

[13] NIST, "Mobile Device Security: Cloud and Hybrid Builds," NIST Special Publication 1800-4, 2024. [Online]. Available: https://nist.gov/sp1800-4

[14] Microsoft, "Privileged Access Workstations Security Overview," Microsoft Security, 2025. [Online]. Available: https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview

[15] CISA, "Cross-Sector Cybersecurity Performance Goals," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://cisa.gov/cpg

[16] Australian Cyber Security Centre, "Strategies to Mitigate Cyber Security Incidents," Essential Eight Maturity Model, 2025. [Online]. Available: https://cyber.gov.au/essential-eight

---

Worried about your organization's device management security? lil.business specializes in enterprise security architecture reviews, including MDM hardening, privileged access controls, and incident response planning. Get a free security consultation to understand your exposure and build resilience against destructive attacks.