SecureWorld News

Iran-Linked Hacktivist Group Hits Stryker in Destructive Wiper Attack

Written by Drew Todd | Thu | Mar 12, 2026 | 8:46 PM Z

On the morning of March 11, 2026, employees at Stryker Corporation—one of the world's largest medical technology manufacturers—arrived at their desks to find their devices dark. Login screens across the company's global footprint had been replaced by a single image: the logo of Handala, an Iran-linked hacktivist group with documented ties to Tehran's intelligence apparatus. What followed was a cascading, multi-continent shutdown that cybersecurity researchers are calling one of the most operationally disruptive attacks ever leveled at a U.S. corporation.

The attack exposed a critical blind spot in enterprise device management: a legitimate, widely-trusted MDM platform used as a weapon of mass destruction against the very organization that deployed it.

Attack vector: Microsoft Intune turned against Stryker

This was not a conventional wiper attack. According to a source with direct knowledge of the incident who spoke to KrebsOnSecurity on condition of anonymity, Handala does not appear to have deployed custom malware in the traditional sense. Instead, the attackers gained access to Stryker's Microsoft Intune management console and issued legitimate remote-wipe commands—the same functionality that IT administrators use when a corporate device is lost or stolen.

The technique is notable precisely because it required no novel exploit. Intune is a cloud-based endpoint management platform built for enterprise IT to enforce security and compliance policies across devices regardless of location. By obtaining administrative access to that console, Handala was able to push factory resets at scale—turning a tool designed for security into a mechanism for destruction.

The Intune vector is corroborated by multiple employee accounts. A BleepingComputer source described the incident beginning early Wednesday morning as devices enrolled in the company's MDM system were remotely wiped. Staff were instructed to immediately remove corporate management profiles from their devices—including the Intune Company Portal, Microsoft Teams, and VPN clients. Critically, employees who had enrolled personal phones for work access also lost their personal data when their devices were reset.

A Reddit thread in the r/cybersecurity community, cited by KrebsOnSecurity, included several users identifying themselves as Stryker employees who reported being told to uninstall Intune urgently as the attack unfolded.

Stryker's own public statement framed the attack in terms consistent with the Intune hypothesis, describing it specifically as a disruption to its "Microsoft environment"—unusual phrasing that security practitioners noted aligns more with a cloud management platform compromise than a conventional network intrusion.

Scale and operational impact

Handala's claims, which remain partially unverified, describe an attack of unprecedented scale against a single corporate target. In a manifesto posted to Telegram, the group stated: "In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted. Stryker's offices in 79 countries have been forced to shut down."

While independent verification of those numbers is not yet possible, the operational impact is not in dispute. News reports from Ireland—home to Stryker's largest hub outside the United States—confirmed that more than 5,000 workers were sent home from the Cork facility. The Irish Examiner reported that staff reverted to communicating via WhatsApp after corporate systems went dark, and that anything connected to Stryker's network was unreachable. Ireland's National Cyber Security Centre confirmed it had been notified and was assisting with the response.

Reports emerged from employees in the United States, Ireland, Costa Rica, and Australia describing the same pattern: managed Windows devices and mobile phones wiped to factory settings, with login screens replaced by the Handala logo. Some locations reverted to pen-and-paper workflows as internal applications became unavailable. A voicemail message at Stryker's Michigan headquarters stated the company was experiencing a "building emergency."

Beyond internal operations, the attack disrupted at least one patient-facing system. CNN reported that Stryker's Lifenet electrocardiogram transmission platform—used by emergency medical services to relay patient data to receiving hospitals—was knocked offline. Maryland's Institute for Emergency Medical Services Systems notified hospitals statewide that Lifenet was "non-functional in most parts of the state," instructing EMS clinicians to fall back to radio consultation.

Stryker disclosed the incident to the U.S. SEC via an 8-K filing, confirming that the cyberattack impacted its "entire Microsoft environment" and that it had activated its cybersecurity response plan with the support of external advisors. The company's stock fell approximately 3.6% on the day, closing at $345.78 before recovering slightly in after-hours trading.

Who is Handala?

Handala, also known as Handala Hack Team or Hatef, first surfaced in December 2023, emerging in the wake of the Gaza conflict as a hacktivist persona targeting Israeli organizations with destructive malware. Multiple cybersecurity firms have since linked the group to Iran's Ministry of Intelligence and Security (MOIS).

Palo Alto Networks Unit 42, which recently published a detailed profile of Iranian cyber actors, assesses Handala as one of several online personas maintained by Void Manticore, a MOIS-affiliated threat actor. The group's toolkit, as documented by IBM X-Force and Flashpoint, spans phishing, custom wiper malware, ransomware-style extortion, data theft, hack-and-leak operations, and psychological warfare.

Prior to the Stryker attack, Handala's activity was primarily concentrated on Israeli targets. The group has claimed attacks on Israeli military weather servers, fuel systems in Jordan, the login infrastructure of various Israeli companies, and an Israeli oil and gas exploration firm.

Palo Alto researchers characterized recent Handala operations as: "Opportunistic and 'quick and dirty,' with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by 'proof' posts to amplify credibility and intimidate targets."

The Stryker attack represents a significant geographic and target-type expansion. Alexander Leslie, a senior adviser at Recorded Future, told the Associated Press that the attack "is exactly the kind of pressure point that creates outsized strategic and political ripple effects."

Geopolitical trigger

Handala framed the attack as direct retaliation for a February 28, 2026, U.S. missile strike on the Shajareh Tayyebeh girls' elementary school in Minab, in southern Iran, which Iranian state media reported killed 175 people, the majority of them children. The New York Times reported on March 11 that a U.S. military investigation had determined the United States was responsible for the Tomahawk missile strike.

The group's Telegram manifesto also cited "ongoing cyber assaults against the infrastructure of the Axis of Resistance" as a secondary justification. Handala additionally referred to Stryker as a "Zionist-rooted corporation," a characterization that may reference Stryker's 2019 acquisition of the Israeli medical device company OrthoSpace.

U.S. intelligence officials had previously warned that Iranian-linked hackers were likely to retaliate for U.S. and Israeli military operations against Iran. The Stryker attack appears to mark the first significant destructive cyber operation attributed to Iran-aligned actors against a U.S. corporate target since hostilities began.


Government response

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) confirmed it had launched an investigation and was providing technical assistance to Stryker. DHS acting director Nick Andersen said the agency was "working shoulder-to-shoulder with our public- and private-sector partners" to assess the impact and defend critical infrastructure.

The U.S. Department of Health and Human Services was also working to assess potential downstream impacts on patient care, according to CNN. A briefing call was convened by the Healthcare and Public Health Sector Coordinating Council, an industry group that works with the government on sector-wide security coordination.

Handala also claimed a simultaneous attack on payments company Verifone, which denied any disruption to its services.

What this means for security teams

The Stryker attack is a significant indicator event for enterprise security practitioners for several reasons.

MDM platforms as attack surface: The Intune vector, if confirmed, illustrates how attackers can achieve mass destruction by compromising the administrative layer of endpoint management—without needing to deploy malware to individual machines. Organizations should audit privileged access to MDM consoles with the same rigor applied to domain controllers and identity providers.

Wiper attacks without malware: Traditional wiper detection strategies focus on anomalous disk writes or known malware signatures. An attack that weaponizes native MDM wipe functionality may evade these controls entirely, appearing as a legitimate administrative action until it is too late.
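One way to close the gap described in the two points above is to alert on the MDM console's own audit trail rather than on endpoint behaviour. The following is an added example, not code from the article or from Microsoft: a sliding-window detector that flags any administrator account issuing more wipe actions than a threshold within a short window. The event shape loosely follows the fields of the Microsoft Graph `auditEvent` resource (`activityType`, `activityDateTime`, `actor.userPrincipalName`), but the field mapping, the wipe keywords and the sample events are all assumptions constructed for this example.

```python
"""Flag mass remote-wipe activity in MDM audit events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: wipe-style actions are recognised by a substring of the activityType.
WIPE_KEYWORDS = ("wipe", "retire", "factoryreset")


def is_wipe(event):
    """True if the audit event records a device wipe/retire action."""
    name = event["activityType"].lower().replace(" ", "")
    return any(k in name for k in WIPE_KEYWORDS)


def find_mass_wipes(events, threshold=5, window_minutes=10):
    """Return {actor: (window_start_iso, peak_count)} for every actor whose
    wipe count within any window_minutes-long window exceeds threshold.
    A single lost-laptop wipe stays below the bar; a burst does not."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # actor -> timestamps of wipes in the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if not is_wipe(ev):
            continue
        actor = ev["actor"]["userPrincipalName"]
        t = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        q = recent[actor]
        q.append(t)
        while q and t - q[0] > window:   # drop wipes that fell out of the window
            q.popleft()
        if len(q) > threshold:
            start, peak = alerts.get(actor, (q[0].isoformat(), 0))
            alerts[actor] = (start, max(peak, len(q)))
    return alerts


def _ev(minute, actor, activity_type):
    """Build a constructed audit event at 06:<minute> on a fixed day."""
    return {"activityType": activity_type,
            "activityDateTime": f"2026-03-11T06:{minute:02d}:00Z",
            "actor": {"userPrincipalName": actor}}


# Constructed sample: routine helpdesk work (one wipe, several config edits)
# followed by an account issuing eight wipes in four minutes.
SAMPLE_EVENTS = (
    [_ev(5, "helpdesk@example.com", "wipe ManagedDevice")]
    + [_ev(m, "helpdesk@example.com", "patch DeviceConfiguration") for m in range(6, 12)]
    + [_ev(20 + m // 2, "admin-compromised@example.com", "wipe ManagedDevice") for m in range(8)]
)

if __name__ == "__main__":
    print(find_mass_wipes(SAMPLE_EVENTS))
```

In practice the events would be pulled from the audit log API on a short polling interval, and the threshold tuned to the organisation's normal lost-or-stolen device rate.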

Personal device risk: Employees who enrolled personal devices in corporate MDM programs lost personal data in this incident. This has implications for BYOD policies and the scope of enterprise MDM consent disclosures.

Geopolitical threat escalation: Retired Brig. Gen. Michael McDaniel, former deputy assistant secretary for homeland defense, warned that the Stryker attack may be a precursor to broader campaigns, identifying healthcare, banking, agriculture, and energy as likely future targets. Security teams in these sectors should treat this as an escalation signal, not an isolated event.

Scope and verification lag: Handala's claimed figures—200,000 devices, 50TB of exfiltrated data, 79 countries—may be inflated for psychological effect, a documented tactic for the group. Defenders should note that even partial execution of such a claim represents a catastrophic outcome for any organization.