Iran-Linked Hackers Wipe Thousands of Devices in Massive Stryker Cyberattack

Medical technology giant Stryker suffered a devastating cyberattack in March 2026, attributed to Handala—an Iran-linked hacktivist group now officially connected to Iran’s Ministry of Intelligence and Security (MOIS) by the US government. The attack caused widespread disruption to Stryker’s manufacturing, order processing, and shipping operations globally.

Handala exploited Microsoft Intune’s remote wipe functionality to erase data from thousands of corporate devices connected to Stryker’s Microsoft environment. The group claims to have extracted approximately 50 terabytes of critical data. While Stryker initially reported no evidence of ransomware, subsequent investigation by Palo Alto Networks’ Unit 42 revealed the use of a malicious file to execute commands and conceal activity within the network.

The operational fallout was severe: some hospitals temporarily disconnected from Stryker’s services, and surgical procedures were postponed due to shipping delays. CISA issued an alert urging organizations to review their endpoint security, and a class-action lawsuit has already been filed alleging Stryker failed to protect employee PII including Social Security numbers and private health information.

Source

Krebs on Security | SecurityWeek | Industrial Cyber

Why This Matters

This attack highlights a terrifying trend: the weaponization of legitimate MDM (Mobile Device Management) tools. Intune’s remote wipe is a standard enterprise feature designed for lost or stolen devices—turned against its owners as a mass destruction tool. It’s a reminder that any management plane with broad device access is also a broad attack surface.
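A defender-side illustration of that point, added here as an example and not taken from the cited reports: flag any account that wipes many distinct devices within a short window. The record layout, account names, threshold and window are assumptions; map them onto whatever your MDM audit log actually exports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records in a hypothetical schema (not Intune's export format):
# (ISO timestamp, initiating account, action, target device id)
SAMPLE_EVENTS = [
    ("2026-03-01T09:00:00", "helpdesk1@example.com", "wipe", "dev-001"),
    ("2026-03-01T13:30:00", "helpdesk1@example.com", "wipe", "dev-002"),
    ("2026-03-01T14:00:00", "helpdesk1@example.com", "sync", "dev-003"),
] + [
    # A retried wipe of one device: must not count as a burst.
    (f"2026-03-01T15:00:{s:02d}", "helpdesk2@example.com", "wipe", "dev-010")
    for s in range(0, 50, 10)
] + [
    # One account wiping six different devices within a minute.
    (f"2026-03-02T02:00:{s:02d}", "admin9@example.com", "wipe", f"dev-1{s:02d}")
    for s in range(0, 60, 10)
]


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: (alert_time, distinct_devices)} for each account whose
    wipes hit `threshold` distinct devices inside a sliding `window`."""
    recent = defaultdict(deque)  # actor -> deque of (time, device) in window
    alerts = {}
    for ts, actor, action, device in sorted(events):
        if action != "wipe":
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[actor]
        queue.append((now, device))
        # Drop wipes that have aged out of the window.
        while now - queue[0][0] > window:
            queue.popleft()
        distinct = {dev for _, dev in queue}
        # Record only the first moment the threshold is crossed.
        if len(distinct) >= threshold and actor not in alerts:
            alerts[actor] = (now, len(distinct))
    return alerts


if __name__ == "__main__":
    for actor, (when, count) in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {count} distinct devices wiped by {when.isoformat()}")
```

Routine help-desk wipes spaced hours apart and repeated wipes of a single device stay below the threshold; only the account fanning out across devices is reported.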

The healthcare supply chain implications are particularly concerning. When a medical device manufacturer goes offline, hospitals don’t just lose a vendor—they lose surgical capability. The fact that state-sponsored actors are now targeting medtech companies with wiper attacks, rather than just stealing data, suggests an escalation in the willingness to cause physical-world disruption through cyber means.
