Iran-Backed Handala Group Wiped 80,000 Stryker Devices in Retaliatory Cyberattack — Surgical Delays Worldwide
Summary
Medical technology giant Stryker has confirmed that a March 11, 2026 cyberattack attributed to the Iran-sponsored threat group Handala caused a global operational meltdown. The attackers exploited Stryker’s Microsoft Intune environment to deploy a wiper across the company’s device fleet, reportedly hitting nearly 80,000 Windows devices and temporarily taking down electronic ordering systems across 79 offices worldwide.
Handala claimed to have exfiltrated 50 terabytes of data and framed the attack as retaliation for a missile strike on an Iranian school. The fallout was immediate and visceral: the UK’s NHS had to activate interim ordering systems, and multiple health systems delayed surgical procedures because Stryker couldn’t deliver patient-specific medical products on schedule.
Stryker engaged Palo Alto Networks for incident response and coordinated with the FBI and CISA. By early April, the company reported full operational recovery across its manufacturing, ordering, and shipping systems — though the incident will materially impact Q1 2026 earnings.
Source
Cybersecurity Dive · Krebs on Security · HIPAA Journal
Commentary
This attack is a case study in how device management infrastructure — specifically Microsoft Intune — can become a devastating force multiplier when compromised. A single entry point turned into a global wiper event across tens of thousands of devices. It’s the MDM equivalent of a supply chain attack, and it should terrify every IT team that relies on centralized endpoint management without layered controls.
The geopolitical dimension makes this even more significant. Handala operating as a hacktivist front for Iran’s intelligence apparatus means this kind of retaliatory targeting of civilian healthcare infrastructure isn’t going away. Medical technology companies just became high-value geopolitical targets — and their security posture needs to reflect that reality.


