On March 11, 2026, Stryker employees on three continents switched on their computers and found them blank.
The attack struck shortly after 3:30 AM Eastern. By the time European employees started their workdays, the company had already sent thousands of staff home in Ireland, activated crisis communications over WhatsApp because corporate systems were down, and issued an internal message describing the situation as a “severe, global disruption.”
Stryker, a Fortune 500 medical device manufacturer with $25 billion in 2025 revenue, 56,000 employees, and products embedded in hospital supply chains across 61 countries, was at a complete stop.
The group that did it, Handala, claimed to have wiped more than 200,000 servers, mobile devices, and systems across 79 countries and exfiltrated 50 terabytes of data. Those numbers are almost certainly inflated because the group has a documented pattern of exaggerating breach claims for psychological effect.

But the disruption was confirmed. Employees across the US, Ireland, Australia, and India reported watching their corporate laptops and personal phones wipe in real time. Stryker’s Lifenet ECG transmission system became nonfunctional across most of Maryland, forcing emergency services to fall back on radio consultations with receiving hospitals. The company filed an 8-K with the SEC. CISA launched an investigation. The FBI declined to comment.
The moment a breach like the Stryker hack surfaces, it’s often only the beginning. Historically, incidents tied to Iranian-linked threat actors tend to come in waves. Treat this as a warning sign.
Key Evidence
Devices Affected: Exceeding 200,000 (claimed) devices across 79 nations
Employees Idled: Approximately 56,000 personnel are temporarily displaced
Data Exfiltration Claimed: 50 TB (unverified; IBM X-Force/Sophos suggests the figure is inflated by Handala)
Technical Chain
- Credential phishing/stuffing: Global Admin compromise in Entra ID
- Intune console access: Mass remote wipe (base64 payload via legitimate MDM channel)
- Full factory reset on all enrolled devices (Windows/iOS/Android/servers)
- EDR/AV blind: the commands came from trusted Intune infrastructure, not from malware on the endpoint
BYOD Devastation
Personal devices enrolled in Intune were fully factory reset, destroying personal photos, eSIMs (which caused loss of phone service), and banking 2FA apps. Employees are told to immediately uninstall Company Portal, Teams, and VPN from any remaining personal devices.
Healthcare Impact
- Medical devices in clinical use: NOT affected (separate networks)
- Michigan and San Diego hospitals preemptively disconnected Stryker equipment
- AHA warned all hospitals to evaluate Stryker dependencies
- LIFENET (EMS/ECG): initially reported down in Maryland, Stryker later said it’s fine
Government Response
- CISA: investigating, but operating at 38% staffing due to a funding lapse; no advisory has been issued
- FBI: No advisory or instructions
- No government advisory on Intune/MDM abuse as of March 15
Attribution and Nature of the Attack
An Iran-linked hacktivist group called Handala (also referred to as Hatef or Hamsa) has publicly claimed responsibility, describing it as retaliation amid geopolitical tensions (linked to U.S.-Iran/Israel conflicts).
Reports characterize it as a destructive “wiper” attack rather than traditional ransomware: attackers allegedly gained access to administrative tools (e.g., Microsoft Intune/Active Directory) to issue remote wipes and resets, stealing data (a claimed 50TB) while erasing systems.
This aligns with broader patterns of geopolitical cyber operations, with no extortion demands noted.

[Image: Operational interconnections of Void Manticore. Source: CheckPoint Unit 42]
Official Statements and Reports
Stryker first announced the incident via customer updates on its website, describing it as a “cybersecurity attack” that caused widespread disruption to its internal Microsoft systems (e.g., laptops, mobile devices, and business applications).
The company states there is no indication of ransomware or malware and believes the incident is contained within their internal environment (no spillover to customer systems or patient data has been reported).
Stryker confirmed that the attack has caused, and is expected to continue causing, disruptions to operations, including manufacturing, processing, shipping, and order fulfillment. They have no estimated timeline for full recovery.

Customer Updates: Stryker Network Disruption
The Execution Mechanism is the Story
As far as we know, Handala did not deploy a custom wiper to Stryker’s endpoints. They accessed Stryker’s Microsoft Intune console and issued an enterprise-wide remote wipe command.
Native Intune features were used to push OS reset commands to systems and mobile devices rather than deploying wiper malware. Doing that requires access to administrator-level portals, which signals a high-level credential compromise: Intune admin credentials were obtained, used to authenticate to the console, and then used to execute a wipe policy at enterprise scale.
The BYOD problem compounds this significantly. Stryker employees had enrolled their personal devices in Intune to access corporate email and applications, and that enrollment is what put their personal phones in scope. One employee in Australia described colleagues losing their personal devices along with the 2FA app that was their only path back into corporate accounts. The wipe did not stop at the company boundary. It followed the MDM enrollment wherever it reached, across personal hardware that employees had no reason to believe was at risk.
The Handala logo that appeared on login pages before the wipe confirms the operation was staged in advance. You cannot land, navigate to Intune admin, configure a global wipe policy, and execute across 79 countries in a single session without prior dwell time.
Stryker disclosed a separate breach in December 2024 involving unauthorized access that led to the exfiltration of PII and medical records. Whether that earlier intrusion left persistent footholds that enabled the March 2026 Intune access is unconfirmed.
From the MSP Trenches
This is Guardz telemetry across many SMB tenants, capturing 184 device wipe and removal operations through Microsoft Intune, all of them legitimate: routine offboarding, lost devices, and hardware refreshes. The right chart breaks it down cleanly: 65.2% are Clear-MobileDevice full wipes (120 operations) and 34.8% are Remove-MobileDevice unenrollments (64 operations).
Tenant A dominates at 58 operations (31.5% of total volume), and four MSP tenants are visible in the left chart, confirming that delegated admin activity is a normal, ongoing part of MSP operations across this dataset.
Now apply the Stryker scenario. Handala’s entire attack was Clear-MobileDevice at scale – the same event type that makes up 65.2% of this chart. An attacker with delegated MSP admin access who executes 30 wipes across three client tenants at 3 AM does not produce a different audit log entry from the legitimate operations shown here. The event type is identical. The only differences are volume, concentration, and the fact that it occurs across multiple tenants in the same session.
That delegated access model is operationally necessary, and also the exact attack surface Handala targets. A single compromised MSP credential touching Tenants C, E, G, and I in sequence is a multi-client incident that starts with one phished technician account and one Intune console login.
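The remote-wipe activity described above leaves the same audit event type whether it is routine or hostile, so the signals left to a defender are the ones this section names: volume, tenant concentration, and time of day. The Python below, an added illustration and not Guardz's or Microsoft's own detection logic, scores constructed Intune device-action records on exactly those three signals; the record layout, actor names and tenant names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Intune device-action audit records (not real telemetry):
# time,actor,tenant,operation,device
SAMPLE_LOG = """\
2026-03-10T10:02:00,alice@msp.example,TenantA,Clear-MobileDevice,LT-0041
2026-03-10T10:05:00,alice@msp.example,TenantA,Remove-MobileDevice,PH-0112
2026-03-11T03:31:00,bob@msp.example,TenantC,Clear-MobileDevice,LT-3001
2026-03-11T03:31:20,bob@msp.example,TenantC,Clear-MobileDevice,PH-3002
2026-03-11T03:33:05,bob@msp.example,TenantE,Clear-MobileDevice,LT-5001
2026-03-11T03:34:40,bob@msp.example,TenantE,Clear-MobileDevice,LT-5002
2026-03-11T03:36:10,bob@msp.example,TenantG,Clear-MobileDevice,PH-7001
"""
WIPE_OPS = {"Clear-MobileDevice"}  # full wipe; Remove-MobileDevice only unenrolls

def parse_log(text):
    """Turn the CSV-style records into dicts with a datetime `time` field."""
    events = []
    for line in text.strip().splitlines():
        ts, actor, tenant, op, device = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "actor": actor,
                       "tenant": tenant, "op": op, "device": device})
    return events

def find_wipe_bursts(events, window=timedelta(minutes=30), max_wipes=3,
                     business_hours=(7, 19)):
    """Flag an actor whose full wipes inside one `window` exceed `max_wipes`,
    touch more than one tenant, or repeat outside business hours."""
    by_actor = defaultdict(list)
    for e in events:
        if e["op"] in WIPE_OPS:
            by_actor[e["actor"]].append(e)
    alerts = []
    for actor, wipes in by_actor.items():
        wipes.sort(key=lambda e: e["time"])
        for i, first in enumerate(wipes):
            burst = [e for e in wipes[i:] if e["time"] - first["time"] <= window]
            tenants = sorted({e["tenant"] for e in burst})
            reasons = []
            if len(burst) > max_wipes:
                reasons.append("volume")
            if len(tenants) > 1:
                reasons.append("multi_tenant")
            if len(burst) > 1 and not business_hours[0] <= first["time"].hour < business_hours[1]:
                reasons.append("off_hours")
            if reasons:  # report the first suspicious window per actor
                alerts.append({"actor": actor, "count": len(burst),
                               "tenants": tenants, "reasons": reasons})
                break
    return alerts
```

On the sample, the single daytime wipe by the first technician produces nothing, while the second account's five wipes across three tenants in six minutes at 3 AM trip all three signals; the thresholds are deliberately simple and should be tuned to each MSP's own baseline.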

Caution: Even the strongest protections can vanish in a moment. In Microsoft Intune, a Global Administrator can disable most security features.
The MSP Angle
For organizations that rely on Managed Service Providers (MSPs) to handle their endpoint management and identity systems, the MSP becomes a highly privileged target. The core risk of a Global Admin compromise in Entra ID and subsequent Intune console access is compounded when that credential is held by a third-party provider managing multiple client environments. The MSP’s role elevates the need for stringent access controls from a client best practice to a critical security standard.
MSPs must immediately incorporate the following key defensive controls into their default client offerings and internal operating procedures:
Implement Multi-Admin Approval (MAA) by default. MSPs must enable a second approver requirement for all destructive Intune commands, such as remote wipe, retire, and bulk policy deployments. This single control would block an unauthorized global attack even if a privileged MSP account is compromised.
Enforce Zero Standing Privileges (PIM). All Intune Administrator, Global Administrator, and Intune Service Administrator roles managed by the MSP must be assigned using Privileged Identity Management (PIM) with just-in-time activation. This ensures that standing access that persists after a session ends is eliminated.
Mandate Phishing-Resistant MFA. The MSP’s own administrators must use FIDO2 hardware keys or certificate-based authentication for all MDM and Entra admin roles, moving beyond reliance on easily bypassed push notifications or SMS.
Limit BYOD Exposure (MAM): MSPs should prioritize and advocate for Mobile Application Management (MAM-only) policies for client Bring Your Own Device (BYOD) scenarios, using App Protection Policies instead of full Mobile Device Management (MDM) enrollment, so that personal data is never in scope for a corporate wipe command.
Address Session Cookie Replay: “MFA enabled” is not sufficient if it relies only on push notifications. A stolen session cookie from an already-authenticated admin session can bypass push-based MFA entirely. To close this gap, Entra ID Conditional Access must be explicitly configured to use token binding via sign-in frequency controls and token protection policies.
Role-Based Access Control (RBAC): Remove the bulk Wipe permission from day-to-day IT administrator RBAC roles. This ensures that the ability to issue destructive commands is restricted to only the most privileged security accounts.