Stryker — Handala wiper attack via Microsoft Intune
Iran-linked Handala compromised a Microsoft Intune admin account at Stryker and remotely wiped roughly 200,000 employee devices across 79 countries.
- Target: Stryker — Handala wiper attack via Microsoft Intune
- Date public: 11 March 2026
- Sector: Healthcare
- Attack type: Nation State
- Threat actor: Handala (Iran-linked, MOIS)
- Severity: High
- Region: Global (US-headquartered)
On 11 March 2026, US medtech giant Stryker disclosed a cyber incident that disrupted its global internal networks and rendered employee devices inoperable across 79 countries. According to analysis from Kevin Beaumont and Sygnia, the Iran-linked threat actor Handala obtained credentials for a Microsoft Entra ID account with Intune administrative rights, then used Intune’s legitimate device-management capabilities to push a remote-wipe policy to roughly 200,000 endpoints — including BYOD devices.
No malware was deployed on the wiped systems. The destructive action was carried out using Microsoft’s own management tooling, which is why the attack bypassed conventional endpoint defences. Handala also claimed exfiltration of approximately 50 TB of data prior to the wipe.
CISA issued an advisory on 18 March urging organisations to harden endpoint management system configurations, citing the Stryker incident directly. Patient-connected medical devices were not affected; manufacturing, order processing and shipping were materially disrupted and Stryker has indicated a hit to Q1 earnings.
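Because the wipe was issued through legitimate management tooling rather than malware, the signal has to come from the management plane's own audit trail. The following is an added example, not code from the original page or from any vendor: it flags an actor who issues wipe actions against many distinct devices within a short window. The record layout, action names, accounts, threshold and window are constructed assumptions, not Intune's audit schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (simplified, hypothetical layout):
# (ISO timestamp, actor, action, device id)
SAMPLE_EVENTS = [
    ("2026-01-05T09:00:00", "helpdesk@example.com", "wipe", "dev-001"),
    ("2026-01-05T13:30:00", "helpdesk@example.com", "wipe", "dev-002"),
    ("2026-01-05T14:00:00", "helpdesk@example.com", "sync", "dev-003"),
] + [
    # One admin account wiping six devices, ten seconds apart.
    ("2026-01-06T02:00:%02d" % (i * 10), "intune-admin@example.com",
     "wipe", "dev-1%02d" % i)
    for i in range(6)
]


def detect_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: (first_alert_time_iso, distinct_devices)} for each actor
    that wipes >= threshold distinct devices within a sliding time window."""
    recent = defaultdict(deque)  # actor -> deque of (time, device) in window
    alerts = {}
    for ts, actor, action, device in sorted(events):
        if action != "wipe":
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[actor]
        queue.append((now, device))
        # Drop wipe events that have aged out of the window.
        while queue and now - queue[0][0] > window:
            queue.popleft()
        # Count distinct devices so retries on one device do not alert.
        distinct = {dev for _, dev in queue}
        if len(distinct) >= threshold and actor not in alerts:
            alerts[actor] = (now.isoformat(), len(distinct))
    return alerts


if __name__ == "__main__":
    for actor, (when, count) in detect_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {when}: {actor} wiped {count} distinct devices in window")
```

The routine helpdesk wipes, hours apart, stay below the threshold, while the burst from the single admin account alerts on its fifth device.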
A full deep-dive — covering the credential-theft chain, the Intune policy abuse pattern, and the wider Iranian state attribution — will be added once Mandiant and Microsoft Threat Intelligence post-incident reporting is published.