Stryker — Handala wiper attack via Microsoft Intune

Iran-linked Handala compromised a Microsoft Intune admin account at Stryker and remotely wiped roughly 200,000 employee devices across 79 countries.

Target: Stryker — Handala wiper attack via Microsoft Intune
Date public: 11 March 2026
Sector: Healthcare
Attack type: Nation State
Threat actor: Handala (Iran-linked, MOIS / Void Manticore)
Severity: High
Region: Global (US-headquartered)

Stryker is a global medical-device company. In March 2026 an Iran-linked hacking group called Handala obtained the password of a Stryker IT administrator who had top-level rights inside the company's Microsoft cloud — specifically the Intune system that manages every corporate laptop, phone and tablet. Instead of writing malware, the attackers used Intune for exactly what Intune is designed to do: push a wipe instruction to every enrolled device at once. Around 200,000 devices across 79 countries were factory-reset in a single operation, global manufacturing stopped for almost three weeks, and Stryker lost roughly $375 million in deferred or cancelled Q1 sales. No virus, no zero-day, no exploit — just one stolen administrator login and Microsoft's own management tooling turned against the company that owned it.

What happened

On 11 March 2026, Stryker — the US-headquartered medical-device manufacturer with around 51,000 employees and operations in more than 100 countries — disclosed a cyber incident that had begun in the early hours of the same day at its Cork, Ireland operations centre and spread within hours into the global corporate environment. The Iran-linked threat group Handala claimed responsibility. The attackers did not deploy ransomware, drop a custom wiper, or exploit any product vulnerability. They logged into Microsoft Intune with stolen credentials carrying elevated rights, and used Intune to issue a remote-wipe instruction to roughly 200,000 enrolled devices across 79 countries. Corporate laptops, phones and BYOD tablets used to access Stryker resources were factory-reset in a single coordinated operation.

Handala further claimed exfiltration of around 50 TB of data prior to the destructive action. That figure has not been independently verified and Stryker has not commented on the volume publicly. What is no longer in dispute is the operational impact. Manufacturing was offline for almost three weeks, order processing and shipping stopped, and the company reported approximately $375 million in deferred or lost Q1 sales when it filed its first-quarter 10-Q. Adjusted earnings per share came in at $2.60 against an analyst consensus of $2.98; revenue at $6.0 billion against an expected $6.34 billion. Adjusted operating margin contracted 180 basis points, driven almost entirely by lost manufacturing absorption rather than any structural cost issue. Stryker maintained its full-year 2026 guidance on the basis that the lost Q1 revenue is recoverable across the remaining quarters, and stated that none of its patient-connected medical devices — implants, surgical robotics or hospital-deployed hardware — were affected.

CISA issued an advisory on 18 March 2026 citing the Stryker incident directly and urging organisations to harden their endpoint-management configurations. That a critical-infrastructure agency would name a single private-sector victim in an advisory within a week of disclosure is itself notable; it reflects how directly transferable the techniques are to any other Intune-managed estate.

How it worked

The intrusion has now been analysed in detail by Sygnia, Palo Alto Networks’ Unit 42, Obsidian Security, Coalition and others. The chain compresses into three steps.

The first was credential acquisition. The most widely supported hypothesis — backed by Coalition’s incident review and consistent with Handala’s prior operating pattern — is that the credentials of a Stryker IT administrator were harvested by an infostealer running on a personal or unmanaged endpoint. Infostealers, which silently exfiltrate browser-saved passwords, session cookies and authentication tokens, have become an industrial-scale supply chain feeding initial-access brokers, and the marketplaces where their output is sold are by now well documented. Phishing remains a plausible alternative path. What matters for defenders is that the entry point was an identity, not a vulnerability.

The second was privilege use. The compromised account either was, or could escalate to, a Global Administrator or an Intune Service Administrator inside Stryker’s Microsoft Entra ID tenant. That role grants administrative authority over the entire device-management plane, including the ability to define and target compliance, configuration and retirement policies against any device or device group in the directory. No further compromise was required after the role was reached.

The third was payload execution. Handala used Intune’s native device-action capabilities — the same primitives an internal IT team uses to retire a stolen laptop or recover a leaver’s phone — to issue a remote-wipe action targeting the entire enrolled fleet. From the perspective of every endpoint in scope, the wipe was a legitimate, signed instruction from Stryker’s own Microsoft management plane. Endpoint detection and response products have no place to intervene in that path; the action is, by design, indistinguishable from authorised administrative use. This is why the incident bypassed conventional endpoint controls completely, and why no recovered device showed evidence of malware.
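Because the wipe is a legitimate management-plane action, the only place to catch it is the management plane's own audit trail. The following added example (not code from the report or from any of the firms cited) flags a burst of wipe actions issued by one actor within a short window, which is the signature of the third step above. The event field names loosely mirror the Microsoft Graph deviceManagement/auditEvents shape and the sample events are constructed; both are assumptions.

```python
# Added example: detect a mass remote-wipe issued through the Intune audit log.
# Field names are an assumption modelled on Graph auditEvents; events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, activity, actor, device):
    return {"activityDateTime": ts, "activityType": activity, "actor": actor, "resource": device}


# Constructed sample: one routine leaver wipe hours earlier, some non-wipe admin
# activity, a single help-desk wipe, then six wipes from one account inside a minute.
SAMPLE_EVENTS = [
    ev("2026-03-10T23:05:00Z", "wipe ManagedDevice", "admin1@example.test", "LAPTOP-0001"),
    ev("2026-03-11T02:10:00Z", "create DeviceConfiguration", "helpdesk@example.test", "Policy-1"),
    ev("2026-03-11T02:12:30Z", "wipe ManagedDevice", "helpdesk@example.test", "PHONE-0042"),
] + [
    ev(f"2026-03-11T02:14:{i * 8:02d}Z", "wipe ManagedDevice", "admin1@example.test", f"LAPTOP-{i + 100:04d}")
    for i in range(6)
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_wipe(events, window_minutes=10, threshold=5):
    """One alert per actor whose wipe actions reach `threshold` inside any sliding
    window of `window_minutes`; the alert records the densest window and its devices."""
    wipes = defaultdict(list)
    for e in events:
        if "wipe" in e["activityType"].lower():
            wipes[e["actor"]].append((parse_ts(e["activityDateTime"]), e["resource"]))
    alerts = []
    for actor, items in wipes.items():
        items.sort()
        start, best = 0, None
        for end in range(len(items)):
            # Slide the window start forward until the span fits within window_minutes.
            while items[end][0] - items[start][0] > timedelta(minutes=window_minutes):
                start += 1
            span = items[start:end + 1]
            if len(span) >= threshold and (best is None or len(span) > best["count"]):
                best = {"actor": actor, "count": len(span),
                        "devices": sorted({d for _, d in span}),
                        "first": span[0][0].isoformat(), "last": span[-1][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"{alert['actor']} wiped {alert['count']} devices between {alert['first']} and {alert['last']}")
```

The isolated wipe three hours earlier stays below the threshold, so a legitimate single device retirement does not fire; tune `threshold` to the tenant's normal daily wipe rate.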

On attribution, Handala has been operating since late 2023 as a hacktivist-styled public persona. The threat-intelligence consensus, including assessments from Microsoft, Mandiant and Palo Alto Networks, is that the persona is a public-facing front for Void Manticore, a cyber unit inside Iran’s Ministry of Intelligence and Security with prior involvement in destructive operations against Israeli and US targets. The Stryker operation is the largest and most operationally consequential action attributed to the group to date.

Timeline

  • Late 2023 — Handala persona emerges; assessed by Microsoft, Mandiant and others as a public front for Void Manticore (MOIS).
  • Late 2025 / early 2026 (estimated) — Intune administrator credentials acquired, most likely via infostealer malware on an unmanaged endpoint.
  • 11 March 2026, early hours — Stryker’s Cork, Ireland operations centre is first to report disruption; remote-wipe action propagates to roughly 200,000 enrolled devices in 79 countries within hours.
  • 11 March 2026, mid-day — Stryker publishes its first customer message acknowledging the incident.
  • 12 March 2026 — Handala claims responsibility publicly, including a claim of approximately 50 TB of exfiltrated data prior to the wipe.
  • 18 March 2026 — CISA issues endpoint-management hardening advisory citing the Stryker incident directly.
  • Late March 2026 — Manufacturing operations resume; total production outage approximately three weeks.
  • April 2026 — Sygnia, Unit 42, Obsidian and Coalition publish post-incident analyses; consensus forms around the identity-and-management-plane chain.
  • 29 April 2026 — Stryker files Q1 2026 10-Q disclosing approximately $375M in deferred or lost sales; maintains FY26 guidance.

What defenders should learn

The conventional kill chain is not a useful map for an attack of this shape. There was no malware payload to detect, no exploit chain to patch, no anomalous outbound traffic from any endpoint to investigate. The attacker compromised an identity, used it to log into a management plane, and ran a legitimate administrative action. Every traditional defensive layer downstream of identity was bypassed because each one assumed the management plane itself was trustworthy.

The Stryker case is the clearest argument yet that the identity and management planes deserve the same treatment defenders have spent a decade applying to the production network: minimum-blast-radius design, hard separation between privilege tiers, ruthless reduction in the number of accounts that can carry out cross-tenant destructive actions, and conditional-access policies that treat the act of signing into a Global Administrator role as the high-risk operation it is. Privileged access workstations, phishing-resistant authentication, just-in-time elevation and credential hygiene on the endpoints from which administrators work are now load-bearing controls rather than aspirational ones. The infostealer pipeline that almost certainly fed this intrusion is also a defensible surface: an administrator who never signs into corporate identity from an unmanaged device cannot have those credentials lifted by a browser-resident stealer.

The segmentation lens follows naturally and is deliberately kept brief here. The short version: a single Entra ID tenant with one all-powerful Global Administrator role is, architecturally, a flat network at the identity layer. The work of breaking that flatness — administrative tier isolation, role minimisation, removing the assumption that one identity can act everywhere — is now defender work, not designer preference.
