Handala hackers wiped 80,000 Stryker devices via Microsoft Intune—no malware used. The pro-Iran group's retaliation for the Minab school bombing disrupted 79 countries

Continue reading
In the early hours of March 11, 2026, employees of medical technology giant Stryker woke up to find their work laptops bricked, their mobile devices wiped clean, and the logos of a previously obscure hacker group staring back at them from company login pages. By the time the dust settled, approximately 80,000 devices had been remotely erased in a coordinated attack that used no malware, deployed no ransomware, and yet brought global operations to a standstill. This was not the work of sophisticated nation-state hackers exploiting zero-day vulnerabilities—it was the work of Handala, a pro-Iranian hacktivist group that just demonstrated the most terrifying evolution in cyber warfare to date.
The technical community initially braced for revelations of a sophisticated wiper virus or a previously unknown exploit chain. Instead, investigators from Microsoft’s Detection and Response Team (DART) and Palo Alto Unit 42 uncovered something far more alarming: the attackers simply used Stryker’s own tools against them.
After compromising an administrator account and creating a new Global Administrator account within Stryker’s Microsoft environment, the threat actor accessed Microsoft Intune—the company’s cloud-based endpoint management system. Between 5:00 and 8:00 a.m. UTC, they issued a single command: wipe. The Intune platform obediently began erasing approximately 80,000 managed devices, including corporate laptops and even some personal devices that employees had enrolled in the company network.
As it was confirmed in their detailed forensic breakdown, the attack’s genius lay in its simplicity.
By targeting the very tools IT departments use to secure and manage devices, Handala turned Stryker’s security infrastructure into a weapon.
The company’s own statement emphasized that “the threat actor did not deploy any malware on its systems”—a distinction that initially led some to underestimate the severity of what had just occurred.
This attack represents a paradigm shift in how we must think about privileged access management. Handala didn’t need to develop custom exploits or bypass sophisticated endpoint detection—they simply needed credentials that already had the keys to the kingdom.
The creation of a new Global Administrator account represents the single most critical failure point in this incident. Once the attackers achieved this level of access within Stryker’s Microsoft environment, they effectively became system administrators with all the powers—and none of the oversight—that such privileges entail.
The Intune platform, designed to help organizations securely manage thousands of devices remotely, became the perfect delivery mechanism for mass destruction.
For security professionals, the implications are staggering.
Every organization using cloud-based management tools must now ask themselves: if an attacker gained Global Admin privileges tomorrow, how quickly could they destroy our entire device fleet? The answer, as Stryker learned, is “in about three hours.”
While the technical method was innovative, the motivation behind the attack was rooted in familiar geopolitical tensions. In their claim of responsibility posted on X, Handala stated they attacked Stryker “in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure” of Iran and its allies.
The reference to Minab—a girls’ school in Tehran reportedly bombed by U.S. forces in recent attacks on Iran, killing over 175 people, mostly children—provides the emotional and political context for this retaliation. Stryker, despite being a medical technology company with no direct role in military operations, had become a target by association. The company maintains operations in Israel and secured a $450 million contract from the Department of Defense last year to supply medical devices to the U.S. military.
This targeting logic represents a dangerous escalation in hacktivist operations. Handala isn’t interested in symbolic website defacements or data leaks designed for embarrassment. They are pursuing destructive operations against Western economic targets connected—however indirectly—to U.S. military actions in the Middle East.
One of the most fascinating aspects of this incident involves the information war that accompanied the technical attack. Handala initially claimed to have stolen 50 terabytes of critical data and wiped over 200,000 systems, servers, and mobile devices—figures designed to maximize psychological impact and media coverage.
However, forensic investigators have found no indication that data was exfiltrated during the breach. The actual device count appears closer to 80,000, though this figure still represents a devastating operational impact. Stryker’s offices in 79 countries faced disruptions, with electronic ordering systems remaining offline for days afterward.
This discrepancy between claimed and actual impact reveals a critical aspect of modern hacktivist operations: the narrative matters as much as the attack itself. By inflating their success metrics, groups like Handala generate greater media attention, inspire other would-be attackers, and create the perception of weakness in their adversaries—all without needing to actually achieve the claimed data theft.
As of March 16, Stryker has provided a measured update on their recovery status. The company emphasizes that “all Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use”—a critical distinction meant to reassure hospitals and healthcare providers that patient care isn’t compromised.
However, the operational impact remains significant. Electronic ordering systems are still offline, forcing customers to place orders manually through sales representatives. Supply chain systems remain the company’s top priority for restoration, with Stryker stating that “our core transactional systems are already on a clear path to full recovery.”
For organizations watching this incident unfold, the recovery roadmap offers several lessons:
Perhaps the most significant takeaway from the Stryker incident is what it portends for the future of cybersecurity. For decades, defenders focused on keeping malware out—building firewalls, deploying antivirus software, and monitoring for malicious code. Handala just demonstrated that in a cloud-managed world, you don’t need malware to destroy thousands of devices. You just need the right password.
This attack heralds the death of traditional malware as the primary threat vector for destructive attacks. Why spend months developing a sophisticated wiper virus that might be detected by endpoint protection when you can simply borrow the administrative credentials and let Microsoft’s own tools do the work for you?
The implications for identity and access management are profound. Organizations must now assume that attackers will eventually obtain administrative credentials and architect their systems accordingly. This means:
According to IBM X-Force Exchange’s tracking, Handala emerged after Hamas’ October 7 attack on Israel and has progressively expanded its targeting scope. Initially focused on Israeli civilian infrastructure, the group has since targeted energy companies in the Gulf region and now Western organizations, with “deliberate targeting of life‑critical sectors such as healthcare and energy.”
The group’s operational philosophy, as described by IBM, focuses on “generating disruptive and psychological impact” through a “broad and evolving toolkit, including phishing, custom wiper malware, ransomware‑style extortion, data theft, and hack‑and‑leak activity.” The Stryker attack represents their most sophisticated and impactful operation to date, but it almost certainly won’t be their last.
For healthcare organizations and other critical infrastructure providers, the lessons are stark:
CISA Acting Director Nick Andersen stated that the agency is “working shoulder-to-shoulder with our public and private sector partners as we continue to uncover relevant information and provide technical assistance for the targeted attack on Stryker.” This response, while appropriate for a single incident, points to the need for more fundamental changes in how government and industry collaborate on cybersecurity.
The Stryker attack represents exactly the kind of scenario that information sharing and analysis centers were designed to address. When a novel attack method emerges—in this case, using management tools as weapons—the private sector needs immediate, actionable intelligence to defend against similar tactics. The fact that Microsoft DART and Palo Alto Unit 42 are leading the investigation suggests that commercial cybersecurity capabilities remain ahead of government response, but coordination between these entities will be critical for developing broader defensive guidance.
While precise financial figures aren’t yet available, the scale of disruption offers hints at the economic damage. With offices affected in 79 countries and electronic ordering systems offline for days, the supply chain delays alone will cost millions. Manual order processing, while functional, cannot match the efficiency of automated systems, meaning backlogs will take weeks to clear.
For Stryker’s customers—hospitals and healthcare providers already operating on thin margins—these delays could have cascading effects on patient care and operational efficiency. The attack demonstrates how a relatively simple intrusion into corporate systems can ripple outward to affect entire ecosystems of partners and customers.
As the security community digests the implications of the Stryker attack, several actionable recommendations emerge for organizations seeking to avoid a similar fate:
The Stryker attack will be studied for years as a turning point in cybersecurity—the moment when the industry collectively realized that the tools we built to manage complexity had also created unprecedented vulnerability. Handala didn’t break in through a fortified door; they walked through an open one wearing an administrator’s uniform. Until organizations fundamentally rethink how they protect and monitor privileged access, the next Handala is already planning their own variation on this devastatingly effective theme.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation