What happened?
Medical technology giant Stryker was hit by a destructive cyberattack claimed by Handala, an Iranian-linked and pro-Palestinian hacktivist group. The incident occurred on 11 March 2026 and resulted in a global disruption to the company's entire Microsoft environment.
Stryker manufactures a range of products including surgical and neurotechnology equipment, employs over 53,000 people, and is a Fortune 500 company that reported global sales of $22.6 billion in 2024.
The scale of the attack was extraordinary. Handala claimed that Stryker's offices in 79 countries were forced to shut down after the group erased data from more than 200,000 systems, servers, and mobile devices. The group also claimed to have stolen 50 terabytes of critical data before initiating the wipe.
Crucially, while some initial reports described the use of wiper malware, emerging evidence indicates that the attackers used living-off-the-land techniques to remotely wipe systems — specifically, by abusing Microsoft Intune, a cloud-based unified endpoint management service designed to secure and manage devices within an organisation. A trusted source with knowledge of the attack told KrebsOnSecurity that the perpetrators appear to have used Microsoft Intune to issue a "remote wipe" command against all connected devices. Stryker confirmed that no malware or ransomware was detected during its investigation.
Employees across the United States, Ireland, Costa Rica, and Australia reported that their managed Windows and mobile devices were remotely wiped in the middle of the night. The attackers also defaced the company's Entra login page to display the Handala logo. Employees in Ireland, where Stryker's largest hub outside the US is based, reported that anything connected to the network was down, and that anyone with Microsoft Outlook on their personal phones had their devices wiped. Staff were instructed to remove corporate management and applications from their personal devices, including the Intune Company Portal, Teams, and VPN clients.
Stryker acknowledged that the attack caused disruption to order processing, manufacturing, and shipping. Some locations were forced to revert to "pen and paper" workflows after systems became unavailable.
Handala stated the attack was in retaliation for a February 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. Handala referred to Stryker as a "Zionist-rooted corporation," possibly a reference to the company's 2019 acquisition of the Israeli company OrthoSpace.
So what?
The Stryker incident is not merely a corporate IT crisis — it is a watershed moment for how organisations should think about the weaponisation of their own management infrastructure.
This was a supply chain and patient care issue, not just an IT outage. One healthcare professional at a major university medical system in the United States told KrebsOnSecurity that they were unable to order surgical supplies normally sourced through Stryker. As the source put it: "This is a real-world supply chain attack. Pretty much every hospital in the US that performs surgeries uses their supplies." A number of hospitals opted to disconnect from Stryker's online services, including LifeNet, a service that lets paramedics transmit EKGs to emergency physicians so that heart attack patients can be treated more quickly on arrival at hospital.
The attack vector is deeply concerning. Rather than deploying custom destructive malware, the attackers appear to have gained access to Microsoft Intune and used the platform's own legitimate remote wipe functionality to simultaneously erase over 200,000 endpoints across 79 countries. This is a textbook example of a "living off the land" attack — using trusted, built-in tools in ways that evade traditional security controls and leave minimal forensic traces.
The geopolitical context signals escalation. Since the US-Israel-Iran conflict erupted in late February 2026, Handala has sharply ramped up its claimed activity, focusing on targets perceived as aligned with Israel and its allies. Palo Alto Networks, which links Handala to Iran's Ministry of Intelligence and Security, notes that recent observed activities are opportunistic, with a noticeable focus on supply-chain footholds — such as IT and service providers — to reach downstream victims. This means the threat does not stop with Stryker. Any organisation that is, or is perceived to be, associated with Israeli interests, US defence, or Western institutions may find itself in scope.
The personal device dimension raises novel legal and HR questions. Colleagues who had personal phones enrolled for work access lost personal data after their devices were reset. This raises immediate questions around data liability, bring-your-own-device (BYOD) policies, and employee notification obligations — issues that legal teams at affected organisations will need to address promptly and carefully.
The reputational and regulatory exposure is significant. Stryker is a publicly traded company and filed a Form 8-K with the US Securities and Exchange Commission (SEC), confirming that it suffered a cyberattack that impacted its entire Microsoft environment. The incident is a stark reminder that cyber incidents now carry regulatory disclosure obligations that must be handled with precision and speed.
What should I do?
The Stryker attack is a call to action for all organisations that rely on Microsoft cloud services, particularly those using Intune for endpoint management. The following steps should be considered urgently.
Audit and harden your Microsoft Intune environment
The attackers appear to have used Microsoft Intune's legitimate remote wipe functionality to simultaneously erase devices across the globe. This makes securing access to Intune an absolute priority. Organisations should:
- Implement Multi Admin Approval (MAA) in Intune, a feature that requires high-impact administrative actions — such as issuing remote wipe commands — to be approved by a second designated administrator before they are executed. Had this control been in place, the attackers' ability to issue mass wipe commands in a single action would have been significantly constrained. Enabling MAA for destructive operations (device wipe, retire, factory reset) is one of the most effective mitigations available in the Intune platform and should be treated as a baseline security requirement, not an optional hardening measure.
- Review who holds Global Administrator and Intune Administrator roles. Apply the principle of least privilege rigorously and remove any accounts that do not require these permissions.
- Enable Privileged Identity Management (PIM) in Entra ID so that administrator roles require just-in-time activation and approval, limiting the window of exposure if an admin account is compromised.
Protect your Entra ID (Azure AD) environment
The attackers defaced Stryker's Entra login page, suggesting they had achieved a high level of access within the Microsoft identity infrastructure. Organisations should:
- Enforce phishing-resistant multi-factor authentication (MFA) — such as FIDO2 security keys or Windows Hello for Business — on all privileged accounts.
- Enable Conditional Access policies to restrict administrative actions to trusted, compliant devices and known locations.
- Regularly review and audit sign-in logs and privileged role assignments using Microsoft Entra ID Protection.
- Consider enabling Entra ID's Privileged Access Workstations (PAW) model for highly sensitive administrator activities.
Review your BYOD and personal device enrolment policies
Employees who had personal phones enrolled for work access lost personal data after their devices were remotely wiped. Organisations should:
- Assess whether personal device enrolment in Intune is necessary and proportionate.
- Where personal devices must be enrolled, consider Intune's Mobile Application Management (MAM) without enrolment model, which keeps corporate data inside managed applications without giving Intune the ability to wipe the entire device.
- Update BYOD policies and employee agreements to clearly set out the risks, and review whether current policies comply with applicable data protection law (including UK GDPR or EU GDPR, as applicable).
Develop and test your incident response plan
Numerous employees reported that the attack forced some locations to revert to "pen and paper" workflows after systems became unavailable. This level of operational disruption underscores the importance of having tested, offline-accessible business continuity and incident response plans. Organisations should:
- Ensure incident response plans account for scenarios in which cloud management platforms themselves are compromised or weaponised.
- Conduct tabletop exercises that simulate a mass device wipe scenario.
- Maintain offline backups of critical data that are not accessible via cloud-connected management tooling.
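As an added illustration of the detection side of the Intune hardening and incident response steps above, the following Python is not from the original article or from Stryker: it reads Intune audit events in the shape returned by Microsoft Graph's deviceManagement/auditEvents (assumed field names: displayName, activityDateTime, actor.userPrincipalName) from a constructed sample and alerts when a single actor issues a burst of wipe or retire commands. The threshold and window are assumptions to be tuned per tenant against normal help-desk volumes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Intune audit activity names whose effect is to erase data from a device
# (assumption: display names follow the Graph deviceManagement/auditEvents shape).
DESTRUCTIVE = {"Wipe ManagedDevice", "Retire ManagedDevice", "Delete ManagedDevice"}


def parse_time(stamp):
    """Parse a Graph-style ISO 8601 timestamp ending in 'Z'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect_mass_wipe(events, threshold=25, window=timedelta(minutes=10)):
    """Flag any actor issuing `threshold` or more destructive actions within
    `window`. Returns (actor, window_start, count) tuples, one per actor,
    emitted at the moment the threshold is first crossed."""
    recent = defaultdict(deque)   # actor -> timestamps inside the sliding window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        if ev["displayName"] not in DESTRUCTIVE:
            continue
        actor = ev["actor"]["userPrincipalName"]
        now = parse_time(ev["activityDateTime"])
        q = recent[actor]
        q.append(now)
        while now - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append((actor, q[0], len(q)))
    return alerts


def _event(name, when, upn):
    return {"displayName": name,
            "activityDateTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "actor": {"userPrincipalName": upn}}


def sample_events():
    """Constructed sample log (not real telemetry): a help-desk admin retiring
    three devices over a working day, then one account wiping 40 devices in
    under three minutes starting at 02:00 UTC."""
    base = datetime(2026, 3, 11, 2, 0, tzinfo=timezone.utc)
    events = [_event("Retire ManagedDevice", base + timedelta(hours=8 + 3 * i),
                     "helpdesk@example.com") for i in range(3)]
    events += [_event("Wipe ManagedDevice", base + timedelta(seconds=4 * i),
                      "compromised-admin@example.com") for i in range(40)]
    return events
```

Running `detect_mass_wipe(sample_events())` returns one alert for the wiping account at the 25th command, while the help-desk retirements spread over hours never trip the window.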
Assess your supply chain and third-party risk
Palo Alto researchers noted a noticeable focus by Handala on supply-chain footholds, using IT and service providers to reach downstream victims. Organisations should review their third-party and supply chain risk management frameworks to understand their exposure to attacks that originate from compromised upstream providers.
Stay alert to the geopolitical threat environment
Since the escalation of the US-Israel-Iran conflict in late February 2026, Handala has sharply increased its claimed activity against targets perceived as aligned with Israel and its allies. Legal and compliance teams should work alongside their IT security counterparts to assess whether their organisation's profile, business relationships, or public positions could make them a target, and act accordingly.