On March 11, 2026, between approximately 5:00 and 8:00 AM UTC, the Iran-linked Handala group executed a mass device wipe attack against medical technology manufacturer Stryker, affecting operations across 79 countries. According to Krebs on Security and BleepingComputer, investigators determined approximately 80,000 devices were wiped — not the 200,000+ initially claimed by the attackers.
Attack Chain — No Malware Required
According to detailed analyses from Sygnia, Lumos, and Coalition, the attack used only legitimate Microsoft tools:
- Credential theft: Handala obtained Stryker credentials harvested by infostealer malware; 278 compromised credentials were identified between October 2025 and March 2026
- Admin account compromise: Attackers accessed an existing Intune administrator account
- Privilege escalation: Using the compromised administrator account, they created a new account in Microsoft Entra ID (formerly Azure AD) and assigned it the Global Administrator role. Note that the Intune Administrator role alone cannot assign Global Administrator; the compromised account must also have held, or been able to reach, a role such as Global Administrator or Privileged Role Administrator
- Mass wipe: Issued remote wipe actions through Microsoft Intune against all enrolled devices at once
Apart from the infostealer malware that harvested the credentials, no malware was deployed in Stryker's environment: no ransomware, no zero-day exploits, no custom tooling. The entire attack leveraged legitimate endpoint management functionality, so the only signals defenders had were identity and management-plane audit events.
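Both of the decisive steps in the chain above (a sensitive role assignment and a burst of wipe actions) are recorded in Entra directory audit and Intune audit logs before the wipes finish landing, which makes them detectable with simple logic. The following Python script is an added example, not code from the original reporting or any of the cited analyses. It runs over constructed sample events (not real Stryker logs); the record shapes and field names (`activity`, `initiator`, `target`, `role`, `action`, `actor`) are simplified assumptions rather than the exact Entra or Intune schema, and the approved-initiator baseline is an assumed allow-list.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Entra built-in roles whose assignment should always be reviewed.
SENSITIVE_ROLES = {"Global Administrator", "Privileged Role Administrator",
                   "Intune Administrator"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def build_sample_events():
    """Constructed sample events mirroring the chain described above.

    Not real Stryker logs; field names are simplified assumptions, not the
    exact Entra directory-audit or Intune audit schema."""
    entra = [
        {"time": "2026-03-10T09:15:00Z", "activity": "Update user",
         "initiator": "helpdesk@example.com", "target": "j.doe@example.com",
         "role": None},
        # Compromised Intune admin grants Global Administrator to a new account.
        {"time": "2026-03-11T04:48:32Z", "activity": "Add member to role",
         "initiator": "intune.admin@example.com",
         "target": "svc-sync2@example.com", "role": "Global Administrator"},
    ]
    intune = []
    # Benign baseline: helpdesk wipes three lost laptops across a working day.
    for i, t in enumerate(["2026-03-10T08:10:00Z", "2026-03-10T11:42:00Z",
                           "2026-03-10T16:05:00Z"]):
        intune.append({"time": t, "action": "wipe",
                       "actor": "helpdesk@example.com", "device": f"LT-{i:05d}"})
    # Attack: the newly privileged account issues 60 wipes within one minute.
    start = parse_ts("2026-03-11T05:01:00Z")
    for i in range(60):
        intune.append({"time": (start + timedelta(seconds=i)).strftime(TS_FMT),
                       "action": "wipe", "actor": "svc-sync2@example.com",
                       "device": f"WS-{i:05d}"})
    return entra, intune


def find_privileged_role_grants(entra_events, approved_initiators,
                                sensitive_roles=SENSITIVE_ROLES):
    """Sensitive role assignments made by anyone outside the approved baseline."""
    return [e for e in entra_events
            if e["activity"] == "Add member to role"
            and e.get("role") in sensitive_roles
            and e["initiator"] not in approved_initiators]


def find_wipe_bursts(intune_events, window=timedelta(minutes=10), threshold=10):
    """Per-actor sliding window: flag any actor whose wipe count inside
    `window` reaches `threshold`. Three wipes spread over a day stay silent;
    dozens in a minute do not."""
    per_actor = defaultdict(list)
    for e in intune_events:
        if e["action"] == "wipe":
            per_actor[e["actor"]].append(parse_ts(e["time"]))
    alerts = []
    for actor, times in per_actor.items():
        times.sort()
        lo, best, best_start = 0, 0, None
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window's left edge
                lo += 1
            if hi - lo + 1 > best:
                best, best_start = hi - lo + 1, times[lo]
        if best >= threshold:
            alerts.append({"actor": actor, "count": best,
                           "window_start": best_start})
    return alerts


def correlate(entra_events, intune_events, approved_initiators):
    """Highest-confidence signal: a wipe burst issued by an account that was
    itself just granted a sensitive role outside the approved process."""
    newly_privileged = {g["target"] for g in
                        find_privileged_role_grants(entra_events, approved_initiators)}
    return [b for b in find_wipe_bursts(intune_events)
            if b["actor"] in newly_privileged]


if __name__ == "__main__":
    entra, intune = build_sample_events()
    approved = {"breakglass@example.com"}  # assumed allow-list of role granters
    for g in find_privileged_role_grants(entra, approved):
        print(f"ROLE GRANT  {g['time']} {g['initiator']} -> {g['target']} ({g['role']})")
    for b in find_wipe_bursts(intune):
        print(f"WIPE BURST  {b['window_start'].strftime(TS_FMT)} "
              f"{b['actor']} issued {b['count']} wipes")
    for c in correlate(entra, intune, approved):
        print(f"HIGH        {c['actor']}: wipe burst by a freshly privileged account")
```

The role-grant rule fires at 04:48, roughly twelve minutes before the first wipe in the sample; in a real tenant that is the window in which an automated response (disable the new account, revoke its sessions) could still matter. Tune `threshold` and `window` to the organisation's normal retire/wipe volume so that routine helpdesk activity stays below the line.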
Business Impact
MedTech Dive and AHA News reported that Stryker's global manufacturing, shipping, and electronic ordering systems were halted for several days. Stryker confirmed the attack was contained by March 15, with manufacturing fully operational by early April. The company stated that no patient safety or medical device security was compromised.
Attribution
On March 20, 2026, the U.S. Department of Justice formally attributed the attack to Iran's Ministry of Intelligence and Security (MOIS). Handala, which emerged in late 2023, masquerades as a hacktivist group but operates as a MOIS proxy according to Palo Alto Networks and Arctic Wolf.
Context
The Stryker incident shows that endpoint management platforms are now a primary attack surface: an Intune tenant is a single control plane from which one destructive action reaches every enrolled device. A single over-permissioned administrator account, protected neither by phishing-resistant MFA nor by multi-admin approval for destructive device actions such as wipe, was enough for a nation-state actor to cripple a Fortune 500 manufacturer's global operations in three hours. For organisations subject to NIS2, this is a direct illustration of why access control (ISO 27001:2022 Annex A control 5.15) and privileged access rights (control 8.2) require continuous enforcement, not annual review.